Office 365 Security Basics

Office 365 Security Basics

Office 365 is not only the next version of the “Office Package”, but it bundles different applications and services from Microsoft to represent a digitalized office. Central business functions are Microsoft Teams, SharePoint and Exchange. Teams is a chat program, SharePoint is used to manage knowledge within a company and Exchange is the central administration unit, especially for e-mails. All these services are offered as cloud services and are constantly being further developed.

Office 365 completely in the cloud?

Office 365 should not be operated alone in the company, but should be combined with local components to create so-called hybrid environments. The Active Directory in particular is often operated as Azure Active Directory(AAD). This allows user accounts to be managed centrally and services such as two-factor authentication to be provided more easily.

In the past, all protective objects and devices were located within a closed network. Nowadays, users take devices home, bring private devices into the company and are accessible around the clock. The cloud also makes sure that a simple firewall is no longer enough these days. Business data can be made available all over the world with the help of Office 365, which can be a big advantage and disadvantage. These hybrid settings cause headaches for administrators around the world, as questions often need to be answered from a variety of angles.

The AAD in combination with a local AD can help, but it must be integrated without errors, for example to avoid duplicate user accounts.

Security in the cloud

Securing identities via the AAD & AD is a complex process and requires expertise to ensure secure authentication. However, there are always several ways for attackers to compromise a company, so it is also important to observe suspicious or unusual behavior. Office 365 Cloud App Security (CAS) can help you do this if you have purchased the appropriate license. You can automatically prevent suspicious behavior, for example, if a user suddenly sends an unusually large amount of data to external services, or upload and analyze log data. You can also use CAS to block potential ransomware activity or prevent risky IP addresses from logging in.

As admin you can choose between “Notification” and “Intervention”. If you intervene, the user who initiated the action will be logged out and blocked immediately. If you choose “Notification” you will receive a message via a defined channel. For larger Microsoft infrastructures there is also the Microsoft Cloud App Security (MCAS), which is much more powerful and automated.

Encryption in Office 365

Your customer data is encrypted at various points in Office 365. During transmission between the computers running Office 365 and the servers, only TLS connections are established, i.e. the data is encrypted during the entire transport route. This also applies to the transfer between servers. TLS is also used here to send data between servers. The data is then also encrypted in the individual services using Bitlocker and the distributed key manager (DKM). The following services encrypt your data “at rest”:

  • SharePoint Online, OneDrive for corporate and Microsoft Teams files.
  • Files uploaded to OneDrive for Enterprise.
  • Exchange Online mailbox content, including e-mail text content, calendar entries, and content in e-mail attachments.
  • Text conversations from Skype for Business.

The required keys are generated by Microsoft or Microsoft also offers customers to bring their own master key (BYOK). Please refer to the documentation for details on encryption. If you bring encrypted files into Office 365, you’ll face a number of drawbacks, such as content-based search won’t work, browser display and collaborative working.

We are happy to help you with the correct configuration of your Office 365 environment or even more complex architectures.  Contact us via info(at)aware7.de for details. We would also be happy to test the effectiveness of the measures you have implemented in a penetration test or train your users in the security-conscious use of modern IT solutions.

Photo of author

Chris Wojzechowski

Mein Name ist Chris Wojzechowski und ich habe vor wenigen Jahren meinen Master in Internet-Sicherheit in Gelsenkirchen studiert. Ich bin geschäftsführender Gesellschafter der AWARE7 GmbH und ausgebildeter IT-Risk Manager, IT-Grundschutz Praktiker (TÜV) und besitze die Prüfverfahrenskompetenz für § 8a BSIG. Unser Brot und Buttergeschäft ist die Durchführung von Penetrationstests. Wir setzen uns darüber hinaus für ein breites Verständnis für IT-Sicherheit in Europa ein und bieten aus diesem Grund den Großteil unserer Produkte kostenfrei an.