Microsoft Ignites a new Focus on Security (Part 3)

In Part 1 of this article series, I discussed how Microsoft held its very first Ignite conference the first week of May, in Chicago, with many of the sessions focused on security in the cloud. We talked about the announcement regarding more flexible patching cycles (and the possible end of Patch Tuesday as we know it) and the introduction of Windows 10 Device Guard. In Part 2, we started to look at more of the new security features, products and services, beginning with one that has been getting a lot of attention: Microsoft Advanced Threat Analytics.

In this, Part 3, we’ll look more closely at the Ignite presentations regarding what Microsoft is doing about security in the cloud and specifically in Office 365.

Adapting to the new paradigm

The cloud, by almost all accounts, continues to be a disruptive technology. That terminology gets thrown around a lot and has become a popular buzzword in the industry, but not everyone knows what it really means. In general, a disruptive technology is one that not only creates a whole new market but also displaces the old one. The automobile was a disruptive technology that displaced the horse and buggy industry, and television was a disruptive technology that displaced radio. In some cases, such as the telephone’s displacement of the telegraph, the old technology almost completely disappears. In others, such as the TV, the old one adapts and changes (or shrinks) as story-based radio shows such as The Avengers, Buck Rogers and Hopalong Cassidy moved to the new visual medium and radio became a venue for music, news and talk/opinion formats.

The cloud hasn’t yet replaced on-premises computing completely and probably never will. But it has affected the markets for such things as hard drives (cloud storage means less local storage is needed), server sales (cloud services mean more and more organizations are shrinking the number of servers in their own data centers), and some would even say it’s eventually going to make the IT pro – at least in its current form – obsolete.

One area in which the cloud has brought about and is still bringing about significant change is in the arena of security. In the beginning of the cloud era, security was the great stumbling block for many organizations as they considered moving resources off premises. Now that the cloud is maturing, orgs and individuals are realizing that cloud providers in many cases are capable of providing better security than most businesses can afford to implement on premises.

Still, opinions vary as to whether cloud security is ready for prime time. Some surveys indicated that Security is No Longer a Major Concern in Cloud Adoption, but that doesn’t seem to hold true in all sectors. As recently as June 2015, a study from the Cloud Security Alliance (CSA) found that “a large number of security concerns are [sic] keeping financial firms on the sidelines looking in at cloud computing.”

Cloud providers know that customers care very much about security issues and that this is one of their top criteria in selecting between competing cloud services. Microsoft, in aspiring to lead the market in cloud services, has made security a priority in their cloud services, including what they hope will eventually replace on-premises Exchange servers for business email and traditional local instances of Microsoft Office applications: Office 365. So we’ll look now at what the company is doing to ensure that users of the service don’t have to worry about the security of their messages and the documents and files they create with Office Online apps.

Advanced Threat Protection in Office 365

One of the most highly rated presentations at Ignite was given on the first day by Jeremy Chapman and Vishwa Shobhit Sahay, and titled First Look at Advanced Threat Protection in Office 365 to Stop Unknown Malware and Phishing Attacks. Jeremy Chapman is a Director of Office and Office 365 technologies at Microsoft who hosts a weekly web show about Office 365, Office Mechanics. Shobhit Sahay is an Office 365 security product manager.

The presentation discussed the diversity of threats to which Office 365 is subject: known threats such as viruses and malware that have already been identified and for which definitions are available, unknown threats (zero day exploits), and phishing attacks and spam attacks. They demonstrated some typical attacks from the perspective of the attacker, and then showed how Microsoft’s advanced threat protection technologies protect against them. You can watch the video of this talk here.

Office 365 Security and Control

In another presentation, Sara Manning Dawson (Group Program Manager for Office 365) talked in depth about Office 365 Security and Control. She began with a discussion of Microsoft’s philosophy regarding their online Office services: “It’s your data; you own it and control; we just run the service for you and we are accountable to you.” This is, of course, the essential starting point for establishing trust and creating an environment in which customers can feel safe about putting mission-critical data and applications into the cloud. She pointed out that Microsoft literally has hundreds of billions of items to protect in Office 365, and offered assurances that the company is in fact “invested accordingly.”

