This content is part of the Essential Guide: Secure email servers on Exchange, Office 365 or both
Manage Learn to apply best practices and optimize your operations.

Secure an Office 365 and Exchange hybrid setup

Keep these six factors in mind if your organization plans to keep some services on-premises and move others to the cloud.

A blend of cloud and on-premises Exchange messaging sounds good on the surface, but what about security?

Many organizations today are considering an Office 365 and Exchange hybrid setup or have already deployed one. Moving to this configuration type allows businesses both large and small to offload processing and bandwidth requirements, build in more resiliency and create a path toward a cloud-only messaging setup. How can you ensure your hybrid Exchange messaging environment is kept in check and locked down from threats while being able to hold up to compliance audit scrutiny?

Offloading certain systems and services to the cloud can be a great way to simplify your IT setup and save costs for the business. Moving to a hybrid Exchange setup may even be one of the best things you do for your IT shop. But it still doesn't absolve any security responsibilities involving Exchange.

There are many resources available to address the technical side of hybrid Exchange deployments, such as this Microsoft Exchange Server Deployment Assistant site. But higher-level security issues may not surface until you have a fully-functioning hybrid Exchange environment.

Six factors can help you take a step back from your daily Exchange administration and think about the big picture Exchange Server security with a hybrid setup. Specifically, these will help you take into consideration the higher-level security issues that can surface when you disrupt this critical business system. Take the following factors into consideration if you run Exchange on-premises and in the cloud.

1. Security functions. What security-related functions can you combine, and which ones must be deployed in each environment? This includes logging, monitoring and alerting, as well as spam management and content filtering. Will existing technologies, policies and procedures support this type of deployment? What additional resources, such as personnel and capital or operational expenditures, will be required?

2. Potential security or policy gaps. Will you any security standards or policy gaps by relying on Exchange Online Protection for mailboxes in the cloud compared to what you locally use? It may be necessary to have two different security controls to help in this because some may work better on-premises and others may work better in the cloud. Make sure the hybrid Exchange and Office 365 setup isn't creating any unnecessary risks in how messages are scanned or how you protect end users and their systems.

3. Existing architecture and processes. What will work with your existing architecture and processes? This includes the default transport security standards, mailbox and directory object permissions and Active Directory authentication and synchronization. Will these meet the service-level agreements and contracts others in the business, outside of IT and security, are already committed to?

4. Incident response plans. How will cloud-based mailboxes affect your incident response procedures and forensics investigations? Will Exchange Online's recent changes to its email retention policy suit your business needs? You'll likely find that such a configuration changes many things in your security strategy and tactics. Adjust your approach and accordingly set the expectations of your lawyers, management and other key players, especially when it comes to legal holds, discovery requests or forensics investigations.

5. Decommissioned Exchange Servers. What plans are in place to decommission unneeded on-premises Exchange Servers? How will the information they house be securely protected, retained or discarded?

6. Security audits. Will traditional vulnerability scans, penetration tests or security control audits be affected or limited? Will you need to adjust the testing schedule and related resources?

About the author:
Kevin Beaver is an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic, LLC. With over 26 years of experience in the industry, Beaver specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Alliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Beaver can be reached at and you can follow him on Twitter, watch him on YouTube and connect with him on LinkedIn.

Next Steps

Decide if hybrid Exchange is right for your organization

Hybrid Exchange migration options

Why it's easy to deploy hybrid Exchange

Dig Deeper on Exchange Server setup and troubleshooting