Office 365 vs. Your Information Security Program

As you compare Office 365 with your company's security program, evaluate both internal and external threats.  Many security professionals focus on external threats, but industry breach reports consistently show that internal threats (malicious insiders as well as accidental exposure by employees) are more common than external ones.  I have found that NIST has a lot of great resources that can be leveraged to build your information security program.  Microsoft and many other cloud vendors are very transparent about their security and privacy policies in the Trust Center.  Below are six factors that should be part of your evaluation of Office 365 services versus applications hosted by your organization.


  1. The Team

Most of my security discussions with customers start with asking the customer to bring their security team in to discuss their security program versus Office 365.  If they have a large team, the discussion may continue; if not, I point out that Microsoft has invested more than a billion dollars in security and has thousands of security professionals.  Microsoft has two teams of security experts, one known as the red team and one known as the blue team.  The job of the red team is to break in, and the blue team is tasked with detecting and stopping them.


  2. Secure Score

If you already have Office 365, we recommend evaluating your Secure Score.  This is a scoring dashboard provided with Office 365 that rates your tenant against Microsoft's recommended controls (for example, multi-factor authentication for administrators or mailbox audit logging), recommends the next improvements, and lets your organization see the effect each improvement has on the score before and after it is applied.  Secure Score is available to all Office 365 customers.


  3. Continuous Monitoring

If your organization is considering going all-in with the Microsoft cloud, you should consider Microsoft 365 E5.  This SKU is still called Secure Productive Enterprise, but that will change in Microsoft documentation soon.  The suite includes Advanced Security Management, which provides anomaly-based threat detection, policy-driven activity alerts, and discovery of the cloud apps in use from your firewall and proxy logs.  Advanced Security Management can also be purchased as an add-on SKU for $3 per user per month if you don't want everything in the suite.  Because it ships with prebuilt policy templates, it is more likely to get used than many of the tools purchased by our customers that sit idle after they are installed.  Buying best-of-breed security solutions can be an effective strategy; just make sure you have the staff and budget to integrate best-of-breed security systems.


  4. Device Protection

Securing your network and applications is not enough if your devices are not secure.  Windows 10 is the most secure operating system ever offered by Microsoft.  We are upgrading many customers from Windows 7 and implementing Windows Defender for malware protection and BitLocker for full-disk encryption.  System Center Configuration Manager can help keep your systems patched and updated.  Intune (included in Microsoft 365 E5) is an integrated mobile device management solution that enforces device policies, including a remote full or selective wipe when a device is lost or stolen.  The same caveat applies here: best-of-breed security solutions can be an effective strategy, just make sure you have the staff and budget to integrate them.
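The baseline described above (Defender active and up to date, BitLocker protecting the OS drive) is easy to assert with the PowerShell modules that ship in Windows 10. The following is an added example, not code from the original post; the function name and the three-day signature-age threshold are assumptions, and it must be run from an elevated prompt.

```powershell
# Added example: report whether a Windows 10 device meets the endpoint baseline
# described in this section. Uses the built-in BitLocker, Defender and TPM
# modules; run elevated. Test-EndpointBaseline and the 3-day threshold are
# illustrative choices, not Microsoft defaults.
function Test-EndpointBaseline {
    $tpm = Get-Tpm
    $os  = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $mp  = Get-MpComputerStatus

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        TpmReady           = ($tpm.TpmPresent -and $tpm.TpmReady)
        # Only count the OS drive as protected when encryption has finished
        # and protection is actually switched on (not suspended).
        OsDriveEncrypted   = ($os.VolumeStatus -eq 'FullyEncrypted' -and $os.ProtectionStatus -eq 'On')
        KeyProtectors      = ($os.KeyProtector.KeyProtectorType -join ', ')
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        SignatureAgeDays   = $mp.AntivirusSignatureAge
        LastQuickScan      = $mp.QuickScanEndTime
    }
}

$result = Test-EndpointBaseline
$result

if (-not $result.TpmReady) {
    Write-Warning "TPM not present or not ready; BitLocker will fall back to password/USB protectors."
}
if (-not $result.OsDriveEncrypted) {
    Write-Warning "OS drive is not fully encrypted with protection on; check for a suspended BitLocker state."
}
if (-not $result.RealTimeProtection -or $result.SignatureAgeDays -gt 3) {
    Write-Warning "Defender real-time protection is off or signatures are older than 3 days."
}
```

When rolling this out across a fleet, also confirm that the BitLocker recovery password in `KeyProtectors` has been escrowed (to Active Directory or Azure AD); an encrypted drive whose recovery key was never backed up becomes a data-loss problem the first time a TPM is cleared.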


  5. Data Loss Prevention

Office 365 provides integrated options for encryption, data loss prevention (DLP), and information protection.  These solutions protect against employees sharing personally identifiable information (PII) and sensitive/confidential data outside the organization.  Policies can be created by the compliance team to align with industry standards and regulations; built-in templates cover common regimes such as HIPAA and PCI DSS.  Here is an example of the new policy template for Personally Identifiable Information supporting content in email, collaboration, and personal storage:


To classify documents at the user level, label templates for common scenarios exist and can be customized for organizational needs.
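The PII policy template shown above is configured in the admin center, but the same policy can be scripted, which makes it reviewable and repeatable across tenants. The following is an added example, not from the original post: it assumes an existing Security & Compliance PowerShell session (`Connect-IPPSSession` from the ExchangeOnlineManagement module) with compliance-administrator rights, and the policy and rule names are illustrative.

```powershell
# Added example: build the PII DLP policy described in this section from
# Security & Compliance PowerShell. Assumes Connect-IPPSSession has already
# been run with compliance-admin rights. Names are illustrative.

# Scope the policy to mail (Exchange), collaboration (SharePoint) and
# personal storage (OneDrive), matching the three workloads in the template.
New-DlpCompliancePolicy -Name "PII Protection" `
    -Comment "Blocks sharing of U.S. PII outside the organization" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications   # start in test mode; users see tips, nothing is blocked yet

# Rule: content containing at least one SSN or credit card number that is
# shared with people outside the organization is blocked, the owner is told,
# and an incident report goes to the site admin.
New-DlpComplianceRule -Name "PII - block external sharing" `
    -Policy "PII Protection" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Credit Card Number";               minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent All

# Verify the scope before enforcing.
Get-DlpCompliancePolicy -Identity "PII Protection" |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation

# After reviewing the incident reports from test mode, switch to enforcement.
Set-DlpCompliancePolicy -Identity "PII Protection" -Mode Enable
```

Starting in `TestWithNotifications` rather than `Enable` is the practical check here: the sensitive-information types are pattern-plus-checksum matches, so a week of test-mode incident reports tells you the false-positive rate (for example, order numbers that happen to pass the credit-card Luhn check) before anyone's email is blocked.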

Recently I received a confidential email from a partner, and the email was set up so I could not forward, print, or even screenshot the information:


  6. Authentication

Recently our team completed a security audit for an organization with several hundred users, of which 18% were Active Directory Domain Administrators!  They did not have any single sign-on applications, so they had a tough time forcing password resets when an administrator left the company.  Office 365 with Azure Active Directory Premium makes it easy to enforce password policies and allows users to have a single login to both on-premises and cloud applications.  At a minimum, I would recommend two-factor authentication for administrators and implementing just-in-time admin access.  At Xgility, we have enabled two-factor authentication for all users.  We find the Microsoft Authenticator app to be the best way to implement two-factor authentication.  On our Windows 10 devices we have enabled facial recognition using Windows Hello.
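The 18% figure from that audit is the kind of number worth computing for your own directory before comparing anything with Office 365. The following is an added example, not from the original post or the audit it describes: it enumerates privileged Active Directory groups (including nested membership), reports the ratio against enabled users, lists the accounts a reviewer should look at first, and then checks which cloud Global Administrators still have no per-user MFA. It assumes the ActiveDirectory (RSAT) and MSOnline modules, an existing `Connect-MsolService` session, and an illustrative 10% warning threshold.

```powershell
# Added example: audit privileged accounts on-premises and in the cloud.
# Requires the ActiveDirectory module (RSAT) with read access to the domain,
# and the MSOnline module with Connect-MsolService already run.
# The 10% threshold and 90-day inactivity window are illustrative assumptions.
Import-Module ActiveDirectory

$privilegedGroups = "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"

# Resolve nested membership so admins hidden in sub-groups are counted too,
# then de-duplicate accounts that appear in more than one group.
$admins = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq "user" |
        ForEach-Object {
            Get-ADUser $_.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires
        }
}
$admins = @($admins | Sort-Object SamAccountName -Unique)

$enabledUsers = @(Get-ADUser -Filter 'Enabled -eq $true').Count
$ratio = if ($enabledUsers -gt 0) { $admins.Count / $enabledUsers } else { 0 }

"{0} privileged accounts out of {1} enabled users ({2:P1})" -f $admins.Count, $enabledUsers, $ratio
if ($ratio -gt 0.10) {
    Write-Warning "Privileged account ratio exceeds 10%; review membership for least privilege."
}

# Findings to act on first: disabled accounts still in an admin group (leavers
# who were never removed), admins with no logon in 90 days, and admins whose
# password never expires. A never-logged-on account has a null LastLogonDate
# and is deliberately treated as stale here.
$admins |
    Where-Object {
        -not $_.Enabled -or
        $_.LastLogonDate -lt (Get-Date).AddDays(-90) -or
        $_.PasswordNeverExpires
    } |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires |
    Format-Table -AutoSize

# Cloud side: Global Administrators (role name "Company Administrator" in
# MSOnline) that still sign in with a password only, i.e. no per-user MFA
# requirement is set.
$gaRole = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId |
    Where-Object RoleMemberType -eq "User" |
    ForEach-Object { Get-MsolUser -UserPrincipalName $_.EmailAddress } |
    Where-Object { -not $_.StrongAuthenticationRequirements.State } |
    Select-Object DisplayName, UserPrincipalName
```

Two caveats when reading the output: the cloud check only sees per-user MFA, so administrators protected by a Conditional Access policy instead will still be listed and need to be cross-checked against that policy; and a low Domain Admins ratio says nothing about service accounts or local administrators on workstations, which need their own enumeration.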



If you are looking for help comparing Office 365 to running collaboration workloads in your data center, make sure you consider the true cost of providing enterprise-class security in your data center.  Don't assume that just because you can see the server, it is more secure than the cloud.  If you are looking to build a custom return on investment (ROI) analysis for your organization, Microsoft has funding that pays for Xgility experts to assist.  If you would like to learn more, please contact us.