Office 365 Security Best Practices

Security in Office 365 is an ongoing process. Microsoft keeps its software and hardware up to date, maintained and verified by experienced, trained personnel, and has adopted a number of processes to keep Office 365 secure, including the Security Development Lifecycle, traffic throttling, and a Prevent, Detect and Mitigate Breach strategy.

Security Development Lifecycle

Microsoft has adopted the Security Development Lifecycle (SDL), a comprehensive security assurance process that informs every stage of design, development, and deployment of Microsoft software and services, including Office 365. This helps Microsoft predict, identify, and mitigate vulnerabilities and threats.

Traffic Throttling to Prevent Denial of Service Attacks

Exchange Online tracks usage baselines and accommodates normal traffic bursts without affecting the user experience. When traffic from a given user exceeds its typical parameters, that traffic is throttled until usage returns to normal. Whether the excess is caused by ordinary user behaviour or by a malicious Denial of Service attack, Exchange responds automatically so that other users are not affected.

Prevent, Detect, and Mitigate Breach

Prevent Breach is a defensive strategy aimed at predicting and preventing a security breach before it happens. It relies on continuous improvement of built-in security controls, including port scanning and remediation, prompt patching of operating systems and security software, network-level Distributed Denial of Service detection and prevention, and multi-factor authentication for service access.

Enabling Anti-Spam/Anti-Malware

Office 365 evaluates each received message and assigns it a spam confidence level (SCL) value. Messages with high SCL values are deleted at the gateway. Messages with borderline SCL values are delivered to users' Junk Email folders, where they are removed automatically after 30 days. Administrators can use the Office 365 admin center to manage the anti-spam and anti-malware controls, including organization-wide safe and blocked sender lists.
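The same controls can be reviewed and tuned from Exchange Online PowerShell, which is how most administrators script them. The following is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds an Exchange admin role, and that admin@contoso.example, partner.example and junkmail.example are placeholders for your own tenant and sender domains.

```powershell
# Added example (not part of the original post): inspect and tune the default
# Exchange Online Protection anti-spam policy and its organization-wide lists.
# Assumptions: ExchangeOnlineManagement module installed, Exchange admin role,
# and the placeholder identities/domains below replaced with real ones.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # interactive sign-in

# 1. What does the default content filter policy do at each SCL band today?
Get-HostedContentFilterPolicy -Identity Default |
    Format-List Name, SpamAction, HighConfidenceSpamAction, BulkThreshold,
                AllowedSenderDomains, BlockedSenderDomains

# 2. Confirm the 30-day Junk Email retention the post describes. "Junk Email" is
#    the built-in retention tag applied to that folder.
Get-RetentionPolicyTag -Identity "Junk Email" |
    Format-List Name, AgeLimitForRetention, RetentionAction

# 3. Tighten the actions and maintain the allow/block lists in one call.
#    Quarantining high-confidence spam keeps phishing out of the mailbox
#    entirely; an admin can still release a false positive from quarantine.
Set-HostedContentFilterPolicy -Identity Default `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -BulkThreshold 6 `
    -AllowedSenderDomains @{Add = "partner.example"} `
    -BlockedSenderDomains @{Add = "junkmail.example"}

# 4. An allow-listed domain is stamped SCL -1, which bypasses spam filtering
#    for anything claiming to come from it, spoofed or not. A mail flow rule
#    can grant the same bypass only when the message has also passed DMARC.
New-TransportRule -Name "Bypass spam filter for authenticated partner mail" `
    -SenderDomainIs "partner.example" `
    -HeaderMatchesMessageHeader "Authentication-Results" `
    -HeaderMatchesPatterns "dmarc=pass" `
    -SetSCL -1

Disconnect-ExchangeOnline -Confirm:$false
```

Step 4 is the caveat worth remembering: organization-wide safe sender entries are effectively a filtering bypass, so keep the list short, prefer a rule that checks the `Authentication-Results` header (or remove the partner from the allow list once the mail flow rule is in place), and review both lists periodically. The `dmarc=pass` pattern is a simple substring match; if the partner's mail is not DMARC-aligned, match on `spf=pass` or `dkim=pass` instead.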

Independent Verification and Compliance

Microsoft engages in regular risk management reviews, and it develops and maintains a security control framework that meets the latest standards. Office 365 has obtained the following independent verifications:

ISO 27001

Office 365 was built to the ISO 27001 standard and was the first major business productivity public cloud service to implement this rigorous set of global standards covering physical, logical, process, and management controls.

FISMA

Office 365 has been granted FISMA Moderate Authority to Operate by multiple federal agencies. Operating under FISMA requires transparency and frequent security reporting to U.S. Federal customers.

HIPAA

Office 365 is the first major business productivity public cloud service provider to offer a HIPAA Business Associate Agreement (BAA). HIPAA is a U.S. law that applies to healthcare entities and governs the use, disclosure and safeguarding of protected health information.

Want to find out more about intranet solutions? Which intranet solution has the right security for you? We can help you figure that out!



Published 2018-03-07. Categories: Office 365, Security, SharePoint Online