Security question of the week

I just received an interesting security question from a new NSP customer who reached out to us after experiencing an Office 365 breech.

His question raised the broader discussion point of the value of Office 365 in relation to the time, cost and effort required to secure it.

Comparing his division to another that still hosts on premise and setting aside the version or generation of products being used, he’s now reflecting on the fact that the other division has remained breech-free, yet he will have to work to strengthen his organisational security posture, as well as consider additional technologies to prevent further breeches. It’s got him wondering why Office 365 security seems hard and whether it’s worth it.

This is a valid security question. However, my experience over the last five years of cloud migrations has shown that the above is less a fundamental issue with cloud services, and more of an issue around organisations not adjusting their security strategy for cloud architectures. For on premise services, the perimeter architecture works fairly well and organisations have been building on it over the last 30 years. However, when moving data to cloud services, it’s a Zero Trust architecture that is required. Zero Trust architecture concentrates security on the user and on the data, with the perimeter no longer a central issue. Most organisations don’t make this switch and therefore suffer issues.

With the O365 licenses our customer has, they can:

Register their devices in Azure Active Directory (AAD), so only those devices can be used to access SharePoint and EoL
Enforce Multi Factor Authentication (MFA) for logins
Block all logins from undesirable countries

Meaning, they can dictate that entry is only permitted from known machines, in expected countries and using MFA. This level of security means an identity compromise must impact the laptop and mobile phone, i.e. an attack by only the most accomplished of cybercriminal gangs.

This obviously does not protect you from malicious insiders, as they can login. So, this is where you protect the data with AIP where it is possible to:

Classify all the data and encrypt high classification data
Restrict access to decrypt the data to select users for limited times
Stop the forwarding of emails with classified documents
Stop the export of classified documents
Get extensive logs of user behaviour with data

Looking back 10 years, this level of security would have cost organisations millions of dollars to purchase, configure and manage. Today most of it is available with your licensing, but it must be configured to ensure you benefit from its value.