Office 365 Security and Compliance Tools for Collaboration Apps – Are You Covered?

Mike Shea
By Mike Shea

Office 365 Solutions Architect Sr. Advisor, Dell EMC Consulting November 12, 2018

Microsoft has an ever-growing list of Security & Compliance tools for Office 365. With the multitude of tools and rapid pace of new releases, it can be challenging to keep track of everything. Ensuring security and compliance in the cloud is top of mind, especially with so many organizations moving to Office 365.  After all, it’s the cloud productivity platform of choice. Therefore, you’ll want to ensure your organization is protected by understanding the most relevant security and compliance features for Office 365 collaboration services.

Security & Compliance Center

In the on-premises version (and earlier days of Office 365), SharePoint had its own features for security & compliance, including document deletion policies, in place record management, site closure / deletion, information management policies, and the eDiscovery Center. These features would allow you to manage the retention or modification of files; however, they only applied to content within SharePoint. In Office 365, content and data may be stored in multiple applications including Exchange, Teams, Skype, OneDrive, and of course SharePoint. As a result of this connected ecosystem of collaboration tools, Microsoft has built features that allow you manage retention and modification of files across all these services from a single place – the Security & Compliance Center. Instead of using the SharePoint-specific features, you should plan and implement retention policies and/or labels for more inclusive protection. Retention policies apply to ALL content within a selected service/area. Labels can be manually applied to individual items (or libraries) – or automatically applied (based on conditions) if you have an Office 365 E5 license. The auto-apply feature is particularly valuable when your business doesn’t want to leave this decision up to the content owners.

Another note on labels – the future of labels (starting to roll out now) also includes Azure Information Protection (AIP). Previously, this was a separate feature that also included “labels” to classify, protect, and/or encrypt content regardless of where it was stored (even outside of Office 365). As announced at Microsoft Ignite 2018, the AIP “labels” are soon going to integrate with Office 365 labels so that you can manage retention, records, and encryption/protection all through the same feature (labels) in the Security & Compliance Center.

Below are some of the other Security & Compliance Center features and how they relate to collaboration:

Using DLP, you can setup policies to search through content (no matter where it lives in Office 365) for sensitive information like credit cards, SSNs, drivers, licenses, etc. You can then complete some sort of action such as display a tool tip, send an incident report, block sharing, etc. when sensitive information is discovered.

eDiscovery allows you to complete searches across all Office 365 services to find content that may be related to a litigation or specific worker. Once discovered, you can then place that content on hold (and export) in the event it needs to be preserved for legal reasons or potentially as part of a worker termination.

Alerts utilize the Office 365 audit log to trigger messages when certain events occur in the environment. These can be used to notify administrators or compliance officers when workers complete an action (i.e. create/delete eDiscovery hold) so that they can follow-up.

Identity Protection with Azure Active Directory (AAD)

AAD has a plethora of features and tools that can be used to help secure your Office 365 environment.  Some that you should consider as part of your collaboration services design are:

  • Conditional Access Policies – using conditional access policies, you can alter the experience for workers based on certain conditions, including which device the worker is connecting with (Windows, Mac, iOS, etc.), the location (corporate network, public network), the app being used (browser, Office app), or even the device state (compliant, non-compliant). This can be paired with Multi-Factor Authentication (MFA) and even Azure Identity Protection to force workers to use a 2nd form of authentication when accessing from certain scenarios, including outside a trusted network, on a non-trusted device, or even from situations considered “risky” (i.e. anomalous).
  • Privileged Identity Management (PIM) – PIM is an administrative feature that allows you to create a request/approval workflow process for obtaining administrator access in Office 365. This means that your administrators could be standard workers most of the time and elevate their permissions only when needed – to complete a help desk ticket, for example.
  • Office 365 Group Policies – Office 365 Groups are becoming the backbone of the modern collaboration experience. They are created with any new SharePoint team sites, Yammer groups, Outlook Groups, Planners, or Microsoft Teams. To prevent these features from becoming unmanageable, consider using governance controls including naming policies, expiration policies, classifications, usage guidelines, and provisioning.
  • Idle Session Timeouts – these timeouts can be configured to warn and then eventually sign workers out of SharePoint and/or OneDrive if there has been no browser activity in a pre-defined period.

Many of the AAD features above require you to have either Office 365 E5 or EM&S E3/E5 licenses.

Tools with Linkages to Collaboration Apps

Below are a few other security and compliance tools with specific tie-ins to the Office 365 collaboration apps are particularly noteworthy.

  • Office 365 Secure Score – this tool provides a calculated score for your Office 365 tenant based on services in use and features available for securing the environment. Note that not all the security recommendations within this tool are applicable to every organization due to differing requirements and licensing. However, this it can be used to find some collaboration related recommendations and assistance on how to configure them.
  • Office 365 Cloud App Security (CAS) – CAS is a tool that can be used to monitor and take action on all of the cloud apps used across the organization. It has features that can alert an administrator of anomalous and potentially risky behavior, block usage of certain cloud apps (to fight “shadow IT”), or even apply conditional access policies or AIP labels to content that lives in other collaboration apps such as Box, Dropbox, and G-Suite.
  • Office 365 Advanced Threat Protection (ATP) – ATP is primarily focused on protecting workers from cyber-threats in email; however, the Safe Links and Safe Attachments features can also work with content stored in SharePoint and/or OneDrive. These features will scan the link (within a file) or the file itself in a “detonation chamber” to ensure it is not malicious before allowing the worker to open it on their device.
  • Compliance Manager – this tool helps you create and manage your compliance against certifications including GDPR, NIST 800-53, ISO 27001, etc. You can create assessments to document and test your implementation plans against all the controls in each of your compliance policies.

Note that Office 365 CAS and ATP require either Office 365 E5 or add-on licenses.

Adopt Cloud Collaboration Services with Confidence

As with any release that impacts the features and functionality for your workers, ensure you have a communication and education plan in place – or adoption will suffer. Most of these features will impact your workers. They need to understand what’s coming, why it is important, and where they can go for education and help. Dell EMC offers services for every step of your Office 365 journey, so if you need assistance planning or deploying Office 365 security, reach out to your Dell EMC representative to learn how we can help.  Or if you prefer, leave a comment here and I’ll be happy to respond.