How do I make sure that the Office 365 security is what I want and need?

Office 365 does have some security measures embedded in it. However, security software is not a Microsoft core competence, so whilst it goes so far, it is often not enough for what you need for your business. You need to talk to a security specialist, one that is at the leading edge of security innovation to cover areas from multi-factor authentication, to cloud application control, to email security and web filtering, with the dashboards and reports that you need to be sure that everything is working just as it should be.

So what do each of those security areas do? Multi-Factor Authentication (MFA) ensures that the users are who they claim to be. CensorNet's Multi-Factor Authentication solution (formerly known as SMS PASSCODE) takes a number of factors into account, hereunder: the user’s location, whether he has logged in from this location successfully before or not, the time of log on, etc., before the MFA solution decides if a One-Time Passcode (OTP) should be sent to the user’s phone as text message, voice call or to an app. By embedding these multiple factors in to the login scenario you increase the security significantly. This security increase comes from those various factors but also due to the OTP being session specific and therefore linked to the user’s device and thereby preventing a hacker in case of capturing the passcode, to use on any other device than the one initiating the login. These factors are important but not part of Microsoft’s built-in two-factor authentication.

Easy configuration and control
Cloud Application Control means that you can see what cloud applications are being used, when and how. You will be able to see and stop a file from being downloaded from OneDrive or prevent a user from attaching files to emails and send them to a personal email account. If you are in a regulated industry or are responsible for safeguarding, then setting up word alerts across applications means that you can identify suspicious activities. If your business uses Facebook for marketing purposes then you need to allow access, but Cloud Application Control allows you the granularity to authorize or decline specific actions in Facebook. It could be preventing certain people from deleting an event or post; or it could be preventing others from uploading files, photos, etc. In this way you will be protecting productivity, your data and your network. Furthermore, CensorNet’s Cloud Application Control can provide Office 365 administrators with an easy way to configure a very granular control feature set that can even e.g. prevent Office 365 administrators from deleting groups or domains or prevent them from starting Office 365 setup.

Advanced threat protection
Email security with Office 365 is obviously key. Microsoft updates every 15 minutes for KNOWN viruses, but that isn’t enough to prevent spear-phishing attacks for example. You also want to make sure that your email is secure from malware, ransomware (the fastest growing form of attack today) and polymorphic threats in addition to phishing and spear-phishing attacks. At the same time you want an effective archive, you want links embedded in emails to be scanned (link scan), you want a quarantine system that means that end users can safely review emails without involving IT administrators and of course you want an emergency online inbox for the worst cases. All of this is built into the email security offering from CensorNet which is an advantage over the built in feature set and security from Microsoft.

Real-time link scanning
Using Link Scan, each URL, whether in email, SharePoint, OneDrive or indeed typed directly into the web, is checked as it is clicked in real-time against URL threat intelligence. If the link is not genuine or goes to a malicious site, then it is blocked in real-time. There is no way to override this, unlike in some solutions where employees can click continue, so the protection against ransomware, malware, phishing attacks, botnets and so on is as high as it can be.   

How can I trust the cloud access?
Of course you want to make sure that only your approved users can access your data in the cloud. By using CensorNet MFA (Multi-Factor Authentication) you can use the phones that your employees carry to send a challenge based and session specific One Time Passcode (OTP) via SMS, email or voicemail as they prefer. Of course, you don’t want to inconvenience your users when they are in the office with such things, so CensorNet MFA looks at the user’s location, maybe supplemented with the time of day and based on the rules you’ve set up to determine if a OTP is needed or not. This enforces a unique high level of security while still ensuring the smooth usability for the users. In CensorNet MFA you will find lots of advantages against Microsoft’s built-in two-factor authentication. Not only from a security point of view but also from a usability and stability point of view. For example, CensorNet MFA can provide automated fail-over between different passcode delivering mechanisms and the delivery can be based on the user’s location. An administrator can configure for example, so that if a user is logging in from e.g. the US they will receive a voice call and if they login from Europe they will receive an SMS.

How can I make sure that my data is not shared where I don’t want it to be?
In the good old days, your data was on a server in your premises behind physical lock and key with  firewalls in place in case someone tried to break in. Office 365 is stored on servers behind lock and key, but how do you monitor that your data isn't being shared where it shouldn’t be by the users? With in-house servers you’d be able to see access audit trails - how to do that when you don’t have those records?

The answer is a combination of multi-factor authentication (MFA) for accessing the data and the controls that Unified Security Service (USS) offers through its cloud application control and web and email security components.

MFA ensures only the right people in the right context can access your data.

