News

Microsoft 365 Users Getting a Bunch of Security and Compliance Perks

• By Kurt Mackie
• 02/01/2019

Microsoft this week announced a number of security and compliance improvements that mostly apply to users of its Microsoft 365-licensed products.

Organizations subscribing to Microsoft 365 plans have access to Office 365 applications, Windows 10, Azure Active Directory, and the Enterprise Mobility and Security suite, which includes the Microsoft Intune mobile management service. For these organizations, Microsoft announced new features and product enhancements that mostly began rolling out as early as at the end of January.

On the new features side, Microsoft unveiled two new portals it added for privacy and compliance monitoring. Microsoft also added alert improvements to the Office 365 Security and Compliance Center. Enhancements to a solution for supervising corporate communications were announced. Other additions included Advanced eDiscovery improvements, records management updates and data sensitivity labeling capabilities for Office apps on the Android, iOS and Mac platforms.

Security and Privacy Thinking at Microsoft
Perhaps not coincidentally, Microsoft published a Jan. 29 Web presentation, called "Championing Privacy Rights To Drive Differentiation," that featured talks by top Microsoft executives. The presentation also included commentary by Forrester Analyst Enza Iannopollo, who weighed in on the overall milieu for privacy and compliance considerations by organizations.

Iannopollo recommended that organizations treat privacy as "a value" that can be used to inspire customer trust, while also noting the rise of regulatory efforts worldwide, such as the European Union's already established General Data Protection Regulation (GDPR), along with more recent privacy legislative efforts that have popped up in places like California and Brazil.

In general, Microsoft has been getting more strategic about including a privacy and compliance focus across its engineering teams, according to Kurt DelBene, executive vice president for Microsoft corporate strategy, during the presentation.

Bret Arsenault, corporate vice president and Microsoft's chief information security officer, described the relationship between security and privacy, according to Microsoft's thinking.

"Security is the foundation on which we build the capability to have privacy and therefore drive trust with our customers," Arsenault said during the talk. "You can have unbelievable security without good privacy, but you have to have really good security for the privacy thing to actually work … and drive trust in our products and services."

Microsoft wants to make the GDPR a global standard, Arsenault added, not just for the European Union. Microsoft's teams are working to address such matters in its products and tools from the beginning, rather than bolting them on later.

"Security and privacy have always been somewhat separate, but now we're starting to merge how we think about those together -- not organizationally, but functionally," Arsenault later added. "We want to actually combine and get the accretive value of the two capabilities."

In that context, Rudra Mitra, partner director for Microsoft engineering, introduced Microsoft's two new portals for monitoring security and compliance during the talk, as well as other improvements. Also this week Microsoft described compliance improvements in Microsoft Teams, an Office 365 collaborative workspace solution, which was highlighted in this announcement by Kirk Koenigsbauer, corporate vice president for Microsoft 365.

Microsoft 365 Security and Compliance Additions
The two new portal additions, the "Microsoft 365 Security Center" and the "Microsoft 365 Compliance Center," perhaps were most noteworthy for IT pros. These portals will start to appear for Microsoft 365 subscribers "beginning late January and through March 2019," according to this Microsoft document. The portals will eventually replace the Microsoft 365 Security and Compliance Center portal, the document explained:

After this change is fully rolled out, we plan to retire the former Microsoft 365 Security & Compliance Center (https://protection.microsoft.com). The administrator experience will change, but this won't impact your current security and compliance configurations.

Microsoft decided to go with two portals instead of one because "most organizations have different teams working in these two spaces," Microsoft's announcement explained regarding the new security and compliance portals.

The switch to using the two new portals will affect IT pros access, depending on their Office 365 administrator roles -- namely, global administrator, security administrator, security reader or compliance administrator. Access mostly will change for compliance administrators, as shown in a table in Microsoft's document.

Even though the Microsoft 365 Security and Compliance Center portal is slated for replacement, Microsoft nonetheless announced enhancements to it this week. It's getting the ability to deliver Microsoft Cloud App Security alerts, for instance. This capability is currently available for "Office apps and services."

As for the alert improvements, Microsoft made Office 365 alerts available via its Management Activity API. This enhancement "means that you can now consume Office 365 alerts in your own way by simply integrating it with your SIEM or self-created solution," Microsoft's announcement explained. The alert signals also can be searched using the "Search-UnifiedAuditLog" commandlet.

The Management Activity API also is getting the ability to retrieve so-called "insight signals," which warn against things like phishing campaigns and spam e-mails. IT pros can configure their own alert policies based on the Management Activity API and get them delivered by e-mail, a capability that's also rolling out.

Alerts in the Microsoft 365 Security and Compliance Center will soon follow a roles-based access scheme, a change that's now getting implemented. This change specifically will affect compliance administrators, who "will no longer have permission to see Threat management alerts in [the] 'View alerts' page," Microsoft's announcement explained.

The last highlight, perhaps, of Microsoft's security and compliance announcements this week concerns improvements to a "Supervision" Office 365 Advanced Data Governance compliance feature. Supervision reached "general availability" production-ready status more than a year ago and can be used to monitor "internal or external Exchange email, Microsoft Teams chats and channels, or 3rd-party communication in your organization," according to Microsoft's announcement.

Microsoft is now previewing an "intelligent filters" capability in Supervision that checks for offensive language in communications using "machine learning and artificial intelligence" capabilities. Supervision also now checks for sensitive information types, namely "financial, medical and health or privacy," for things like credit card numbers or social security numbers used in communications. Microsoft also is delivering an auditable reviews capability, which can be accessed from the Office 365 Security and Compliance Center, among other improvements.