Preventing Stormy Security Weather in Your Microsoft Office 365 Cloud Environment

July 31, 2019 by Kris Lau

Companies are relying increasingly on cloud service providers for conducting business, including storing data, hosting email, and more. But with the increasing regulatory focus on the risk of cloud data storage, is the forecast for cloud solutions stormy?

ACA Aponix recently hosted the webcast Enhancing the Security of Your Office 365 Environment. Kris Lau, Managing Director at ACA Aponix, along with John Manganiello, Head of Business Development at RFA, and Michael Asher, RFA’s CIO, discussed their thoughts and guidance on the security of cloud solutions, particularly Microsoft® Office 365®, as well as security risks companies should be aware of and specific steps they can take to enhance their cloud security posture. You can listen to the webcast on demand here.

Highlights of the webcast include:

Regulators are Cloud-Watching

It’s increasingly clear that regulators are interested in how companies are securing their data when using cloud solutions.

The U.S. Securities and Exchange Commission (SEC), including its Office of Compliance Inspections and Examinations (OCIE), has specifically targeted cloud solution security. In May, the SEC commenced a cyber compliance examination sweep of registered investment advisers (RIAs) which included a focus on cloud service provider risk. Also in May, OCIE issued a Risk Alert on cloud and network data storage solutions.

On the cloud service provider side, the U.S. CLOUD Act obligates service providers to comply with search warrant requirements regardless of whether the data is stored inside or outside the U.S.

Privacy regulations such as the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and others extend to data stored in the cloud as well.

Maintaining a secure cloud environment is therefore key, not just for protection of company information, but to stay on the right side of regulators.

Who’ll Stop the Rain?

Gone are the days when companies could rely on firewalls to protect themselves from the storms caused by outside forces. According to the 2018 NSCP/ACA Aponix Cybersecurity Compliance Programs Survey, nearly 70% of firms are using a cloud-based email provider. Combined with employees accessing company data from insecure locations, using their own devices, sharing data and access with outsiders, and more, security is far more complicated than it used to be.

It’s Still Leaky Up There

Office 365, Amazon Web Services, Microsoft Azure, and other cloud services all have their own security features, with many settings enabled by default. Additionally, cloud service providers have their own levels of internal security for their data storage facilities. Further, changes in cloud security structures may be on the way, particularly a move to more certificate-based authentication schemes that may reduce the need for passwords and shift security to a per-machine basis.

But relying solely on protection from the sky is not recommended. Companies must be proactive regarding data security, in combination with the protections that cloud providers afford. Companies should take active roles in due diligence, user management, access controls, auditing, retention, and security configurations.

Blame for the Rain? The Fault is in Default

Office 365 includes some built-in security features (including its “Secure Score” module), but many settings need to be appropriately configured by the system administrator. Moreover, out-of-the-box default settings are typically insecure.

For example, without additional configuration:

  • All services are enabled, even if unused
  • Restrictions on sharing are loose
  • Bypassing of third-party spam filtering and archiving may be possible
  • Multi-factor authentication is not enabled
  • Not all auditing is enabled
  • No retention policies are in place
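A read-only check for several of the defaults listed above, added here as an example and not taken from the webcast or from ACA Aponix. It assumes the MSOnline, ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, that the operator holds a reader-level admin role, and that the SharePoint admin URL is a placeholder to be replaced; the spam-filter bypass item is not covered because it depends on the tenant's mail routing.

```powershell
# Added example (not the page's own code): audit a few insecure Office 365 defaults.
# Connect-* cmdlets prompt for admin credentials interactively.
Connect-MsolService
Connect-ExchangeOnline
Connect-IPPSSession
Connect-SPOService -Url "https://PLACEHOLDER-admin.sharepoint.com"   # replace with your tenant admin URL

$findings = @()

# 1. Multi-factor authentication: per-user MFA state. An empty
#    StrongAuthenticationRequirements means per-user MFA is not enabled.
#    Caveat: MFA enforced via Conditional Access or Security Defaults is not
#    visible here, so treat a hit as something to verify, not a final answer.
$noMfa = Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 -and -not $_.BlockCredential }
if ($noMfa) {
    $findings += "Per-user MFA not enabled for $(@($noMfa).Count) account(s)"
}

# 2. Auditing: the unified audit log must be switched on by an administrator.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings += "Unified audit logging is not enabled"
}

# 3. Retention: a tenant starts with no retention (compliance) policies.
if (-not (Get-RetentionCompliancePolicy)) {
    $findings += "No retention policies are in place"
}

# 4. Sharing: tenant-wide external sharing for SharePoint and OneDrive.
#    Values: Disabled, ExistingExternalUserSharingOnly,
#            ExternalUserSharingOnly, ExternalUserAndGuestSharing.
$sharing = (Get-SPOTenant).SharingCapability
if ($sharing -notin @('Disabled', 'ExistingExternalUserSharingOnly')) {
    $findings += "External sharing is set to '$sharing' (anonymous or new guest sharing allowed)"
}

# Report: one line per finding, so the output can be kept as assessment evidence.
if ($findings.Count -eq 0) {
    "No findings for the checks above."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it from an admin workstation after each configuration change and keep the output alongside your Secure Score history; a clean run covers only these four defaults, not the whole configuration.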

Dive Deep into the Clouds

It’s advisable for companies to go beyond default security settings provided by Office 365 and other cloud service providers. Evaluate possible solutions, assess specific needs, test settings, and identify what works and what can work better.

How We Help

ACA Aponix can help you skydive into a more secure cloud environment. Developed and delivered by our experienced security practitioners, our Microsoft Office 365 security assessment provides:

  • Testing and validation of key controls
  • Evaluation of your Office 365 configuration based on your requirements (e.g., settings for use with third-party security and compliance solutions)
  • Identification of security features that aren’t being used
  • Advisory services

In addition, we offer a wide range of cybersecurity, data privacy, and risk services to help make sure your environment, both in the cloud and on the ground, is more secure.

View the Webcast

To view the webcast on demand, click here: Enhancing the Security of Your Office 365 Environment

For More Information

For more information, contact your ACA consultant.

About the Author

Kris Lau, CISM, Managing Director

Kris Lau is a Managing Director based in Seattle, WA for ACA Aponix, ACA Compliance Group’s cybersecurity and IT risk division. In this role, he performs cybersecurity risk assessments, conducts vendor due diligence and staff training, contributes to product development, and is a subject matter expert in information security program and policy development. Kris has over 22 years of experience in the Information Security domain and has previously served as the Director of Information Security for CBS News and Head of Information Security for RBC Capital Markets, after several years in the Information Security team at Goldman Sachs.

With a career spanning financial services, manufacturing, and broadcast media, his successes exemplify his ability as a versatile and adaptive leader. Kris obtained his BS in Computer Science from Stony Brook University, is a Certified Information Security Manager (CISM), and has held a Series 99.