Educause Security Discussion mailing list archives
Re: Exchange Online
From: "Tevlin, Dave" <dtevlin () VISI ORG>
Date: Fri, 14 Aug 2015 08:00:18 -0400
The question that jumps to my mind deals with how Exchange in the Office 365 infrastructure is managed. At TechEd in Europe, last year I think, there was a deep dive talk about their datacenters and processes. One of which is they don't patch Exchange like you would for an on-prem operation. Due to the size and global nature of the environment, in order to prevent code drift within the datacenters they wipe and reload new code for Exchange every 2 weeks. The code revisions go through testing and are implemented for MS in-house use first, part of their eat their own dogfood philosophy they have, before going into the datacenter image. This process may have changed since I saw the presentation, please check with your contacts at MS for current updates. The question I have is does this same process hold true for security patching known vulnerabilities that were publicly disclosed or actively being exploited? At a minimum this would seem to leave Exchange exposed for up to 2 weeks as new code is brought into the datacenter image. Does that fit with your accepted risk tolerances? Dave Tevlin Network/Systems Admin Georgetown Visitation Prep School On Fri, Aug 14, 2015 at 7:28 AM, Jones, Mark B <Mark.B.Jones () uth tmc edu> wrote:
Is there something special about email in O365. I think having a policy that sanctions sending PHI via email is irresponsible unless you add the requirement that the email be encrypted. Perhaps PHI can be protected at rest in O365, But email is email. *From:* The EDUCAUSE Security Constituent Group Listserv [mailto: SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Everett, Alex D *Sent:* Thursday, August 13, 2015 10:21 AM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* [SECURITY] Exchange Online I am wondering if any of your organizations have sanctioned the exchange of PII or PHI via e-mail in Office 365 or are evaluating this. Over time, we are seeing more security controls and features added to Office 365 and wondered if any other organizations had made this decision. We have not yet made this decision and are not presently using Exchange Online/Outlook in Office365. If you have or have not, or if you have a policy that you could point me to I would appreciate it. Feel free to e-mail me directly if you don’t want to respond to all. Sincerely, Alex Everett, CISSP IT Security Engineer University of North Carolina at Chapel Hill
Current thread:
- Exchange Online Everett, Alex D (Aug 13)
- Re: Exchange Online Meier, Tina (Aug 13)
- Re: Exchange Online Jeff Choo (Aug 13)
- Re: Exchange Online Jones, Mark B (Aug 14)
- Re: Exchange Online Tevlin, Dave (Aug 14)
- Re: Exchange Online Evans, Edward (Aug 14)
- Re: Exchange Online Jones, Mark B (Aug 16)
- Re: Exchange Online Jeff Choo (Aug 17)
- <Possible follow-ups>
- Re: Exchange Online Everett, Alex D (Aug 13)
- Re: Exchange Online Everett, Alex D (Aug 13)