Office 365 Does not Eliminate SaaS Application Risks

This article was originally published on Linkedin on August 22, 2016 @ https://www.linkedin.com/pulse/office-365-does-eliminate-saas-application-risks-alexander/


There appears to be some misinformation, or misconception, about what Office 365 (O365) is and what it isn't.

O365 is a cloud-based subscription version of the Microsoft Office suite of productivity tools, as opposed to the desktop or locally installed versions. Essentially it is a SaaS application, with potentially all of the inherent risks of a typical SaaS application.

Office 365 does, however, have a lot of built-in security capability compared to other SaaS applications, but it is still just one application, a productivity tool in its own right. It has a number of default security settings, but a lot more requires tweaking: for example, auditing, logging and monitoring for policy violations, threats and vulnerabilities.

Some of the comments I've heard recently include: "I have O365, I don't need to do anything else, my data is secure"; "I don't have any risk around SaaS apps"; "my users will do as they are told and only use O365" (when has that ever happened?); and much more.

There's no question that O365 has far more security capabilities out of the box. Nonetheless, the responsibility for identifying and classifying data still resides with the customer, because without that classification O365 DLP cannot be enabled or expected to function as required. There's also the encryption of sensitive data and the associated key management: these are not out of the box!!
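To make the dependency between classification and DLP concrete, here is an added example (my own illustration, not Office 365 code and not from the original article). The "sensitive information type" names, the simplified regexes, the domain names and the sample text are all constructed for the demonstration. The policy itself is trivial, "labelled content must not go to an external recipient", and the point is that with no classifiers configured the same sensitive text is allowed through unchanged. A Luhn checksum is included so that number-like strings that are not real card numbers do not trigger the rule, which is the kind of false-positive tuning the article means by "tweaking".

```python
import re
from typing import Dict, List, Pattern, Tuple

# Constructed "sensitive information type" definitions. Real DLP products ship
# far richer detectors; these regexes are simplified stand-ins for the example.
CLASSIFIERS: Dict[str, Pattern[str]] = {
    "credit_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; rejects number-like noise that is not a card number."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str, classifiers: Dict[str, Pattern[str]]) -> List[str]:
    """Return the labels whose detector fires on the text (one entry per label, in config order)."""
    labels: List[str] = []
    for name, pattern in classifiers.items():
        for match in pattern.finditer(text):
            if name == "credit_card":
                # Edge case: a 16-digit string that fails Luhn is not treated as a card number.
                if not luhn_ok(re.sub(r"[ -]", "", match.group())):
                    continue
            labels.append(name)
            break
    return labels


def dlp_decision(
    text: str,
    recipient_domain: str,
    org_domain: str,
    classifiers: Dict[str, Pattern[str]],
) -> Tuple[str, List[str]]:
    """Constructed policy: classified content may not be shared outside org_domain.

    The decision is driven entirely by the labels the classifiers produce, so an
    empty classifier set makes the policy inert regardless of what the text contains.
    """
    labels = classify(text, classifiers)
    external = recipient_domain.lower() != org_domain.lower()
    if labels and external:
        return ("block", labels)
    return ("allow", labels)


if __name__ == "__main__":
    # Constructed sample message; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    sample = "Card 4111 1111 1111 1111 for the order"
    print(dlp_decision(sample, "partner.example", "corp.example", CLASSIFIERS))  # blocked
    print(dlp_decision(sample, "partner.example", "corp.example", {}))           # allowed: nothing classified
```

Running the block shows the same message blocked when the card-number classifier is configured and allowed when the classifier set is empty, which is the tenant-side work the article says does not happen on its own.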

In a typical organisation, where there are hundreds of SaaS applications, what about the security of the tons of corporate data already within them? Has that risk suddenly evaporated?

Of course there's good old Microsoft Azure, through which you can gain visibility into, and control access to, the other cloud apps in use in the environment. None of this is out of the box, and there are dependencies. It needs thinking and context. How do you plan to tackle third parties (partners and suppliers) with whom your staff collaborate, and their disparate identities?

While MS Azure may provide a mechanism for "enterprise"-level visibility and control (as opposed to covering external, extended-enterprise users), it doesn't provide a risk-rating capability that helps you decide which applications to sanction or block. We all know what happened the last time security decided to implement arbitrary blocking: we birthed Shadow IT.