I was in a presentation earlier this week where a senior person from a rather idiosyncratic but large public organisation talked about their experiences of migrating to Microsoft Office 365. There were interesting and honest reflections, and many people asked if it was possible to get a copy of the slides that had been shown. “Yes, but we can’t share things outside of our tenant. We’ll get it emailed.” was the response.
If you’re not familiar with the lingo, let’s unpack that a little bit.
Microsoft Office 365 is an internet-hosted platform on which customers rent space (a “tenant”) which offers them email, calendaring, file storage and a host of other online applications. Because it is internet-based, it is possible to configure Office 365 so that end users are able to share resources with people outside of their organisation.
For example, say you are working on a document with an external lawyer. You could give the lawyer access to the document based on their (email) identity, and work collaboratively on that document avoiding the ping-pong of email and attachment traffic that typifies most inter-organisation interactions today. Not only does this have the opportunity to make workflows more effective, but also because the one master document is accessed from one place, the ability to control the data is greatly enhanced. It is possible for the lawyer to download the document, and still I believe not possible to prevent that, but you have “one version of the truth” that is pretty irrefutable.
However, in a huge proportion of the organisations I encounter in my work, that flexibility and opportunity is turned off. “I can’t share outside of my tenant”.
Why is this happening?
Well, because (I think) of a combination of deeply held prejudice that things on the internet are somehow inherently unsafe, and also that giving access to IT resources to someone outside of the organisation is inherently risky. Both of these belie a fundamental misunderstanding of how the modern world of technology works.
Roll back a bit.
Traditionally organisations have adopted what is sometimes known as a “citadel” model of security, where there is a hard perimeter (firewalls) around an assumed “private” network on which it is assumed that all things and people connected are relatively known and relatively safe. This model wasn’t really by design, it kind of evolved from a time (decades ago) when commercial organisations weren’t connected to the internet.
The citadel model is fairly efficient, but has some major challenges. Assumption that everything within the hard walls is relatively safe leads to sloppy behaviours, and allowing someone from the outside in relies on having to build trust in them quite quickly and absolutely.
Imagine you work in an office that has security guards and gates and you have to show your pass every morning to get into the building. You’ll probably happily leave your personal belongings on your desk when you pop to the loo. Then there is a spate of thefts, and it turns out that the thief is someone who has been working part-time for a contractor. Contractor recruitment rules get bumped up, everyone is a bit more paranoid for a bit, and then things quickly return to as they were.
Now imagine you are in a busy city-centre pub. Whilst you are sitting at a table, you’ll be quite happy to have your wallet or your phone on the table in front of you, in plain sight. In fact, they’re probably safer there than in the pocket of a coat the back of your chair. You probably wouldn’t leave them there, though, when you popped to the loo (unless you are with other people, in which case it would probably be fine). You change your behaviours.
So what’s happening with the way in which organisations are implementing Office 365? Well, they’re thinking that they need to implement it in the way that they would if they were in a citadel model. They’re thinking that they’re in a secure office, when actually they’ve moved to the pub. They are implementing models and thinking that aren’t appropriate for internet-based services.
But why is this an issue? Why can’t they pretend that Office 365 is no different to the world they know?
Well, because they are then peddling a lie. Part of the pitch for moving to an internet-based service like Office 365 is changing working behaviours to become more productive and more collaborative. Increasingly people are working in teams that span organisations. Refusing to allow users share outside of the tenant forces one of two outcomes:
- they continue to have to rely on email to share and collaborate outside, and because that pattern is so common, they continue to use email as the primary means for doing everything.
- they shift to “shadow” channels to get their jobs done, out of sight and mind of IT governance
Both of these outcomes are less secure. Sharing documents and other resources from internet-based services isn’t like doing so in the old citadel model. They are designed that way and you’re not making anything more vulnerable as a result. An email sent is an email out of control of the organisation entirely. Shadow channels, often on free or freemium platforms have their own hornet’s nest of issues.
Setting up services like Office 365 to be restricted to the tenant organisation’s people alone fundamentally misunderstands the opportunities and threats of modern internet-based platforms. It counter-nudges people in to maintaining existing working practices, or shifts them to use platforms to get their jobs done. Information security and IT professionals really need to start thinking differently.