I often hear stories on my travels from IT teams who repeatedly face barriers related to security when implementing cloud services. The reality is that cloud services often include features that enhance security and reduce risk compared to legacy systems. Within this blog post, I will call out a small selection of the many features within Office 365 and the Enterprise Mobility Suite that can be used to help enhance security and reduce risk.
Encryption of E-mail with Office 365 Message Encryption
In the past, sending encrypted email to external contacts has required complex configuration and the prior exchange of certificates. Office 365 Message Encryption enables e-mail to be sent in an encrypted format without any prior arrangement with the recipient. To access the encrypted email, the recipient logs onto a secure website using an Office 365, Microsoft account or one-time password. The encrypted email is submitted to the website, decrypted and can then be viewed. The recipient can reply to the email and the reply is also encrypted.
This solution is useful for sending occasional emails that include sensitive data to external contacts. One scenario that we have recently implemented Office 365 Message Encryption for is a law firm that needs to e-mail sensitive documents to it’s clients.
Find out more about encryption of e-mail on TechNet
Encrypt and control documents usage with Azure Rights Management Services
Azure Rights Management Services (Azure RMS) is included with selected Office 365 subscriptions and as part of EMS. In addition to email messages, documents can also be encrypted and access to them controlled. RMS policies can be applied using an “enlightened” application, such as the Microsoft Office Suite, or the Microsoft Rights Management sharing application. The recipient must also access documents via an enlightened application. The service works by verifying a user’s access rights with Azure RMS prior to granting access to the document. Protection that can be applied includes:
- Prevent e-mails from being forwarded
- Grant each recipient change or read permissions on a document
- Set an expiry date on a document. After this date the document will no longer be accessible
- Prevent printing of a document
- Prevent copying of content within a document
Azure RMS also allows access to documents to be tracked via the Azure RMS tracking portal. It is possible to see who accessed a document when, and in addition revoke a user’s access to that document.
Find out more about encrypting and controlling documents on TechNet
Mobile Device Management with Office 365 MDM or Microsoft Intune
The ability to control data when it is on devices outside of the organisation is extremely important, both Office 365 and Microsoft Intune contain Mobile Device Management functionality. Microsoft Intune has a more comprehensive set of features, a comparison of the two can be found on TechNet.
Ensure only compliant devices are able to access data with Security Policies and Conditional Access
Security Policies enable administrators to control the security configuration of devices, such as encryption and password policies. If a device does not meet the applied security policy, then access Office 365 data can be denied until it becomes compliant.
Erase your organisational data from a lost or stolen device using Remote Wipe
Should a device be lost or stolen, or if an employee leaves the organisation, a remote wipe may be needed to reduce the risk of data getting into the wrong hands. A remote wipe can be carried out in one of two ways:
- Full Wipe - All data on the device is erased and the operating system restored back to factory defaults.
- Selective Wipe - Only data belonging to the organisation is wiped. All personal data and applications are left intact.
Azure Active Directory Premium
If you are still unaware of what Azure Active Directory is, now is the time to start learning. Azure Active Directory Premium includes additional features, many of which are security related. Two of my favourites are:
Azure Multi Factor Authentication
Before accessing a resource Azure Multi Factor Authentication (MFA) ensures the user is in possession of a device, not just their password. Possession of the device is verified by phone call, SMS or via a mobile app. This reduces the risk of data being accessed due to brute force hacks and stolen passwords. Azure MFA comes in two flavours:
- Azure MFA for Cloud Users - Used to protect Azure Active Directory user accounts that are used to access applications secured by Azure Active Directory. This could be a Microsoft service such as Office 365, Azure Remote App or a wide range of third party applications.
- Azure MFA Server - Used to protect on premise services such as IIS, VPN, ADFS and Remote Desktop Gateway accessed using Windows Server Active Directory Accounts.
Self Service Password Reset
Correctly verifying a user’s identities prior to resetting their password can be difficult. Self-service password reset enables users to reset not just their Azure Active Directory password, but also their Windows Server Active Directory password. Prior to resetting their password users must verify their identity by using one or more of the following methods:
- Security Questions - On initial log on users are prompted to answer a set of questions configured by the Directory Administrator. To reset their password, the user must respond with the same answers.
- Alternate Email - An email is sent to a preconfigured alternate email address that contains a verification code.
- Phone Call - A call is made to verify the user is resetting their password.
Find out more by visiting the Azure Active Directory Passwords getting started guide.
Microsoft Trust Centre
Not really a security feature, but worth a mention as it is a very useful resource when overcoming security concerns. The Microsoft Trust Centre can help to answer many questions related to security when utilising Microsoft Cloud Services such as Office 365 and Intune.
Microsoft Virtual Academy - Built in security and controls in Office 365 to stay protected
Microsoft Virtual Academy - Encryption in Office 365