One of the most consistent questions that we get from clients evaluating Office 365 is around security.
A primary business benefit of moving to Office 365 is the ability for IT to deliver access to services from more devices and platforms. While this is a benefit to end users, this broader access makes security management more challenging. Each endpoint represents a potential attack surface and another point of management for security professionals. As more content moves to the cloud rather than being stored locally, end users assume the burden of ensuring the security of their content. Microsoft has made several announcements recently as part of its commitment to give organizations the ability to control and customize security in cloud services.
Multi-factor authentication
Various Microsoft services already provide multi-factor authentication, but Microsoft recently added this security feature to . Before that, multi-factor authentication was only available for administrative roles, but that function has now been extended to single users.
Multi-factor authentication provides extra steps to obtain access to services so that accounts can be validated by more than just a single password. Extra steps often include acknowledgement of a phone call, text message or other notification to authenticate the account to the service.
The change today only affects Office 365 web apps and not the locally installed Office 2013 client applications. However, Microsoft is promising that multi-factor authentication will be available for Office 2013 client applications directly sometime in 2014, along with smart card support.
Encryption
In February, Microsoft announced Office 365 Message Encryption, a new service that allows you to send encrypted mail to anyone. The service is an enhanced version of Exchange Hosted Encryption (EHE), with the addition of a new set of features. Later in the month, Microsoft added that, as part of its ongoing focus on encryption, S/MIME capability will be part of Office 365 and Exchange Server 2013 Service Pack 1.
S/MIME allows a user to (1) encrypt an email and (2) digitally sign an email, and thus provides cryptographic security services such as authentication, message integrity, and non-repudiation of origin (using digital signatures). It also helps enhance privacy and data security (using encryption) for electronic messaging.