Safely Enabling Office 365:

A Requirements Checklist
Requirements for Security is an important consideration when it comes to rolling out Office 365. Safely
enabling Office 365 requires a comprehensive approach that addresses several
safely enabling key areas. This guide was developed to assist you with assembling the security
requirements for your Office 365 project.
Office 365.

Focus on: Access Control

1 Ability to distinguish between managed and unmanaged devices (like
n Access Control encryption enabled on end device) and perform policy enforcement based
on that classification
n Data Governance 2 Support for device profiles, enabling you to categorize and inventory
devices
n Cloud DLP 3 Ability to set admin-level policies at a granular level. For example, don’t
allow SharePoint admins to get access to Exchange email. Addresses the all
n Real-time Policy or nothing limitation of admin access.

Control

n Visibility Data Governance

Finding sensitive data in Office 365 should be at the top of your list when it comes to
n Anomaly safely enabling Office 365. For many organizations, getting visibility into what data
is where and what your exposure is to potential data leakage is a key requirement for
Detection securing Office 365. Start building your RFP with these seven requirements in mind.

n Forensics 4 e-Discover and classify content (e.g., PHI, PCI, PII, source code, and custom
RegEx) for files that are already uploaded to O365

n Risk Management 5 Filter and search files by exposure, file size, file type, date created, date
edited
n All Apps and Data 6 Ability to filter files in O365 that external users (search by individual name)
may have access to

7 Automated policies to control files that already exist in Office 365

8 Quarantine files that already exist in Office 365 (tombstone original file)

9 Encrypt files that have already been uploaded to Office 365

10 Scheduled reports for e-Discovery

1
Noise-cancelling cloud DLP
On-premises DLP technologies have been around for a long time. Cloud DLP is relatively new, but
with many technologies out there, how do you determine what is best for Office 365? The first set of
requirements should be focused on ensuring that the DLP technology includes capabilities that result
in fewer false positives. You also want a DLP engine that is robust, but also not overly complex where
everything needs to be customized. Here are the key requirements that will help ensure you have a solid
solution for DLP.

11 Enterprise class DLP for O365 (minimum 3,000+ data identifiers, 500+ file types)

12 Signature-less DLP via Fingerprinting

13 Ability to perform secondary DLP analysis for content leveraging on-premises DLP solution via
REST API

14 Proximity analysis for DLP

15 Customizable DLP signatures (regular expressions)

16 Context-aware DLP (e.g., DLP while sharing a document with bob@acme.com)

17 Predefined DLP policies

18 DLP ‘AND’ plus ‘OR’ rules

19 DLP severity levels

20 DLP global identifiers

Visibility and real-time policy control

Discovering sensitive data is the first step. Providing real-time policy control to limit your risk exposure
is a critical next step. A real-time policy means that you can stop risky activities in their tracks before bad
things happen. There are several requirements in this area that ensure your policy enforcement covers
you 360 degrees.

21 Visibility and real-time policy control for Office 365 activities (create, delete, download, edit,
send, upload, view, view all, share)

22 Policy action to change access and sharing permissions for files in Office 365 (based on identity,
DLP, activity triggers)

33 Legal Hold for files uploaded to O365

24 Ability to incorporate enterprise-readiness levels in policy-setting (e.g., don’t upload to apps

rated ‘medium’ or below)

25 Ability to change weightings of enterprise-readiness criteria in overall enterprise-readiness levels

26 Policy enforcement for both users and admins

27 Policy enforcement - user groups

28 Policy enforcement - organizational unit

2
Visibility and real-time policy control (continued)
29 Policy enforcement - geolocation of both user and app

30 Policy enforcement - IP address/range

31 Policy enforcement - Object/file transacted

32 Policy enforcement - Constraint profiles (from/to user in cloud app, e.g., “don’t share if
recipient is outside of the corporate domain”)

33 Policy Action - Block Activity

34 Policy Action - Encrypt data objects

35 Policy Action - Coach end user

36 Policy Action - Email notifications

37 Policy action - Quarantine file

38 Policy action - Bypass inspection

Extend visibility and real-time policy control to endpoints

Your users are using Office 365 and ecosystem apps from anywhere on any device. You need to ensure
that your security solution for Office 365 extends visibility and real-time policy control to these endpoints.
Here are the endpoint requirements.

39 Native Client Windows

40 Native Client for Mac OSX support

41 Native/Mobile Client for iOS support

42 Native/Mobile Client for Android support

Anomaly detection, forensics, and risk management

Understanding and controlling risky activities using anomaly detection and forensics combined with risk
management is a key requirement for securing your Office 365 environment.

43 Machine learning based anomaly detection

44 Usage and activity based risk rating

45 Determining password breaches of users in enterprise

46 Detection of account hijacking

47 Behavioral anomaly detection (e.g., excessive downloads, uploads, shares, edits)

48 Detection of activity from risky countries

3
Govern all apps and data
Now that you have tackled Office 365 data governance, data loss, and real-time policy and access control,
the next step is to ensure you extend your secure perimeter to cover the Office 365 ecosystem apps as
well as any cloud apps that may interact with Office 365. There are a number of requirements that will
cover you in this key area.

49 Discover all Office 365 ecosystem and surrounding cloud apps

50 Assess the risk of the discovered apps based on an enterprise-readiness score consisting
of multiple vectors including product capabilities, legal, financial viability, vulnerabilities,
auditing & certifications and SLAs

51 Extend all Office 365 policy capabilities to ecosystem and surrounding cloud apps

52 Policy enforcement of thousands of cloud apps

53 Bring in enterprise-readiness score into policy enforcement

54 Policy enforcement - Application Instance

55 Policy enforcement - Application groups (e.g., single policy across all Cloud Storage apps)

About Netskope
Netskope™ is the leader in safe cloud enablement. Netskope gives IT the ability to find, understand,
and secure cloud apps. Only Netskope empowers organizations to direct usage, protect sensitive data,
and ensure compliance in real-time, on any device, for any cloud app so the business can move fast,
with confidence.

©2015 Netskope, Inc. All rights reserved. Netskope is a registered trademark and Netskope Active, Netskope Discovery, Cloud Confidence Index, and
SkopeSights are trademarks of Netskope, Inc. All other trademarks are trademarks of their respective owners. 07/15 WP-79-1