Tip

Exchange Online security setup requires joint effort

A company that moves to Exchange Online must coordinate the efforts of its email administrators and its security team to maximize protections and meet compliance requirements.

Some administrators focused on migrating to Exchange Online should not overlook the need to develop a comprehensive security strategy for the platform.

It takes time to understand the range of the Exchange Online security offerings. Hosted email in Office 365 has several robust layers of protection that Microsoft continues to refine and expand.

But an Exchange administrator must understand the scope of the security offerings before they can begin to tailor those protections. As part of the Exchange Online migration process, administrators must evaluate the level of security they need and determine if they should invest in more advanced features.

Each organization must develop its own security implementation. What each Exchange administrator must do to protect the email system might be different for a variety of reasons, such as the type of industry or the nature of the data in the email.

In general, there are five areas where security teams and Exchange admins should collaborate to define and develop protections once email moves to Microsoft's cloud.

Identity protection and management

Some Exchange administrators might not consider identity management one of their responsibilities when developing an optimal Exchange Online security framework. They should, however, because detecting and blocking unauthorized access to the email platform can help prevent data exposure.

Microsoft offers conditional access controls and multifactor authentication as part of the Microsoft 365 Enterprise suite or as add-ons to existing Office 365 subscriptions. Administrators should work with the security team to restrict access to the Exchange Online email service based on country, IP range or even device type. Microsoft recommends implementing policies around access controls to deter unauthorized access to email if hackers obtain user credentials.

Intelligent threat detection and prevention

Most Exchange administrators have vast experience with common security tools, such as antispam, antivirus and antimalware products. At one time, these offerings blocked most malicious attacks that spawned in email, but their effectiveness is on the decline in the face of ransomware.

Today's constantly evolving attacks evade most signature-based detection systems and require administrators to look beyond standard protection tools.

Today's constantly evolving attacks evade most signature-based detection systems and require administrators to look beyond standard protection tools. Microsoft attempted to answer this need with intelligent threat detection features, which are available with the Enterprise E5 plan or as an add-on called Advanced Threat Protection.

Once activated, Advanced Threat Protection lets Exchange administrators customize URL detonation, Safe Links features and some of the Office 365 Cloud App Security -- formerly Office 365 Advanced Security Management -- features to the company's requirements through the security and compliance admin portal.

Content classification and data management

Content labeling and classification in Exchange offers administrators ways to create specific content classifications for sensitive information. It might be as simple as defining generic data classification policies in the data loss prevention section within Exchange Online to flag or block outbound content that contains Social Security numbers, medical records data or any other personally identifiable information.

Organizations that work in the healthcare and finance fields, or companies that must meet General Data Protection Regulation (GDPR) requirements, will most likely use this feature. But, in general, most administrators will build standard policies using Exchange Online security tools to block some types of data to avoid data leaks.

Security scores and compliance management

Some organizations must meet specific compliance requirements that may be federally mandated or industry-specific. As a result, they must undergo routine audits and assessments. To address this specific need, Microsoft released two products that can show an organization's compliance level.


Understanding the security rating
system

The first tool, called Secure Score, is included with all Office 365 subscriptions and generates a security score based on the organization's security and compliance configuration. This feature runs an analysis of the services configured for the tenant and offers security improvement suggestions.

Another product, called Compliance Manager, addresses the needs some organizations have to control compliance activities and tasks. Microsoft offers the tool as an add-on for administrators who need to manage HIPAA, GDPR and other compliance requirements for Office 365, Azure and Dynamics 365 workloads. Compliance Manager tracks the status of the company's compliance efforts using automation to take over some of the workload from the IT staff.

Incident monitoring and response planning

Even with all the software tools available to protect email data, don't overlook the human element when it comes to Exchange Online security. The administrator is responsible for managing the different security configurations and policies for each area, but he or she must also allocate resources to monitor the different alerts and notifications with the appropriate predefined responses and actions.

To address security incidents properly, the IT staff must choose who monitors the reports and notifications, as well as how to address them. For organizations in the healthcare field, any email data breach that affects more than 500 patients must be reported to a federal agency. This highlights the importance of knowing the level of response.

Dig Deeper on Microsoft messaging and collaboration