Mail protection in Microsoft Exchange Online (Office 365)
Lately I have been asked how we see mail protection when migrating from an on-premises Exchange solution to Office 365 (Exchange Online).
Before we begin, we should clarify what is what when discussing these new services.
What is it
When we talk about mail in Office 365, we are actually referring to Exchange Online, which is a SaaS offering in the Office 365 suite of products. Also important here is that the service backing all of this is Azure Active Directory (AAD).
So even though you don’t sign up for Azure, you will always get an AAD tenant that keeps track of your user objects.
This is all subject to change, as Microsoft tends to rename and merge, split or discontinue products every so often.
How it used to be
In the “old” days, when we were to architect protection for a 100% on-premises solution, we would typically recommend scanning the mail on the server, then at the client, and lastly having some kind of edge protection to offload the rising volume of spam. Typically this was a hosted solution that would also scan for viruses and, in later versions, for malware, potentially with sandboxing.
In general, that recommendation has not changed. The only thing that has changed is where the services are located and what we can install on them.
What about the built-in protection
So, talking about Exchange Online, Microsoft already has a solution for the edge in place to take on the massive amount of spam received these days, namely Exchange Online Protection (EOP).
I often hear discussions around the quality of Microsoft’s security services. The claim that seems to get repeated is that they catch 100% of known malware; while this is certainly true, I’m actually sure they do a better job than that.
Microsoft is in the cloud race to stay, and they know security must be a priority for them to earn the customers’ trust.
While some of their advanced features remain subject to licensing, more and more of the “old” ones trickle down to the base license. Not only is this a benefit for the customer, it also takes load off their infrastructure.
That being said, it is clear that the basic protection in Exchange Online won’t cut it. The threats become more and more sophisticated and demand solutions that can counter them. We also have to be able to respond to more diverse attack vectors, as users can access their mail not only from the corporate computer, but also from their phone, a home or hotel PC, and even a smart TV, none of which the corporate endpoint protection software can reach.
That doesn’t mean we should disregard the endpoint software, as it still fulfills an important function in keeping the computers safe, but we can’t trust it to protect us from malicious software in the mail.
What we recommend
As mentioned earlier, the recommendations have not changed: we still need the “server” protection, endpoint protection and edge protection.
As for the server protection, we would recommend a product that can integrate with Microsoft’s API and scan the mails as they appear in the users’ mailboxes.
There are many options for the edge protection. Often you can choose to keep an existing hosted solution, but you can also opt in to the extra licenses for the advanced features that Microsoft offers in the Exchange Online Protection product.
In a hybrid setup, you should still keep your Exchange security software running while applying the above recommendations.
For the endpoint protection software, we would recommend an intelligent solution that is aware of threats arriving from email and is able to respond efficiently to these new advanced attacks.
In summary, we still recommend a layered solution consisting of different scanning engines in order to provide the most complete protection of your email.