At its Build 2017 conference in May, Microsoft announced that commercial Office 365 is running on 100 million monthly active devices, up some 15 million in about six months. A year earlier at the Build 2016 confab, the vendor disclosed that there were 60 million monthly active Office 365 commercial customers and that it was seeing 50,000 small business customers added to Office 365 each month.
As presented, those are pretty heady growth figures. In that regard, it’s no surprise that researcher Gartner has built what it calls an SaaS security framework for security and risk management leaders in Office 365 deployments, based on the premise that more and more third-party tools will continue to emerge for the platform.
"Organizations must contend with a proliferation of disparate devices that access Office 365, many of which are unmanaged," wrote Gartner analyst Steve Riley. “Traditional security tools, designed for protecting on-premises systems, can't offer visibility and control when enterprises move email, content creation, file sharing and collaboration to the cloud, making the detection of inappropriate behaviors difficult,” he said.
Gartner’s thinking: Even as Microsoft has consolidated and improved native 365 security controls, not all are available in every subscription plan. Thus, security and risk management leaders must be careful to pick the right plan and also determine if they need any third-party tools.
To set the stage, Gartner made two predictions:
- By 2018, 40 percent of Office 365 deployments will rely on third-party tools to fill gaps in security and compliance, a major increase from less than 15 percent in 2016.
- By 2020, 50 percent of organizations using Office 365 will rely on non-Microsoft security tools to maintain consistent security policies across their multivendor "SaaSscape."
Here’s Gartner’s security to-do list for Office 365 environments:
- Examine whether Microsoft's native capabilities are sufficient and for which use cases.
- Evaluate third-party alternatives when gaps prevent them from implementing their policies.
- Begin with an identity, access and privilege management strategy, on which all other controls rely.
- Implement appropriate visibility, data security, threat protection and device management controls using native Office 365 capabilities, enhanced with third-party products, where necessary.
- Use a cloud access security broker to achieve the most consistent security policies across all Office 365 services and other non-Microsoft SaaS applications.
Let’s look a little more closely at the list with MSSPs’ in mind, not only at that last item but also for the preceding four. It certainly appears that Gartner has made the case for MSSP engagements in Office 365 environments.
To use Office 365 securely, IT security should build a framework to examine the required security controls, Gartner concluded. The full report is here.