Initially, when moving to using cloud services many organisations look at individual services, not a full lift and shift. Many larger organisations can not migrate in a big bang approach due to time, resource and cost. The typical first step is email - and then more often than not, Microsoft Office 365 (O365.)
O365 is the most widely used Cloud service - more popular than G-Suite with 1 in 5 corporate employees now using it. Its communication and conferencing hub, Teams, is now used by 500,000 companies with 90% adoption by the Fortune 100.
66% of organisations are already using O365, and 75% of those admit to having multiple cloud solutions (I would guess this is closer to 100% in reality though).
Users now want the freedom to access corporate data and information from anywhere, anytime and on any device. This brings with it new risks to your organisation, in terms of data loss, account hijacking and the threat to business reputation.
Plus, a lot of your data and tech solutions are outside Microsoft, so a Microsoft security approach can be limiting. The traditional approach can often create more problems, e.g. the re-use of username and passwords, or needing claims rules to prevent unsecured home PC access, and the usual Azure Active Directory (AAD) and notably ADFS challenges (especially for non-O365 integration.)
Consider this: A user needs to access cloud email on a work device, seamlessly and securely. Another user needs to access cloud services from their home PC as an urgent request, while another is trying to access the O365 from an unauthorised device and gets their credentials incorrect. How can you make sure your data is safe and protected from cyber attacks?
There is much to consider here. For starters, is Microsoft EOP suitable as a mail gateway solution? Secondly, we spend a great deal securing desktops, but what about Mobile Application Threats? Mobile Advanced Threats? Man-In-The-Middle threats? What happens if there is an account hijack or brute force attack on O365? Or what about somebody or service inside your Cloud instance crossing over services to take data?
The traditional approach is not working
The challenge with the traditional approach is that claims rules checks the connection and where it’s coming from, which can then determine if you will allow access to data from certain locations. So if you want to access the data from anywhere else than in the office, you’d need to VPN into the network, which many organisations do easily. But you also need to have a valid device that’s configured with your VPN for this to work, meaning you can’t use a home device.
Encouraging remote users to connect to this office network then back out again causes a trombone effect. But it is much faster to download than to upload, so why would you want employees to VPN back to your expensive connection to come all the way down to then come all the way back again to collect some data and go all the way back out again. It makes things very slow and expensive to deliver properly. It makes much more sense to lock down access to Office 365 and other cloud services at the same time by other means.
Another potential issue is Azure Active Directory (AAD), which can only link with a subset of service providers. In addition, how can you ensure that along with the identifying the right user, you have also ensured that the right device, the right security posture and the right applications?
Alternative solutions are needed to be able to truly secure both Office 365 and other cloud services to ensure you have no potentially lethal cracks in your security posture. You need to able to ensure and verify the right user, on the right device with the right applications to be fully secure.
Find out more about how to secure your organisation in today's world in our latest webinar, Modern Authentication for Office 365 and Beyond, 30 January, 2:00pm.