Features vs. Risks of the Office 365 cloud platform

Years ago, I was an IT consultant specializing in an industry well known for the sensitivity of its documents and communications. One of these companies, which had gone to great lengths to control any potential data leakage, tasked me with auditing their IT security.

During the course of the audit, we quickly found a weak point: Documents on their newly deployed Windows Terminal Services servers could be simply copied and pasted to remote computers.

We quickly created a policy to disable this capability, and examined how such a large security hole had been missed in a company that prided itself on keeping tabs on its data. But once it became known that the technology existed to work remotely via Terminal Services, important people within the company began to demand it, which hastened its rollout. And who could blame them? The technology provided a very real benefit — the ability to work from home and maintain a better work/life balance.

Adopting a new technology often forces difficult choices. On one hand, users are excited by new capabilities, new means of collaboration and less friction in their work. But on the other, organizations have a very justifiable concern that misuse of these exciting new capabilities could lead to exciting new problems.

The rapid adoption of Office 365 by organizations both big and small makes these choices even harder. Microsoft continuously updates Office 365 with new features that end users are usually eager to start using.

This leaves your organization with a difficult choice: Disable or slowly roll out Office 365 capabilities, or open the floodgates and provide new features immediately.

That choice becomes a little easier with Quest® On Demand Policy Management. From a single SaaS interface, your organization can enable Exchange Online and Skype for Business Online capabilities in a systematic, audited way. Let’s look at an example.

Skype for Business Online is open federated by default. This means your users can instant message (IM) and transfer files to other organizations that use Skype for Business, and IM with any of the 75 million users of the consumer version of Skype. That’s an enormous conduit for information flow — and one that often skirts established data loss prevention systems.

You could easily disable this capability for all Skype for Business users. But this ignores the very justifiable business reasons for users to IM contacts outside your organization.

On Demand Policy Management for Exchange Online and Skype for Business Online provides an elegant solution for this challenge. Using On Demand Policy Management, administrators can very easily associate Skype for Business and Exchange settings with groups of users. It doesn’t have to be all or nothing.

You could also create a policy that enables federation with external contacts for most users, but restricts it for users in high-sensitivity positions such as human resources or legal — and those restrictions will be kept up to date as users move in and out of those roles.

Another option would be to develop training on how to properly use instant messaging with outside contacts. Once a user completes that training, they could be added to an Office 365 group. That group could then be associated with an On Demand policy that enables the appropriate features to its members. As membership in that group changes, so do their capabilities in Skype for Business Online.

The tension between users eager to use new features and organizations concerned about the potential ways technology could be misused will always exist. Using tools like Quest On Demand Policy Management makes it easier to provide the right capabilities to the right users, and continually keep those capabilities up to date. End users can get new features and capabilities faster, and your organization can make sure they are being deployed in a systematic and controlled manner.

About the Author
Matthew Vinton
Matthew Vinton spent thirteen years consulting in the Microsoft Platform technology space before joining Quest in 2013. While he specialized in Active Directory engineering and migration, he has also...