Office 365 security review

Does the SaaS provider protect external data in transit using TLS?

Yes

According to their Trust Centre Documentation Office 365 uses TLS. Even though it isn’t explicitly stated, hands-on testing suggests that this is using TLS 1.2.

Does the SaaS provider protect external data in transit using correctly configured certificates?

Yes

Office 365 meets the recommended cryptographic profiles for TLS as published by the NCSC. In addition the Office domain currently gets an ‘A’ rating from Qualys SSL Labs. Note that this was performed on their top level domain, and not all subdomains that may be used for API calls.

Does the SaaS provider protect internal data in transit between services using encryption?

Yes

According to their Trust Centre Documentation Microsoft encrypts all traffic in transit within their network using TLS and IPSec.

Does the SaaS provider protect internal data in transit between services using correctly configured certificates? 

Yes

According to their Azure encryption overview Microsoft uses TLS to protect all traffic in transit between services.

If APIs are available, does the SaaS provider protect both internal and external APIs through an authentication method?

Yes

All API requests must be authorised by the user and use OAuth.

If there is a concept of privilege levels in the service, does the SaaS provider have the ability for low privilege users to be created?

Yes 

Users can have one of several roles with varying levels of permissions. Microsoft provides a set of prebuilt admin roles. This is described in the Office 365 documentation. If there is a concept of privilege levels, does the SaaS provider provide 2FA/multi-factor authentication on at least the high privileged accounts?

Yes

Office 365 currently provides multi-factor authentication via SMS or the Microsoft Authenticator app. This can be enforced by Administrators for users within their domain. Office 365 also integrates with Single Sign On (SSO) options each of which may provide 2FA options.

Does the SaaS provider collect logs of events?

Types of log may include security logs and resource logs

Yes

As stated below, Microsoft stores a variety of logs – these are made available to a domain administrator. It is unknown as to the extent of internal logging. Does the provider make logs available to the client?

Yes

Microsoft makes a variety of logs available to administrators, this is all collated into an “audit log” including areas such as login and administrator actions on various individual parts of Office 365.

Does the SaaS provider have a clear incident response and patching system in place to remedy any publicly reported issues in their service, or libraries that the service makes use of?

The provider’s previous track record on this is a good metric to see how they’ll cope with a new issue occurring.

Yes

Microsoft has a dedicated security team, they also have a public bug bounty program. Does the SaaS provider give clear and transparent details on their product and the implemented security features (i.e. how easy has it been to answer the above questions) ? Yes Microsoft publishes details of their security architecture in their white paper and within the FAQs and TechNet articles on their site.

Source: NCSC