Cloud Technology Specialists ask@cambridgesupport.com 01223 901 900

The simple ways to implement Office 365 securely


With Office 365 you get to leverage the power of the cloud to do your work wherever you are and on any device. This connectivity enables collaboration and productivity boosts, which is awesome – but how do you know that Office 365 is secure and doesn’t leave your critical communications vulnerable?

Take email, for example. It’s still the backbone of work communications (sorry Slack), so how does Office 365 keep these critical communications secure?

Office 365 comes with tools designed to keep your mail secure, and with the right implementation you can get the benefits of the cloud without having to sacrifice security.

But, what are these tools and how do they work?

Multi-factor authentication

One of the simplest and most effective ways to secure your organisation is to implement multi-factor authentication (MFA). It adds a second wall around access to your business: even if an intruder has obtained someone’s password, they still need a second factor (an approval or code from the Microsoft Authenticator app, or a text message code) that is tied to a device only the legitimate user holds. Prefer the authenticator app over text messages where you can, as SMS codes can be intercepted or redirected to an attacker’s SIM.

Creating rules to block ransomware

Office 365 lets you create mail flow rules (transport rules) in Exchange Online that block attachments with file extensions commonly used to deliver ransomware and other malware, or that warn users who receive such attachments in email.

A good rule of thumb is to set up a rule that warns users about macro-enabled attachments (.docm, .xlsm and the like), as macros are a common way of delivering malware.
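As an added example (not from the original post), here are the Exchange Online PowerShell commands that create rules of both kinds: rejecting attachment types commonly used to deliver malware, and warning recipients about macro-enabled documents from outside the organisation. The rule names, extension lists and warning text are assumptions to adapt to your own organisation; the cmdlets and parameters are those of the ExchangeOnlineManagement module.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module and an Exchange admin account. Rule names, the extension lists and the
# disclaimer text are assumptions; adjust them to your organisation's needs.
Connect-ExchangeOnline   # interactive sign-in, works with MFA

# 1. Reject mail carrying attachment types commonly used to deliver ransomware.
#    The sender receives the reject reason as a bounce; the recipient never sees it.
$blockedExtensions = @('exe','scr','js','jse','vbs','vbe','wsf','hta','bat','cmd','ps1','jar','lnk','iso','img')
New-TransportRule -Name 'Block dangerous attachment types' `
    -AttachmentExtensionMatchesWords $blockedExtensions `
    -RejectMessageReasonText 'Attachment type not permitted by company policy.' `
    -Mode Enforce -Priority 0

#    Executables can hide behind a harmless-looking name, so also inspect the
#    content instead of trusting the extension alone.
New-TransportRule -Name 'Block executable content in attachments' `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments are not accepted.' `
    -Mode Enforce -Priority 1

# 2. Warn recipients about macro-enabled Office documents from outside the
#    organisation rather than blocking them, since some processes still rely on macros.
$macroExtensions = @('docm','dotm','xlsm','xltm','xlam','pptm','potm','ppam','ppsm','sldm')
New-TransportRule -Name 'Warn on macro-enabled attachments' `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords $macroExtensions `
    -PrependSubject '[CAUTION: macro-enabled attachment] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<p style="color:#b00000">This external message contains a macro-enabled document. Do not enable content unless you were expecting it.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Enforce -Priority 2

# Review what was created and in which order it is applied
Get-TransportRule | Select-Object Name, State, Priority, Mode | Format-Table
```

Use -Mode Audit first if you want to see what the rules would catch before enforcing them; Get-TransportRule confirms the priorities, and the rejecting rules should sit above the warning rule so a blocked file never reaches the user with only a warning attached.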

Set up Sender Policy Framework (SPF) with your domain in Office 365

SPF is a way for receiving mail servers to check that a message claiming to come from your domain was sent by a server you have authorised. SMTP itself performs no validation of the sender addresses on a message, which means unauthorised actors can impersonate you.

SPF determines whether a sending server is permitted to send email on behalf of your domain. If a message fails the SPF check, the spam policy enforced on the receiving server decides what to do with it.

It’s not as complicated as it sounds. You publish a DNS TXT record for your domain that lists the IP addresses (or other domains whose records should be included) allowed to send mail for it, and the receiving server compares the IP address of the server connecting to it against that list. Note that SPF checks the domain in the SMTP envelope sender (MAIL FROM), not the From address the recipient sees in their mail client; DMARC, covered below, is what ties the two together.

If you’re not using a custom domain (that is, you send from the onmicrosoft.com address Office 365 gave you) then you don’t have to do anything, as SPF is already set up. For a custom domain you need to add the SPF record yourself at your DNS provider.
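As an added example (not from the original post), the script below does what a receiving server does with an SPF record: it walks the mechanisms in order, follows include: to another domain’s record, and returns the verdict of the first mechanism that matches the connecting IP. The DNS answers are built into a table so it runs offline; example.com, its address range, and the range shown for spf.protection.outlook.com are stand-ins (that include name is the real one Microsoft publishes for Office 365, but the addresses behind it here are not Microsoft’s). Only the ip4, include and all mechanisms are modelled.

```powershell
# Added example, not from the original post: a minimal SPF evaluator. The DNS
# answers are constructed inline; example.com and all address ranges are
# stand-ins. spf.protection.outlook.com is the real Office 365 include, but the
# range attributed to it here is invented for the demo.
$dnsTxt = @{
    'example.com'                = 'v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all'
    'spf.protection.outlook.com' = 'v=spf1 ip4:198.51.100.0/25 -all'
}
# For a live check of your own domain, replace the table lookup with:
#   (Resolve-DnsName -Name $Domain -Type TXT).Strings -join ''

function ConvertTo-AddressNumber([string]$Address) {
    # IPv4 dotted quad -> integer, done with arithmetic to avoid signed-shift surprises
    $b = ([System.Net.IPAddress]$Address).GetAddressBytes()
    return [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}

function Test-IPv4InCidr([string]$Ip, [string]$Cidr) {
    $network, $prefix = $Cidr -split '/'
    if (-not $prefix) { $prefix = 32 }
    $blockSize = [math]::Pow(2, 32 - [int]$prefix)
    $ipBlock   = [math]::Floor((ConvertTo-AddressNumber $Ip) / $blockSize)
    $netBlock  = [math]::Floor((ConvertTo-AddressNumber $network) / $blockSize)
    return $ipBlock -eq $netBlock
}

function Resolve-Spf([string]$Domain, [string]$SenderIp, [int]$Depth = 0) {
    if ($Depth -gt 10) { return 'PermError' }        # RFC 7208 caps DNS-querying terms at 10
    $record = $dnsTxt[$Domain]
    if (-not $record -or -not $record.StartsWith('v=spf1')) { return 'None' }
    foreach ($term in ($record -split '\s+' | Select-Object -Skip 1)) {
        $qualifier = '+'                              # a mechanism without a qualifier means pass
        if ('+-~?'.Contains($term.Substring(0, 1))) {
            $qualifier = $term.Substring(0, 1); $term = $term.Substring(1)
        }
        $matched = $false
        switch -Regex ($term) {
            '^all$'          { $matched = $true; break }
            '^ip4:(.+)$'     { $matched = Test-IPv4InCidr $SenderIp $Matches[1]; break }
            '^include:(.+)$' { $matched = (Resolve-Spf $Matches[1] $SenderIp ($Depth + 1)) -eq 'Pass'; break }
            default          { }                      # a, mx, ip6, exists, redirect= are not modelled here
        }
        if ($matched) {
            switch ($qualifier) {
                '+' { return 'Pass' }
                '-' { return 'Fail' }
                '~' { return 'SoftFail' }
                '?' { return 'Neutral' }
            }
        }
    }
    return 'Neutral'                                  # no mechanism matched and no 'all' term
}

Resolve-Spf 'example.com' '198.51.100.10'   # Pass: matched via include:spf.protection.outlook.com
Resolve-Spf 'example.com' '203.0.113.200'   # Pass: matched ip4:203.0.113.0/24 directly
Resolve-Spf 'example.com' '192.0.2.77'      # Fail: only -all matched, so the receiver may reject
```

The third call is the point of the -all at the end of the record: any server not listed gets a hard fail rather than the softer ~all, which only marks the mail as suspicious. Note that an include only counts when the included record returns Pass, so a Fail inside spf.protection.outlook.com does not fail your whole record; evaluation simply moves on to the next term.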

DomainKeys Identified Mail (DKIM)

DKIM is more involved but it is a very powerful way of authenticating mail. Because it takes more setup, fewer senders have adopted it, but it is absolutely recommended that you do so alongside SPF: a DKIM signature travels inside the message and still verifies after the message has been forwarded, where an SPF check would fail because the forwarding server is not one of your authorised IP addresses.

Office 365 does sign mail for domains that have no DKIM policy of their own, using a default key it creates. That default signature, however, is made in the name of your tenant’s initial onmicrosoft.com domain rather than your custom domain, so it will not count as your domain’s signature when DMARC (below) checks alignment. Anyone who cares about security should still enable DKIM for each custom domain they send from.

But how does it work? The sending server takes selected headers (From, To, Subject and so on) and the message body, computes a cryptographic hash of them, and signs that hash with a private key that only your mail system holds. The result is added to the message as a DKIM-Signature header. Hashing is not encryption: nothing in the message is hidden, the signature simply proves that the signed parts have not changed since they left your servers.

You also publish the matching public key in your domain’s DNS records. Receiving servers fetch it, recompute the hash over the same headers and body, and check it against the signature. If it verifies, the message really came from your domain and was not altered in transit; someone spoofing your domain cannot produce a valid signature because they do not have the private key.
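The following is an added example, not from the original post. Part 1 is the Exchange Online PowerShell sequence that enables DKIM for a custom domain, with contoso.com and the initial domain contoso.onmicrosoft.com as assumed names. Part 2 reproduces what the signer and verifier do with .NET’s RSA class and a throwaway key pair: hash the chosen headers and body, sign the hash, then verify it with only the public half. The message is constructed and the header canonicalisation is a simplified version of DKIM’s "relaxed" rules.

```powershell
# Added example, not from the original post. contoso.com and
# contoso.onmicrosoft.com are assumptions; the message in Part 2 is constructed.

# ---- Part 1: enable DKIM signing for your custom domain (Exchange admin) ----
Connect-ExchangeOnline
# Create the signing keys for the domain (still disabled) and read back the two
# CNAME records that receiving servers will follow to find the public keys
New-DkimSigningConfig -DomainName 'contoso.com' -Enabled $false
Get-DkimSigningConfig -Identity 'contoso.com' | Format-List Selector1CNAME, Selector2CNAME
# Publish those at your DNS provider; for this tenant they look like
#   selector1._domainkey.contoso.com  CNAME  selector1-contoso-com._domainkey.contoso.onmicrosoft.com
#   selector2._domainkey.contoso.com  CNAME  selector2-contoso-com._domainkey.contoso.onmicrosoft.com
# Once they resolve (the TXT answer should contain Microsoft's p= public key), turn signing on
Resolve-DnsName -Name 'selector1._domainkey.contoso.com' -Type TXT
Set-DkimSigningConfig -Identity 'contoso.com' -Enabled $true

# ---- Part 2: the mechanism, hash then sign, verify with the public key ----
$utf8   = [System.Text.Encoding]::UTF8
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$hash   = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pad    = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1   # DKIM uses RSASSA-PKCS1-v1_5

function Get-RelaxedHeader([string]$Name, [string]$Value) {
    # DKIM relaxed canonicalisation (simplified): lowercase name, collapse whitespace, trim
    return "$($Name.ToLower()):$(($Value -replace '\s+', ' ').Trim())"
}

function Get-SignedInput($Headers, [string]$DkimHeaderWithEmptyB) {
    # What gets hashed and signed: the listed headers in order, then the
    # DKIM-Signature header itself with an empty b= value
    $lines = @(foreach ($h in $Headers.GetEnumerator()) { Get-RelaxedHeader $h.Key $h.Value })
    return ($lines + (Get-RelaxedHeader 'DKIM-Signature' $DkimHeaderWithEmptyB)) -join "`r`n"
}

# Sender side: body hash (bh=), signature tags, then the signature (b=)
$message  = [ordered]@{ From = 'Alice <alice@contoso.com>'; To = 'bob@example.com'; Subject = 'Invoice 123' }
$body     = "Hi Bob,`r`nthe invoice is attached.`r`n"
$bh       = [Convert]::ToBase64String($sha256.ComputeHash($utf8.GetBytes($body)))
$dkimTags = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.com; s=selector1; h=from:to:subject; bh=$bh; b="

$rsa = [System.Security.Cryptography.RSA]::Create(); $rsa.KeySize = 2048   # private key only the sender holds
$signature = $rsa.SignData($utf8.GetBytes((Get-SignedInput $message $dkimTags)), $hash, $pad)
$dkimSignatureHeader = $dkimTags + [Convert]::ToBase64String($signature)

# Receiver side: it only has the public key, fetched from selector1._domainkey.contoso.com
$publicKey = [System.Security.Cryptography.RSA]::Create()
$publicKey.ImportParameters($rsa.ExportParameters($false))   # $false = export the public part only

function Test-DkimSignature($Headers, [string]$Body, [string]$DkimHeader, $PublicKey) {
    $tags = @{}
    foreach ($p in $DkimHeader -split ';') { $k, $v = ($p.Trim() -split '=', 2); $tags[$k] = $v }
    # 1. the body hash must match bh=
    $bodyHash = [Convert]::ToBase64String($sha256.ComputeHash($utf8.GetBytes($Body)))
    if ($bodyHash -ne $tags['bh']) { return $false }
    # 2. the signature over the headers must verify with the public key
    $withEmptyB = $DkimHeader.Substring(0, $DkimHeader.Length - $tags['b'].Length)
    $data = $utf8.GetBytes((Get-SignedInput $Headers $withEmptyB))
    return $PublicKey.VerifyData($data, [Convert]::FromBase64String($tags['b']), $hash, $pad)
}

Test-DkimSignature $message $body $dkimSignatureHeader $publicKey     # True
$tampered = [ordered]@{ From = $message.From; To = $message.To; Subject = 'Invoice 123 - new bank details' }
Test-DkimSignature $tampered $body $dkimSignatureHeader $publicKey    # False: a signed header changed
Test-DkimSignature $message "$body`r`nPay to account 999" $dkimSignatureHeader $publicKey   # False: body hash mismatch
```

Two things the demo makes visible: the verifier never needs the private key, and nothing about the message is secret, so DKIM is about integrity and origin, not confidentiality. In a real DKIM-Signature header the h= tag lists which headers were covered; anything not listed, and any header added after signing, is outside the signature.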

Domain-based Message Authentication, Reporting, and Conformance (DMARC) to validate email

DMARC is a DNS record that tells recipient mail servers what to do with messages that fail the SPF and DKIM checks for your domain. It builds on SPF and DKIM to provide additional protection against spoofing and phishing email.

To pass DMARC, a message must pass SPF or DKIM (it does not need to pass both), and the domain that passed must align with the domain in the From address the recipient sees: for SPF that is the envelope sender domain, for DKIM the d= domain in the signature. With DMARC you tell recipient servers what to do with messages that fail: monitor only (p=none), send to spam (p=quarantine) or reject outright (p=reject). Start with p=none while you review the reports, and tighten to quarantine and then reject once everything legitimate is passing.

You can also receive reports about your domain. Aggregate reports, sent to the address in the record’s rua= tag, summarise which sources are sending mail as your domain and whether they passed, which shows you both legitimate senders you forgot to authorise and fraudulent email being sent with your domain across the internet.
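As an added example (not from the original post), the script below applies a DMARC record the way a receiving server does, including the alignment rule: a pass only counts if the passing domain lines up with the From domain. The record, the domain contoso.com and the SPF/DKIM results fed in are constructed. The organisational-domain lookup is simplified to the last two labels; a real verifier consults the Public Suffix List.

```powershell
# Added example, not from the original post. The record and contoso.com are
# constructed; Get-OrgDomain is a simplification (real verifiers use the
# Public Suffix List).
$dmarcRecord = 'v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@contoso.com'
# Live lookup of your own record (needs network):
#   (Resolve-DnsName -Name '_dmarc.contoso.com' -Type TXT).Strings

function ConvertFrom-DmarcRecord([string]$Record) {
    $tags = @{ adkim = 'r'; aspf = 'r'; pct = '100' }   # RFC 7489 defaults, overridden by the record
    foreach ($pair in $Record -split ';') {
        if ($pair -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    return $tags
}

function Get-OrgDomain([string]$Domain) {
    $labels = $Domain.ToLower().Split('.')
    return ($labels[-2..-1] -join '.')
}

function Test-Aligned([string]$HeaderFromDomain, [string]$AuthDomain, [string]$Mode) {
    # strict (s): exact match; relaxed (r): same organisational domain
    if ($Mode -eq 's') { return $HeaderFromDomain.ToLower() -eq $AuthDomain.ToLower() }
    return (Get-OrgDomain $HeaderFromDomain) -eq (Get-OrgDomain $AuthDomain)
}

function Get-DmarcDisposition {
    param(
        [string]$Record,
        [string]$HeaderFromDomain,                 # domain of the From: address the user sees
        [string]$SpfResult,  [string]$SpfDomain,   # SPF verdict and the MAIL FROM domain it was checked for
        [string]$DkimResult, [string]$DkimDomain   # DKIM verdict and the d= domain of the signature
    )
    $tags = ConvertFrom-DmarcRecord $Record
    $spfAligned  = ($SpfResult  -eq 'Pass') -and (Test-Aligned $HeaderFromDomain $SpfDomain  $tags['aspf'])
    $dkimAligned = ($DkimResult -eq 'Pass') -and (Test-Aligned $HeaderFromDomain $DkimDomain $tags['adkim'])
    if ($spfAligned -or $dkimAligned) { return 'pass' }          # one aligned pass is enough
    # Failed: apply p= (or sp=, if present, when the From domain is a subdomain)
    $policy = $tags['p']
    if ($tags['sp'] -and $HeaderFromDomain.ToLower() -ne (Get-OrgDomain $HeaderFromDomain)) { $policy = $tags['sp'] }
    return "fail, apply p=$policy"
}

# Office 365 sending normally: SPF and DKIM both pass for contoso.com
Get-DmarcDisposition $dmarcRecord 'contoso.com' 'Pass' 'contoso.com' 'Pass' 'contoso.com'                # pass
# The same mail after being forwarded: SPF breaks, the DKIM signature still carries it
Get-DmarcDisposition $dmarcRecord 'contoso.com' 'Fail' 'contoso.com' 'Pass' 'contoso.com'                # pass
# Forwarded mail from a tenant that never enabled DKIM for contoso.com: only the
# default signature for the initial domain exists, and it does not align
Get-DmarcDisposition $dmarcRecord 'contoso.com' 'Fail' 'contoso.com' 'Pass' 'contoso.onmicrosoft.com'    # fail, apply p=quarantine
# An outright spoof from an unauthorised server with no signature at all
Get-DmarcDisposition $dmarcRecord 'contoso.com' 'Fail' 'attacker.example' 'None' ''                      # fail, apply p=quarantine
```

The third call is why enabling DKIM for your custom domain matters even though Office 365 signs by default: the onmicrosoft.com signature verifies, but it is not your domain’s signature, so once SPF breaks (forwarding, mailing lists) the message falls through to your p= policy and your own legitimate mail gets quarantined.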

Want to check how you’re doing with security in Office 365? Or have questions about Microsoft’s solutions, advice on what products would suit your business needs best, and support with any IT-related queries then contact Cambridge Support on 01223 736 200 or ask@cambridgesupport.com.