This may or may not come as a surprise to you, but security is not inherent in the cloud.
If you’re one of the touted 60+ million Office 365 users taking advantage of cloud-based Exchange services, with no physical (or, hopefully, virtual) machines under your nose in your infrastructure, you may be lulled into believing that someone else’s hardware means it is someone else’s job to make sure it’s secure. While you could argue this is true with regard to physical security and data integrity, there is still plenty for you to do to ensure your potentially sensitive mail data is secure.
Helpfully, Office 365 has many features to help you keep your mail safe, so here’s a quick guide to what you need to look out for. It’s also worth noting that cloud-hosting anything does not exempt you and your users from what is still the biggest threat to your data and your business: you, and your users. Anything you do, either on-premises or in the cloud, to secure your data can be quickly and devastatingly negated by a lack of process, training and awareness in information security for every single member of your staff or user base. This should always be taken care of, no matter where your data is.
So, what can you do to make your Office 365-based mail more secure? So glad you asked!
All email data in Office 365 is encrypted at rest using BitLocker Drive Encryption. The physical hard drives in all Office 365 datacenters are encrypted to protect your data against unauthorized access, so no worries there. But what about when your mail is in transit?
By default, Office 365 uses ‘opportunistic’ TLS: it attempts to negotiate the most secure version of TLS first, then steps down through the protocol versions and ciphers until it finds one the remote server supports, and uses that. The catch is that if the remote server offers no TLS at all, the message is still delivered, in the clear. So unless you configure O365 to enforce TLS, your emails could end up being sent unencrypted. Luckily, you can force TLS in two ways: set up Connectors to secure communications between servers (this requires a CA-signed certificate), or configure a mail flow rule applied to all or specific domains or addresses (a self-signed certificate can be used for this).
So you do have options for encryption, just remember to configure it appropriately for your needs.
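The two enforcement options above, as an added example written for this post rather than taken from it. It uses the Exchange Online PowerShell cmdlets (`New-OutboundConnector`, `New-TransportRule`); the partner domain `partner.example` and the connector and rule names are placeholders you would replace with your own.

```powershell
# Added example (not from the original post): force TLS for mail sent to one
# partner domain in Exchange Online. Requires the ExchangeOnlineManagement module.
# "partner.example" and the connector/rule names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$PartnerDomain = 'partner.example'

# Option 1: an outbound connector. CertificateValidation requires the partner's
# mail server to present a certificate from a trusted CA whose subject matches
# -TlsDomain. If that check fails, the message is not delivered; there is no
# fallback to cleartext.
New-OutboundConnector -Name "Force TLS to $PartnerDomain" `
    -ConnectorType Partner `
    -RecipientDomains $PartnerDomain `
    -UseMXRecord $true `
    -TlsSettings CertificateValidation `
    -TlsDomain $PartnerDomain `
    -Comment 'Mail to this domain must be TLS-protected (added example)'

# Option 2: a mail flow (transport) rule for the same recipients. The rule only
# requires that a TLS session is established before the message is routed out;
# it does not validate who issued the peer certificate, which is why a
# self-signed certificate is enough on the receiving side.
New-TransportRule -Name "Require TLS to $PartnerDomain" `
    -RecipientDomainIs $PartnerDomain `
    -RouteMessageOutboundRequireTls $true

# Verify: list every connector and rule that currently enforces TLS.
Get-OutboundConnector |
    Select-Object Name, RecipientDomains, TlsSettings, TlsDomain
Get-TransportRule |
    Where-Object { $_.RouteMessageOutboundRequireTls } |
    Select-Object Name, RecipientDomainIs, State
```

Use one option or the other for a given domain: the connector is the stronger control because it also pins the expected certificate identity, while the rule is the quicker fix when the partner cannot provide a CA-signed certificate.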
Message Rules and Mail Scanning
You can create message rules based on specified criteria to automatically encrypt messages to specific domains, append a disclaimer or apply rights protection for example.
There is even the option to quarantine messages, so any inbound emails containing executable content can be automatically quarantined. In addition to the above mail scanning capabilities, Exchange Online Protection provides AV and anti-spam protection by default, but O365 also allows you to integrate the mail gateway servers with third-party scanning services such as Mimecast or Symantec to further enhance your protection. This is definitely something to consider. Put it this way: how many Enterprises are comfortable with just running Windows Defender for AV? Apply the same thought to mail. Not only do the third-party services offer enhanced and more granular protection, you can also configure O365 to ONLY accept mail from your service’s mail servers. This reduces the risk of spoofing, and of the enterprise mail servers being used to send or relay mail directly, which could open the door to spambots and malware proliferation.
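The rules and the inbound restriction described in this section, as an added example (not code from the original post). It uses real Exchange Online cmdlets and parameters; every rule name, the domain `partner.example`, the disclaimer text and the relay IP addresses (taken from the RFC 5737 documentation ranges) are placeholders, and the IPs in particular must be replaced with the addresses your scanning provider publishes.

```powershell
# Added example (not from the original post): mail flow rules for the three
# scenarios the post lists, plus an inbound connector that accepts mail only
# from a third-party scanning service's relays. Names, "partner.example" and the
# IP addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Quarantine inbound mail that carries executable attachment content.
#    AttachmentHasExecutableContent inspects the file content, not just the extension.
New-TransportRule -Name 'Quarantine executable attachments' `
    -FromScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -Quarantine $true

# 2. Encrypt outbound mail to a specific domain with Office 365 Message Encryption.
New-TransportRule -Name 'Encrypt mail to partner.example' `
    -SentToScope NotInOrganization `
    -RecipientDomainIs 'partner.example' `
    -ApplyOME $true

# 3. Append a disclaimer to all outbound mail. Wrap means that if the disclaimer
#    cannot be inserted (e.g. signed content), the original is wrapped in a new message.
New-TransportRule -Name 'Outbound disclaimer' `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText '<p>This message may contain confidential information.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# 4. Accept inbound mail only from the scanning service's relay addresses.
#    With RestrictDomainsToIPAddresses set, mail for the listed sender domains
#    ('*' = all) arriving from any other source IP is rejected, so senders cannot
#    bypass the scanner by delivering straight to the Office 365 MX.
$ScannerIPs = @('192.0.2.10', '192.0.2.11', '198.51.100.0/24')   # placeholders
New-InboundConnector -Name 'Inbound from scanning service' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $ScannerIPs `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true

# Verify the resulting configuration.
Get-TransportRule | Select-Object Priority, Name, State
Get-InboundConnector |
    Select-Object Name, SenderIPAddresses, RestrictDomainsToIPAddresses, RequireTls
```

Rules are evaluated in priority order, so check the `Priority` column after creation and move the quarantine rule above anything that could release or modify the message first. Test the inbound restriction with a message sent from outside the provider's ranges before relying on it.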
Protecting not only mail but also the entire business is as much a consideration with O365 deployments as with on-premises Exchange. Just because the mail servers are elsewhere, mail still traverses the same world wide web and will still be vulnerable to the same risks as on-premises.
A hybrid deployment allows you to configure an on-premises Exchange server and an Exchange Online service to share a single domain namespace, sharing a common GAL, calendars and EAC management, leveraging Windows Azure Active Directory. You can only create a hybrid environment with a trust brokered by the MS Federation Gateway or Azure AD Authentication and secured by certificates. One thing to consider: if you have multiple servers in your environment, you should have a separate certificate for each server rather than one wildcard to cover them all. That way the expiration, renewal or replacement of one certificate won’t cause a DoS across the board, especially if you stagger the certificate expiration dates.
In addition, hybrid deployments are automatically configured to force TLS encryption between the on-premises and Exchange Online servers to ensure mail is protected by default.
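A check for the per-server certificate advice above, added here as an example and not part of the original post. It runs in the on-premises Exchange Management Shell, uses the real `Get-ExchangeServer` and `Get-ExchangeCertificate` cmdlets, and reports the conditions the post warns about: one certificate bound on several servers, several certificates expiring on the same day, wildcard certificates, and anything close to expiry. The 60-day warning window is an assumed value.

```powershell
# Added example (not from the original post): audit the certificates bound to
# SMTP/IIS on every on-premises Exchange server so that hybrid mail flow does
# not depend on a single shared certificate or a single renewal date.
# Run from the Exchange Management Shell. $WarnDays is an arbitrary threshold.
$WarnDays = 60
$Now      = Get-Date

$certs = Get-ExchangeServer | ForEach-Object {
    $server = $_.Name
    # Only certificates actually bound to SMTP or IIS matter for hybrid mail flow.
    Get-ExchangeCertificate -Server $server |
        Where-Object { $_.Services -match 'SMTP|IIS' } |
        ForEach-Object {
            [pscustomobject]@{
                Server     = $server
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = [int]($_.NotAfter - $Now).TotalDays
                Wildcard   = ($_.Subject -match '^CN=\*\.')
            }
        }
}

# Same thumbprint on more than one server: a single renewal affects all of them.
$certs | Group-Object Thumbprint | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("Certificate {0} is bound on {1} servers: {2}" -f
        $_.Name, $_.Count, (($_.Group.Server | Sort-Object -Unique) -join ', '))
}

# Several certificates expiring on the same day: renewals are not staggered.
$certs | Group-Object { $_.NotAfter.Date } | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("{0} certificates expire on {1}: {2}" -f
        $_.Count, $_.Name, (($_.Group.Server | Sort-Object -Unique) -join ', '))
}

# Anything inside the renewal window, plus every wildcard certificate.
$certs |
    Where-Object { $_.DaysLeft -le $WarnDays -or $_.Wildcard } |
    Sort-Object DaysLeft |
    Format-Table Server, Subject, DaysLeft, Wildcard, NotAfter -AutoSize
```

Schedule this alongside your existing monitoring; the useful output is the two warnings, since an empty warning list confirms that no single certificate event can take down mail flow for more than one server.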
Hybrid deployments also give you the option of Single Sign-On, either synchronizing credentials to the cloud using the Directory Sync tool or using fully federated identity SSO through Azure AD Connect. From a security point of view the latter is preferable as users will be authenticated against the Enterprise directly, and you are not creating a secondary synchronized set of credentials outside of your Enterprise.
For full details on the features of Office 365 security, see the online Office 365 security and compliance resource.
No matter where your data lies, creating and adhering to an appropriate security policy, and educating all users, are key to keeping your data secure and protecting the business, and both remain the responsibility of the business to manage and implement.
Stay safe out there!