USS gives you the dashboards so at a glance you know all is well. But in case someone does try to do something you don’t allow or something you want to be notified about – you will know. That could be someone downloading some data and then uploading it to Dropbox or someone who emails attachments to a personal email box, you can see it and block that action straight away preventing that data from going somewhere you don’t want it to be. Of course, the system also allows you to be proactive, so you can prevent downloads for example when in an airport, or after a certain time at night. You have a full audit trail for all the actions for compliance and regulatory authorities too.

How do I make sure that I have visibility of what is happening with my data if the admin is outsourced?
Through the Unified Security Service (USS) you have full pictorial dashboards that tell you exactly what threats have been thwarted, what approved and unapproved apps are in use, and so on. Probably more data than you had previously when you monitored your on-premise based solutions.


How can I be sure that the spam levels won’t go up if I roll out Office 365?
Some reports indicate that spam levels have gone up by 25% on the roll out of Office 365. Spam has a cost in possibly bringing in security threats, but at the very least it wastes storage resources and costs employee productivity. There is an email filter included with Office 365, but security solutions are not a Microsoft core competency, so the email filter is not at industry leading levels. To really protect your email from all kinds of spam and the associated threats (including phishing, malware, ransomware) then using the CensorNet Email Security module of Unified Security Service (USS) gives you the peace of mind that you want. CensorNet Email Security protects against spam and viruses as well as giving you a back-up online inbox in case the worst happens so that your business continuity is guaranteed. Spam is directed to a quarantine box that users can check for themselves removing an IT admin chore, plus links in emails are checked before they are delivered to further protect your systems against the most common distribution channel for ransomware.

How can I be certain that my data won't end up in the wrong hands?
The greatest fear of any company putting data in the cloud is that it's perceived as being out of their control. The trust has to be with the cloud provider that they are taking care of the data physically, but if the data is accessed by a web link, how can that be secured? How can you be sure that your staff’s credentials haven’t been compromised? Well instead of relying solely on a username and password (even if the passwords are strong ones, and let’s face it they are not), then add in CensorNet MFA for that added security. In the past you would have used hardware tokens that could give a passcode to log on to VPNs and the such like, but that was only simple two factor (something you know – password and something you have – the hardware token). With multi-factor authentication (MFA) the user’s location, the time of day, the system he is logging in to and more importantly the user’s session ID are all taken into account. Hence performing a very secure user authentication and effectively preventing malicious users from entering your systems. The code is not fetched from a database, but uniquely generated in real-time and therefore it can be linked to the user’s session, which put simply can be translated in to the user’s device at the login moment. Thereby it prevents malicious users/hackers from capturing the OTP and use from any other device than the one the user is using trying to login. The OTP is sent to the user’s phone as a SMS, email or voice message or to an app on the user’s smart phone.

If Office 365 goes down, how does my business continue?
An important factor using cloud applications is that you rely on somebody else ensuring access to your systems and data. But what happens if for some reason the solution is not available? By adding CensorNet’s Email Security module you will have a backup online mail box available for each of your users. This means that they will still get access to their emails and the business can continue with minimum impact for the users. And access to your customers’ communications are maintained even if your Office 365 email system is not available. The online mailboxes have the same high level of threat protection so are not a weak spot into your networks or a base for an attack.

I’m moving from on-premise to Office 365 and I have many exchange security rules set up, will they migrate over?
Unfortunately Office 365 migration doesn't include on-premise rules, so to prevent losing the additional security provided by your on-premise Exchange setup, roll out Unified Service Security (USS) from CensorNet including the Email Security and Cloud Application Control modules. USS offers a higher level of granularity, giving you more control than you had previously so that you know you are very well protected going forward.

I need to archive my emails for a number of years, how can this be achieved with Office 365?
There is a difference between on-premise archiving and Office 365. Your emails can be archived with the CensorNet Email Security module, so that you can be assured that they are there for the prerequisite number of years for compliance in your industry and profession.

Included in the solution is deletion protection (by allowing deletions only from quarantine not from the archives) which is useful, for example, for HR (in case of internal issues), to protect the company against litigation as evidence would still be there, and to help with information access requests, also known as subject access requests. With the latter if anything is kept back, whether in error or not, then as per the GDPR hefty fines can be issued, so having a good archiving system protects both the company's bottom line and reputation, as well as making your Data Protection Officer’s job easier.

Also in Office 365 if a hold is not put on a mailbox before deactivation it will be deleted in 30 days.  Therefore, in order to maintain compliance and retention in the event of human error forgetting to put an “in place hold” on, an alternative mailbox archive is needed.

In Office 365 mailbox owners and admin access audit reports are purged every 90 days, this gives a compliance issue. With CensorNet’s USS the admin audit data is held indefinitely, and user logs are kept for a minimum of 5 years, thus helping your company to remain compliant.

Footnote: All stats from