
The Definitive Guide to OFFICE 365 SECURITY

WHITE PAPER

© 2015 BITGLASS, INC.

Do a search for trending IT topics today, and it’s hard to find a topic that’s more discussed, and more controversial than cloud security. Cloud adoption within major enterprises has increased significantly thanks to the promise of cost savings, flexibility and increased productivity. Microsoft’s Office 365, in particular, is making significant headway into enterprises. The popular app is on pace to beat out Google Apps as the new leader in cloud-based email, file sharing, and productivity.

The idea that you can simply shift responsibility for your company’s data security to Microsoft however, is far from the truth. The Office 365 team includes highly trained security experts who excel at protecting their infrastructure—they’re all over SSL, data redundancy, and backup systems. But they also won’t tell you who is accessing your data, from what device or when. They don’t know when an employee has “gone rogue” or has had their credentials compromised. And they have no idea what happens to your data when it’s downloaded from the cloud to personal mobile devices.

According to the 2015 Bitglass Cloud Security Survey, 90 percent of companies are concerned about cloud security. In addition, 36 percent of companies believe that cloud-based applications like Office 365 are more risky than on-premises applications and fear the security risks associated with migrating to the cloud.

White Paper | The Definitive Guide to Office 365 Security


In order to mitigate cloud risk, enterprises are looking for ways to increase the security and control of their corporate data by filling the following four gaps, or SaaS holes:

ONE: Identity Sprawl

The adoption of many cloud applications in the enterprise was ad hoc, with individual accounts created within each cloud app instead of consolidation on the existing identity and authentication systems used for internal applications. This has led to difficult-to-manage provisioning and deprovisioning, and a proliferation of usernames and passwords for employees, a situation that causes frustration, productivity loss and calls to the help desk. Employees with too many passwords are also more likely to reuse them or write them down on sticky notes, adding to the likelihood of compromised passwords.

THE SOLUTION: SINGLE SIGN-ON (SSO) & MULTI-FACTOR AUTHENTICATION

Deploying an SSO system so that employees have just one password to remember and manage for all cloud applications can drastically reduce the attack surface that hackers can use to steal your data. SSO also gives you control over the access point to your Office 365 application. It allows you to manage every account through Microsoft Active Directory, so that if you deactivate an account, the user is automatically locked out of all company systems. No more worrying about what information employees may have squirreled away in their cloud apps after they have left the company. One caveat: deactivating the directory account stops new logins, but sessions and tokens already issued to a device stay valid until they expire or are revoked, so deactivation should be paired with session revocation and with the selective wipe described under gap TWO.

Many organizations also opt to employ multi-factor authentication as an added security mechanism. Multi-factor authentication comes in many forms (hard tokens, soft tokens, SMS, etc.). Office 365 includes a basic multi-factor option of its own, but applying one consistent second-factor policy across Office 365 and every other cloud app in the organization requires an Identity & Access Management product that sits in front of all of them.

Pro Tip: An increasing number of Cloud Access Security Brokers include built-in identity and authentication capabilities, allowing you to consolidate products (and budget) as you seek to fill the gaps in Office 365.

TWO: Securing Mobile Data

The most counter-intuitive aspect of cloud app security is that the greatest source of risk is not data stored at rest in the cloud, but the simple fact that cloud apps are accessible from ANY device and often include capabilities that allow for easy and automatic synchronization of data to those devices. Cloud adoption and consumerization are growing together, with employees demanding use of their own devices to access corporate data. With this proliferation of data outside of corporate control, companies must be able to protect cloud data downloaded to mobile devices. Controlling data accessibility from unmanaged mobile devices, and revoking data when required, such as when an employee leaves the company or when the device is lost or stolen, is a key requirement for Office 365 security.

SOLUTION: DEVICE PROFILING & SELECTIVE WIPE

In order to secure mobile devices today you should look to solutions that allow for device profiling. The table below shows an example of this, with one scenario per row and three columns: Contextual Access Control, Application Access and Data Protection.

Scenario: Managed device, Corporate HQ
  Contextual Access Control: Device Profile: Pass (Device Type: Windows 8.1; Domain member; X.509 certificate present; Registry match)
  Application Access: Email; Browser; OneDrive sync client
  Data Protection: Full access

Scenario: Unmanaged device, On-campus
  Contextual Access Control: Device Profile: Fail (Device Type: Mac OS X; No X.509 certificate)
  Application Access: Browser-based email only
  Data Protection: Container/encryption for all downloads; Sensitive data redaction

Scenario: Managed mobile, Off-campus
  Contextual Access Control: Device Profile: Pass (Device Type: Apple iOS; MDM profile installed)
  Application Access: Native email; Browser; OneDrive app
  Data Protection: Full access

Scenario: Unmanaged BYOD, Off-campus
  Contextual Access Control: Device Profile: Fail (Device Type: Apple iOS; No MDM profile installed)
  Application Access: Native email; Browser
  Data Protection: Container/encryption for all downloads; Sensitive data redaction


The idea is to provide different levels of access to applications and to data based on key contextual variables including the user’s role in the organization, the app being accessed, the device and whether it is managed, location, and more. In this example, an employee on a managed device, located inside of the corporate headquarters has full access to Office 365. That same employee accessing Office 365 from an unmanaged device has a much more restricted level of access—browser-based email only, with sensitive data being redacted and encrypted upon download.
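The following is an added example, not code from the white paper or from Bitglass, showing how the four rows of the device-profiling table can be expressed as a policy function: the device context goes in, and the allowed clients plus data-protection controls come out. Field names, device-type strings and action labels are this example's own assumptions; the managed-Mac criteria are assumed as well, since the table only shows a failing Mac.

```python
from dataclasses import dataclass

# Added example of a contextual access-control engine that reproduces the four
# rows of the device-profiling table above. Field names, device-type strings
# and action labels are this example's own assumptions, not a product API.


@dataclass(frozen=True)
class DeviceContext:
    device_type: str                 # "windows", "macos", "ios" or "android"
    location: str                    # "corporate_hq", "on_campus" or "off_campus"
    domain_member: bool = False      # joined to the corporate AD domain
    x509_cert_present: bool = False  # holds the corporate device certificate
    registry_match: bool = False     # Windows-only registry marker
    mdm_profile_installed: bool = False


@dataclass(frozen=True)
class AccessDecision:
    profile: str            # "pass" (managed) or "fail" (unmanaged)
    applications: tuple     # clients allowed to reach Office 365
    data_protection: tuple  # controls applied to data that leaves the app
    location: str           # carried through so the decision can be logged


MOBILE = {"ios", "android"}


def device_profile_passes(ctx: DeviceContext) -> bool:
    """Managed Windows desktop: domain-joined, corporate certificate and the
    expected registry marker. Managed Mac (assumed: domain-joined plus
    certificate; the table only shows the failing case). Managed mobile:
    MDM profile installed. Anything else is unmanaged."""
    if ctx.device_type == "windows":
        return ctx.domain_member and ctx.x509_cert_present and ctx.registry_match
    if ctx.device_type == "macos":
        return ctx.domain_member and ctx.x509_cert_present
    if ctx.device_type in MOBILE:
        return ctx.mdm_profile_installed
    return False


def decide_access(ctx: DeviceContext) -> AccessDecision:
    """Map device context to allowed clients and data-protection controls."""
    is_mobile = ctx.device_type in MOBILE
    if device_profile_passes(ctx):
        apps = (("native_email", "browser", "onedrive_app") if is_mobile
                else ("email_client", "browser", "onedrive_sync_client"))
        return AccessDecision("pass", apps, ("full_access",), ctx.location)
    # Unmanaged: the device is not trusted, so keep corporate data inside
    # the browser or an encrypted container and strip sensitive content.
    apps = ("native_email", "browser") if is_mobile else ("browser_email_only",)
    return AccessDecision("fail", apps,
                          ("container_encrypt_downloads", "redact_sensitive_data"),
                          ctx.location)


if __name__ == "__main__":
    # The four scenarios from the table, evaluated in order
    for ctx in (
        DeviceContext("windows", "corporate_hq", domain_member=True,
                      x509_cert_present=True, registry_match=True),
        DeviceContext("macos", "on_campus"),
        DeviceContext("ios", "off_campus", mdm_profile_installed=True),
        DeviceContext("ios", "off_campus"),
    ):
        d = decide_access(ctx)
        print(f"{ctx.device_type:8} {ctx.location:13} profile={d.profile:4} "
              f"apps={','.join(d.applications)} protection={','.join(d.data_protection)}")
```

In a real deployment the context fields are derived from the TLS client certificate, the MDM enrollment record and the source network rather than passed in by hand. The point of the structure is that the decision is a pure function of the context, so each row of the policy can be unit-tested and every decision can be logged with the context that produced it.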

If a device is lost or an employee leaves the company, you also have the ability to selectively wipe corporate data from all of their mobile devices. Wiping an employee's entire device brings it back to factory settings, creating a huge headache for your users. The ability to differentiate between corporate data and personal data is crucial.

Pro Tip: Rather than reinvent the wheel, many organizations start by creating policies very similar to those that they have created for remote access to internal applications on SSL VPN platforms, saving considerable policy development time.

THREE: Suspicious Activity

Office 365's native audit logging covers activity within Office 365 only. In other words, Microsoft won't tell you that "Jenn" logged into your Salesforce.com account from San Jose, CA at 1:34pm and then, 5 minutes later, "Jenn" logged into Office 365 from New York, NY. These are separate and distinct applications, but catching that pattern requires consistent, cross-app visibility.

If you are in healthcare, financial services or any other highly regulated industry, visibility into employee activity is even more important, or you could risk operating out of compliance with regulations like HIPAA and PCI.

SOLUTION: CLOUD ACCESS SECURITY BROKER (CASB)

Complete visibility into corporate activity for Office 365 is more easily achievable than you think. When you implement a Cloud Access Security Broker, traffic between your users and Office 365 flows through a proxy. Since the CASB proxy sits in the data path, it has visibility into every request flowing through it, across every cloud app it fronts. Suspicious activity is then flagged, and an alert is automatically sent to your IT security team. Note that a proxy sees only the traffic routed through it, which is why it should be paired with the SSO described under gap ONE: when authentication is redirected through the broker, every device, managed or not, reaches Office 365 via the proxy.
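As an added example, not code from the white paper or from Bitglass, here is the "Jenn" scenario above turned into detection logic: login events from two different SaaS apps are grouped per user, ordered in time, and any consecutive pair whose implied travel speed is physically impossible raises an alert. The sample events are constructed for the example (the coordinates are those a geo-IP lookup would return), and the speed threshold and noise floor are this example's own choices.

```python
import math
from datetime import datetime

# Constructed sample events, not real logs: login records from two different
# SaaS apps as a CASB proxy in the data path would record them, with the
# source IP already resolved to a city and coordinates by geo-IP.
SAMPLE_LOGINS = [
    {"user": "jenn", "app": "salesforce", "time": "2015-06-10T13:34:00-07:00",
     "city": "San Jose, CA", "lat": 37.3382, "lon": -121.8863},
    {"user": "jenn", "app": "office365", "time": "2015-06-10T13:39:00-07:00",
     "city": "New York, NY", "lat": 40.7128, "lon": -74.0060},
    {"user": "raj", "app": "office365", "time": "2015-06-10T09:02:00-07:00",
     "city": "San Francisco, CA", "lat": 37.7749, "lon": -122.4194},
    {"user": "raj", "app": "salesforce", "time": "2015-06-10T11:15:00-07:00",
     "city": "San Jose, CA", "lat": 37.3382, "lon": -121.8863},
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumed ceiling: faster than an airliner is unreachable
GEO_NOISE_KM = 50.0               # assumed: geo-IP jitter inside one metro area is not travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def find_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Group logins per user across all apps, order them by time, and flag
    every consecutive pair whose implied ground speed no traveller could reach."""
    by_user = {}
    for e in events:
        rec = dict(e, ts=datetime.fromisoformat(e["time"]))
        by_user.setdefault(e["user"], []).append(rec)

    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda r: r["ts"])
        for prev, cur in zip(logins, logins[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < GEO_NOISE_KM:
                continue  # same metro area: not travel, just geo-IP imprecision
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Two far-apart logins in the same second: the implied speed is unbounded
            speed = math.inf if hours == 0 else dist / hours
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": f'{prev["app"]} @ {prev["city"]}',
                    "to": f'{cur["app"]} @ {cur["city"]}',
                    "distance_km": round(dist),
                    "minutes": round(hours * 60),
                    "speed_kmh": round(speed),
                })
    return alerts


if __name__ == "__main__":
    for a in find_impossible_travel(SAMPLE_LOGINS):
        print(f'ALERT {a["user"]}: {a["from"]} -> {a["to"]} '
              f'({a["distance_km"]} km in {a["minutes"]} min, {a["speed_kmh"]} km/h)')
```

Run stand-alone it prints one alert for "jenn" (roughly 4,100 km in 5 minutes) and nothing for "raj", whose two logins are 68 km and two hours apart. The detection only works because both apps' logins land in the same event stream with a common user identity; that is the cross-app visibility the section is about, and it is also why the identity consolidation under gap ONE matters for detection, not just for convenience.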


Pro Tip: For many organizations, Office 365 is one of the first applications deployed as part of a “cloud first” strategy. Note that not all CASBs support all applications. When selecting a vendor, ensure that the CASB chosen supports not only your current applications, but cloud apps you expect to deploy in the future.

FOUR: Data Leakage

The consequences of leaked data getting into the wrong hands can be brutal. Home Depot, Sony, JP Morgan, Anthem and Premera all fell victim to breaches that exposed customer data to the world. Companies must be able to protect against data leakage, but since most data leakage prevention solutions protect only on-premises applications, migration to Office 365 makes those solutions irrelevant.

Office 365 does offer some basic built-in DLP functionality, but its capabilities are limited: it focuses on outbound email, inspecting messages as they pass between senders and recipients inside the app. It does not take into account the fact that the point of consumption, the employee's device, is no longer a trusted, secured asset. DLP must cover both directions: preventing sensitive data from leaving the organization by email, and also preventing that same data from being downloaded to unmanaged employee devices, by tracking, encrypting, masking or blocking content.

SOLUTION: CLOUD ACCESS SECURITY BROKER (CASB)

CASBs allow the enterprise to set policies on data access, limiting who can access sensitive data, ensuring that compliance and security goals are met.

It is also important to remember that not all data is created equal. For example, most marketing materials are meant to be shared, whereas customer credit card numbers and company secrets must be kept secure at all times. A CASB can help classify data and build security controls based on the sensitivity of the data being accessed. These controls include tracking, encrypting, masking or blocking data that is leaving your Office 365 cloud application: less sensitive data would most likely be embedded with data tracking technologies, while sensitive data would be encrypted, masked or even blocked from leaving the cloud app altogether.
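The classify-then-act logic described above, as an added example that is not code from the white paper or from Bitglass: content is classified by detecting card numbers (candidates are validated with the Luhn checksum so that order numbers and similar digit runs are not false positives) or a confidentiality marker, and the action is chosen from the sensitivity and from whether the destination device is managed. The regex, the markers, the action names and the policy matrix are this example's own assumptions.

```python
import re

# Added example of a DLP classifier and the track / encrypt / mask / block
# decision. Regex, markers, thresholds and action names are assumptions made
# for this example, not a product's.

# Candidate primary account number: 13-19 digits, optionally separated by
# single spaces or dashes, bounded by non-word characters on both sides.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if
    it exceeds 9) and the total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_card(match) -> bool:
    return luhn_valid(re.sub(r"\D", "", match.group(0)))


def card_numbers(text: str):
    """Return only those regex matches whose digits pass the Luhn check."""
    return [m for m in CARD_CANDIDATE.finditer(text) if _is_card(m)]


def classify(text: str) -> str:
    """'sensitive' if the text carries a valid card number or a
    confidentiality marker, otherwise 'public'."""
    upper = text.upper()
    if card_numbers(text) or any(k in upper for k in CONFIDENTIAL_MARKERS):
        return "sensitive"
    return "public"


def mask_cards(text: str) -> str:
    """Replace every digit of each valid card number except the last four,
    keeping the original separators so the document still reads naturally.
    Candidates that fail Luhn are left untouched."""
    def _mask(m):
        raw = m.group(0)
        if not _is_card(m):
            return raw
        n_digits = sum(ch.isdigit() for ch in raw)
        out, seen = [], 0
        for ch in raw:
            if ch.isdigit():
                seen += 1
                out.append(ch if seen > n_digits - 4 else "*")
            else:
                out.append(ch)
        return "".join(out)
    return CARD_CANDIDATE.sub(_mask, text)


def dlp_decision(text: str, device_managed: bool, allow_block: bool = False):
    """Map (sensitivity, device trust) to an action and to the content that
    may leave the app. Public content is only tracked; sensitive content is
    encrypted for managed devices and masked for unmanaged ones; blocking is
    reserved for policies that explicitly opt in to that last resort."""
    if classify(text) == "public":
        return "track", text
    if device_managed:
        return "encrypt", text
    if allow_block:
        return "block", ""
    return "mask", mask_cards(text)


if __name__ == "__main__":
    doc = "Card 4111 1111 1111 1111 exp 12/19"  # constructed sample using a test card number
    print(dlp_decision(doc, device_managed=True))
    print(dlp_decision(doc, device_managed=False))
    print(dlp_decision("Order ref 1234567890123456 shipped", device_managed=False))
```

Masking only redacts what the classifier can locate, so a document marked CONFIDENTIAL with no card numbers passes through "mask" unchanged; that is the case where encrypting into a container (or, where policy allows, blocking) is the right action rather than redaction. The example returns the "encrypt" decision and leaves the actual encryption to the container that the device-profiling section describes.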

Pro Tip: Many set out on a path of attempting to “block” certain transactions. Such an extreme measure must be applied only when absolutely necessary. Today’s employees know that they can find ways to “go rogue” if they don’t like the applications and security measures that IT puts into place—providing a desirable employee experience is the first step towards a successful data protection program.

You Can't Outsource All of Security

A move to Office 365 can help you gain control over company data and online employee activity, but only if you rethink your information security strategy. Emerging technologies like Cloud Access Security Brokers can fill the security gaps in cloud applications.

Learn more about how to adopt cloud applications without sacrificing security at: http://www.bitglass.com/solutions/microsoft-office-365-security

About Bitglass

In a world of cloud applications and mobile devices, IT must secure corporate data that resides on third-party servers and travels over third-party networks to employee-owned mobile devices. Existing security technologies are simply not suited to solving this task, since they were developed to secure the corporate network perimeter. The Bitglass Cloud Access Security Broker solution transcends the network perimeter to deliver total data protection for the enterprise—in the cloud, on mobile devices and anywhere on the Internet.

For more information, visit www.bitglass.com

Phone: (408) 337-0190 | Email: [email protected]