Ironically, security is barely ever at the forefront of considerations driving an organisation’s transition from running SharePoint on-premises to using its cloud counterpart – SharePoint Online. If nothing else, it is quite often seen as a deterrent – as IT managers, compliance officers and business data owners alike worry about moving company information from the ‘safe haven’ of their inner perimeter to the ‘big unknown’ of a public cloud service.
How justified is this on-prem-leaning view? Well, while we do not purport to dispel all of the aforementioned concerns in this post, we try to highlight the chief reasons why your InfoSec team should be rooting for the move to the cloud.
Integration with the Enterprise Mobility + Security suite
Before talking about the benefits of Microsoft’s Enterprise Mobility + Security suite (which is a separate offering, licensed independently from Office 365) it is worth pointing out that even without extending your cloud transformation budget to include EM+S licenses you will be able to benefit from a single identity for each user across your enterprise.
The free edition of Azure Active Directory – which is the principal identity management solution behind Office 365 – allows for synchronisation of user and group objects from your on-premises Active Directory to the cloud. It also makes possible sign-in methods such as Seamless Single Sign-On and Pass-through Authentication, which not only streamline users’ experience but can also help reduce the load on your IT administrators.
The addition of EM+S to the picture introduces such capabilities as Conditional Access (based on a user’s group membership, location or device) and multi-factor authentication. With EM+S E5 licenses you can create Conditional Access policies based on risk, and use privileged identity management (PIM) for your SharePoint administrators.
Most importantly, the integration of those capabilities with SharePoint Online is native and straightforward, requiring no extra infrastructure effort. Achieving a similar result with SharePoint on-premises, by contrast, would require the implementation of components such as Active Directory Federation Services (AD FS) and MFA Server, which demand extensive planning and design and are not exactly a walk in the park to deploy either.
Native DDoS protection
This is the part where a lot of readers will say “Huh – I don’t really care about DDoS, as my SharePoint farm is only available internally”. We hear you. But how confident can you be that your business needs will not change tomorrow?
Yes, providing external access to your own users is easily achievable with a VPN connection – but what if the business calls for collaboration with other parties? Even if your SharePoint service is not exposed, maybe some other services in your data centre are. Can a successful attack on any of them also bring SharePoint down, by virtue of a shared infrastructure?
Those of you who are already exposing on-premises SharePoint to the wider world have some tough questions to answer, too.
Have you designed the farm with sufficient capacity to absorb an attack long enough for you to detect it? Can you continue delivering the service from elsewhere if your primary datacentre is affected? Have you taken the time and effort to even configure SharePoint’s built-in throttling capability? And even if the answer to all of the above is ‘Yes’ – what does this mean for your bottom line?
Microsoft own and operate the second largest private network in the world and continue to invest extensively in the research and development of attack detection and mitigation techniques. The sheer scale of their operations allows them to approach network security in ways that most smaller organisations would not be able to even dream of.
Not only do they protect the network with advanced means such as purpose-built edge firewalls, global equal-cost multi-path (ECMP) routing and the hyperscale Azure DoS correlation and detection system – they also replicate your data between redundant global datacentres.
On top of that, SharePoint Online implements per-user throttling (with no configuration required on your part), which automatically throttles back excessive requests from the same source.
If you would like to know more, Microsoft have published an excellent whitepaper on this topic.
Intelligent Security Graph
Graphs have been all the hype in data processing software in the last few years. It is not a particularly easy concept to get your head around (unless you are a data scientist), but if you are curious we would recommend you start with the somewhat more approachable A Gentle Introduction To Graph Theory.
What you really need to know about the Intelligent Security Graph is that some very clever people at Microsoft have created a graph-based intrusion detection system that allows them to rapidly detect unauthorized access by applying advanced data analysis algorithms to terabytes of telemetry information gathered daily.
This information is then accessible to the Office 365 security teams to aid their proactive threat mitigation efforts. Some of it is also available to you through the Threat Management section of the Office 365 Security and Compliance portal.
An interesting (albeit not exactly up-to-date) account of how graph analytics help keep Office 365 services secure can be found in the blog post Defending Office 365 with Graph Analytics.
Simplified Rights Management
Even though the capability to protect documents in SharePoint with Information Rights Management (IRM) has been available for years (you may even be using it), setting it up is quite an involved process as it requires the deployment of Active Directory Rights Management Service (AD RMS).
In addition, extra effort is required if protected documents need to be opened outside of the corporate network – and AD RMS is not so great for scenarios where information needs to be shared with external parties.
SharePoint Online, on the other hand, achieves persistent data protection by means of native integration with the Azure Information Protection (AIP) service. Only minimal initial configuration is required before document libraries can be protected, and because anyone can obtain a free Azure RMS for Individuals license, worrying about sharing with external users becomes a thing of the past!
For more information, check out How Office applications and services support Azure Rights Management.
Unified audit log
Last but certainly not least, Office 365 provides a unified audit log, accessible and searchable through the web interface (as described in Search the audit log in the Office 365 Security & Compliance Center), via PowerShell or the Office Graph API.
Unlike auditing in SharePoint on-premises, which only tracks 10 event types, Office 365 tracks literally hundreds, including events relating to external sharing and offline synchronisation.
More importantly, it allows for a holistic view across the entire SharePoint Online tenant – which is something that, as you might know, is not available in SharePoint on-premises, where search is only possible within each single site collection, and results have to be collated manually if desired.
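As an added example of the PowerShell route mentioned above (this is not code from the original post or from Microsoft), the script below pulls a tenant-wide view of sharing events from the unified audit log and keeps only those involving guest users or anonymous links. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a role with audit log read permission.

```powershell
# Added example (not from the original post): tenant-wide review of external
# sharing in SharePoint Online via the unified audit log.
# Assumes the ExchangeOnlineManagement module and an account with audit-log read rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Page through large result sets: the same SessionId with ReturnLargeSet returns
# the next page on each call until nothing is left (up to 50,000 records per session).
$records   = @()
$sessionId = "ExternalSharingReview-" + (Get-Date -Format 'yyyyMMddHHmmss')
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointSharingOperation `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $batch
} while ($batch.Count -gt 0)

# AuditData is a JSON string; expand it and keep sharing with guests or anonymous links.
$external = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    $isGuest = $d.TargetUserOrGroupType -eq 'Guest'
    $isAnon  = $d.Operation -in @('AnonymousLinkCreated', 'AnonymousLinkUsed')
    if ($isGuest -or $isAnon) {
        [pscustomobject]@{
            Time      = $d.CreationTime
            Operation = $d.Operation
            Actor     = $d.UserId
            Target    = $d.TargetUserOrGroupName
            Site      = $d.SiteUrl
            Item      = $d.ObjectId
            ClientIP  = $d.ClientIP
        }
    }
}

# ReturnLargeSet does not guarantee ordering, so sort before reviewing.
$external | Sort-Object Time | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

The same records can be exported with Export-Csv for a periodic review, which is the collated, cross-site view the on-premises audit log cannot give you.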