On a call earlier today (with an end-user client) I was discussing enterprise security norms around cloud-based productivity suite offerings. Like many IT Decision Makers who are taking the leap to the cloud, our client (based in the APJ region) is also currently evaluating cloud-based productivity suite options including both Microsoft Office 365 and Google Apps for Work. During our conversation I ran a quick Poodle Attack Vulnerability check (on www.ssllabs.com) and the results were worrisome. More below.
The Background – what is the POODLE attack & why it is relevant? To give some context, the POODLE Attack is a vulnerability that takes advantage of web browser encryptions. It gives attackers the access to the web traffic between a user’s browsers and a HTTP Secure website, which can cause serious repercussions such as decrypting sensitive user information like authentication cookies.
The Result – Microsoft Office 365 continues to rate weak on SSL3.0 Security Vulnerability. In October 2014, Microsoft issued an advice on a Secure Sockets Layer (SSL) 3.0 security flaw that was discovered in their Azure and Office 365 exchange servers. Microsoft stated that SSL 3.0 is an aged protocol and now replaced by Transport Layer Security (TLS) protocol, which is devoid of the POODLE flaw, as also validated by US-CERT. However, we ran the Qualys test for few mail servers, only to find that the vulnerability still affects the Office 365. The tests for Office 365 as compared to Google Mail are below.
The BIG Question – Can Such Vulnerabilities Be Better Managed? 6 of 10 IT Decision makers we engage with state their concern of being vulnerable to cyber-attacks. This number is higher (8 of 10) for Small and Medium Businesses (SMBs) – they often do not have proper security measures in place hence make for easier prey. With players like Google (Apps for Work), Microsoft (Office 365) and IBM (Verse) increasingly catering to organizations with cloud-based productivity suite, this space is only expected to get more complex.
Greyhound Research believes that IT Decision makers cannot have an escapist attitude to security while evaluating such cloud-based offerings and need to check for such vulnerabilities to ensure safety for its data (and brand). Basis our on-going conversations with leading IT decision makers in Emerging Markets, Greyhound Research has compiled a list of critical questions that every IT decision maker must address when implementing a cloud security strategy for their organization.
- Are my peers in other organizations adopting, planning or exploring Cloud delivered services?
- Is my on-premise infrastructure more secure than cloud?
- How different is Cloud security to the previous on-premise and hosted scenarios?
- Is Private cloud more secure than Public cloud?
- How should I assess my cloud provider?
- How can I better manage data privacy for cloud delivered workloads?
- What industry certifications should I look out for?
- What are the key compliance requirements I need to adhere when using cloud for my org?
- Are there any industry bodies certifying cloud providers?
- Do I need to re-skill my team to better manage cloud providers and security?
- My peers tell me Cloud is both a legal and contractual nightmare. How true is this?
Greyhound Research Standpoint
Greyhound Research believes it’s important for IT leaders to not rubbish cloud services only based on perceptions and spend time understanding security measures implemented by cloud providers. Cloud offers multiple benefits through automation (higher efficiency) and shared resources (economies of scale) and cloud providers like Google, Salesforce.com and others are investing heavily in people and assets to better manage security. However, in instances like Microsoft Office 365, Cloud-based delivery only stands to increase security related concerns for an organization.
What’s your Standpoint?
Do you think Microsoft needs to re-evaluate the security strength of its Office 365 offering and offer further guidance on the existing lapses?
If you are a key IT decision maker in your organization and need guidance on devising a cloud security strategy best fit for your organization, leave a comment or send me an email on sgogia@greyhoundgroup.com.
Note for Technology Users – Join Our Exclusive Community!
Greyhound Research values your opinion and invites IT decision makers and business leaders involved in IT projects to join our exclusive, vendor-free research panel, Greyhound Golden Gate. If your story if exclusive and we have your permission, we will write a post about you and the project to share it with the larger community. Over and beyond, this also gives you access to some of our thought-leading research and experts. Please write to me on sgogia@greyhoundgroup.com and we’ll take it further from there!
Note for Vendors and Providers – Did you see our Research Agenda?
Do check out our extensive research schedule that covers a vast variety of topics including new-age business themes, disruptive technologies, business and technology roles. Please write to me on sgogia@greyhoundgroup.com and we’ll gladly share a copy of the research schedule with you.
Related Material On This Topic
- CIOs Need A Broad Outlook For Developing Security Strategies
- The Cons Of Microsoft Office 365
- Enterprise Mobility – Value Lies in Data, Not Device Alone!
Wish To Use This Material?
Greyhound Research is happy to provide reprint rights and official reprints in PDF format. Please send us a note on connect@greyhoundgroup.com.
Copyright © 2015 Greyhound Research. All rights reserved.
About The Author: Sanchit Vir Gogia is the Chief Analyst & CEO of Greyhound Research, an independent IT & Telecom Research & Advisory firm. He also serves as Founder & CEO of Greyhound Knowledge Group that operates under four brands – Greyhound Research, Greyhound Sculpt, Greyhound Technocrat and Greyhound Vivo. To read more about him, click here.