Now that we’re moving more and more applications to the cloud, the big question becomes how secure they are. This involves two deeper questions: What is the vendor doing to achieve the best security in its operations, and what can you do to use the application in the most secure manner?
The second question is particularly important: if you suffer a breach or other incident that you could have prevented by configuring the service properly, whose neck will be on the block?
Microsoft is setting a good example for cloud providers in answering both of these questions, and it's doing so through the Office 365 Service Trust Portal. If you can't learn everything about Office 365 security there, you can come pretty darn close.
The Office 365 Service Trust Portal is not for everybody. To get to it, you have to be a subscriber to either Office 365, Azure Active Directory or Dynamics CRM Online. Even if you are a subscriber, you either have to be a global administrator for Office 365 for business or Azure AD, or you have to get your global administrator to “onboard” you to the portal.
Instructions on how to do this are available at https://support.office.com/en-us/article/Get-started-with-the-Service-Trust-Portal-for-Office-365-for-business-Azure-and-Dynamics-CRM-Online-subscriptions-f30e2353-0bd6-41ed-8347-eea1fb8d2662?ui=en-US&rs=en-US&ad=US.
Inside the Portal
Once you’re in, however, you have access to a lot of interesting and helpful stuff, most of which is in two sections, Compliance Reports and Trust Documents. Compliance Reports is a long list of all the official documents describing how Microsoft has complied with various security requirements. You can search the list by global region, industry or keywords in the document name.
For example, if you type “ISO” into the keyword search, you will discover that Microsoft has recently received full ISO 27001 certification for Office 365. This is a big deal, because ISO 27001 is one of the most demanding and comprehensive overall security management systems out there. You can see Microsoft’s ISO 27001 manual and its Statement of Applicability (SOA). The SOA is a spreadsheet that lists all of the ISO 27001 controls and how Microsoft is addressing them. This is a nice way to see the ISO controls without having to buy them from ISO.
Microsoft has more than 100,000 employees, and it's involved in almost every IT activity you can mention, so it's no surprise that it has chosen to address all of the ISO controls. That is probably more than any reader of this blog would want to do, not working for a huge company. Nevertheless, it's instructive for our own efforts as well as for learning about Microsoft.
Lots of other stuff is there, too. Searching for HIPAA, for example, brings up Microsoft’s HIPAA Business Associate Agreement. So Microsoft has done well in answering the “What is the vendor doing to achieve the best security?” question.
The stuff addressing what you can do is in the Trust Documents section. There are lots of white papers, FAQs, end-of-year reports and other Microsoft Confidential resources that are available to subscribers under the non-disclosure agreement you signed when you subscribed.
As Microsoft seems always to do, there are so many alternatives available here that you can get lost. But there is hope! Microsoft has developed two (relatively) simple ways to assess how good your Office 365 Security is and what you can do to improve it.
One is a new feature, the Office 365 Secure Score. This is a web-based tool that examines your Office 365 tenant and reports on how securely it is configured. It provides an overall score, like a credit score, but it also gives advice about what needs improvement. Acting on that advice requires genuine Office 365 administrator chops, such as knowing how to use PowerShell, so if you're a management type with administrative privileges, get a techie involved. The tool is also still in preview, so expect possible shortcomings.
The Security Considerations Reference Guide
The second really useful thing is the Office 365 Customer Security Considerations Reference Guide. Two documents in the Trust Documents section address this, a PDF with instructions about how to use the Guide, and the Guide itself, which is in an Excel workbook.
The workbook is divided into control scenarios, including Data Resiliency, Access Control, Data Leakage, Security and Compliance Investigations, and Incident Response and Recovery. Clicking on any of these will lead you to a spreadsheet discussing the relevant considerations. The Guide also sorts controls by Risk Assessment Scenarios, including Malicious Customer Administrator, Former Employee, Credential Theft, Malware, Trusted Device Compromised, Attacker Foothold and Microsoft Operators.
Once you get to a worksheet for either a Control Consideration or a Risk Assessment Scenario, you will see rows dedicated to particular considerations, their descriptions, a link to where you address the consideration in Office 365, and so on. For example, in the Incident Response and Recovery section, there is a consideration for Exchange to detect administrator role group changes, which you would use to "verify that high-privileged roles have not been assigned to any unauthorized users" and to search the audit logs to discover what changes administrators recently made.
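Here is one way to act on that consideration from Exchange Online PowerShell. This is an added example, not code from the Reference Guide or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the account running it can read the unified audit log, and the allowlist of approved members is a hypothetical one you would replace with your own.

```powershell
# Added example (not from the Service Trust Portal or the Reference Guide):
# 1. compare privileged Exchange Online role-group membership against an approved list;
# 2. pull recent role-group changes from the unified audit log to see who made them.
# Assumes the ExchangeOnlineManagement module and an account that can read the audit log.

# Hypothetical allowlist of who may hold each high-privilege role group; adjust for your tenant.
$Approved = @{
    'Organization Management' = @('admin@contoso.onmicrosoft.com', 'breakglass@contoso.onmicrosoft.com')
    'Discovery Management'    = @('legalhold@contoso.onmicrosoft.com')
}

Connect-ExchangeOnline -ShowBanner:$false

# Step 1: flag any member of a privileged role group who is not on the approved list.
foreach ($group in $Approved.Keys) {
    foreach ($member in Get-RoleGroupMember -Identity $group) {
        $id = $member.PrimarySmtpAddress
        if (-not $id) { $id = $member.Name }   # nested groups may carry no SMTP address
        if ($Approved[$group] -notcontains $id) {
            Write-Warning "Unapproved member in '$group': $id ($($member.RecipientType))"
        }
    }
}

# Step 2: list role-group changes recorded in the last 30 days and who performed them.
$changes = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -RecordType ExchangeAdmin `
    -Operations 'Add-RoleGroupMember','Remove-RoleGroupMember','Update-RoleGroupMember','New-RoleGroup','Remove-RoleGroup' `
    -ResultSize 5000

$changes | ForEach-Object {
    $event = $_.AuditData | ConvertFrom-Json      # AuditData is a JSON document per record
    [pscustomobject]@{
        When      = $event.CreationTime
        Actor     = $event.UserId
        Operation = $event.Operation
        Target    = $event.ObjectId               # the role group that was changed
        Member    = ($event.Parameters | Where-Object Name -eq 'Member').Value
    }
} | Sort-Object When -Descending | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

The first loop answers the "has a high-privileged role been assigned to anyone unauthorized" question directly; the second tells you who made each change and when, which is what you need when the answer is yes. Run it on a schedule and alert on any warning or on any actor who is not a known administrator.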
There is quite a bit of information to digest here, but it is helpful and can be sorted in many ways with the Excel sort function. The workbook is a nice checklist to see if you’re using all the possible security functions in Office 365. It is a work in progress that is being updated, as well.
All in all, for the serious Office 365 administrator concerned about security, this is a must see. It goes a long way to help you keep up your organization’s end of Office 365 security.