Top Mobility-Enabling Security Features in Office 365

Back to Blog
13Oct2016

Top Mobility-Enabling Security Features in Office 365

At this point, even the staunchest conservatives among us have to admit that we live in a post-perimeter world. In recent years there have been even more developments and trends chipping away at our traditional conceptions of so-called perimeter-based security.

Cloud and mobility means two things:

  1. Users can go straight to the Internet from any device and any location and get access to their corporate resources (they are usually stored in someone else’s datacenter)
  2. As a corollary, IT has very little control, visibility and protections to offer their cloud-enabled mobile users (sorry)

But there are other indicators besides that a domain-and-firewall lock-down approach just can’t be that successful anymore. For example, with Internet encryption on the rise (which you might think is a good thing), it paradoxically means that IT has a harder time protecting their user’s traffic with traditional tools like firewalls and other forms of packet inspection.

Software-defined security

It is now on the heads of the software and service providers to protect their users and their users’ data. So what do you think? Do you trust Google to do that for you?

I believe that when you look out across the landscape of cloud software products with an eye toward modern, mobility-enabling security features, Microsoft is the clear leader. We have some pretty great application-level controls and levers available to us, which makes us feel good since it puts more control–more options–into our hands.

Let’s ignore the Enterprise Mobility and Security products for a second, and just look at what we can achieve with Office 365. We can look at security in Office 365 from three angles.

1. Identity is managed through Azure Active Directory

Do you know what comes with every single Office 365 plan? Azure Active Directory. That’s how you authenticate to the cloud with your email address and password.

Do you know what else you can do to protect that identity, again with any version of Office 365? Multifactor authentication (MFA). It is quick and easy to setup, and makes it much more difficult for attackers who are able to gain access to your password, whether through a keylogger, a website breach or hack, or some other means.

MFA-O365-8

One thing to note: MFA can be sort of annoying. In addition to getting a code sent to your mobile device as a second step every so often, it carries the added complexity of an “app password” which is a randomly generated string of characters that you might have to supply sometimes for certain applications. The only reasonable solution I’ve come up with to deal with this is to store the app password in something like LastPass’s Secure Notes, since you have to dig it out now and again, and it’s almost impossible to memorize unless you’re some kind of savant.

2. Devices can be managed with Mobile Device Management for Office 365

Every version of Office 365 comes with a “Lite” version of Microsoft Intune that allows you to enable “Conditional Access” for your mobile users. This means that you can withhold access to corporate applications and data stored in the cloud until users agree to accept your terms, which includes a managed profile, the ability to require encryption, passcodes, auto-lockout and wipe policies.

Also, with Mobile Device Management turned on, you can “selectively wipe” a device, meaning that just the corporate data/email profile will be removed, without destroying other data on the device.

MDM-O365-6d

3. Data from applications can be protected with Information Rights Management and other cool add-ons

With Information Rights Management (available with E3 or as a separate subscription for Azure Rights Management) you can do cool things like flag Email messages and documents with special rights such as “Do Not Forward” (meaning: I want to share this content with you, but I don’t want you to share it with someone else). You can also enable secure message encryption which requires authentication by the intended recipient on a secure website to retrieve the content of the message.

X-365-RMS-5

Data Loss Prevention (DLP) is available with Exchange Online Plan 2 / E3. This lets you apply policies that in turn automatically flag content with sensitive types of data based on templates (think SSN’s, ABA/routing numbers, credit card numbers, etc.).

Another add-on worth mentioning is Advanced Threat Protection (ATP), which helps protect against zero-day threats. This is available wtih E5 (almost nobody buys this expensive plan) or as a separate add-on, and it comes with two great features: Safe Links and Safe Attachments. In this case, Microsoft is “detonating” the contents of an email message in a cloud sandbox before users ever receive it. If a link is determined to be “dark” or an attachment malicious (even if it passes other Antimalware scans), the user will be protected from it, whether they are inside your perimeter or not.

Security. Be About it.

So here’s the thing. A lot of this stuff isn’t on by default. And it’s not always intuitive to get setup. So you might need to work with a technology partner to help you stay protected and ahead of the game when it comes to this “mobile-first-cloud-first” stuff.

Yes, I totally drink the mobility Koolaid, as I think most of us should.  But we have to at least try to be somewhat safe about it, too, right? I believe Microsoft has given us a good start in the right direction with Office 365.

Business, Technical , , , , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

30Mar

Why you need UAC (and how to enable it)

I don't know why it has come to this, but here it is. Here we are. We need to review why it is that you need User Account Control (UAC), and how to go about turning it on. I know! Like, why is this even... read more
23Jun

Migrating File Shares from SBS to Office 365 SharePoint Online

When it comes to file shares, you have a choice to make. Whether you are coming from Windows Small Business Server, or one of the other releases (Essentials, Standard, Datacenter, etc.), you must decide: Do you want to continue to use traditional file shares, or are... read more
18Aug

2016 Essentials Integration: Azure AD & Office 365

This post is part of a series on the Microsoft Cloud Services integrations that are included with Windows Server 2016 Essentials Experience. To begin we will connect our local on-premises Windows Essentials Experience Server to the Microsoft cloud by enabling the Azure Active Directory and Office 365 integrations. Please note that this is... read more
03Oct

How to secure your BYOD Windows 10 Device

I do not want to confuse anyone too much with this post. So let me begin with a clear disclaimer: I am not suggesting that we abolish Active Directory and encourage open BYOD across our small and mid-sized enterprises. Active Directory and Group Policy still provides the... read more
27Sep

Security Reports and Identity Protection features available in Azure AD, Azure AD Premium P1 and P2

Azure AD Premium P1 is included with Enterprise Mobility and Security (EMS) E3. I have been experimenting with numerous aspects of this subscription, since security is such a high priority these days, especially for the SMB (small businesses are statistically far more more likely to... read more
Alternatives to SharePoint and OneDrive
01Sep

Alternatives to OneDrive and SharePoint (and when to consider them)

One of the things I often get asked about is how to deal with various limitations in OneDrive and SharePoint Online. For those who don’t know, SharePoint Online is the file storage & sharing solution underpinning the Microsoft 365 universe of applications, including the popular... read more
11Apr

New ransomware variant also finds & deletes backups?!

I recently came across this forum thread on Veeam's website, which scared the crap out of me. Coincidentally, Veeam published this article the same day. If these reports are accurate, then it means most organizations have some work to do to better secure themselves against... read more
10Sep

Revisiting Baseline Policies in Microsoft 365

Microsoft has been doing more to make secure configurations easier to implement for admins. But, from my testing and experience, I still have reservations about some of them. Let's review. Conditional Access Baseline Policies There are presently four baseline policies available under Azure AD > Security >... read more
18May

5 Tips to Help Tighten your Security Using BIOS/UEFI

In the olden days of PC's, BIOS or "Basic Input-Output System" was something only the nerdy computer geeks were aware of, and the typical user never really went in there, or ran any kind of updates for it, unless explicitly instructed to by a support... read more
26May

Migration path from SBS to Office 365 & Windows Server 2016

So many small businesses adopted Microsoft's Windows Small Business Server (SBS) product--now that the product has been discontinued, these organizations tend to need a little more guidance regarding the migration path forward from SBS 2003, 2008 or 2011. Do I still need an On-premises Windows Server? With the option to... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me