UK Public Sector to benefit from the new Office 365 security and compliance guidance

By Stuart Aston, National Security Officer, Microsoft UK

07/01/2019

Categories
Education
Health

Public sector employee writes emails at their desk

Public sector organisations are under intense scrutiny to ensure they are secure and compliant – not just by the ruling bodies, but by the public as well. This is why Microsoft is pleased to have worked alongside GDS and the NCSC to publish the Office 365 security and compliance guidance for our UK Public Sector customers.

The UK Government’s NCSC and Cabinet Office created the 14 Cloud Security Principles. This allows customers to evaluate cloud services and provide a broad non-definitive list of controls that could be used by cloud providers to meet the security obligations when operating at UK OFFICIAL.

Microsoft provides cloud services with built-in security and compliance. It has numerous independently verified attestations on its configuration state, from ISO such as the ISO 27000 family of standards, guidelines published by the National Institute of Standards and Technology (NIST) like NIST 80053, and more. Furthermore, Office 365 offers a rich set of technical options enabling the customer to manage risk. However, sometimes this can lead to confusion or unintentional gaps in a customer’s security posture.

Our guidance has been developed out of a need to help UK Government departments, Local Authorities and the various agencies across the wider public sector, as well as commercial organisations who work closely with government:

Understand how the 14 Cloud Security Principles can be supported natively within Office 365, and
Configure Office 365 in a way that helps them meet their obligations and leverages the features and capabilities that are present within the service. It draws on broad experience across UK government, industry and draws heavily on already existing best practice.

To cover these in more detail, we have produced two documents to help inform public sector customers.

The first document, Office 365 Security and Compliance Blueprint explains how Office 365 maps to each of the cloud security principles and helps customers understand why specific security controls are recommended.
The second document, Office 365 Secure Configuration Alignment provides step by step configuration guidance allowing organisations to understand how the features and capabilities in Office 365 can be used to ensure that a common bar has been achieved for their Office 365 tenant.

We have taken a ”good, better, best” approach to help customers choose the right, security options in line with their own organisation’s risk appetite.

A spokesperson from the NCSC’s Cloud Security Research said: “This guidance has been developed through the shared expertise and successful collaboration between the NCSC, Microsoft and the Government Digital Service. The advice aims to help private and public sector colleagues check and improve the security stance of their Office 365 deployments.”

Michael Wignall, Microsoft’s UK CTO also said: “This documentation provides a thoughtful and detailed outline of how to secure your Office 365 tenant in line with the Government’s security principles and offers practical guidance to ensure users stay safe right now, and helps support organisation’s compliance efforts with GDPR.”

We also hope this guidance is timely as the Government Digital Service (GDS) has now stopped issuing any new GSi-family domains and says: “These domains no longer offer value for money and our security needs can be delivered in more efficient ways, such as through a secure public cloud service.”

GDS is proposing that in most cases Government email should move to public cloud and has published guidance:

It covers practical steps to take for organisations using Office 365 who currently route email via PSN and the GSi Convergence Framework (GCF) Mail Relay services; as well as other practical issues such as managing DMARC, DKIM and SPF records and making DNS changes.