Author: Jeremy_MSFT
Originally published to the Office 365 Preview blog.

Office 365 ProPlus changes the security and data management story from securing endpoints and the activities on them to making decisions about securely accessing data. To let users switch from one device to another and resume working with their content, either they log into a remotely hosted environment or their endpoints have access to remotely stored documents. Office 365 ProPlus optimizes for the best experiences on devices while also providing rich browser-based experiences with Office Web Apps. In either case, Office 365 ProPlus does not use a Remote Desktop Protocol-based architecture in which the user logs into a remote system and views it from the endpoint. Files and content will move to the consuming device whether viewed through a browser or with rich clients, so securing access to files is a key consideration.

If your organization is not quite ready to move email or file storage workloads to Office 365 Enterprise services – with Exchange and SharePoint functionality available – then Office 365 ProPlus may be the best fit because your email services and files will be stored on your premises. The only data Office 365 ProPlus will need to store in the cloud are User Principal Names and related minimum user attributes for handling activation and roaming settings information (primarily HTTP links to files and custom dictionary entries). Everything else in that case remains in your infrastructure using traditional data management and access models.

Securing the Service

Some of the primary vectors for Office 365 security have been discussed in this series as they relate to authentication and authorization to Office 365 services and to which services are permitted as save-to or open-from locations. For the latter configuration, Office 365 ProPlus and Office Professional Plus 2013 may be managed by new Group Policy settings to optionally restrict storage to SkyDrive or third-party cloud storage locations. You may also limit sign-in credentials to Organizational IDs and disable sign-in to personal IDs, or disable sign-in altogether.

Disabling sign-in completely applies best to installations of Office Professional Plus 2013, where activation is performed via Key Management Service (KMS) or Multiple Activation Key (MAK).

Access to files and services may be augmented by Rights Management Services and/or multifactor authentication used in conjunction with Active Directory Federation Services to provide secure authentication and authorization to your organization’s files.

Securing Clients

Office 365 ProPlus includes enterprise-class security controls and fully supports Group Policy configuration management. Additional features carried over from Office 2010 include Protected View, Data Execution Prevention (DEP) support, trusted locations and documents, Office file validation, file block, and ActiveX Kill Bit. For many organizations, the default security settings for Office 365 ProPlus are suitable. For those of you with highly locked-down environments, Group Policy exposes thousands of settings via ADMX administrative templates to fine-tune Office to fit your needs.

Securing Office on Demand and Web Apps

Office on Demand is a new delivery model allowing users to stream complete Office applications from a SkyDrive Pro location. It enables users to get quick access to Office applications and their files on essentially any Windows 7 or newer PC with an Internet connection, provided that ActiveX controls have not been disabled by the admin. But what does this mean for the files accessed via these unmanaged or non-owned PCs? Because the user in this case has access to SkyDrive Pro from the unmanaged PC, Office on Demand works to provide an excellent viewing and editing experience. If that user elects to download a copy and view it in Notepad or a browser, the file has already made it to the local hard drive of the computer. While Office on Demand does enable a more compelling user experience in this case, it doesn’t diminish security if those files were already accessible from that unmanaged computer.

Much more to come

This post only scratches the surface of security considerations scoped to the client and was essentially written to answer a few very frequently asked questions I get when presenting Office 365 ProPlus to large organizations. Check out the Security overview for Office 2013 Preview on TechNet for further information on product and service security as it relates to Office Professional Plus 2013 and Office 365 ProPlus. Also be sure to download the Office 2013 Preview Administrative Template files (ADMX/ADML) for Group Policy management.