If you would like to read the first part of this article series please go to Are Free/Low Cost Web Apps Secure Enough for Business? – Part 1: Google Apps.
Introduction
In Part 1 of this two-part article, I discussed the evolution of the web from static content provision to application delivery, and how the impending rise of cloud computing will drive more and more businesses and individuals to a new model of accessing their data, applications and even operating systems. We discussed some of the security issues involved in online application services, and then took a more specific look at Google Apps, how they handle user data, and the measures they’ve taken to address security concerns. In Part 2, we’ll turn our attention to Microsoft’s Office Web Apps and its online productivity suite, BPOS, which has recently morphed into a new product called Office 365 that incorporates Office Web Apps and integrates it with the local Microsoft Office suite.
Sorting out Microsoft’s Online Office Offerings
A common issue with Microsoft is that often, they have several different products that seem to do essentially the same thing. Now when you dig deeper, you usually find that there are important differences and the products are aimed at different markets, and/or one of the products is a superset of the other, or the products are designed to work together. In the case of their online productivity products, it’s a little bit of all of those.
Office Web Apps are free for personal use, the web-based version of Microsoft Office that includes online versions of Word, PowerPoint, Excel and OneNote, which was released along with the 2010 version of Microsoft’s traditional Office suite. You can use IE 7 and above, Firefox 3.5 and above, Safari 4 or Chrome to access the web-based applications. The Web Apps also integrate with Windows Live SkyDrive, Docs.com, Hotmail and the new Facebook messaging system, so that you can access the Web Apps through those other services.
BPOS (Business Productivity Online Suite) is an online service that offers “cloud” versions of Exchange, SharePoint, Office Live Meeting and Office Communications Server. Office 365 is the latest incarnation of BPOS, which is currently in beta testing and will become available in 2011. It is built on the latest versions of the server products named above (with Office Communications Online renamed to Lync Online) and adds Office Web Apps. It works with the popular browsers, and can be accessed via mobile devices, as well. I recently wrote an article explaining Office 365’s features in more detail, which should be published soon on our sister site, WindowsNetworking.com.
What are the Security Issues?
Many of the security concerns are common across all web-based services, and we discussed those in Part 1: lack of control over where the data is stored and who has access to it, how deleted data is handled, what encryption methods are used to protect data in storage and as it travels across the network. There are further concerns related to the integration of Office Web Apps with a social networking platform such as Facebook, which will allow one-click access to Web Apps documents through Facebook messages.
In October, Microsoft released Security Bulletin MS10-079, which included a security update for Office Web Applications 2010 that related to a vulnerability that could allow remote code execution via a Word file. This vulnerability also affects the traditional Office suites, from Office XP SP3 to Office 2010, and Office 2004/2008 for Mac. The takeaway from this is that in many cases the Web Apps are likely to be vulnerable to the same exploits as the comparable locally installed applications.
A big security advantage is that business customers with a volume licensing plan can run Office Web Apps on an on-premise server (on SharePoint 2010 or SharePoint Foundation 2010). When deployed this way, the organization maintains control in a way that they don’t with a consumer oriented service such as Google Apps. This way, the Office Web Apps server runs behind your corporate firewall.
An interesting issue is that Office Web Apps doesn’t work with documents that are in libraries protected by Information Rights Management (IRM). You get an error message if you attempt to open an IRM protected document in the Web App. You’ll have to open the document in the local Office application instead.
If you have deployed Office Web Apps on an on-premise SharePoint server, you can configure whether browser-enabled documents will open in the browser or in the Office client application by default. This is done either in the SharePoint Central Administration interface or with a PowerShell cmdlet. You can find out more about how to do that here.
BPOS/Office 365 Security Mechanisms
BPOS and Office 365 are designed for the business world, and Microsoft recognizes the importance of security for critical business data. Office 365 incorporates a number of security mechanisms to make business customers feel more comfortable about moving to the cloud for essential IT services such as email, collaboration and communications. 128 bit SSL/TSL encryption is used to protect transmissions when users access the Office 365 applications. Antivirus protection is also run and definitions kept up to date. Forefront Online Protection for Exchange (FOPE) protects email from malicious software and viruses, using multiple AV engines as well as anti-spam filtering.
