Office 365: How to Mitigate Security and Compliance Shortcomings

February 10, 2015
Proofpoint Staff

Here’s what you need to know about Office 365 security limitations

Many organizations are making the leap to Microsoft Office 365, a set of cloud-based email and collaboration tools, as they look to achieve cost benefits and offload a commodity service such as email to a trusted partner.

Because security is included in Office 365 at no extra cost, companies see this as a great benefit. But trusting Microsoft with email is different from trusting the company with email security.

While Office 365 offers a flexible set of application services that can deliver benefits such as lower and more predictable costs, faster deployment of services and the ability to quickly and easily upgrade or downgrade capabilities, the security features provided with the offering might not be sufficient for the enterprise.

The platform has a number of security limitations, according to the report “Office 365: CXO’s Guide to Security & Archiving Challenges,” produced by Osterman Research Inc. and sponsored by Proofpoint.

The report notes that Microsoft offers several security capabilities in Office 365, such as anti-virus and anti-spam filtering, physical access controls and employee access that is restricted by job function. But in some areas security is clearly lacking. Here are some of the drawbacks cited in the study:

  • All Office 365 plans offer administrator management of the spam quarantine, but some plans allow this only via direct access to the Exchange Admin Center management interface.
  • Office 365 doesn’t directly support the deployment of redundant spam filters in parallel with Office 365’s built-in spam protection.
  • Office 365 does not offer more advanced, targeted threat-protection techniques, such as real-time link following and sandboxing, beyond reputation checks.
  • The platform also does not support taking an action on an email containing a link solely on the basis of the URL’s reputation.
  • The platform does not help users on mobile devices determine whether a Web link in an email is safe or malicious.
  • The email encryption capabilities of Office 365 are missing key features, such as end-user revocation of messages that might have been sent to an unintended recipient.

IT and security executives need to address these challenges before their organizations launch Office 365 initiatives. This includes adding layers of protection to make sure that data remains secure.

For example, they can deploy solutions that provide an additional layer of advanced threat protection and compliance functionality. Companies running Office 365 need this in order to stop phishing attacks and comply with a variety of regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the PCI Security Standards Council’s standards.

Having layered security in place lets organizations fully leverage the benefits of Office 365 without jeopardizing information security or compliance efforts across different areas of exposure.

For instance, advanced threat protection tools can complement the email security features built into Microsoft Office 365 by protecting sensitive data from targeted spear-phishing and zero-day malware attacks.

In terms of compliance, privacy tools available on the market can provide regulatory compliance functionality that automatically identifies a range of sensitive data such as credit card numbers and healthcare records. Finally, eDiscovery technology can improve legal discovery capabilities with features such as rapid search insight, legal hold capabilities and granular retention policies.
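To make the content-identification step concrete, the following is an added example (written for this page, not code from Proofpoint, Osterman Research or Microsoft) of the simplest form of the check such a compliance layer performs on outbound mail: find digit runs that look like payment card numbers, confirm them with the Luhn check to weed out order numbers and similar false positives, and return a policy verdict with the number masked for logging. The message bodies, message IDs and the "quarantine"/"deliver" actions are constructed for the example; a real deployment would plug the verdict into the mail gateway's policy engine and cover the other data types (healthcare records and so on) the paragraph mentions.

```python
import re
from typing import Dict, List

# Constructed sample messages (not taken from the original post).
SAMPLE_MESSAGES = {
    "msg-1": "Hi, please charge my card 4111 1111 1111 1111 for the invoice. Thanks!",
    "msg-2": "Order reference 1234 5678 9012 3456 shipped today.",
    "msg-3": "Meeting moved to 3pm, room 204.",
}

# Candidate primary account numbers (PANs): 13-19 digits, optionally grouped
# by single spaces or hyphens, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return separator-free PANs found in text that also pass the Luhn check."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last four digits so the log itself does not leak the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def classify_message(body: str) -> Dict[str, object]:
    """Policy verdict for one message: quarantine if a valid PAN is present."""
    pans = find_card_numbers(body)
    return {
        "contains_pan": bool(pans),
        "action": "quarantine" if pans else "deliver",
        "masked": [mask_pan(p) for p in pans],
    }


def scan_messages(messages: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Run the classifier over a batch of message-id -> body pairs."""
    return {mid: classify_message(body) for mid, body in messages.items()}


if __name__ == "__main__":
    for mid, verdict in scan_messages(SAMPLE_MESSAGES).items():
        print(mid, verdict)
```

Note that "msg-2" contains a 16-digit run that a pattern-only scanner would flag; the Luhn check is what keeps it out of quarantine, which is exactly the kind of precision a compliance tool needs to avoid blocking legitimate business mail.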

Office 365 offers compelling potential benefits for organizations. But without sufficient security provisions, the risks might outweigh the rewards.
