Microsoft has long been the undisputed leader in home and office productivity software. In June 2011, it launched Office 365, its cloud-based software that enables you to use Word, Excel, PowerPoint, Outlook and other applications from multiple devices.  O365, as it’s typically abbreviated, is at the heart of Microsoft’s mobile-first, cloud-first mission. Yet, as Microsoft would be among the first to concede, something important has been missing from O365, and the company has been hard at work, through partnerships and acquisitions, to close the gap.

O365 is analogous to a wonderful playground. The swings, monkey bars and seesaws are state-of-the-art and perform well, just as you would expect from the Office suite you have come to know and love. Yet, as constructed, IT administrators have had very little sense about what’s exactly going on within the playground.  What are the all the different kids doing at any given time? Are they playing nice in the sandbox or are they trying to take some of that sand (i.e. sensitive data) home with them against playground rules?  Who is that sketchy guy (Mr. Anomalous Behavior) standing in the corner with the sunglasses and raincoat? He doesn’t belong there, and should be called out. In terms of transparency regarding data activity within O365, companies have been operating somewhat in the dark.

The large and growing trend toward the use of software-as-a-service applications (SaaS apps) within companies is associated with innovation and agility, but it also creates security vulnerabilities as well.  O365 is not alone is wanting to assure users that the use of SaaS apps is safe; as Salesforce.com, Box, Dropbox, ServiceNow and many other SaaS apps have similar incentives to offer the necessary visibility and control over network activity, especially with the growing specter of security breaches.  The same goes for cloud hosts like Amazon Web Services and Microsoft Azure.

A group of software firms that Gartner calls Cloud Access Security Brokers (CASBs) have sprung up over the past couple of years to address the need for users to get their arms around data as an asset. Their software enables companies to discover, analyze and control the use of their cloud-based services. Aside from seeing inside the known or sanctioned playgrounds like O365, CASBs also shine a spotlight on what’s called shadow IT, where employees, at best, seek forgiveness rather than permission for pulling down apps, many of which are highly risky, without first seeking approval from corporate IT authorities.

On April 21, 2015, Microsoft announced the formation of an O365 Management Activity API for security and compliance monitoring, which basically is a way to make it easy for third parties to write complementary software.  Three CASBs, Netskope, Skyhigh Networks and CloudLock, were invited into the pre-release program, demonstrating Microsoft’s dedication to a safe O365 playground.

On July 19, 2015, rumors of Microsoft’s interest in purchasing Israel-based Adallom, another CASB, started to circulate.  Today, Microsoft formally announced that it had acquired Adallom.

With all of the concerns today about cybersecurity, and the need to be in compliance with a virtual alphabet soup of regulations like HIPAA and FINRA that are designed to safeguard consumers’ personal information, companies need to do more than just harden the dome over their network and secure the perimeter to keep bad things out. Of course, that is no small feat, and it is made even more challenging by the growing use of devices owned by employees, the Bring-Your-Own-Device (BYOD) trend. Employee use of cloud-based services such as SaaS apps and cloud hosts drive data through that perimeter constantly, creating vulnerabilities that have to be managed.  We still have a long way to go to realize the full potential of the cloud.  Microsoft should be commended for moving us in the right direction.

Comment