A move to the cloud may make sense, especially if you don't have an in-house IT staff or your IT staff are drowning in current projects. After all, with a SaaS offering like Office 365 you don't patch the service, restart it, or build its redundancy; the smart folks at Microsoft or other cloud providers take care of that. Keep in mind that this only holds for the parts the provider runs: if you lift your own servers into Azure or AWS as virtual machines, patching and hardening the guest operating system is still your job.
However, a move to the cloud does not remove the need to pick and follow a security framework or compliance standard such as the NIST CSF, PCI DSS, or HIPAA, and the defaults you inherit are not always the ones those frameworks expect. For example, Exchange Online in Office 365 keeps a deleted message for only a short default window, roughly 30 days, before it is purged. Unless you have lengthened that window or placed the mailbox under a retention policy or litigation hold, an email an employee deleted by mistake is permanently unrecoverable once the window has elapsed; there is no ticket you can open to get it back.
Also, Office 365 does not force encryption on outbound mail. It uses opportunistic TLS: if the receiving mail server does not offer STARTTLS, the message is delivered over plain SMTP rather than held back. Anyone positioned on the network path between the two servers can then read potentially sensitive email in cleartext, without needing any special skill. If mail to a particular partner must never travel unencrypted, that has to be configured explicitly, for example with a connector that requires TLS for that recipient domain.
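The following is an added example, not code from the original post, showing how to audit and tighten both of the defaults just discussed from Exchange Online PowerShell (the ExchangeOnlineManagement module). The admin account, the mailbox names and the partner domain are placeholders; substitute your own.

```powershell
# Added example (not from the original post): audit and tighten two
# Exchange Online defaults discussed above. Tenant, mailbox and partner
# domain names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder admin account

# 1. Deleted-item retention.
#    Report every mailbox whose deleted-item recovery window is below the
#    Exchange Online maximum of 30 days or that is not under litigation hold.
#    The property may come back as a string ("14.00:00:00"), so cast it.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object {
        ([TimeSpan]$_.RetainDeletedItemsFor -lt [TimeSpan]::FromDays(30)) -or
        (-not $_.LitigationHoldEnabled)
    } |
    Select-Object UserPrincipalName, RetainDeletedItemsFor, LitigationHoldEnabled |
    Format-Table -AutoSize

# Raise the recovery window to the 30-day maximum on every mailbox ...
$mailboxes | Set-Mailbox -RetainDeletedItemsFor 30.00:00:00

# ... and put the mailboxes that must never lose mail (placeholder list)
# on litigation hold, so purged items are preserved regardless of age.
$mustRetain = @('cfo@contoso.example', 'legal@contoso.example')
foreach ($upn in $mustRetain) {
    Set-Mailbox -Identity $upn -LitigationHoldEnabled $true
}

# 2. Outbound TLS.
#    By default Exchange Online uses opportunistic TLS and falls back to
#    cleartext SMTP. A Partner outbound connector scoped to a recipient
#    domain makes TLS mandatory for mail to that domain: if the remote
#    server cannot negotiate TLS, the message is deferred instead of being
#    sent in the clear. CertificateValidation additionally requires the
#    remote certificate to chain to a trusted CA.
New-OutboundConnector -Name 'Require TLS to partner.example' `
    -ConnectorType Partner `
    -RecipientDomains 'partner.example' `
    -UseMXRecord $true `
    -TlsSettings CertificateValidation `
    -Enabled $true

# Verify that both changes took effect.
Get-Mailbox -Identity 'cfo@contoso.example' |
    Select-Object UserPrincipalName, RetainDeletedItemsFor, LitigationHoldEnabled
Get-OutboundConnector -Identity 'Require TLS to partner.example' |
    Select-Object Name, TlsSettings, RecipientDomains, Enabled

Disconnect-ExchangeOnline -Confirm:$false
```

Two caveats when you run something like this: a retention policy or litigation hold has eDiscovery and storage implications, so decide which mailboxes actually need it rather than holding everything, and a mandatory-TLS connector will queue, not deliver, mail to a partner whose server is misconfigured, so confirm with the partner that their MX supports STARTTLS with a valid certificate before enabling it.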
How about ITAR compliance? The standard Office 365 tiers do have some nifty security settings that can be enabled, but none of them are ITAR-compliant. For that, you’ll have to go to the higher-level “Government” tiers which are single-tenant. Licensing within the G1, G3, and G5 tiers of Office 365 must also be purchased directly from Microsoft and can’t be purchased through standard retail channels.
Furthermore, the cloud goes beyond Office 365. Consider a company moving its Active Directory domain controllers and Windows file servers to Azure or AWS, as many companies are doing. Once those workloads are there, you still have to design access control for cloud-based storage (who can read which bucket or share, and whether any of it is reachable anonymously), build in redundancy so that no single virtual machine, zone, or link is a single point of failure, and front-end your cloud resources with adequate security measures such as cloud-based firewalls, network security groups, and web application firewalls. None of that comes configured for you.
Remember, folks, the cloud is essentially just your data, servers, and workflows sitting in someone else's closet. The need for security planning doesn't go away just because you can't see the blinking lights in your own.