Report: Microsoft Leads in Cloud Collaboration – Is Sensitive Data Secure? – MSDynamicsWorld.com
In Microsoft’s ideal world, Microsoft Office 365 and Dynamics would be two halves of a whole; in fact, the company now groups Dynamics CRM and ERP with commercial and consumer versions of Office and Office 365 into one financial reporting entity with the “married name” Productivity and Business Processes.
But does Office 365 with its collaboration platform bring security “baggage” to the relationship?
Skyhigh Networks, maker of an enterprise cloud security platform, has just released its sobering Cloud Adoption & Risk Report Q4 2015, compiled from cloud usage data for over 23 million users worldwide. Some of the findings are very positive for Office 365 and Microsoft, among them:
- Microsoft Office 365 is the most popular collaboration service (rated by active users), followed by Gmail and Cisco WebEx.
- Of the top 20 enterprise cloud services, Office 365 takes the #1 spot, followed by Salesforce, Cisco WebEx, Concur and Yammer.
- Windows desktop users access 77.7% more cloud services than the average Mac desktop user and upload 3,056 MB of data in the cloud, more than any other device.
Now, the dark side: Skyhigh found that in Q3 2015, fully 15.8% of all documents uploaded to cloud-based file sharing services contained sensitive information and the majority of these files, 58.4%, are Microsoft Office documents. Some real-world examples are Excel spreadsheets of employee data like social security numbers; PowerPoint files with information on competitors; local database files from programs like Microsoft Access with employee salaries; and draft press releases that could be used for insider trading. After Office documents, Adobe PDF files were second most commonly shared at 18.8%, and the remaining 22.8% is comprised of over 500 different file formats ranging from CAD diagrams to Java source code.
Also true, the percentage of files in cloud-based file sharing services that are shared hit an all-time high of 37.2% in Q3. Cloud usage is growing exponentially; the average company in Q3 2015 used 1,154 cloud services, and the average user actively uses 30 cloud services.
All the while, Skyhigh finds that the average organization experiences 5.1 incidents each month in which an unauthorized third party exploits stolen account credentials to gain access to corporate data stored in a cloud service. And, the average organization experiences 2.4 cloud-enabled data exfiltration (data removed from the organization with malintent) events each month.
So do Office 365/Dynamics users have all the windows open and the doors unlocked? We asked Skyhigh’s Sr. Product Marketing Manager Cameron Coles to shed some light, along with Microsoft MVP on Enterprise Security Brian Bourne, who is also EVP of products for New Signature which offers cloud management as a service.
Why Windows Users are Cloudier than Mac
What is behind the difference between the environments such that Windows desktop users access 77.7% more cloud services than the average Mac desktop user?
“One possible explanation is that Windows users are more likely to explore and try apps than Mac users who have already settled on their favorite apps,” said Coles.
Bourne offers a simpler explanation: “Think about distribution of Windows versus Mac in corporate accounts.” Yes, newer entrepreneurial companies may be on Mac environments, “And certainly that’s the reason that number’s not 90%.”
Office 365 is Secure; Its Users Less So
Coles describes the amount of sensitive data companies upload to Office 365 as “a strong endorsement of Microsoft’s security, but account compromise is a serious concern. Companies, on average, experience 5.1 incidents each month where a third party logs in to a cloud service with users’ account credentials.”
Still, he goes on to observe that Office 365 is one of the 18.1% of services that offers multi-factor authentication, and Office 365 customers can reduce their risk by enabling that feature.
As Bourne explains it, once multi-factor authentication is enabled, users are required to enroll, using their phones, and receive text messages or use an app to authenticate their logons. “So if someone gets your password they still can’t log in; they need your password and your phone,” said Bourne. And barring a “Criminal Minds”-style kidnapping situation, that’s unlikely.
“Office 365 is very secure, so the biggest threat for many organizations is high-risk user behavior such as inadvertently sharing sensitive data or taking data when they join a competitor,” said Coles. “These ‘insider threats’ occur at least once a month at 89.6% of organizations and the average enterprise experiences 9.3 incidents each month,” per Skyhigh’s findings.
Shared Responsibility: The Provider and the User Company
Most cloud providers operate on a shared responsibility model, observes Coles. “The cloud provider takes care of platform security, but the customer is often responsible for identifying high-risk user behavior, which is why many customers look to third-party security offerings that use the latest machine learning technology to identify these threats.” Skyhigh offers the ability to capture an audit trail of user and admin activity on Azure for reporting and post-incident forensics, and detect insider threats and compromised accounts.
“There’s no reason these days not to be doing machine learning, and a lot of products are baking that in,” says Bourne. “But I would say it’s the early days. A perfect example that is often quoted is that ‘Brian shouldn’t be logging in from Toronto and two minutes later in Vancouver,’ because that’s a five-hour flight. Machine learning would pick that up as an anomalous behavior and create an alert, but because of remote logins I very legitimately can log in from Toronto and Vancouver in two minutes. There’s an extra level of intelligence that says ‘For Brian, that’s normal; but logging in from Europe or Asia or Africa is not.’”
Machine learning is also a loose term. Thus far, the Azure Machine Learning built into Dynamics CRM and Dynamics AX 7 is largely for data mining and predictive analytics; the Lotus F1 team uses it to analyze tire performance.
Finally, machine learning targets complex behaviors and patterns, capabilities that Office and Dynamics products lack; still, some behaviors like prohibiting downloads to CDs and thumb drives rely upon simple rule sets that can be turned on in Office 365.
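Bourne's Toronto and Vancouver case can be written as a plain rule plus a per-user baseline. The sketch below is an added example, not code from Skyhigh, Microsoft or New Signature; the speed ceiling, city coordinates, user names and login events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed
# Constructed (lat, lon) coordinates for the cities in the sample events.
CITIES = {"Toronto": (43.65, -79.38), "Vancouver": (49.28, -123.12),
          "Frankfurt": (50.11, 8.68)}

@dataclass
class Login:
    user: str
    when: datetime
    city: str

def km_between(a, b):
    """Great-circle (haversine) distance in km between two known cities."""
    (lat1, lon1), (lat2, lon2) = CITIES[a], CITIES[b]
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def speed_kmh(prev, ev):
    """Speed a person would need to make both logins in person."""
    hours = (ev.when - prev.when).total_seconds() / 3600
    km = km_between(prev.city, ev.city)
    return km / hours if hours > 0 else (float("inf") if km else 0.0)

def review(logins, baseline):
    """Return (user, city, reason) alerts; baseline maps user -> usual cities."""
    alerts, last = [], {}
    for ev in sorted(logins, key=lambda e: e.when):
        usual = baseline.get(ev.user, set())
        prev = last.get(ev.user)
        too_fast = prev is not None and speed_kmh(prev, ev) > MAX_KMH
        # Suppress impossible travel only when both ends are normal for the user.
        if too_fast and not {prev.city, ev.city} <= usual:
            alerts.append((ev.user, ev.city, "impossible travel"))
        elif ev.city not in usual:
            alerts.append((ev.user, ev.city, "unusual location"))
        last[ev.user] = ev
    return alerts

# Constructed sample events and baselines (hypothetical users).
SAMPLE = [Login("brian", datetime(2015, 11, 2, 9, 0), "Toronto"),
          Login("brian", datetime(2015, 11, 2, 9, 2), "Vancouver"),
          Login("brian", datetime(2015, 11, 2, 9, 30), "Frankfurt"),
          Login("alice", datetime(2015, 11, 2, 10, 0), "Toronto"),
          Login("alice", datetime(2015, 11, 3, 10, 0), "Vancouver")]
BASELINE = {"brian": {"Toronto", "Vancouver"}, "alice": {"Toronto"}}
```

Without the baseline, the two-minute Toronto to Vancouver pair would trip the speed check; with it, only the Frankfurt login and the off-baseline Vancouver login for the second user are reported.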
The Company’s Responsibility: Provide a Secure Path of Least Resistance
Bourne shrugs at some of the panic surrounding cloud security.
“There’s a lot of scary headlines about being just a couple of clicks away from sharing enterprise data,” he says. “But there’s a lot of legitimate reasons to share data, and for the last two decades I was just two clicks away using email.
“In some cases, keeping a file in the cloud so just two people can access it is better security than sending an email, which we would have done historically.” Yes, cloud collaboration can be a risk, “But in many cases it’s actually a better behavior than the previous behavior.”
He believes the real corporate challenge is to enable users to share securely, versus blocking sharing. “Users are very clever at thinking up ways around it,” says Bourne. “Their job description doesn’t include security but may include collaborating with five other people to finish a document.”
Is Office 365 that secure path of least resistance? Says Bourne, “It is in a lot of ways. There are a number of technologies out there to encrypt or tokenize data, and they’re appropriate in some cases. But really the security story is as good or better than it was before, and can be made much better with multi-factor authentication.”
The short story is that the Office 365 collaboration platform is secure. Monitoring employee use of the systems is still the job of the companies using it, perhaps best served through ISV solutions.
For its report, Skyhigh analyzed, aggregated and anonymized cloud usage data for over 23 million users worldwide at companies across all major industries including financial services, healthcare, public sector, education, retail, high tech, manufacturing, energy, utilities, legal, real estate, transportation, and business services. Collectively, these users generate over 2 billion unique transactions in the cloud each day. Skyhigh’s cloud service registry tracks over 50 attributes of enterprise readiness and allows it to analyze behavior using detailed data signatures for over 16,000 cloud services.