Office 365 is a robust platform that (mostly) represents a win-win for both Microsoft and its customers: Microsoft benefits by moving its customers to the cloud where it can earn anywhere from 20 percent to 80 percent more per customer over the long term, and customers benefit by reducing their cost of ownership (for many, only in the short term) for email and collaboration by reducing the investments in the labor, power, and other costs required to manage on-premises systems. The result has been a major and continuing shift of on-premises Exchange (and other on-premises platforms) to Office 365 to the tune of several tens of thousands of users per month, a trend that Osterman Research expects to continue for at least the next two years.
Native Capabilities Provide Some Protection
Office 365 offers a range of native and add-on (for a fee) data protection capabilities that will archive and encrypt content generated and stored in Office 365, and it offers advanced threat protection capabilities designed to thwart more sophisticated security problems. While these capabilities offer some level of utility and can enhance the data protection capabilities for Office 365-enabled organizations and users, the use of third party archiving, encryption and security solutions will offer better protection. Here’s why:
Microsoft's Current State
- Archiving
Exchange Online Archiving (EOA) delivers a basic archiving solution for some Office 365 customers, but there are some serious limitations in EOA. These include indexing of only a limited number of file types, retention and archiving of emails based on relatively simple policies, limitations on the complexity of eDiscovery processes, index latency, the potential for modification of archived content, and other issues. At a higher level, while Microsoft has taken pains and invested significantly in new features and functionality in the infrastructure that supports Office 365, it’s important to keep in mind that the platform that supports customers’ archives is the same one that supports Office 365 itself, leading to a lack of true redundancy that can protect archived data.
- Encryption
Microsoft offers Office 365 Message Encryption (OME) for an additional fee per user per month, and it does provide some basic encryption functionality. However, OME does not allow usage restrictions to be applied to messages, does not allow messages to be revoked once they’re sent, and has a message size limitation of 25 megabytes. It also has a challenging user experience. Non-Office 365 recipients or those without a Microsoft account must either create an account or use a one-time passcode to read an encrypted message. Mobile users must download a viewer or read the encrypted HTML attachment in a mail client that supports Form Post.
- Advanced threat protection
The Advanced Threat Protection (ATP) offering from Microsoft is included in the E5 Plan and is available for an additional fee in the less expensive Office 365 plans. ATP provides supplemental capabilities beyond the more or less conventional anti-virus and anti-spam protection available in Exchange Online Protection using two key capabilities: Safe Attachments and Safe Links. Safe Attachments attempts to protect users from potentially malicious attachments, but it imposes a five- to 15-minute delay in the delivery of email, as one might expect from a sandboxing approach to attachment-focused security. Safe Links replaces the links in an email with Microsoft links, but this prevents message recipients from seeing the original link in the tooltip (the pale yellow bar that appears when hovering the mouse cursor over a link), thereby preventing users from acting as a key line of defense against malicious links.
These observations are meant to educate organizations on the current state of Office 365. Three things are important to keep in mind:
- No platform can be all things to all users, and Office 365 is no exception. While the data protection capabilities in Office 365 around archiving, encryption and security are not deficient per se, they will not meet more sophisticated or specialized needs. The result will be that most mid-sized and large organizations (as well as many smaller ones) will need to employ third party solutions to supplement and enhance at least some of the native functionality within Office 365.
- Decision makers need to become well-versed in the minutiae of what Office 365 will and will not do so that they can understand the limitations inherent in the offering as it applies to their specific needs. In short, a high level “check box” approach simply won’t work – it’s essential to dig into the details of what Office 365 can provide compared to more capable third party solutions.
- Finally, it’s important to understand that an Office 365 environment in which third party solutions are used will not necessarily be more expensive than an Office 365-only environment. In fact, an Office 365 deployment of less expensive plans plus third party solutions can often cost less than higher level Office 365 plans alone.
Ultimately, the key is to fully understand what Office 365 – and trusted third party solution providers – can and cannot do and make decisions accordingly.
Michael Osterman is President of Osterman Research, Inc., which helps vendors, IT departments and other organizations make better decisions through the acquisition and application of relevant, accurate and timely data on markets, market trends, products and technologies.