Office 365: Securing data throughout its lifecycle
In today’s world, we are moving towards a cloud-first mentality when it comes to data and technology. Cloud-centric applications fill our daily lives, allowing easy access to our data from virtually anywhere. This leads to increased security concerns about corporate data. Many people resort to Shadow IT, the use of unapproved or unsecure apps to access or transfer their data, because it is easier for them. It is important to understand how to properly secure your data throughout its lifecycle to meet your company’s regulatory requirements. With Office 365, all your data is stored in Microsoft’s cloud. Microsoft offers a wide variety of options to secure your data depending on its state, either at rest or in transit.
Data at Rest
Microsoft Office 365 provides a high level of protection automatically while data is at rest. When data is at rest Microsoft provides three areas of secure built-in encryption capabilities:
· Secure Identity is based on the well-known Active Directory concept. All access to data requires some form of identity; these can be synchronized, federated, or cloud identities. In addition, when a document is shared externally, a guest account is created in Azure AD to provide access. If this guest account is deleted, access to the document is removed.
· Secure Infrastructure is the use of the most secure encryption protocols in the industry, including TLS/SSL, IPsec, and AES.
· Secure Applications: Office 365 deploys BitLocker with AES 256-bit encryption on all servers that hold data.
Data in transit
When data is in transit Microsoft also encrypts connections between customers and its datacenters. The challenge comes when data is in transit between two individuals, internal or external. Two options provided in Office 365 are Data Loss Prevention and Rights Management Service.
· Data Loss Prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. Unified DLP policies can be set up and applied across SharePoint, OneDrive, and Exchange to allow or block content. In addition, you can use Exchange-specific DLP policies to utilize the power of transport rules to act on the data further.
· Rights Management Service (RMS), part of Azure Information Protection, provides persistent protection: the data itself carries the protection. This ensures data is always protected, regardless of where it’s stored or with whom it’s shared. RMS allows you to utilize either Office 365 Message Encryption (OME) or Information Rights Management (IRM), or both.
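The unified DLP policy described above, as an added example that is not part of the original post: one policy covering Exchange, SharePoint and OneDrive, with a rule that blocks credit card numbers from being shared outside the organization and notifies the owner. It uses the Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module; the policy name, rule name and policy-tip text are assumptions chosen for this example.

```powershell
# Added example (not from the original post): one unified DLP policy across
# Exchange, SharePoint and OneDrive, plus a rule that blocks external sharing
# of credit card numbers. Policy/rule names and the notification text are
# assumptions chosen for this example. Requires a Compliance admin role.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell, where the DLP cmdlets live

$policyName = "Financial Data - Unified"   # assumed name

# One policy, three workloads. Start in test mode with notifications so users
# see policy tips and admins see matches before anything is actually blocked.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Blocks credit card numbers from leaving the organization" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule: content with at least one credit card number, shared with people
# outside the organization, is blocked; the owner gets a policy tip and the
# site admin gets an incident report for review.
New-DlpComplianceRule -Name "Block external credit card sharing" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This content contains credit card numbers and cannot be shared outside the organization." `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title,Detections,Severity

# Verify what was created before switching the policy from test to enforce.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, BlockAccess, AccessScope, NotifyUser

# Once the test period shows no false positives, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Running the policy in TestWithNotifications first is the usual practice: the sensitive information type fires on real content, users start seeing the policy tips, and the incident reports show how often the rule would have blocked legitimate work before BlockAccess takes effect.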
Office 365 Message Encryption (OME) is a simple, user-friendly form of encryption. No special client software is required other than a web browser. Administrators can set up rules to automatically apply OME, such as on DLP matches or on keywords such as "Encrypt". With OME, you can send encrypted email to just about any email address in the world. When a message is received, the email contains an HTML attachment.
The recipient then opens the attachment, which redirects them to an Office 365 portal requiring either a sign-in or a one-time passcode. The viewing portal can be customized to reflect your organization’s brand. All attachments, forwards, and replies are encrypted as well.
However, OME doesn’t let you apply usage restrictions to messages. For example, you can’t use it to stop a recipient from forwarding or printing an encrypted message. Also, attachments have no protection after decryption, allowing the recipient to save the attachment to their local hard drive.
Information Rights Management (IRM) is an encryption solution that also applies usage restrictions to email messages and documents on OneDrive or SharePoint. It helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. IRM also provides offline protection for email messages and documents. With IRM you can create templates providing access to an explicit list of users and contacts. Templates can be manually applied by users or automatically applied by DLP policies, transport rules, or classification labels (part of Azure Information Protection licensing). The following shows the list of rights that can be assigned to a template:
Exchange Online provides an additional unique template called Do Not Forward. To users this looks like another RMS template, but it is really a set of rights that is applied dynamically based on the recipient email addresses the sender selects, rather than a true template. This is the primary difference between Do Not Forward and RMS templates: RMS templates have statically assigned rights. The following shows the rights that are assigned with Do Not Forward:
There are several limitations with IRM as well:
· Some applications may not support IRM emails. Additional software may be required for some.
· Templates require configuration of defined Rights and Scope. Any external recipients must be known in advance and have a contact created in Exchange Online.
· Microsoft accounts or personal email accounts (such as Gmail) are currently not supported.
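The pieces discussed in the OME and IRM sections above, as an added example that is not part of the original post: checking that IRM is enabled in Exchange Online, listing the RMS templates a transport rule can apply, creating the Exchange Online contact an external recipient needs, publishing one custom template with statically assigned rights for an explicit list of users, and creating two transport rules, one applying OME when the sender puts "Encrypt" in the subject and one applying Do Not Forward to outbound mail carrying highly confidential attachments. It uses the ExchangeOnlineManagement and AIPService modules; the rule names, template name, mailbox addresses, the contoso.com domain and the partner.example address are assumptions chosen for this example.

```powershell
# Added example (not from the original post). Names, addresses and domains
# below (contoso.com, partner.example, "Finance Confidential", rule names) are
# assumptions chosen for this example.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# IRM in Exchange Online must be licensed and pointed at Azure RMS before any
# rights-protection template can be applied by a transport rule.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}
Test-IRMConfiguration -Sender "sender@contoso.com"   # assumed internal mailbox

# Templates a transport rule can apply. "Do Not Forward" and "Encrypt" are the
# built-in dynamic options; every other template carries static rights.
Get-RMSTemplate | Format-Table Name, Description -AutoSize

# External recipients of an IRM template must exist as contacts in Exchange Online.
New-MailContact -Name "External Auditor" -ExternalEmailAddress "auditor@partner.example"

# A custom template with statically assigned rights for a known set of users:
# Finance can view, edit and reply; the external auditor can only view.
Import-Module AIPService
Connect-AipService
$rights = @(
    New-AipServiceRightsDefinition -EmailAddress "finance@contoso.com" -Rights "VIEW","EDIT","REPLY"
    New-AipServiceRightsDefinition -EmailAddress "auditor@partner.example" -Rights "VIEW"
)
Add-AipServiceTemplate -Names @{ "1033" = "Finance Confidential" } `
    -Descriptions @{ "1033" = "View/edit for Finance, view-only for the external auditor" } `
    -RightsDefinitions $rights `
    -Status Published

# Rule 1: user-driven OME. The sender types "Encrypt" in the subject and the
# message is encrypted for any recipient, with no usage restrictions.
New-TransportRule -Name "OME on keyword Encrypt" `
    -SubjectContainsWords "Encrypt" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Comments "User-triggered Office 365 Message Encryption"

# Rule 2: automatic Do Not Forward for outbound mail whose attachments contain
# the phrase "Highly Confidential". Recipients can read and reply but not
# forward, print or copy, and the protection travels with the message.
New-TransportRule -Name "Do Not Forward - highly confidential attachments" `
    -SentToScope NotInOrganization `
    -AttachmentContainsWords "Highly Confidential" `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Comments "Automatic IRM for highly confidential attachments leaving the organization"

# Review every rule that applies rights protection.
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, ApplyRightsProtectionTemplate, SentToScope -AutoSize
```

The two rules show the trade-off the text describes: the "Encrypt" template gives the OME experience (any recipient, browser-based reading, no restrictions), while "Do Not Forward" keeps the content under IRM control after delivery. Custom templates such as the one published here only work for recipients listed in their rights definitions, which is why the external contact is created first.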
Determining which options to use is the hardest challenge. Enabling recommends using a combination of Microsoft’s offerings to provide the best end user experience while maintaining secure data. For example, IRM should be used in the following scenarios:
· Sending highly confidential documents as attachments
· Any information that if leaked could cause huge financial loss or risk the safety of others
OME can be used when you want to send sensitive information to people outside your organization in more common scenarios, with information that can change often, such as:
· Banking statements
· Medical records
· Legal information
Ultimately, each organization is unique and has its own criteria when it comes to data security and compliance.
You can check out our security landing page at http://www.enablingtechcorp.com/Solutions/Secureit!.aspx