Last week, I got to see where Microsoft is taking Exchange Online Protection (EOP), a security layer that comes with Office 365 and is available for a fee for on-premises Exchange deployments. Although I can't share the details, as they were provided under a nondisclosure agreement, I am confident that Microsoft is on the path to eventually becoming as good as the third-party tools IT now uses for such security.
In a discussion with Levon Esibov, the principal group program manager for EOP, I mentioned that even as Microsoft improved EOP, I would still advise admins to use a third-party tool as well, for a dual-layer "defense in depth" approach. Esibov asked me why I'd still make that recommendation, even when EOP was on par with those third-party tools. After all, I don't make that same recommendation when Microsoft has no security layer of its own; I simply suggest you use a single security tool along with best practices and solid user training.
Why not trust Microsoft's security by itself, especially when I think it's equal to the competition?
Esibov's question struck a nerve. I like to believe I'm objective in such recommendations, and when I'm not objective, I am a Microsoft loyalist (as regular readers of this column know). Why assume Microsoft couldn't secure its own servers?
The truth is I've never trusted Microsoft to defend Microsoft -- not on the desktop level, not on the server level, and certainly not on the email level. I'm not alone in that thinking. That's why there are so many serious third-party security offerings on which companies have spent billions of dollars.
Yes, I've come to trust the improved defenses in Windows in combination with the built-in Windows Defender -- I no longer use third-party antivirus software. But I'm not on board yet with a world where Microsoft, and only Microsoft, protects Microsoft.
Today, it's easy to recommend you use third-party tools whether or not you also run Microsoft's. Today, there's no question that Microsoft's own security for its server offerings isn't on par with that of the competition.
And, honestly, I doubt my position will change as time passes and EOP gets up to par with third-party tools. I'm a risk mitigator at heart. I may never face a situation where I need a generator or other disaster-preparedness items, but I have them ready to go. I view email security the same way, so I will probably always recommend "defense in depth" if it's an affordable option.
After all, as the bad guys get ever better at finding their way into our systems, we'll continue to need more than one security layer to keep them out. Two vendors are likely to imagine different risks and to use different approaches to the same risks, reducing the overall risk -- that's how "defense in depth" works.
Whatever it takes to keep the organization safe, right? Better safe than sorry.