While Office 365 adoption continues to skyrocket, so do your customers’ security, compliance and other business needs, which all require your expertise.
Within the past three years, Microsoft has made an impressive transformation in its quest to become a subscription company where customers rent rather than buy software. In fact, a survey conducted by Barracuda Networks in April 2017 with customers in North America, Europe, the Middle East and Africa found adoption of Office 365 increased more than 50 percent between April 2016 and April 2017. While companies are becoming more comfortable giving up control of their data and IT infrastructures to a third party, it doesn’t mean they’re completely confident — nor should they be.
While there are many business benefits of going to the cloud, it comes with a whole new set of risks and responsibility, much of which requires your professional IT expertise.
The Shared Responsibility Model
One of the biggest misconceptions companies have about moving workloads to the cloud is where the responsibility for securing those workloads lies. When engaging prospects or customers about any public cloud service, like Office 365, it’s important to make sure they understand that the public cloud is built on a “shared responsibility model.” This means that while the provider is responsible for the security of the platform, the customer also bears part of that burden.
Where this can become confusing to customers is when they see, for instance, that Microsoft includes antivirus and backup with its operating system, plus Outlook includes a spam filter. At first glance it appears like Microsoft is taking “full responsibility” for security, and that’s what the majority of business users do think, as evidenced by Barracuda’s research. Not only is that not the case, there are five specific areas where public cloud users need additional support in order to ensure their data is protected and their businesses are in compliance with industry regulations:
Endpoint Security — Many organizations use traditional firewalls to secure cloud workloads and applications. Although perimeter-based firewall architectures are highly effective in a datacenter, they can become sources of friction when deployed in the public cloud. One of the main problems is that next-generation firewalls are purpose-built for datacenter architectures where everything is tightly coupled and traffic flows through firewalls that scale vertically. However, public cloud best practices dictate building loosely coupled architectures that scale horizontally (i.e., elasticity). For Office 365 deployments, a cloud generation firewall, which integrates tightly into the public cloud providers’ management fabric and provides security without compromising performance, should be deployed.
Compliance — Many organizations fall under strict email and document retention regulations, where failure to comply can lead to fines or other repercussions. By default, Office 365 data that is deleted becomes non-recoverable after 30 days. Longer retention times are only possible with more costly editions of Office 365. And, if a client cancels its subscription, its data is automatically deleted after 90 days. MSPs should be aware of their clients’ data storage and archiving requirements and offer backup and disaster recovery (BDR) services that help customers comply with regulations — regardless of which Office 365 edition they’re using — in addition to meeting customers’ recovery time objectives (RTO) and recovery point objectives (RPO), which could exceed what their Office 365 service level agreement (SLA) provides.
Liability — The Office 365 terms of service currently limit Microsoft’s liability to $5,000, or an organization’s last 12 months of subscription fees, should anything happen to its data — assuming the subscriber can prove the loss was Microsoft’s fault. In contrast, the liability an organization might face from clients, partners or auditors for losing its Office 365 data could far exceed its compensation from Microsoft. For customers facing this level of risk, it’s important to keep a copy of their Office 365 data in a secure, non-Microsoft repository, either in a second cloud environment or on premises.
Audit Rights — The Office 365 terms of service give organizations no audit rights. This is problematic if, for instance, an organization is required to show the physical location of its data. Maintaining a backup copy of Office 365 data in a secure location that is auditable, may be an acceptable way for MSPs to help customers work around the problem.
Human Error — Despite all the best security measures, users can still perform high-risk actions within cloud-based applications, whether their high-risk behavior is accidental or malicious. For example, regardless of whether they are using Office 365 or on-premises resources, when users click on infected attachments or links to malicious websites sent as part of a phishing scam, they open the door to ransomware and increase the risk of their account credentials being compromised and used by third parties to access corporate data. According to research from Skyhigh Networks, the average organization experiences 2.7 threats each month within Office 365, including:
- 1.3 compromised accounts each month, such as an unauthorized third party logging in to a corporate Office 365 account using stolen credentials
- 0.8 insider threats each month, such as a user downloading sensitive data from SharePoint Online and taking it when they join a competitor
- 0.6 privileged user threats each month, such as an administrator provisioning excessive permissions to a user relative to their role
In addition to helping customers develop security policies and best practices and providing security training, multilayer advanced threat protection solutions can help mitigate the above risks along with ransomware and other cyberattacks that are on the rise.
As customers continue to shift IT workloads to the cloud, the challenge is not only protecting sensitive information against internal and external threats, but also retaining the same compliance policy enforcement they have for on-premises applications. With just a few clicks, an employee can share an entire folder containing sensitive data with a user outside the company, in violation of a compliance regulation. Under a shared responsibility model, Microsoft takes ownership of securing its platform, but Office 365 subscribers are responsible for the safe and compliant use of Office applications. As customers and prospects migrate to Office 365, security, compliance and business continuity are all critical topics that must be addressed to ensure their data is protected.
Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.