Educause Security Discussion mailing list archives

Re: Exchange Online


From: "Tevlin, Dave" <dtevlin () VISI ORG>
Date: Fri, 14 Aug 2015 08:00:18 -0400

The question that jumps to my mind deals with how Exchange in the Office
365 infrastructure is managed.

At TechEd in Europe, last year I think, there was a deep dive talk about
their datacenters and processes. One of these is that they don't patch
Exchange like you would for an on-prem operation. Due to the size and global
nature of the environment, in order to prevent code drift within the
datacenters they wipe and reload new code for Exchange every 2 weeks. The code
revisions go through testing and are implemented for MS in-house use first,
as part of their "eat their own dogfood" philosophy, before going into
the datacenter image. This process may have changed since I saw the
presentation; please check with your contacts at MS for current updates.

The question I have is does this same process hold true for security
patching known vulnerabilities that were publicly disclosed or actively
being exploited? At a minimum this would seem to leave Exchange exposed for
up to 2 weeks as new code is brought into the datacenter image. Does that
fit with your accepted risk tolerances?

Dave Tevlin
Network/Systems Admin
Georgetown Visitation Prep School

On Fri, Aug 14, 2015 at 7:28 AM, Jones, Mark B <Mark.B.Jones () uth tmc edu>
wrote:

Is there something special about email in O365?

I think having a policy that sanctions sending PHI via email is
irresponsible unless you add the requirement that the email be encrypted.

Perhaps PHI can be protected at rest in O365, but email is email.



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Everett, Alex D
*Sent:* Thursday, August 13, 2015 10:21 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Exchange Online



I am wondering if any of your organizations have sanctioned the exchange
of PII or PHI via e-mail in Office 365 or are evaluating this.

Over time, we are seeing more security controls and features added to
Office 365 and wondered if any other organizations had made this decision.

We have not yet made this decision and are not presently using Exchange
Online/Outlook in Office 365.

If you have or have not, or if you have a policy that you could point me
to, I would appreciate it.

Feel free to e-mail me directly if you don’t want to respond to all.



Sincerely,



Alex Everett, CISSP

IT Security Engineer

University of North Carolina at Chapel Hill

