Microsoft works relentlessly to get financial institutions that utilize Microsoft Office to migrate to Office 365. It is clear that the day will come when a non-subscription version will no longer be offered by Microsoft (current estimates are 2025 or sooner), so institutions usually seriously consider making the move. We occasionally get asked our opinion of Office 365, and we try to help our customers understand the security decisions that go along with an Office 365 migration. This week, we provide a list of five considerations before making the move to Office 365. This list is by no means complete, but is designed to give just a taste of what a migration requires:
- Federation: To ensure that users are actually who they say they are, Office 365 users need to authenticate to Microsoft for Office 365 to keep working. Most companies that move to Office 365 make this easier for users by connecting their Windows domain to Microsoft, allowing users to use the same credentials they use to log in to their internal network. This is called “federation” and is implemented using “Active Directory Federation Services” (ADFS). Implementing ADFS requires that you deploy at least one server internally to provide a way for Microsoft to communicate with your network. You will also have several important implementation decisions to make regarding how credentials are passed, such as whether or not you wish to store your passwords in the cloud. We urge our customers to perform risk assessments when making these decisions.
- Updates: Office 365 keeps itself automatically updated, which can ease the patching burden if implemented properly. Make sure you understand the bandwidth requirements of Office 365 patching, as the patches can easily saturate a network link. Research ways to place updates on a local file server to conserve your Internet bandwidth. In institutions that have many branches and minimal bandwidth between offices, it might be necessary to place files on a server in each physical office.
- File Storage: Office 365 wants to store user files in OneDrive by default. You need to decide whether you want user files to be in the cloud on OneDrive, or on your local file shares as they have always been. When making this decision, make sure that you understand how security, backups, and retention work in OneDrive, as you may find that there are significant projects to complete or technologies to implement to safeguard these files. Also, if you do not wish users to place files on OneDrive, make sure you know how to enforce this, as it is not easy to configure.
- New Apps: Office 365 comes with an ever-growing list of web-based applications that your users will have access to by default. Some of these may be a risk to your institution if not managed properly. Make sure you look at each of these to determine whether you want them to be used in your organization. Access to these can normally be controlled by removing the license for the application from users. Remember to review the applications regularly, as Microsoft is constantly adding new applications.
- Consider MFA: Microsoft includes a free multi-factor authentication (MFA) framework with Office 365 that can utilize a number of different MFA technologies (including text messages, voice messages, and a mobile authentication app). We recommend that institutions consider making this mandatory for all users.
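One way to carry out the regular review of the “New Apps” consideration above, as an added example (not a Bedel Security script): a PowerShell script using the Microsoft Graph PowerShell module that reports, per licensed user, which service plans from your reviewed list are still enabled, and disables them only when run with -Apply. The plan names in $PlansToDisable are placeholders; substitute the names produced by your own review, as listed by Get-MgSubscribedSku.

```powershell
# Report (and optionally disable) reviewed Microsoft 365 service plans per user.
# Requires the Microsoft.Graph module (Install-Module Microsoft.Graph).
# $PlansToDisable holds example plan names only; replace with the names from your review.
param(
    [string[]] $PlansToDisable = @("SWAY"),   # placeholder names, not a recommendation
    [switch]   $Apply                          # without -Apply the script only reports
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All" | Out-Null

# All SKUs the tenant owns, each with the service plans it contains.
$skus = Get-MgSubscribedSku

# Only users that actually hold a license can have plans to review.
$users = Get-MgUser -All -Property Id, UserPrincipalName, AssignedLicenses |
         Where-Object { $_.AssignedLicenses.Count -gt 0 }

foreach ($user in $users) {
    foreach ($lic in $user.AssignedLicenses) {
        $sku = $skus | Where-Object { $_.SkuId -eq $lic.SkuId }
        if (-not $sku) { continue }

        # Plans in this SKU that are not already in the user's DisabledPlans list.
        $enabled   = $sku.ServicePlans | Where-Object { $lic.DisabledPlans -notcontains $_.ServicePlanId }
        $toDisable = $enabled | Where-Object { $PlansToDisable -contains $_.ServicePlanName }
        if (-not $toDisable) { continue }

        $names = @($toDisable.ServicePlanName) -join ", "
        Write-Output "$($user.UserPrincipalName) [$($sku.SkuPartNumber)]: still enabled -> $names"

        if ($Apply) {
            # Graph changes plan state by re-assigning the same SKU with a new
            # DisabledPlans list; keep the plans that were already disabled.
            $disabled = @($lic.DisabledPlans) + @($toDisable.ServicePlanId)
            Set-MgUserLicense -UserId $user.Id `
                -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = $disabled }) `
                -RemoveLicenses @() | Out-Null
        }
    }
}
```

Run it without -Apply first and keep the report, since it doubles as the record of the periodic review; a user who receives the same plan through group-based licensing will need the change made on the group instead.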
Bedel Security regularly helps banks and credit unions make informed technology decisions and would be happy to help you assess the risk of Office 365 or any other technology you may be considering.