Office 365 vs. Your Information Security Program

As you compare Office 365 versus your company’s security program, you should evaluate both internal and external threats.  Many security professionals focus on external threats, but data shows that internal threats are more common than external threats.  I have found that NIST has a lot of great resources that can be leveraged to build your information security program.  Microsoft and many other cloud vendors are very transparent about their security and privacy policies in the Trust Center.  Below are six factors that should be part of your evaluation of Office 365 services versus applications hosted by your organization.


  1. The Team

Most of my security discussions with customers start with asking the customer to bring their security team in to discuss their security program versus Office 365.  If they have a large team, the discussion may continue; if not, I point out that Microsoft has invested more than a billion dollars in security and has thousands of security professionals.  Microsoft has two teams of security experts, one known as the red team and one known as the blue team.  The job of the red team is to break in, and the blue team is tasked with stopping them.


  2. Secure Score

If you already have Office 365, we recommend evaluating your Secure Score.  This is a gamification tool provided with Office 365 that makes recommendations and allows your organization to see the effects of security improvements in your environment.  Secure Score is available to all Office 365 customers.


  3. Continuous Monitoring

If your organization is considering going all-in with the Microsoft cloud, you should consider Microsoft 365 E5.  This SKU is still called Secure Productive Enterprise, but that will change in Microsoft documentation soon.  It includes Advanced Security Management.  Advanced Security Management can also be purchased as an add-on SKU for $3 per user per month if you don’t want everything in the suite.  Since this tool comes with multiple templates, it is better than many of the tools purchased by our customers that often don’t get used after they are installed.  Buying best-of-breed security solutions can be an effective strategy; just make sure you have the staff and budget to integrate best-of-breed security systems.


  4. Device Protection

Even if your network and applications are secure, that won’t be enough if your devices are not.  Windows 10 is the most secure operating system ever offered by Microsoft.  We are upgrading many customers from Windows 7 and implementing Windows Defender for virus scanning and BitLocker for encryption.  System Center Configuration Manager can help keep your systems patched and updated.  Intune (included in Microsoft 365 E5) is an integrated mobile device management solution that enforces policies, including what to do if a device is lost or stolen.  Again, buying best-of-breed security solutions can be an effective strategy; just make sure you have the staff and budget to integrate best-of-breed security systems.


  5. Data Loss Prevention

Office 365 provides integrated options for encryption, data loss prevention, and information protection.  These solutions protect against employees sharing personally identifiable information and sensitive/confidential data.  Policies can be created by the compliance team to align with industry standards.  Here is an example of the new policy template for Personally Identifiable Information supporting content in email, collaboration, and personal storage:


To classify documents at the user level, templates for common scenarios exist and can be customized for organizational needs.

Recently I received a confidential email from a partner, and the email was set up so I could not forward, print, or even screenshot the information:
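The PII policy described above is normally built in the Security & Compliance Center UI.  The following is an added example, not configuration from the original post or from Microsoft, showing the same kind of policy created with Security & Compliance PowerShell: it watches for U.S. Social Security Numbers across email, SharePoint and OneDrive, shows the user a policy tip on a few matches, and blocks external sharing and raises an incident report on a bulk match.  It assumes the ExchangeOnlineManagement module, an account holding a compliance role, and the built-in sensitive information type name shown; the policy and rule names and the 10-match threshold are made up for the example.

```powershell
# Added example (not the post's own configuration): a DLP policy for US SSNs.
# Assumes the ExchangeOnlineManagement module and a Compliance Administrator account.
Connect-IPPSSession

$policyName = 'PII - US SSN (example)'   # constructed name

# Start in test mode so the compliance team can review matches before enforcing.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detect and block bulk external sharing of SSNs' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule 1: one to nine SSNs shared outside the organization -> policy tip only.
New-DlpComplianceRule -Name "$policyName - low volume" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1'; maxCount = '9' } `
    -AccessScope NotInOrganization `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This content contains Social Security Numbers. Confirm the recipient needs it.'

# Rule 2: ten or more SSNs shared externally (example threshold) -> block access and report.
New-DlpComplianceRule -Name "$policyName - bulk" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '10' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All -ReportSeverityLevel High

# Once the test-mode matches look right, switch the policy to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Running the policy in test mode first is the check that matters: a rule that blocks on a single match of a broad pattern generates false positives that users learn to ignore, while the count-based split keeps the blocking rule for the cases that actually look like a bulk leak.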


  6. Authentication

Recently our team completed a security audit for an organization with several hundred users, of which 18% were Active Directory Domain Administrators!  They did not have any Single Sign-on applications, so they had a tough time forcing password resets when an administrator left the company.  Office 365 with Azure Active Directory Premium makes it easy to enforce password policies and allows users to have a single login to both on-premises and cloud applications.  At a minimum, I would recommend two-factor authentication for administrators and just-in-time admin access.  At Xgility, we have enabled two-factor authentication for all users.  We find the Microsoft Authenticator app to be the best way to implement two-factor authentication.  On our Windows 10 devices we have enabled facial recognition using Windows Hello.
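The 18% figure above is the kind of number an audit should surface before an attacker does.  As an added example (not a script from the original post or from Xgility), the following PowerShell computes the share of enabled users who are Domain Admins, including nested group membership, and lists privileged accounts that have not logged on recently or have an old password, which are the usual candidates for removal or for just-in-time access instead of standing membership.  It assumes the ActiveDirectory RSAT module and a domain-joined account that can read the directory; the 2% warning threshold and the 90/180-day cutoffs are constructed values.

```powershell
# Added example (not the post's own code): audit Domain Admins membership against the
# enabled user population and flag stale privileged accounts.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

$enabledUsers = @(Get-ADUser -Filter 'Enabled -eq $true')

# Resolve nested membership so admins hidden behind a group-in-group are counted too.
$domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate, PasswordLastSet } |
    Where-Object { $_.Enabled })

$adminShare = [math]::Round(100 * $domainAdmins.Count / [math]::Max($enabledUsers.Count, 1), 1)
Write-Host ("{0} of {1} enabled users ({2}%) are Domain Admins" -f $domainAdmins.Count, $enabledUsers.Count, $adminShare)

# Example threshold: a handful of named admin accounts is the least-privilege target, not a percentage.
if ($adminShare -gt 2) {
    Write-Warning 'Domain Admins membership is far above a least-privilege baseline; review each account.'
}

# Privileged accounts with no logon in 90 days or a password older than 180 days (constructed cutoffs).
$staleCutoff = (Get-Date).AddDays(-90)
$pwdCutoff   = (Get-Date).AddDays(-180)
$domainAdmins |
    Where-Object { ($_.LastLogonDate -lt $staleCutoff) -or ($_.PasswordLastSet -lt $pwdCutoff) } |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize
```

Run it from a workstation with RSAT rather than on a domain controller, and repeat it on the other built-in privileged groups (Enterprise Admins, Schema Admins, Administrators) by changing the `-Identity` value; the stale-account list is the input for the password-reset and offboarding problem the audit described.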



If you are looking for help comparing Office 365 to running collaboration workloads in your data center, make sure you consider the true cost of providing enterprise-class security in your data center.  Don’t assume that just because you can see the server it is more secure than the cloud.  If you are looking to build a custom return on investment (ROI) analysis for your organization, Microsoft has funding that pays for Xgility experts to assist.  If you would like to learn more, please contact us.


Author:  Kurt Greening

Editors:  Alex Finkel and Chris Ertz

Top Azure Consulting Companies

Below is a list of what I believe are the top Azure consulting companies in the DC Metro area, including Maryland, Northern Virginia, and Washington D.C.  The ratings are based mostly on industry insider knowledge, including factors such as satisfaction of known customers, consultant turnover, and experience with key third-party solutions from the Azure Marketplace.  Top companies do more than just migrate virtual machines to Azure; they also offer services to transform applications using the power of the cloud.

The top Azure consulting companies are active speakers in local user groups, Microsoft Gold Partners, Cloud Solution Providers, and participate in Microsoft programs such as Azure Everywhere Assessments/Pilots/POC, Go Fast, and Software Assurance Planning Days.

Azure is new and is rapidly evolving.  As Microsoft customers move from installing packaged software on servers to the cloud, this creates opportunities for new partners and may change trusted relationships with customers and vendors.  You should expect this list to be updated frequently.  The list below is in no particular order (so don’t email me to complain if your company is #9, we can still be friends).


Booz Allen Hamilton

These guys have a pretty large Microsoft practice focused primarily in the Federal government.  Their customers include most of the intelligence community and the Internal Revenue Service (IRS).  Dan Usher is as active in the Azure technical community as he is in the SharePoint community.



Accenture

These guys are large, national, and prefer to work on the biggest projects.  They have a large presence in the Federal government, including DHS, and the Fortune 1000.  Our team regularly sees Accenture consultants at local Azure user groups.



Xgility

Xgility started as a SharePoint consulting and application development company.  Over the last few years we have recognized that the Microsoft cloud reduces the time to market and deploy technology solutions for our customers.  Recent projects include developing mobile field agent reporting apps, a proof of concept (POC) lab for a government customer, migrating virtual machines to Azure for a large trade association, and modernizing an ecommerce application for a major insurance company to take advantage of Platform as a Service.  Xgility is a Gold partner, CSP, GSA schedule holder, and a certified small business.



CSRA

CSRA traditionally has been a provider of general IT program management services.  In the past they have hosted customers in their data center and implemented mostly private cloud (virtual server) environments.  Recently they have stepped up their commitment to Microsoft and Azure specifically.  Our team has had the opportunity to work with them on past projects in the Federal Government.



AIS

AIS, also known as Applied Information Sciences, grew out of small business status by performing mostly on government contracts.  While not as active in the user group community as some, they still have a good (mostly federal) customer base in the DC metro area.


Planet Technologies

Planet Technologies is a Microsoft partner headquartered in Montgomery County, MD.  They have a good presence in state and local government and also do federal work.  Patrick Curran, one of their consultants, is an active speaker in the Azure and SharePoint communities.



If you have implemented SaaS solutions like Office 365 and SalesForce, it may be time to evaluate moving the servers in your data center to a public cloud.  Have you worked with another Azure consulting company that you really like?  Drop us a note.



Author:  Kurt Greening

Editor:  Alex Finkel