Office 365? There's risk in them thar clouds

Orlando Scott-Cowley, cyber security strategist at Mimecast, explains how to reduce the risk inherent in a cloud-first strategy

There's no doubt we're on the verge of a revolution in the way our enterprises approach IT. None of us was around to witness the industrial revolution, some of us saw in the internet revolution, but we're all going to be part of the productivity revolution. In particular, services like Microsoft's Office 365 or Google for Work are examples of productivity suites that would have us shift our entire IT infrastructure, budget and strategy into the cloud.

On their own, single cloud services represent a greater exposure to risk as we flatten all our protections, services and applications into a single vendor in the cloud. As an organisation, when you do that you're essentially being asked by Microsoft or Google to accept that risk - you shouldn't.

Managing the risks presented by a single cloud vendor strategy is essential.
An excellent example of this can be seen with our email security infrastructure. Historically we've adopted a defence in depth strategy for email security, ensuring we have layers of technology each providing a different security service. Each layer was built up over time to solve a specific problem for the business. Anti-spam, anti-virus, malware detection, anti-phishing, email encryption, disclaimer management, data loss prevention and other security gateways all applied protection to our inbound and outbound email.

Risks of a SaaS monoculture
In the case of Office 365, this flattening would be into Exchange Online Protection (or EOP). We're essentially subscribing to the idea of a SaaS monoculture when we migrate to Office 365. From a security perspective, that monoculture presents us with many new risks to address. A few years ago, if I were a consultant in your business and suggested the same single vendor strategy, you would have politely shown me the door.

Previously your security stack presented a well mitigated set-up, with overlapping technologies from different vendors to ensure protection for services like email. As a result of the ‘belt and braces’ approach we're all familiar with, your security comprised many environments running on many code-bases. Attackers had to circumvent all of these ‘locks’ and pick them one at a time, in series, in order to compromise your users. You managed risk well.

By contrast, the reliance on a single vendor security strategy in the cloud and subscribing to a SaaS monoculture presents attackers with a single environment running on a single code-base from a single vendor. Our many locks have been swiftly dumbed-down to become a single lock to pick. And when that lock is picked (or brute forced) all the tenants on that service could be affected. You become one of many interesting targets co-located on a significant cloud service, rather than a small target in a sea of small uninteresting single IP ranges.

One lock to pick
So how do you solve this problem? How do you ensure that single lock isn't easy to pick, or at least overlay other controls to protect your users? Defence in depth has been given a bad rap recently; it sounds a lot like the 90s called, wanting its security strategy back as we learn how to deal with new threats and problems. But in a cloud-only world we can still apply some of the thinking that drives defence in depth as a way of helping us protect our cloud productivity suites like Office 365.

From an email security perspective we need to replace all the solutions, or layers, we once had on the LAN or from a variety of cloud providers and ensure we can map that technology one to one into our single cloud vendor. If we can't, then applying an additional cloud security overlay, from a specialist cloud security vendor that works with Office 365, is vital. We need to ensure we reinstate the defence in depth we're leaving behind as we migrate to Office 365 or Google for Work, and that we're protecting their single locks with more security, more technology and more protection than the default.

Default is a single cloud vendor strategy, a single lock to pick and the acceptance of risk. Default, as we know, is a weakness. Reducing those risks removes the default and protects you on your journey into this cloud productivity revolution.

Orlando Scott-Cowley is a cyber security strategist at Mimecast