The Office 365 Security Lowdown for IT Pros   It’s no mystery that Microsoft has doubled down on cloud related endeavors as of late. In fact, Microsoft’s commercial cloud revenue…

The Office 365 Security Lowdown for IT Pros

Michael Gleason

I spend my days (and nights) explaining how the strengths of the cloud - high availability, scalability, and interoperability - can help us overcome what is often considered its greatest weakness: security.


Low on Time? Get a FREE Cloud Security Assessment Now


It’s no mystery that Microsoft has doubled down on cloud related endeavors as of late. In fact, Microsoft’s commercial cloud revenue grew 106% in the most recent quarter, fueled by the technology giant’s Office 365 and Azure offerings, leading to an annualized revenue run rate of $6.3 billion.

Adoption continues to accelerate – and for good reason. Office 365 gives users a comfortable and familiar means of entering the cloud ecosystem. Meanwhile, IT leadership is enjoying the familiar host of cloud benefits: financial and logistical perks, not to mention a vital boost to employee productivity.

But, what about Office 365 security, you ask. Microsoft offers an impressively rich array of security features built into Office 365, equipping security professionals with tools to protect their critical data assets.

“You can transfer workloads to the cloud, but not liability.” –Forrester Research. (2015, March). Market Overview: Cloud Data Protection Solutions

Office 365 Security

Built-In Office 365 Security Features

Microsoft has developed an extremely comprehensive security strategy around their cloud offerings, as detailed in their Office 365 Trust Center. Most notably, the compliance center within the Office 365 product to offer administrators a suite of security tools, including data loss prevention (DLP), eDiscovery, and archiving capabilities.

Simply put, Microsoft’s Data Loss Prevention (DLP) solution for OneDrive and SharePoint Online is powerful, capable of detecting the existence of sensitive information within the Microsoft ecosystem.

Preloaded with a number of templates for DLP policies or “rules” – many based on compliance regulations such as HIPAA, and PCI DSS – security and IT pros alike will undoubtedly come to love its simplicity and ease of use.

Administrators can tune policies to their liking, controlling a number of policy conditions, such as the threshold required to trigger a violation, i.e., there must be x matches of a credit card within a file.

Additionally, admins can tweak what Microsoft refers to as the confidence percentage of a policy, allowing security professionals to configure extremely tight policies with a very high true positive rate, or broaden their tolerance to ensure any potential incident worth investigating is captured.

Beyond their DLP solution, Office 365 offers three encryption solutions:

  • Rights Management Services allow users to control the way content is used, i.e., preventing forwarding or printing of a document.
  • Office 365 Message Encryption enables individuals to send encrypted content to any SMTP address – a handy feature when users are looking to send health records or sensitive financial information.
  • Finally, often used by government employees, S/MIME offers additional communication security in the form of public key encryption.

Additional Office 365 Security Considerations

Unified Multi-SaaS Control. Increasingly, today’s organizations are deploying multiple cloud applications. One of the most significant opportunities to compliment Microsoft’s security capabilities comes in the form of unifying security efforts across the entire SaaS portfolio.

Rather than relying on a solution comprised of the (highly variable) capabilities of individual SaaS providers or a number of point solutions, a unified multi-SaaS cloud cybersecurity solution offers a higher level of strength and efficacy – allowing security professionals to create and deploy data governance policies across multiple cloud applications. Incident management is also greatly simplified, allowing security admins to visualize the Office 365 activity feed in a single integrated console.

Account Compromise. As cybersecurity threats continue to grow, organizations must obtain rapid insight into potential threats through user behavior monitoring and threat protection. This can include anything from detecting activity from suspicious locations to alerting on a high frequency of user behaviors, potentially indicative of a malicious script.

While many platform providers offer behavior monitoring services (with an admittedly wide variance in the strength of such offerings from provider to provider), organizations continue to express a need to aggregate information across SaaS platforms and exercise control over what actions trigger an incident.

Sensitive Data Exposure. Whether exposed unintentionally by employees or externalized via cybercriminals, sensitive data within Office 365 must be protected. Continuously monitoring cloud environments – without impacting the end user experience – is critical to reducing the risk of exposing sensitive information.

Information governed by compliance regulations such as PCI DSS or SOX provides an obvious example, though security teams also need to keep an eye on far more: intellectual property, corporate roadmaps, and internal financials, to start.

Shadow IT and Connected Apps. Third-party applications play a large role in adding functionality to Office 365. Microsoft offers well over 1,000 opportunities to integrate with third-party SaaS providers (and many more in the Azure store), ranging from productivity apps, to sales and marketing tools, to visualization apps, and beyond.

Enabled by users through corporate credit credentials, these apps connect directly with corporate cloud applications, raising concern over their permission scope and the possibility of unintentional data exfiltration. To enjoy the benefits of third-party cloud applications securely, be sure to:

  • Discover apps connected to Office 365 and Azure AD via OAuth
  • Automate risk mitigation actions through policy-driven whitelisting and blacklisting
  • Leverage the insights of peers to determine what may constitute risky applications
  • Limit the access of the application, to ensure only necessary or appropriate access

It Looks Like You’re Trying to Secure Your Cloud Applications

Office 365 SecurityI can’t be the only one with fond memories of Clippy, arguably the best part of using Microsoft Office (versions ‘97 through 2003). Unfortunately, we don’t incorporate everyone’s favorite Office Assistant in our solution (RFE, anyone?).

We can, however, offer a no-strings-attached personal assessment to show how CloudLock can help you embrace the power of Office 365 and other cloud applications within your organization securely. If you’re not quite ready for an assessment, take a look at what CloudLock offers for Office 365 on your own time.

CloudLock Security Assessment



Browser Not Supported

Your browser version is outdated.

We would recommend you upgrade to a recent version to ensure that you have a good experience on the CloudLock site. Outdated browsers also increase your security risk. So please update your browser and come back later!

Click on the icon below to download the latest version of your browser