sb-eu logo
Story image

The good and bad of Office 365 security

19 Sep 2018

Despite the stigma that surrounds cloud security, the adoption of Office 365 is resulting in a positive advancement for security within most organisations. On the flip side, the challenge lies with the way it is being managed.

Running an email service is hard, very hard

Let’s start with the positives. Office 365 adoption, and going cloud in general, is good for security.

Running a mail server involves far more than just configuring user accounts. It means creating policies and managing servers, hardware and redundancy, including the design of the architecture.

That is all really hard. So hard in fact, most companies say “let’s outsource it to skilled architects and designers to get it right”. You need a team of administrators to keep a mail server running, and in this day and age that’s crazy.

At the end of the day, most organisations that run their own mail services it don’t run them well. Unless you are in large organisation you probably don’t do it well.

Cloud providers like Microsoft say “we can do security better than you” and I believe them. Office 365 is on the AustralianSignals Directorate’s cloud certification list, which means it has gone through lot of checking to show the processes are well managed. In fact, next week our company on-premises exchange server gets turned off permanently.

If you are not running a major enterprise with large teams, don’t run your own mail server.

The sky’s the limit for improvement

While Office 365 is a boon for end-users, it is a boon for criminals too.

Previously e-mail was internal to a company and it has slowly been expanding outside the organisation’s wall. Many organisations didn’t allow email access from outside the office and there was an inherent layer of security by excluding most of world. With the uptake of Office 365 we threw all that away.

With cloud-based services anyone can connect and that’s bad because of social networks like LinkedIn. Criminals start by targeting interesting people and these people are interesting because they put their hands up and say they are important.

In the cloud, the criminals can know more about your staff than you do.

Just this last week we had someone send an email to a sales manager purporting to be from the managing director. Luckily, they didn’t do a good job of impersonating the MD, but with Office 365 if someone managed to get hold of a user account there are no barriers to access and account control, so protecting access is imperative.

In another case, criminals read through a company’s emails and tried to scam $350,000 with one email.

If we are going to use Office365 then we need to start caring about user access management and anyone who works for a company gets turned off the day they leave. We need to change passwords often and implement multifactor authentication on cloud-based mail services.

A surprising number of businesses still don’t have forced password changes. If you have ever used a password anywhere it is possible it has been compromised, meaning criminals can log into a system, read emails and spend some time creating fake emails. We have run incident response for this very problem multiple times this year.

Another underused methodology is two-factor authentication and this is available free to Office 365 subscribers.

There is some setup for IT, but if anyone tries to connect to Office 365 from a new system it will send a request back to authenticate on the device. Someone has to say yes on an app to authenticate the user access so even if someone steals a username and password they still have to pass through another loop.

Speaking of two-factor authentication, SMS is another factor, but is not ideal as SMS porting is a real threat. By moving to authenticator apps for Office 365 you have raised the bar significantly for criminals.

Another underutilised technology is logging. There are logs available for “impossible travel”, whereby the service will detect if some has logged into the same account from different parts of the world within hours.

This is where we see all the cybercrime these days and it’s big business. The benefits of Office 365 adoption far outweigh the threats, but we must be prudent with the way cloud services are managed. Moving a service to the cloud does not mitigate every risk, and it is incumbent upon subscribers to demand more cloud security options.

Article by CQR Consulting chief technology officer and co-founder Phil Kernick.

Story image
Zero trust is the way to secure the distributed workforce - Empired
Existing security solutions need to evolve to accommodate the new remote workforce.More
Story image
Ripple20 threat has potential for 'vast exploitation', ExtraHop researchers find
One in three IT environments are vulnerable to a cyber threat known as Ripple20. This is according to a new report from ExtraHop, a cloud-native network detection and response solutions provider. More
Story image
Check Point acquires Odo Security to bolster remote security offering
The deal will integrate Odo’s remote access software with Check Point’s Inifinity architecture, bolstering the latter company’s remote security capabilities in a time where working and learning from home has become the norm, and looks to largely remain that way in the near future.More
Story image
The guide to digital security in unstable times
An increase in vulnerability across different sectors has meant that 2020 has seen more than its fair share of cybersecurity incidents. One of the most effective ways to combat the perils of today’s cyber-threats is to gain a better knowledge of the threat vectors looming over the heads of organisations. More
Story image
Gartner: By 2023, 65% of the world will have personal data covered under modern privacy regulations
“Security and risk management (SRM) leaders need to help their organisation adapt their personal data handling practices without exposing the business to loss."More
Story image
Jamf extends Microsoft collaboration with iOS Device Compliance
Organisations will soon be able to use Jamf for Apple ecosystem management while using Azure Active Directory and Microsoft Endpoint manager to maintain conditional access.More