Exchange Online Security and Compliance 101 (Part 1)

by Henrik Walther [Published on 3 Nov. 2016 / Last Updated on 3 Nov. 2016]

In this article, I will provide you with information about “out of the box” Exchange Online security, compliance and privacy. In addition, I will talk about what you can do to further improve security and compliance for your Exchange Online users and data.

If you would like to read the next part in this article series please go to Exchange Online Security and Compliance 101 (Part 2).

Introduction

Many thousands of customers (currently over 85 million active Office 365 users) have made the move to the Exchange Online (EXO) service in Office 365 over the last several years. Just as many are currently planning to migrate from their on-premises messaging solution to EXO in the foreseeable future. Whether you like it or not, this trend will continue. As a matter of fact, from August 2012 through August 2016, Microsoft saw a growth rate of 3000% in the number of Exchange servers that had to be deployed in the service in order to keep up with the number of mailboxes migrated to it. When it comes to mail flow, it is not unusual to see more than 100 billion messages delivered in a single month, just to put things into perspective.

So why is Exchange Online so popular? The short and simple answer is that it makes sense for most organizations to migrate to EXO instead of maintaining their own hardware and software and spending money on storage, cooling, and server footprints in the on-premises datacenter(s). This becomes even more true as time goes by. I typically compare it to leasing a car instead of buying it. You don’t buy the EXO licenses, you lease them. Also, you don’t need to worry about upgrading or migrating to the latest and greatest version of Exchange Server, or about patching and operating it. That is the responsibility of Microsoft. Instead, you as an IT organization can spend the time on other things that push the efficiency of the business to the next level.

There are of course organizations that have decided to keep their messaging solution on-premises, typically because of regulatory compliance requirements they need to adhere to or because the service lacks a security feature they need. This is especially true for the governmental and financial sectors. However, new datacenters have been launched in the United Kingdom and Germany, with France to follow soon, and security and compliance is an ongoing process rather than a steady state, meaning that improvements and new features in this area are baked into the service on a frequent basis. For this reason, organizations that couldn’t migrate to EXO one year may be able to reconsider the next year.

Microsoft incorporates security at all levels of the service, from application development to the physical datacenters to end-user access. Very few organizations have the ability to match the security of EXO, and the few who can will not be able to do so at a reasonable cost.

Although security, compliance, and privacy in EXO and Office 365 in general are extremely important to Microsoft, and EXO includes built-in security features that make it simpler to protect data based on your business needs, you as an organization also need to do your part in order to ensure your Exchange Online users and data are properly protected.

In this article series, we will take a look at the essential “out of the box” security, compliance and privacy features. In addition, we will dive into the features and options you have at your disposal in order to further improve security and compliance for your EXO users and data.

Exchange Online Service-Level Security

For a cloud-based service provider, it is vital to keep software and hardware technologies up to date using robust processes. But robust processes are not enough on their own. You also need the right personnel (skilled and experienced engineers), who are continuously trained to maintain, enhance and verify that the software and hardware are kept up to date using those processes.

In order to keep security at the top of the industry, Microsoft uses processes such as the Security Development Lifecycle (SDL), which is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost. In addition, Microsoft employs techniques that not only throttle traffic but also prevent, detect and mitigate breaches.

Note:
You can find more information about the Security Development Lifecycle (SDL) here.

Unlike most other cloud service providers, Microsoft has many years of experience building enterprise software and for this reason really understands what enterprise-level security, compliance and privacy are all about.

The Exchange Online team at Microsoft uses a so-called “defense-in-depth” strategy to protect customer data through three layers of security:

  • Physical layer
  • Logical layer
  • Data layer

By using the defense-in-depth strategy, the team has security controls present at various layers of the EXO service, and if one area fails, there are compensating controls to maintain security at all times.

The defense-in-depth strategy also includes tactics such as port scanning and remediation, perimeter vulnerability scanning, operating system security patching, network-level DDoS detection and prevention, and multi-factor authentication for service access, in order to detect, prevent and mitigate security breaches before they happen.

Furthermore, in order to prevent breaches, the service engineering teams also adhere to people and process procedures such as:

  • auditing of all service engineer access and actions
  • zero standing permissions for engineers in EXO
  • just-in-time access and elevation, granted as needed and only at the time of the need (i.e. when troubleshooting the service)
  • segregation of the employee email environment from the production access environment
  • mandatory background checks for high-privilege access to the service

All unnecessary accounts are deleted automatically, such as when an engineer moves to another group, leaves Microsoft, or does not use the account before the set expiration.
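The zero-standing-permissions, just-in-time elevation, auditing and automatic account expiration procedures described above are easy to state but easy to get subtly wrong (for instance, letting an elevation silently outlive its window). The following is an added example, not code from the article and not Microsoft's implementation: a small Python model of an access broker in which engineers hold no standing role, elevation is time-boxed and must carry a justification, every decision is written to an audit trail, and accounts that go unused past a retention window are removed. The role names, ticket reference, timestamps and the 4-hour / 90-day policy values are constructed for illustration.

```python
"""Added example: a minimal just-in-time (JIT) access broker with
zero standing permissions, audited decisions and account expiry.
This is illustrative code, not Microsoft's or the article's own."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Account:
    name: str
    last_used: datetime
    # No standing role: an account only holds a role while an elevation is live.
    elevated_role: Optional[str] = None
    elevation_expires: Optional[datetime] = None


@dataclass
class AccessBroker:
    accounts: Dict[str, Account] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)
    account_ttl: timedelta = timedelta(days=90)    # constructed policy value
    max_elevation: timedelta = timedelta(hours=4)  # constructed policy value

    def _audit(self, now: datetime, actor: str, action: str, **details) -> None:
        # Every grant, denial, lapse and deletion is recorded, never just the grants.
        self.audit_log.append({"time": now.isoformat(), "actor": actor,
                               "action": action, **details})

    def request_elevation(self, now: datetime, actor: str, role: str,
                          justification: str) -> bool:
        """Grant a time-boxed role to a known account that supplies a justification."""
        acct = self.accounts.get(actor)
        if acct is None:
            self._audit(now, actor, "elevation_denied", reason="unknown account")
            return False
        if not justification:
            self._audit(now, actor, "elevation_denied", reason="missing justification")
            return False
        acct.elevated_role = role
        acct.elevation_expires = now + self.max_elevation
        acct.last_used = now
        self._audit(now, actor, "elevation_granted", role=role,
                    justification=justification,
                    expires=acct.elevation_expires.isoformat())
        return True

    def is_authorized(self, now: datetime, actor: str, role: str) -> bool:
        """Check a live elevation; a lapsed one is revoked on first use, not ignored."""
        acct = self.accounts.get(actor)
        if acct is None or acct.elevated_role != role:
            return False
        if acct.elevation_expires is None or now >= acct.elevation_expires:
            self._audit(now, actor, "elevation_lapsed", role=role)
            acct.elevated_role = None
            acct.elevation_expires = None
            return False
        acct.last_used = now
        return True

    def expire_unused_accounts(self, now: datetime) -> List[str]:
        """Delete accounts not used within account_ttl and record each deletion."""
        stale = [n for n, a in self.accounts.items() if now - a.last_used > self.account_ttl]
        for name in stale:
            del self.accounts[name]
            self._audit(now, "system", "account_deleted", account=name,
                        reason="unused past expiration")
        return stale


def demo() -> AccessBroker:
    """Walk one elevation through grant, use, lapse and account clean-up."""
    t0 = datetime(2016, 11, 3, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    broker = AccessBroker()
    broker.accounts["eng-a"] = Account("eng-a", last_used=t0)
    broker.accounts["eng-b"] = Account("eng-b", last_used=t0 - timedelta(days=120))
    broker.request_elevation(t0, "eng-a", "MailboxTroubleshooter",
                             "TICKET-0001 (constructed reference)")
    broker.is_authorized(t0 + timedelta(hours=1), "eng-a", "MailboxTroubleshooter")  # live
    broker.is_authorized(t0 + timedelta(hours=5), "eng-a", "MailboxTroubleshooter")  # lapsed
    broker.expire_unused_accounts(t0)  # eng-b has been idle for 120 days
    return broker


def denial_cases() -> tuple:
    """Both denials are refused and both leave an audit entry."""
    t = datetime(2016, 11, 3, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    broker = AccessBroker()
    broker.accounts["eng-c"] = Account("eng-c", last_used=t)
    unknown = broker.request_elevation(t, "ghost", "MailboxTroubleshooter", "x")
    no_reason = broker.request_elevation(t, "eng-c", "MailboxTroubleshooter", "")
    return unknown, no_reason, len(broker.audit_log)


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

The design choice worth noting is that `is_authorized` revokes a lapsed elevation and audits the lapse at the moment of use, so the audit trail shows not only who was granted what, but also where an attempt to keep using expired access was stopped; the account clean-up likewise leaves a record rather than deleting silently.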

We all know that humans make mistakes. For this reason, the Exchange Online team is a big fan of automation whenever possible. This includes deploying new servers, debugging, diagnostic collection and restarting services. The Exchange Online team invests heavily in systems automation that helps identify abnormal and suspicious behavior, and responds promptly to mitigate any security risks. In addition, penetration tests are performed on a regular basis (red team versus blue team), so that incident response procedures can be improved.

Final thought

When you decide to move your data to a cloud service, the first thing that concerns you is likely security. It’s important that you trust your cloud service provider, because that provider will be responsible for doing their part (you also play a role here) to protect your data. When it comes to the service-level security described above, you should feel comfortable using Microsoft as your cloud service provider, as they take security very seriously and have well-established, robust processes in place to ensure your data is protected.

This concludes part 1 of this multi-part article series. In the next part, we will talk more about the compliance and privacy aspects of the EXO service.


The Author — Henrik Walther

Henrik Walther is a respected writer with a special focus on Microsoft Exchange and Office 365 solutions. He works as a Principal Architect/Consultant on engagements of all sizes and complexity and has close to two decades of experience in the IT business.