Microsoft monitors the systems running the Office 365 applications continuously for any suspicious activity. If such is detected, they respond according to their established incident response protocol. In addition, security audits are conducted on a regular basis and the development, deployment and maintenance of the online services are all subject to Microsoft’s Security Development Lifecycle (SDL).
The SDL process includes developing threat models for each component of the service and categorizing threats (denial of service attacks, elevation of privilege attacks, information disclosure threats, malicious modification of data, identity spoofing). After the specific risks are identified, the developers will develop countermeasures for those risks, with priority placed on the risks that are judged to be most severe.
Microsoft operates the Online Services Risk Management Program (RMP) to ensure that the services meet or exceed industry-accepted standards and comply with best practices. This includes third party audits.
There is an education process in place whereby managers and employees who operate the online services are updated on security issues, policies and processes, and performance in those areas is evaluated on an on-going basis. The “defense in depth” layered security strategy addresses both physical and logical security. Microsoft’s data centers meet the standards for “carrier class operations.” This includes physical security of the building itself, access controls to limit physical access to authorized personnel, motion sensors, video camera surveillance and alarm systems, as well as redundant power supplies, multiple fiber trunks and other redundancies.
Data center personnel have restricted access based on their job tasks and security mechanisms for authenticating their identities include smartcards and biometrics. Ongoing video surveillance helps detect unauthorized access and security officers are stationed on the premises to investigate any suspicious happenings. For those employees who have remote access to the data center servers, it occurs over a 128 bit encrypted connection that utilizes a two factor authentication (smart card and PIN). There is a segregation of duties so that access to various facets of operations is tightly controlled. Development teams are not allowed routine access to the production environment, and operations staff is not allowed access to the source code. The principle of least privilege is followed, granting users (and systems) only the minimum permissions they must have to perform their jobs.
The network is segmented to isolate internal servers and storage from the machines that face the public network, and the servers themselves incorporate redundant power supplies, NICs, and full failover, with hot swappable hardware so as to minimize disruptions in service for repair and maintenance.
All of the Office 365 hosted services support authenticated, encrypted communications and support for S/MIME and Rights Management Services (RMS), as well as protective measures such as client side blocking of email attachments, restriction on relaying, real time block list (RBL) and device policies for smart phones and other mobile devices that support remote wipe and PIN lock.
Servers are scanned to detect incorrect/insecure configuration and vulnerabilities. Intrusion Detection Systems (IDS) continuously monitor for intrusions and are set up to immediately notify personnel if suspicious activity is detected. Servers are also monitored by Microsoft Systems Center Operations Manager and the administration model is tri-level. This is role-based administration that controls access to administrative tasks depending on the administrator’s level of administration.
The servers are all hardened, with unnecessary services disabled and file shares secured. Data Execution Prevention (DEP) performs memory checks to prevent the running of malicious code. Of course, all servers in the data center have security updates applied in a timely manner.
The network connections from customers’ networks to the data center use SSL certificates and are protected with 128 bit encryption. Security policies are in place and firewalls and filtering routers at the edge of the Online Services network inspect the packets that arrive there before they can enter the network.
Microsoft follows the ITIL (Information Technology Infrastructure Library) framework for management of the software services, as well as Microsoft’s own operations framework (MOF), both of which prescribe best practices to ensure both security and reliability. These govern change management, incident management and problem management. Compliance of security implementations is assessed based on the ISO 27001 guidelines.
Summary
You can find out more, including details of Microsoft’s security incident response protocols and service continuity program, and more information about the compliance assessment and audits, in this 33 page whitepaper, Security in the Business Productivity Online Suite from Microsoft Online Service.
If you would like to read the first part of this article series please go to Are Free/Low Cost Web Apps Secure Enough for Business? – Part 1: Google Apps.
