Office 365 Security Concerns

Microsoft has come a long way in providing security for Office 365 customers looking to bolster Office 365 security.

Microsoft Office 365 is one of the most powerful business productivity suites housed in the public cloud today. Many businesses today are either already running business-critical services and applications in Microsoft’s Office 365 environment or they are considering the move from on-prem to public cloud by way of Office 365. Office 365 certainly touts some really great benefits for organizations looking to move to the public cloud. As with any technology solution used for business today, it must be scrutinized for any potential security risks.

Are public cloud environments immune to the common security risks that affect business data living on-prem? Hardly! There exists a huge misconception among many today that simply moving to the cloud eliminates many of the major security concerns that exist in on-prem environments. Microsoft has taken a few steps in the right direction in terms of security for its Office 365 customers. However, there are still concerning security gaps in Microsoft’s Office 365 environment that businesses need to be aware of. Let’s take a look at some of the security concerns as they exist in Office 365 today and why it is important for organizations not to take these lightly.

On-prem vs. Cloud – No more security risks, right? Wrong!

A common misconception among many when considering a move to the public cloud is that security concerns such as ransomware, which can have significant impacts on on-prem environments, do not apply to the public cloud. Many may think that since the servers do not exist in your own enterprise datacenter, the data contained on public cloud servers is untouchable by threat actors who may use ransomware or other means to compromise data. However, this is an extremely dangerous assumption to make when comparing the security of on-prem with the public cloud.

As is obviously the case, public cloud architecture is vastly different from on-prem enterprise datacenters. However, attackers can still prey upon basic security holes as well as utilize phishing techniques to lure unsuspecting end users into running executables or installers that ask for permissions to their public cloud stored data or emails.

Also important to consider is the threat vector of file synchronization. Most public cloud providers such as Google and Microsoft provide utilities for synchronizing files from on-prem devices up to cloud storage. Microsoft’s OneDrive client on an on-prem device synchronizes changes to the cloud. It is easy to see how, with file synchronization, security events affecting on-prem environments are easily extended to the public cloud. If ransomware starts encrypting files on-prem, OneDrive simply views the files as “changed” and triggers a synchronization with the OneDrive public cloud storage.
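The propagation path described above, as an added example that is not from the original article or from Microsoft: a naive sync client decides what to upload purely by comparing content hashes, so encrypted output is just another "change". The guard in plan_sync is an assumed defensive heuristic (a burst of rewritten, high-entropy files whose originals disappeared) that pauses the sync instead of pushing the damage to the cloud copy; the documents and the simulated rewrite are constructed in a temp directory.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

def file_digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(root):
    """Map relative path -> sha256, the state a sync client compares against."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            snap[os.path.relpath(p, root)] = file_digest(p)
    return snap

def changed_files(before, after):
    """What a naive sync client uploads (new or modified) and deletes."""
    uploads = [p for p, h in after.items() if before.get(p) != h]
    deletions = [p for p in before if p not in after]
    return uploads, deletions

def shannon_entropy(data):
    """Bits per byte; plaintext documents sit well below 7, ciphertext near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_like_ransomware(root, uploads, deletions, burst=5, entropy_min=7.0):
    """Guard: a burst of rewritten high-entropy files whose originals vanished."""
    if len(uploads) < burst or len(deletions) < burst:
        return False
    high = 0
    for p in uploads:
        with open(os.path.join(root, p), "rb") as f:
            high += shannon_entropy(f.read()) >= entropy_min
    return high >= burst

def plan_sync(root, before):
    """Pause the sync instead of pushing ransomware output to the cloud copy."""
    uploads, deletions = changed_files(before, snapshot(root))
    if looks_like_ransomware(root, uploads, deletions):
        return {"action": "pause", "uploads": [], "deletions": []}
    return {"action": "sync", "uploads": sorted(uploads), "deletions": sorted(deletions)}

def demo():
    """Constructed: 8 docs, one benign edit, then a simulated mass rewrite (hash output as stand-in ciphertext)."""
    root = tempfile.mkdtemp()
    for i in range(8):
        with open(os.path.join(root, f"report{i}.docx"), "w") as f:
            f.write("Quarterly figures, region %d. " % i * 40)
    base = snapshot(root)
    with open(os.path.join(root, "report0.docx"), "a") as f:
        f.write("Revised by finance.")
    benign = plan_sync(root, base)        # one changed file: normal sync
    base = snapshot(root)
    for i in range(8):
        src = os.path.join(root, f"report{i}.docx")
        with open(src + ".locked", "wb") as f:
            f.write(b"".join(hashlib.sha256(bytes([i, j])).digest() for j in range(128)))
        os.remove(src)
    attack = plan_sync(root, base)        # burst of 8 rewrites: pause
    return benign["action"], attack["action"]
```

A real client pausing on this heuristic still leaves the encrypted local copies in place; the point is only that the cloud copy is not overwritten, which is why the backup and recovery discussion later in the article matters.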

There is no doubt that attackers today are shifting their focus to public cloud environments. After all this is where businesses today are storing more and more of their data. Adding to the challenge of public cloud security, the native public cloud security mechanisms that do exist are either misunderstood, underutilized, or improperly configured. Traditional security models that have worked for years on-prem are simply not good enough with the complex and easily accessed public cloud resources that today’s providers make available.

The security risks and dangers associated with the public cloud are only going to evolve as today’s attackers target these treasure troves of data and their potential for exploitation. What about the native tools that public cloud vendors such as Microsoft provide for customers using services such as Office 365? Are the security mechanisms provided good enough to protect organizations today from the potential for data loss or data leakage? What about cybersecurity in general? Let’s take a look at Microsoft Office 365’s native security tools and features and explore just how much protection these afford Office 365 customers.

Microsoft’s Cloud App Security

Microsoft offers its own native security solution for protecting Office 365 environments called Cloud App Security. Cloud App Security is Microsoft’s comprehensive cross-SaaS solution that is engineered to bring deep visibility, data controls, and enhanced threat protection to cloud apps. Through this offering, Microsoft wants to allow customers to gain visibility into Shadow IT and other potential security risks to Microsoft public cloud environments.

Microsoft makes a distinction between Cloud App Security and Office 365 Cloud App Security, which it describes as a subset of Microsoft Cloud App Security that provides enhanced visibility and control for Office 365. As Microsoft describes it, the Office 365 Cloud App Security variant provides threat detection based on user activity logs, discovery of Shadow IT for apps that have similar functionality to Office 365 offerings, and control of app permissions for those apps.

Microsoft positions this as a critical component of its cloud security stack, intended to help organizations with the challenge of moving from on-premises environments to cloud-hosted solutions by providing the tools to gain control and visibility over cloud applications and to protect critical data across those applications.

There are quite a few differences in security capabilities between Microsoft Cloud App Security and Office 365 Cloud App Security. At first glance, Office 365 Cloud App Security is a much more lightweight offering when compared to Microsoft Cloud App Security. You can see that Office 365 Cloud App Security is not as fully featured and robust as the Microsoft Cloud App Security offering in the official comparison made by Microsoft:

| Capability | Feature | Microsoft Cloud App Security | Office 365 Cloud App Security |
|---|---|---|---|
| Cloud Discovery | Discovered apps | 16,000+ cloud apps | 750+ cloud apps with similar functionality to Office 365 |
| | Deployment for discovery analysis | Manual and automatic log upload | Manual log upload |
| | Log anonymization for user privacy | Yes | |
| | Access to full Cloud App Catalog | Yes | |
| | Cloud app risk assessment | Yes | |
| | Cloud usage analytics per app, user, IP address | Yes | |
| | Ongoing analytics & reporting | Yes | |
| | Anomaly detection for discovered apps | Yes | |
| Information Protection | Data Loss Prevention (DLP) support | Cross-SaaS DLP and data sharing control | Uses existing Office DLP (available in Office E3 and above) |
| | App permissions and ability to revoke access | Yes | Yes |
| | Policy setting and enforcement | Yes | |
| | Integration with Azure Information Protection | Yes | |
| | Integration with third-party DLP solutions | Yes | |
| Threat Detection | Anomaly detection and behavioral analytics | For cross-SaaS apps including Office 365 | For Office 365 apps |
| | Manual and automatic alert remediation | Yes | Yes |
| | SIEM connector | Yes. Alerts and activity logs for cross-SaaS apps | Yes. Office 365 alerts only |
| | Integration to Microsoft Intelligent Security Graph | Yes | Yes |
| | Activity policies | Yes | Yes |

There are three main components to the Cloud App Security platform that make up the solution’s security framework and enable organizations to map out and identify cloud apps, sanction and unsanction apps in the cloud, deploy app connectors, and configure policies.

  • Cloud Discovery – A discovery mechanism for all the apps in use in the organization
  • Data Protection – Monitoring and control mechanism for increased visibility, DLP policies, alerts, and forensics
  • Threat Protection – Detects anomalies in user activity, behaviors and other activity related metrics as well as provides advanced investigation tools that help to configure policies and alerts.

The architecture of the Cloud App Security platform as outlined by Microsoft:

Cloud App Security Architecture (image courtesy of Microsoft)

Cloud Discovery

With the Cloud Discovery mechanism, Cloud App Security uses traffic logs to discover and analyze cloud apps found and utilized within the organization. It allows manually uploading log files from firewalls, proxies, and other devices for analysis. Log collectors can also be configured to continuously upload these types of logs to Cloud App Security.

Sanctioning and unsanctioning an app

Microsoft maintains an ever-growing list of apps by way of a Cloud app catalog. These apps are ranked and scored based on industry standards and risk is assessed based on several metrics including these standards and other factors.

App Connectors

App connectors leverage APIs provided by cloud app providers to allow tight integration with Cloud App Security. These integrations extend control and protection across third-party cloud app providers.

Conditional Access App Control Protection

Microsoft Cloud App Security Conditional Access App Control Protection uses reverse proxy architecture which allows real-time visibility and control over access to resources and activities performed by end users in the cloud environment. These capabilities include:

  • Data Leak protection by blocking downloads
  • Enforce encryption rules with downloaded content
  • Ensure visibility with endpoints that are unprotected or unmanaged
  • Control non-corporate network access or filter dangerous IP addresses

Policy Control

Administrators can set policies to define what users can and can’t do in the cloud. This includes detecting risky behavior and suspicious data downloads. Remediation processes can be set in motion that allow mitigating risky user activities.

Microsoft’s Cloud App Security is available for purchase as a subscription for $3.50 per user per month retail. It is also included as part of the Microsoft Mobility + Security E5 offering.

Microsoft’s Cloud App Security is a good step in the right direction. However, are there security gaps that exist even when using Cloud App Security, and in particular Office 365 Cloud App Security? There are certainly Cloud App Security shortcomings and security concerns that organizations need to be aware of when relying on Microsoft’s solution to provide cloud security for their environments, especially Office 365. What are some areas where Cloud App Security falls short, and why should organizations be concerned about this?

Microsoft Cloud App Security Shortcomings

Microsoft’s solution for cloud security certainly has merit and is a solution that one can easily take advantage of natively within Microsoft’s cloud ecosystem. However, for businesses looking for the best solution for Office 365 security, Microsoft’s Cloud App Security may come up a bit short as it relates to Office 365.

As stated by Microsoft, the Office 365 Cloud App Security offering is a subset of Cloud App Security. Being a subset means that it does not include all the functionality and features of the parent Cloud App Security solution. Be sure to review the table above for a detailed listing and comparison of features and functionality between the two. Let’s focus on the following areas and gaps that exist in the Office 365 Cloud App Security option for businesses housing resources in Office 365:

  • Limited App Discovery and Risk Assessment
  • DLP capabilities are limited
  • Limited Threat and Anomaly Detection
  • Threat Remediation and Response can be lacking
  • No Backup and Recovery Capabilities

Let’s take a look at each of these a bit closer to see in greater detail the security gaps that businesses need to know when using Microsoft’s Cloud App Security to protect Office 365 environments.

Limited App Discovery and Risk Assessment

One of the components of public cloud environments with today’s cloud enabled workforce that can pose tremendous security risks is the integration that comes from third-party applications integrated with Office 365. End users tend to blindly grant permissions to requested data and other resources when prompted by third-party applications. This can easily allow integration with corporate data for risky third-party applications.

With Cloud App Security, Microsoft documents visibility into more than 16,000 cloud apps. However, with Office 365 Cloud App Security, only 750+ cloud apps with similar functionality to Office 365 are documented as part of its cloud discovery capabilities. So, with the Office 365 variant, businesses get a much cut-down version of the cloud discovery capabilities of Cloud App Security.

The governance actions, discussed later, depend on these app integrations with Office 365 and Cloud App Security in order to be effective for security remediation. This certainly leaves room for a gap in protection when it comes to which applications are supported for integration with Office 365 Cloud App Security.

DLP Capabilities Are Limited

Data Loss Prevention or DLP is a huge concern for businesses today. Data leakage can literally cost businesses their existence with potential financial and reputation damage amounting to more than the organization can bounce back from. With new data protection regulations such as General Data Protection Regulation or GDPR, businesses must be vigilant and proactive when it comes to protecting customer data.

With Office 365 Cloud App Security, the DLP solution is only available to businesses using the E3 subscription and above with Office 365. Those businesses with lower Office 365 subscription levels do not have access to the DLP functionality provided by Cloud App Security. This leaves organizations that do not have the business need for the Office 365 Enterprise E3 and higher subscriptions with the dilemma of cost vs. security, which generally never turns out well for the security side of things.

Not having the option for effective DLP as a service in the lower-level Office 365 subscriptions leaves a major security gap for smaller and SMB organizations looking to bolster data leak protection across their Office 365 landscape. In some cases, organizations can bolt on individual pieces of a DLP solution; however, this leaves businesses paying more for bits and pieces rather than a true all-in-one DLP solution.

Limited Threat and Anomaly Detection

Microsoft’s Office 365 Threat Intelligence offering helps security analysts and administrators protect their organization’s Office 365 users by helping to identify and monitor attacks from threat actors and to address threats in Exchange and SharePoint Online.

However, again, with Office 365 the advanced threat management you get is tied to the Business and Enterprise plans that organizations subscribe to. What Microsoft describes as “Advanced Threat management”, which includes Customer Lockbox and Threat Explorer for phishing campaigns, is tied to the Office 365 E5 subscription. Basic “Threat Management”, described as mail filtering and anti-malware only, can be had with subscription levels from Office 365 Business Essentials all the way to the Office 365 Enterprise E5 subscription.

Threat Response and Remediation

When considering the capabilities of any threat protection or security add-on for Office 365, the power of a solution often comes from its ability to perform automated responses and proactive actions to provide security within the public cloud environment. Microsoft has built-in alerting that can be triggered from the Cloud App Security module to notify on suspicious types of activity such as external sharing of sensitive files or downloads of sensitive files. Custom alerts can be created based on the following policy types:

  • Activity policy
  • Anomaly detection policy
  • App discovery policy
  • Cloud Discovery anomaly detection policy
  • File Policy

Governance actions can be taken based on the specific type of policy being implemented. An example of configuring a governance action on a Cloud App Security policy is shown below.

Governance actions with Cloud App Security applications

However, a point to note here is that governance actions, or remediation actions as Microsoft describes them, use the cloud provider APIs and might vary from one app to another. This is a security note and a potential gap as well: it is less than desirable to rely on third-party app APIs, which vary from vendor to vendor, to determine the governance action that can be taken.

One of the other security responses documented with Cloud App Security allows forcing a user to log in again when suspicious activity is detected on an account. The logic here is that when an attacker gains unauthorized access to an account, simply disabling the account does not invalidate the currently logged-in sessions, so potentially the attacker still has access. Requiring another login forces authentication against the credentials again. While requiring a user to reauthenticate is a good first step, it would be nice to see additional capabilities here.
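To make the activity-policy and governance-action flow above concrete, and the reason a plain "disable account" is not enough, here is an added example that is not from the original article or from Microsoft. The activity log, the field layout, the two policies (mass download of labelled files, external sharing of a labelled file) and the tenant domain are all constructed assumptions; the Directory class is a minimal model in which disabling an account only blocks new sign-ins, while the "sign in again" action moves a per-user not-before timestamp so tokens issued earlier stop validating.

```python
from datetime import datetime, timedelta

# Constructed activity log in the spirit of a Cloud App Security activity
# policy feed (field layout is an assumption, not Microsoft's schema):
# (timestamp, user, action, item, sensitivity label, sharing target)
ACTIVITY = [
    ("2019-03-04T09:00:00", "alice", "FileDownloaded", "budget.xlsx", "Confidential", ""),
    ("2019-03-04T09:00:07", "alice", "FileDownloaded", "forecast.xlsx", "Confidential", ""),
    ("2019-03-04T09:00:15", "alice", "FileDownloaded", "payroll.xlsx", "Confidential", ""),
    ("2019-03-04T09:00:21", "alice", "FileDownloaded", "vendors.xlsx", "Confidential", ""),
    ("2019-03-04T09:30:00", "bob", "SharingInvitationCreated", "roadmap.pptx", "Confidential",
     "carol@partner.example"),
    ("2019-03-04T09:31:00", "bob", "SharingInvitationCreated", "lunch.docx", "General",
     "carol@partner.example"),
]
CORP_DOMAIN = "contoso.example"  # assumed tenant domain

def evaluate(events, window=timedelta(seconds=60), threshold=4):
    """Two activity policies -> (user, policy, governance action), one hit per user
    and policy: mass download of labelled files in a window; external share of one."""
    hits, seen, recent = [], set(), {}
    for ts, user, action, item, label, target in sorted(events):
        t = datetime.fromisoformat(ts)
        policy = None
        if action == "FileDownloaded" and label == "Confidential":
            q = [x for x in recent.get(user, []) if t - x <= window] + [t]
            recent[user] = q
            if len(q) >= threshold:
                policy = ("mass_download", "require_sign_in")
        elif (action == "SharingInvitationCreated" and label == "Confidential"
              and not target.endswith("@" + CORP_DOMAIN)):
            policy = ("external_share_sensitive", "remove_external_sharing")
        if policy and (user, policy[0]) not in seen:
            seen.add((user, policy[0]))
            hits.append((user,) + policy)
    return hits

class Directory:
    """Minimal identity model: disabling an account blocks new sign-ins only;
    the 'sign in again' action moves not_before so older tokens stop validating."""
    def __init__(self):
        self.enabled, self.not_before = {}, {}
    def issue_token(self, user, at):
        if not self.enabled.get(user, True):
            raise PermissionError("account disabled")
        return (user, at)
    def is_valid(self, token, at):
        user, issued = token
        return self.not_before.get(user, datetime.min) <= issued <= at
    def disable(self, user):
        self.enabled[user] = False
    def require_sign_in(self, user, at):
        self.not_before[user] = at

def demo():
    """Run the policies, then show why 'disable' alone does not end a session."""
    d = Directory()
    token = d.issue_token("alice", datetime.fromisoformat("2019-03-04T08:00:00"))
    now = datetime.fromisoformat("2019-03-04T09:05:00")
    d.disable("alice")
    live_after_disable = d.is_valid(token, now)   # still True
    d.require_sign_in("alice", now)
    live_after_revoke = d.is_valid(token, now)    # False
    return evaluate(ACTIVITY), live_after_disable, live_after_revoke
```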

The capabilities to contain or prevent ransomware with Cloud App Security are limited as well. As demonstrated by security professionals, an unsuspecting user can easily have their entire Office 365 mailbox encrypted by granting app permissions to email for a fraudulent plugin, such as a fake WebEx plugin. By impersonating a legitimate app, an attacker can deliver a ransomware payload that encrypts all emails in a user’s mailbox. There is no built-in process with Cloud App Security that can restore email data once the process begins, which leads into the next security gap: no backup and recovery options.

Limited Backup and Recovery Options

One of the glaring security gaps with most of the security add-ons from public cloud vendors themselves and from third parties is the lack of effective backup or recovery options. While many other crucial components of security are generally covered by third-party solutions, backup and recovery is typically one area that is missed time and again, or it is tossed off as the responsibility of a “backup solution”.

Many may not think of backups as part of security. However, backups should be a cornerstone in the design of any security solution. For instance, if ransomware activity is detected, that detection does not “undo” the damage already done by ransomware to files in OneDrive storage or even email. Even if the progression of the ransomware infection is stopped, the downtime that could result from already damaged or encrypted files could be catastrophic.

With Microsoft’s Advanced Threat Protection or Cloud App Security, there are limited backup and recovery features for Office 365. With OneDrive for Business, customers can restore files that have been deleted, infected, or otherwise corrupted within the last 30 days. However, business customers can only restore OneDrive files with this restore option, not data from other Office 365 services. The granularity of restores is also limited.

Organizations must have the ability to take effective backups of all business-critical services that are hosted in Office 365 infrastructure and also have the ability to recover files and services as part of their overall security strategy. Data protection must be a requirement for businesses looking to house business-critical data in the public cloud, including Office 365. There will never be an impenetrable security solution. Businesses must plan for and expect the day when data in the public cloud must be restored.

Concluding Thoughts

Office 365 is a powerful platform for today’s businesses looking to migrate data and services to the public cloud. Microsoft has come a long way in providing security for Office 365 customers looking to bolster security. With the introduction of Cloud App Security, Microsoft has introduced a platform that gives customers some basic security features and functionality for protecting Office 365 environments.

However, businesses should be aware that there are gaps in the security coverage provided by Cloud App Security and other Microsoft security offerings, including the Advanced Threat Protection module. The effectiveness of automated responses and governance lies in the hands of the integration between the app and Office 365. Aside from the limited app integrations with Office 365, Cloud App Security provides businesses with limited abilities to restore data that may have been corrupted or damaged by a security event such as ransomware. Data protection should play a key role in the security of Office 365 or any other public cloud environment. Additionally, threat responses and alerting provide only basic capabilities. While native Microsoft tools have come a long way, it is evident that more is needed in terms of securing Office 365 environments.