Why you should take a real hard look at upgrading from Office 365 to Microsoft 365 this year
Alex Fields
Readers of this blog are probably already familiar with the differences between Office 365 and Microsoft 365 plans. But I still run into plenty of folks out there who think these are the same thing, or who believe this is for “cloud only” customers, and there are still others who do not yet grasp the importance of migrating to the more comprehensive “Microsoft” bundle.
I personally cannot recommend a standalone Office 365 subscription anymore. It doesn’t matter if you are still hybrid or heading toward cloud-only–the advice remains the same. Why?
Because we already live in the reality of a post-perimeter world. Therefore, you need a modern management platform that addresses the needs for a post-perimeter security model. The featured graphic for this post is a bit simplified since there remain other vectors as well, such as social engineering, physical loss or theft, and so on. But it still illustrates a good point: Most organizations do not have adequate coverage across the entire attack kill chain, and are woefully under-prepared for a breach event.
Now if organizations do not start moving toward the new management stack that is included in the Microsoft 365 bundle, they are going to have to answer the same concerns some other way–i.e. with third-party tools.
Building a post-perimeter infrastructure
Beyond the perimeter, we have several considerations that we must take into account when we are erecting our new information systems (many of which are likely to be based in the cloud).
Protection from advanced and zero-day threats is built-in with Office 365 Advanced Threat Protection, and covers web links, email attachments and anti-spoofing/anti-phishing detection. You would need third-party services to cover this if you didn’t get it natively through a Microsoft plan such as Microsoft 365 Business or E5.
Modern identity management with strong authentication including MFA and Conditional Access is baked into every Microsoft 365 plan. Ideally, any alternative solution you compare it with should also allow you to connect all your apps via SAML for single sign-on (you don’t want to be managing umpteen different identities for each user).
Endpoint management so that you can enforce device compliance and security policies, push applications and updates, and more–whether the device is in the office or not. Microsoft Endpoint Manager does the job nicely, but otherwise you’d have to find an alternative MDM.
Management for unmanaged / personal devices: Microsoft has somewhat of an unfair advantage in this space since they own the productivity apps, and this allows us to manage at the application layer, creating boundary lines between corporate and non-corporate data on unmanaged endpoints.
Information protection & rights management is provided by Azure Information Protection, and this enables Office 365 Message Encryption for email as well as sensitivity labels for messages and files. The idea here is that you can wrap your security boundary around individual pieces of data, rather than requiring that data to live in a protected “container.” Old world security was based on containers and perimeters, but in this paradigm we can label content and know that it is protected whether it lives on our cloud or on some other, whether on corporate or non-corporate devices.
Not to mention other governance must-haves like Data Loss Prevention and Retention–again, these are all included with Microsoft 365, and they integrate nicely into places like Microsoft Cloud App Security: a Cloud Access Security Broker or CASB solution that can help you get more granular with your security & compliance policies, to automate incident response, and to bring the same level of security and compliance that you enjoy with Microsoft to other third-party cloud apps.
If you are attempting to cover all these same bases with third parties, I think you will quickly end up with more complexity and more cost in your new architecture than if you just moved up from an Office 365 to a Microsoft 365 plan (especially since you still need your Office productivity suite at the end of the day, and a place to host your files and email besides).
For more details on the migration path from traditional infrastructures, such as Windows Server Active Directory, check out my recent migration guide.