September 12, 2016

How secure is Office 365?

By SpiderGroup

For many companies, security is a vital aspect of their IT system so its important that we have a proper look at what Microsoft is doing to secure Office 365. The TL;DR (too long; didn’t read) answer to this question is that they are doing everything that they should be but nothing is quite 100% secure. The likelihood is that its much more secure than anything that you are using at the moment, especially if you have an onsite system.

What do Microsoft do to keep me safe?

Security is quite a complicated subject and can get very technical at times so I’ll address some of the high level concepts to begin with. Microsoft have four key pillars:

1. Prevent breach

This includes port scanning and remediation, perimeter vulnerability scanning, operating system patches, network level Isolation/breach boundaries.

DDoS (Distributed Denial of Service) detection and prevention. Just-in-time access, live site penetration testing, and multi-factor authentication for service access.

2. Detect breach

System and security alerts are brought together and correlated with an internal analysis system and then are put through machine learning algorithms to enhance the detection over time.

3. Respond to breach

This is used to mitigate the effects if a system is compromised. Standard operating procedures are then used to provide the ability to deny or stop access to sensitive data. Identification tools then identify the parties involved to make sure mitigation has been successful.

4. Recover from breach

This contains the operating procedures to return the service to normal operation. This involves updating the security principles, auditing the current state and trying to identify any anomalies.

What does this actually mean?

In depth defence

The idea behind this is that you have multiple layers of security that have to be breached for an attacker to reach the data. Think of this as a castle with a moat, draw bridge, high stone walls and boiling tar.

Microsoft have the following layers:


Data Centres:

• Custom built with restricted access 24 hours a day

• Multiple authentication and security processes, including badges and smart cards, biometric scanners

• Monitored using motion sensors, video surveillance, and security breach alarms


• Controlled devices at the edge of the network

• Only allowing connections that are necessary and blocking everything else (a deny by default policy)

• Access Control Lists (ACLs)

• Edge router security allows the ability to detect intrusions and signs of vulnerability at the network layer

• Segmented networks providing physical separation of critical back-end servers and storage devices from the public-facing interfaces


• Automated operations (removing human error)

• Restricted admin access to data

• Role based access control

• The servers in the Office 365 service have a pre-determined set of processes that can be run using Applocker

• Auditing and review of all access

• Anti-malware, patching, and configuration management


• Office 365 is designed to host multiple customers in the service in a highly secure way through data isolation

• Data storage and processing for each tenant is segregated through Active Directory and capabilities specifically developed to help build, manage, and secure multi-tenant environments

• Active Directory isolates your data using security boundaries. This safeguards your data so that the data cannot be accessed or compromised by co-tenants

• All customer-facing servers negotiate a secure session using SSL/TLS (Secure Sockets Layer / Transport Layer Security) with client machines so as to secure the data in transit

• Bit locker is one of the mechanisms used to encrypt data at rest

• Certain services also use file level encryption (e.g. Skype for Business Online Web Conferencing server)

Human Factor

Whilst Microsoft invest millions of dollars into securing the actual platform that is Office 365, normally the weakest link is the people that are using the system. Passwords are the method used to gain authorisation but some people don’t know how to deal with this properly and end up writing passwords down next to, or near, their computer or give them away in exchange for chocolate.

My suggestion would be to use the Multifactor authentication, as this requires more than just a password. Luckily this is a built-in part of Office 365 and I would recommend turning it on to reduce the “human factor”. Another more general way to reduce the human factor is to employ a password manager like LastPass or 1Password as this means the users only have to remember one password. That said, they still need to be educated as this system alone won’t stop the lure of chocolate.


Office 365 has achieved a lot of industry accreditations and standards that give you confidence in Microsoft’s security technologies and best practices. Office 365 has been independently verified to show adherence to standards embodied in ISO 27001, SSAE 16 SOC1 Type II and HIPAA.

Office 365 is a great organisation productivity enabler and can provide your staff with an evergreen computing setup to ensure that technology doesn’t hold them back from achieving your business goals.

We help a lot of customers embrace Office 365 and provide guidance on how to get the most from this great system. If you would like some more information on our Office 365 support or management in Bristol or the South West, please fill in our contact form or you can give us a ring on 0117 933 0570.

More Thoughts