Despite the Microsoft security tools in Office 365, the analysts from Gartner recommend adopting a more effective cybersecurity strategy by supplementing the Microsoft tools with those from third parties – especially for protecting and monitoring email.
In November 2017, Microsoft finally released a patch with its Patch Tuesday to fix a vulnerability in Office and Office 365. It was linked to a piece of vestigial code dating back to 2000, which the publisher kept to ensure the backward compatibility of documents. The world trembled in retrospect at the presence of such a vulnerability, paranoia set in at the idea that hackers were exploiting it to step up their threats, and Microsoft pointed out that even its newest products might pose risks. And all this despite the efforts made by the vendor to continue to improve security.
The puzzle of Office 365 security
The Gartner report, “How to Enhance the Security of Office 365,” published in 2017, beyond noting the improvements made by Microsoft to Office 365, took stock of the opportunities for future improvements with third-party tools”. The first finding by the analysts confirmed that a solution in the cloud is better protected than its local version, offering native security capabilities far beyond those of the on-premises version. And yet they’re clearly not enough to protect against ever-increasing threats—threats that also attack devices linked to the cloud, mobility and new uses of digital media!
The enrichment of the Office 365 suite with ever more applications– Office, Exchange, Sharepoint, Skype, OneDrive, Project, OneNote, Power BI, Teams, Yammer, etc. – might suggest that attacks will veer towards these tools, which are proving to contain vulnerabilities. That’s true in theory, except that we need to factor in another dimension in our security vision of Office 365: the usage value. In concrete terms, a module that’s poorly protected but little used presents fewer risks than a module that is well protected but widely used.
Microsoft’s security tools are not enough to protect Office 365…
According to another Gartner study, “How to Work With (or Compete Against) Microsoft Office 365,” the usages of Office 365 users fall into two blocks: Office 365 ProPlus, the heir to the Office suite; and first and foremost Exchange/Outlook, which largely dominates the usage value. This very simply translates into email, which remains the top use for Office 365 and inevitably the prime attack vector for threats!
Microsoft’s work on the security of Office 365, combined with dedicated cybersecurity tools, might lead you to believe that the solution for protecting users of the office suite is actually available from the vendor. But faced with the explosion of threats and the dramatic consequences attacks can have on companies – in 2016, the Chamber of Commerce and Industry (CCI) Occitania revealed that, short term, 60% of SMEs hit by cyberattacks go out of business! – the analysts at Gartner recommend using non-Microsoft tools to maintain security. Microsoft itself has no problem with this. In 2020, 50% of all organizations that use Office in SaaS (Software-as-a-Service) mode, will enhance their security with tools from third-party providers.
Protect the email systems, and protect and be protected from email
Gartner laid down its vision of protection of applications and services offered as SaaS, available in the cloud like Office 365, in the form of a security framework, the “Gartner Framework for SaaS Security Controls,” which has the merit of offering a global vision of security, access and threats. We note (see below) that the protection against threats supported by emails (spam and malware) tops the list of the analysts’ recommendations. Microsoft’s internal security controls on its cloud can be considered sufficient to protect its subscribers from each other. On the other hand, the Gartner analysts place less emphasis on protecting the vendor’s cloud than on deploying antispam and malware scanning capabilities as well as sandboxing for administering proactive protection.
Analysts suggest studying the suitability of data security features and protections on the Office 365 platform based on risk tolerance, compliance requirements, and content storage and delivery requirements. The idea is to calibrate the protection according to both the company’s and the data’s vulnerability to cyberattacks. But can we consider an enterprise-wide anti-malware and anti-spam protection based on lists of authorized or blocked senders offered by EOP (Exchange Online Protection) and built into Office 365 to be sufficient? Gartner reminds us that sophisticated attacks will find a way to get around these reputation-based defenses. What’s more, Microsoft doesn’t offer SLAs for secure attachments.
Substituting a third-party email system hygiene service
This is why, for the protection of email systems and email, and noting that some of their its customers “systematically” report their dissatisfaction with Microsoft’s EOP and ATP security solutions, the Gartner analysts advise using third-party tools, which are broader spectrum, more powerful and faster than Microsoft’s capabilities. Moreover, these tools can thwart some particularly dangerous attacks by comprehensively analyzing the message’s envelope and content, including links and attachments, using artificial intelligence.
Microsoft offers several supplementary fee-based tools from its application catalog. But can we content ourselves with “calibrating the protection” when the integrity of the email systems remains threatened by the use restrictions of Microsoft-labeled products? When it comes to cybersecurity, the need to protect your email system – the key vector for threats and attacks affecting the whole company, can’t be met in an approximate way. The Gartner analysts were unanimous in advising those for whom the Microsoft offer is not suitable to “substitute a third-party email system hygiene service”. Advice that is all the more critical when the company uses several SaaS applications. Because the software world doesn’t end with Microsoft.