Skip to main content

Is Exchange Online For Microsoft Office 365 Secure?

Previously, we discussed the physical and logical security provided by Microsoft for Office 365 (opens in new tab) data centres across all geographic locations. Overall security is important and it reduces the impact of any intrusion attempts, but the security features of each of the component of Office 365 matters as well. Our main concern here today: Is Exchange Online for Microsoft Office 365 Secure?

Microsoft promises to deliver on security through a hoard of features in Exchange Online. It utilises Microsoft Exchange 2010 as the platform and provides security through different measures including:

Transport Layer Security: With TLS (Transport Layer Security) in place, Microsoft ensures that the communication link between the client and Exchange Online Servers is encrypted at all times thereby preventing spoofing attempts and also providing confidentiality of emails through encryption.

Encryption between Client & Exchange Online: With Secure Sockets Layer (SSL) in place, client connections to Exchange Online, by whatever means, is always encrypted through TCP port 443. POP3 and IMAP traffic is also encrypted (opens in new tab) using TCP port 995.

Custom Routing of Outbound Emails: Through this option, companies can make sure that all their outbound emails are routed through their on-premises servers, which in turn enables organisations to use Data Loss Prevention (DLP) appliances/software thus adding an extra layer of security.

S/MIME: If there is an existing PKI (Public Key Infrastructure) and S/MIME Certificate Enrolment process in place at the customer’s premises, Microsoft allows the use of S/MIME for transportation and storing of S/MIME messages.

Anti-spam & Antivirus Filtering: Through the Microsoft Forefront Online Protection for Exchange, an email filtering technology, Office 365 (opens in new tab) provides protection to incoming, outgoing and internal messages from malware that is transferred through emails. The technology ensures that all the emails that are transferred through the Exchange Online service are scanned for all kinds of malware. The anti-spam technology is proprietary and helps achieve high level of accuracy when it comes to blocking of spam messages. Antivirus service that checks for virus and malicious code is not charged for and comes as a complementary service to all the customers. Exchange Online for Office 365 also supports Junk Mail, Spam Quarantine, Safe and Blocked senders (opens in new tab) as well as Filtering service for inbound emails.

Information Rights Management: Exchange Online doesn’t provide hosted Information Rights Management, but administrators can utilize the on-premises Active Directory Rights Management along with Exchange Online. If IRM is in place, Outlook has the capability of communicating directly with the AD Rights Management (RM) Server enabling the users to read and compose email messages protected by AD RM. With Exchange Online and IRM working in sync, the following features are available:

- Transport Protection Rules

- Support for IRM in Outlook Web App

- IRM Search

- Protected Voice Mail

- Outlook Protection Rules, etc.

Pretty Good Privacy (PGP): Even through Exchange Online (opens in new tab) for doesn’t provide key management, key directory or key repository services, Exchange Online can be utilised by organisations to transport and store messages that are encrypted using third party client-side encryption solutions such as PGP.

Ravi Mandalla was ITProPortal's Sub Editor (and a contributing writer) for two years from 2011. Based in Ahmedabad, India, Ravi is now the owner and founder of Parity Media Pvt. Ltd., a news and media company, which specializes in online publishing, technology news and analysis, reviews, web site traffic growth, web site UI. Ravi lists his specialist subjects as: Enterprise, IT, Technology, Gadgets, Business, High Net Worth Individuals, Online Publishing, Advertising, Marketing, Social Media, News, Reviews, Audio, Video, and Multi-Media. He has also previously worked as Dy. Manager - IT Security at (n)Code Solutions.