An introduction to Microsoft Office 365 security

The Microsoft Office 365 security features are robust, but may not offer the granularity some enterprises need. Expert Dave Shackleford reviews the security pros and cons of Microsoft's cloud-based productivity suite.

With the end of Windows XP, more organizations are migrating to new operating systems, and in turn taking the opportunity to explore different service models for applications. While there are numerous cloud-based office applications available today, one that is getting a lot of traction and attention is Microsoft Office 365.

This tip explores the key Microsoft Office 365 security technologies, as well as the potential security issues enterprises should be aware of and how to overcome them.

Office 365 security: Features

Microsoft Office 365 runs in a typical multi-tenant public cloud environment. Active Directory containers are used for isolation and segregation of customer data, but Microsoft also makes a separate Office 365 environment available to customers at additional cost.

All access to the Office 365 infrastructure is performed via strict role-based access control (RBAC) techniques that use a "lockbox" approach. This is where engineers request access for specific tasks that are independently verified and vetted each time, with access duration and monitoring applied.

All network connections to Office 365 also use SSL/TLS over the Internet by default. Within the Office 365 environment, stored data is encrypted with BitLocker, Microsoft's encryption feature that leverages the Advanced Encryption Standard algorithm.

Office 365 has customizable encryption policies that can be applied to stored content or used to sign documents. The Windows Rights Management Service allows administrators to specify who can access encrypted content, what type of access a user has and when they can access the content. In addition, Microsoft now offers configurable encryption for email. Office 365 message encryption is built on Azure Rights Management, which allows administrators to flexibly control when and how encryption is applied depending on a number of customizable attributes, including content keywords or internal vs. external recipients.

Spreadsheet editing using the Office 365 Excel Web App

Administrators can control all access to Office 365 by taking advantage of the built-in Active Directory identity platform from Azure, or by integrating with internal Active Directory stores using on-premises Active Directory. Other directory stores and identity systems include Active Directory Federation Services and third-party Secure Token Services, like those from vendors SecureAuth or Swivel. More advanced federation can be configured to support true single sign-on, allowing enterprise users to authenticate to Office 365 with their existing domain credentials while also tying in multifactor authentication options and client-based access controls for simple NAC functionality. For example, users trying to access Office 365 from public wireless connections or public computers could be restricted using client access policies.

Office 365 security: Benefits

One of the more compelling features within Office 365 is data loss prevention (DLP) policy control. With Exchange Online and Outlook 2012, security administrators can develop DLP rules that alert users when they are trying to send email with content or attachments matching well-known or custom patterns for sensitive information. Content can be allowed with a warning, allowed with an explicit policy override that notifies administrators, or blocked entirely based on sender, receiver, internal and external addresses, domains and more. DLP is currently being developed for Microsoft OneDrive, a cloud-based storage drive accessed from users' mobile devices, laptops and desktops. The OneDrive DLP features are expected to debut this month.
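As an added illustration (not from the original article and not Microsoft's implementation), this Python model shows how a pattern-based DLP rule of the kind described above can choose between warning, override and block based on content matches and recipient scope. The disposition names, the bulk threshold, the `example.com` internal domain and the sample messages are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
BULK_THRESHOLD = 5  # assumed policy value: this many hits means no override is offered

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order IDs and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text: str) -> list[str]:
    """Return the checksum-valid card numbers found in a message body."""
    candidates = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    return [c for c in candidates if luhn_ok(c)]

@dataclass
class Message:
    sender: str
    recipients: list[str]
    body: str
    override_reason: str = ""  # justification the sender typed after the warning

def evaluate(msg: Message, internal_domain: str = "example.com") -> tuple[str, bool]:
    """Return (disposition, notify_admin) for one outbound message."""
    hits = find_cards(msg.body)
    if not hits:
        return "deliver", False
    suffix = "@" + internal_domain
    if all(r.lower().endswith(suffix) for r in msg.recipients):
        return "deliver_with_warning", False   # internal only: warn the sender
    if len(hits) >= BULK_THRESHOLD:
        return "block", True                   # bulk data leaving the organization
    if msg.override_reason:
        return "deliver_with_override", True   # allowed, but administrators are told
    return "block_pending_override", False

if __name__ == "__main__":
    card = "4111 1111 1111 1111"  # constructed test number; addresses are made up
    for to, body, why in [("b@example.com", card, ""), ("x@partner.test", card, "refund"),
                          ("x@partner.test", "Order 1234 5678 9012 3456", "")]:
        print(to, evaluate(Message("a@example.com", [to], body, why)))
```

The checksum step is what keeps a 16-digit order number from triggering the rule; a rule built on the regular expression alone would flag it.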

Office 365 also has a powerful set of e-discovery policies, available within the Office 365 eDiscovery Center. Access to the eDiscovery Center can be delegated to a compliance or legal officer using RBAC, and the tools allow for simple searches across all Office 365 data storage including email, documents and site mailboxes, with the ability to preserve data. Antispam and antimalware controls are also built into Office 365, and administrators can configure some aspects, such as blocking sensitivity and alerting.

Office 365 security: Drawbacks

One downside to the service is the lack of malware and spam email evidence available to customers from Microsoft. As Microsoft blocks attachments and spam emails, it does not provide the blocked content to customers for threat intelligence and malware analysis. For larger organizations seeking to bolster security intelligence by mining spam and phishing data, this may prove to be a big downside to an otherwise valuable security offering.

The DLP service, while admin-friendly, is fairly simplistic, which may prove to be less granular and configurable than some organizations need.

Finally, while Microsoft has met a number of compliance requirements ranging from EU data protection laws to HIPAA and ISO 27001, there is still some risk in placing sensitive data into a cloud environment, and organizations will continue to be liable for their regulatory concerns regardless of the outsourcing model chosen.


Overall, Office 365 aims to offer a powerful and flexible set of cloud application services that include a broad range of security features. As more security features are added, with additional configuration capabilities for consumers, organizations that transition to Office 365 in the coming years will find that its security is more than capable of meeting most enterprises' needs.

About the author
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO at Configuresoft, as CTO at the Center for Internet Security, and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, as well as the co-author of Hands-On Information Security from Course Technology. Recently, he co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.
