Yesterday we released our Cloud Report, in which we share cloud security findings based on millions of users across hundreds of enterprises. While the headline of the report is about cloud malware, there’s another finding that really jumped out at us as we were crunching the data for the report – the sheer growth in enterprise usage of the Office 365 suite! Microsoft 365 Outlook.com and Microsoft Office 365 OneDrive for Business took the second and third spots, respectively, in our top 20 most-used apps list. For the first time since we’ve been publishing this report, those apps have surpassed their Google counterparts, Gmail and Google Drive. They have also eaten the lunch of their freemium counterparts in the Microsoft Live suite. This is huge for enterprises and obviously huge for Microsoft’s cloud profitability.
Let’s look at Microsoft’s dominance in our top 20 list. No fewer than seven apps made the list, including Office 365 Outlook.com at #2, Office 365 OneDrive for Business at #3, Skype at #10, Live OneDrive at #15, Live Outlook at #16, Office 365 Yammer at #17, and Office 365 Lync at #19. In our dataset, we noticed that not only are more enterprises adopting Office 365, but more users within enterprises are adopting the suite, which increases Microsoft’s consumption – or sustained usage – within the enterprise. Over the past year, usage per enterprise of OneDrive for Business and Office 365 Outlook.com have both grown several hundred percent according to our data. We also noticed that, besides taking market share from other vendors, the Office 365 apps (especially OneDrive and Outlook.com) are also taking share from the Microsoft Live suite, the freemium version. This tells us that Microsoft’s up-sell strategy is working and their conversion program is paying off. We think it’s also good news for enterprises, as they’re better able to consolidate usage onto their sanctioned apps.
It does have implications for Office 365 security, however. Microsoft Office 365 apps are highly rated in the Netskope Cloud Confidence Index and have most of the critical features required by enterprises. That said, many organizations need to govern usage within the suite to ensure they are meeting their security and compliance regimens. This is where a cloud access security broker can come in handy. In the shared responsibility model in the cloud, in which the vendors are responsible for making their apps secure, but enterprises are responsible for how their employees use the apps, a CASB can enforce policies like “least privilege” for admins (e.g., the Exchange admin is separate from the SharePoint one), user access by device type or classification (e.g., users on BYOD devices aren’t only given web-based access and can’t download, but users on corporate ones have full access), and activity by user, group, or organizational unit (e.g., users in the “insiders” AD group are not able to share content outside of the company from OneDrive without a written justification).
There is also the question of the Office 365 ecosystem, which is growing rapidly alongside the suite. In our data, we see many of the popular apps that integrate with Office 365 – apps like RingCentral, Smartsheet, and TeamViewer – posting triple-digit growth numbers over the past year. Our data show that for every anchor tenant app, there are 20-30 ecosystem apps per enterprise. Ecosystem apps integrate – and share data back and forth – with the anchor tenant app, which can be a double-edged sword: While it increases the value for enterprise users (because they can do more with the tools they have), it also puts corporate data at risk if IT isn’t enforcing similar policies in the ecosystem apps as they are in the sanctioned Office 365 suite. We notice that, while Office 365 is usually a sanctioned app, its ecosystem apps are often unsanctioned, which means that more often than not, IT doesn’t even know about them, much less enforce policies in them.
Enterprises are definitely benefiting from Office 365’s growth and popularity, but they also need to be aware of the shared responsibility model in front of them, not just for the apps in Office 365, but also for its ecosystem.
How are you enforcing your security policies in Office 365 and its ecosystem?