After a brief overview of a few of the many high-profile data breaches that have occurred in the past few years and a breakdown of the motivations behind them – ideology, espionage and financial gain, the latter being the most prevalent and thought to be responsible for almost three quarters of the attacks – she offered some specifics as to the “street value” of different types of stolen data. According to the information presented, this can range from three dollars for a social security number to a thousand dollars for a valid user name and password to an online banking account. The presentation further pointed out that criminals often use a third party vendor’s or contractor’s or an employee’s compromised credentials to get into these networks and access customer data.

Next, Ms. Dawson presented information from Microsoft’s Enterprise Focus Group, showing some of the top concerns of enterprise customers regarding the cloud services and data centers. Data privacy, data security and general security were at the top of the heap, with ninety-five percent rating this as a top priority. But general assurances aren’t enough; not only do customers want to be told that their data is safe, they want to know specifically who has access to it and what visibility they have into the activity surrounding their data. They also want to be able to use encryption to protect it, and they want to know what steps they can take to achieve more defenses and lower risk.

She explained and illustrated the attack surface for Office 365. As a Software as a Service (SaaS) offering, this includes networking, storage, servers, virtualization, the operating system, middleware, runtime, data and applications. Of course, protecting all of this from the many possible modes of attack requires a defense-in-depth approach. That means:

  • Content control and transparency, with encryption being the primary means of protection at the data level.
  • Physical security to control and prevent unauthorized access to the servers and data storage facilities where the data is housed.
  • Intrusion detection and prevention and vulnerability detection on the network.
  • Hardening configuration, change management and patching on the host systems.
  • Application security and access controls.

Next, the presentation goes into some details about how Microsoft accomplishes each of these:

  • Physical security: includes perimeter protection, fire suppression, multi-factor authentication for physical access, extensive monitoring, 24/7 onsite security staff, backup power that will last for days, and server redundancy with tens of thousands of physical and virtual machines. There is even seismic bracing to protect against damage in the event of earthquakes.
  • Network security: The Office 365 network is isolated from other Microsoft networks and protected by edge router Access Control Lists (ACLs) from the external traffic on the Internet.
  • Host/Application security: Microsoft uses a wide variety of protections to provide security at the host and application levels, including timely patching, malware protection, whitelisted processes, and auditing of all operator access and actions. Automated tooling for routine activities, zero standing permissions in the service, and the protections of the Security Development Lifecycle (SDL) in the development of the software also help to protect against attacks at this level.

Microsoft’s investments in Office 365 security go way beyond just implementing a few “set and forget” security measures. They continuously monitor for emerging threats and conduct “war game” exercises to prepare for the worst. They use red teaming – the process of detecting vulnerabilities and testing their security by taking the approach of a criminal hacker – and blue teaming, whereby another group defends the network. In addition, they have the Online Services Bug Bounty program to incentivize researchers to find and report security vulnerabilities for cash compensation.

The incident response process for Office 365 is well established and includes follow-through from event detection to customer notification and process, engaging DevOps, the security team and investigation and analysis to determine the scope of the incident and contain it, then determine the impact on customers and which customers are affected in the case of a breach.

At the content level, Microsoft’s cloud services use different encryption technologies to protect data files and entire drives (data at rest) as well as information as it moves across the network (data in transit). Technologies include TLS/SSL, BitLocker, and file- and message-level encryption. OneDrive encrypts the data stored there on a per-file basis and Exchange Online encrypts on a per-message basis, using the Azure Key Vault to protect the crypto keys that lock and unlock the mailbox database.

Summary

In this, Part 3 of our look at the focus on security that permeated this year’s Ignite conference, we started looking at Microsoft’s many mechanisms for securing cloud services – Office 365 in particular. In Part 4, we will continue with that discussion and finish the recap of those sessions.
