Looking at Office 365 Security Holistically

Editor's Note: The following MVP Monday post is by Windows Expert MVP Mike Halsey.
When we think of using a cloud service such as Office 365 in our business, our initial thoughts will usually drift towards comforting ones of Microsoft taking the strain by providing the hardware, the manpower to keep the system maintained and a backup strategy that will help keep your system working and online.  While all of this is true, and indeed many companies have adopted Office 365 not just for the cost-savings they can make but also for the peace of mind that comes with not having to maintain the hardware, operating systems and other software yourself, there are other considerations closer to home that you will need to make.

If we look at Office 365 holistically, which is essential in a modern business, it will soon become apparent that there’s much more to it than this.  Microsoft can and does maintain all the security for the central Office 365 system.  What they don’t control is your own security, and I’m not just talking about maintaining up-to-date anti-virus and malware protection on your PCs (though obviously this is important).

The reason you need to maintain good security is that the information and data you store in Office 365 is valuable and not immune to theft by staff, hackers or malware writers.  It is also sensitive and private information, not only for the work you undertake at your company, but especially if you work with individuals as clients where you are commonly being entrusted with private information.  You need to make certain that you properly protect this, and simply relying on Microsoft to secure the back-end Office 365 servers and Internet portal isn’t enough.

So what are these security concerns, and do they need to cause you a headache?  The answer to the latter question is that with a bit of planning and observation they don’t need to cause you a headache at all.  In answer to the former question they are varied and many.

The security of your company’s Internet and computer infrastructure is the first of these.  Do you have a properly secured router for example, with a non-guessable password for both employee Wi-Fi access and the administrator interface?  Are you keeping your computers up to date with Windows Updates and malware protection?

In addition to this, what are your company’s policies regarding the use of removable media devices, such as USB pen drives, external hard disks and burnable CDs and DVDs?  Within the standard Group Policy controls for a PC running the Professional version of Windows and above, you can block these devices at a computer or user level without needing to manage your own Windows Server.

When it comes to users, does your staff have the correct permissions for both their PCs and their Office 365 access?  It’s very easy to let user permissions become unmanageable, which is why you should have just a couple of people within your company responsible for overall permissions in Office 365 itself, and why all staff should be Standard users in Windows.

There are other devices we now use with our computers at work.  These can include smartphones; Windows Phone, for example, includes tight integration with Office 365.  Do you know if your staff have passwords set on the smartphones they use to access business information?

This also extends to the computers people use outside of the office to access and store work documents and information.  If staff are using their own computers and laptops you will have very little, if any, control over the security they choose to employ.  Are these computers secure and up to date?  Do children and other non-employees have access to the same user account used to access your Office 365 system?

Much of this falls within the remit of staff training and company policy, but the easier that products such as Office 365 make collaboration and data sharing, the more aware we all need to be of the responsibilities we have in doing so, which include maintaining compliance with data protection and privacy laws.

The good news is that Office 365 does make managing its own security pretty simple and straightforward, especially when it comes to the process of managing users and their permissions.  You don’t need to be an IT Pro to sort users into the pre-defined and clearly labelled groups.  Nor do you need to be an IT Pro to advise staff against using their own computers for work, or to advise them to make sure their computers are up to date and protected.

In my book, Need2Know: Office 365 Security Essentials, I work through all of these aspects and take a completely holistic view of the security required to use Office 365 in a trouble-free way.  It is neither complicated nor difficult to manage, but it can often be seen as initially daunting to identify all the components involved, and to explain these and their importance to employees.

What you’ll find yourself doing is entering into a valuable partnership with your employees where you will, probably inadvertently, be helping to raise their own awareness of computer security and how they can protect themselves and their families.  This will come through the trust that you’re demonstrating you have in them with your company’s data and the roles you provide them for accessing and managing this on your behalf.

With the correct policies, training and outlook, all of which are based on nothing more complicated than common sense, you will find that using Office 365 becomes a truly worry-free process, where you can rest safe in the knowledge that every angle is covered, and that the future of your business is secure.  Not bad for something that won’t cost you anything, is it!?


Author's Bio

Mike Halsey is a Microsoft MVP (Windows Expert) and the author of Need2Know: Office 365 Security Essentials from Fair Trade DX.  He writes regularly on security subjects and is also the author of Troubleshooting Windows 7 Inside Out from Microsoft Press and several forthcoming books on Windows 8.  You can follow Mike on Facebook, Twitter and at his website TheLongClimb.


MVP Mondays

The MVP Monday Series is created by Melissa Travers. In this series we work to provide readers with a guest post from an MVP every Monday. Melissa is a Community Program Manager for Dynamics, Excel, Office 365, Platforms and SharePoint in the United States. She has been working with MVPs since her early days as a Microsoft Exchange Support Engineer, when MVPs would answer all the questions in the old newsgroups before she could get to them.
