In the current climate of increasing cyber crime, security has become a top priority for organisations and governments alike.
At the same time, more organisations are looking to the cloud with the intention of scaling down their on-premises environments in favour of cloud-based solutions such as PaaS (Platform as a Service), SaaS (Software as a Service) and IaaS (Infrastructure as a Service).
Securing your company’s data in the cloud is critical, and cloud security has therefore become a growing focus for organisations.
It’s important for organisations to strike the right balance between security and ease of use for their users.
What is Microsoft 365?
Microsoft 365 is a cloud-based subscription service that includes productivity applications such as Teams, Word, Excel, PowerPoint, Outlook, and SharePoint/OneDrive. Because Microsoft services the applications, organisations always have up-to-date Office applications with minimal effort on their part. Staff can use Microsoft 365 services from anywhere and on a range of devices, which makes it a scalable option for organisations, and also one whose attack surface extends well beyond the corporate network.
Shared Security Responsibilities
Microsoft operates what is called a shared responsibility model. It is important to understand the model and which security tasks are handled by the cloud provider (Microsoft) and which are handled by your organisation: both parties are accountable for their respective parts of the service and its security.
The split varies depending on the workload your organisation has hosted, whether that be SaaS, PaaS, IaaS or any combination of these (the more of the stack Microsoft runs, the more of it Microsoft secures). However, regardless of the deployment model, your organisation always remains responsible for its data, endpoints, accounts and access management; Microsoft securing the platform does not protect you from a phished password or an over-shared SharePoint site. Microsoft’s official article on “Shared responsibility in the cloud” can be found here.
How to best secure your Microsoft 365 tenancy
There are several strategies for keeping your Microsoft 365 tenancy secure. The suggestions below give a high-level overview of what can be implemented to strengthen your security posture across Microsoft 365 applications, along with some best practices.
Enforce Multifactor verification for users
Setting up multifactor authentication (MFA) for IT administrators, users and even guests, via security defaults or conditional access policies, is a must these days. Security defaults are free and enforce MFA for everyone; conditional access (which requires an Azure AD Premium P1 licence, included in Microsoft 365 Business Premium) lets you target policies by user, role, application, location and device state, and is the more flexible option once you outgrow the defaults.
MFA requires users to prove their identity with a second factor in addition to their password. Microsoft supports several methods: voice call, SMS and the Microsoft Authenticator app are the most common, and FIDO2 security keys and Windows Hello for Business are also available. We recommend Microsoft Authenticator (with number matching) as the preferred option for most users, as it is more secure than voice call or SMS, which can be defeated by SIM swapping and are as easy to phish as a password. For administrators, prefer phishing-resistant methods such as FIDO2 keys. The most efficient way of implementing MFA across your organisation is typically via conditional access policies. Enabling MFA ensures users authenticate with multiple forms of identity: “something you know” (a password) and “something you have” (a smartphone acting as a soft token, or a hardware token). This adds additional layers of account protection, although MFA on its own does not stop adversary-in-the-middle phishing kits that relay the one-time code; that is the gap the phishing-resistant methods close. Whichever method you choose, exclude your emergency-access (break-glass) accounts from the enforcing policies and monitor their use closely, so that a misconfigured policy or an outage in the MFA service cannot lock every administrator out.
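As an added example (not part of the original article), the following Microsoft Graph PowerShell script creates the two kinds of policy described above: MFA for every user, and phishing-resistant MFA for Global Administrators. It assumes the Microsoft.Graph PowerShell SDK is installed and that a group named SEC-BreakGlass-Accounts holds your emergency-access accounts; the policy names and that group name are assumptions, not Microsoft defaults.

```powershell
# Added example: require MFA tenant-wide, and phishing-resistant MFA for Global Administrators,
# using Microsoft Graph PowerShell. Both policies are created in report-only mode so the impact
# can be reviewed in the sign-in log before enforcement.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Assumption: a dedicated group holds the emergency-access (break-glass) accounts. They are excluded
# from every conditional access policy so a faulty policy or an MFA outage cannot lock everyone out.
$breakGlass = Get-MgGroup -Filter "displayName eq 'SEC-BreakGlass-Accounts'"
if (-not $breakGlass) { throw "Break-glass group not found; create it before deploying the policies." }

$allUsersMfa = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing report-only results
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

$adminPhishingResistant = @{
    displayName   = "CA002 - Require phishing-resistant MFA for Global Administrators"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeRoles  = @("62e90394-69f5-4237-9190-012177145e10")   # Global Administrator role template id
            excludeGroups = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator = "OR"
        # Built-in "Phishing-resistant MFA" authentication strength: FIDO2 security key,
        # Windows Hello for Business or certificate-based authentication. SMS, voice and
        # Authenticator push do not satisfy it.
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}

foreach ($policy in @($allUsersMfa, $adminPhishingResistant)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "Created {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
}
```

Leave the policies in report-only mode for at least a week, review the "Report-only" result column in the Azure AD sign-in log for users who would have been blocked, then switch each policy to enabled with Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled.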
Protect your devices and the data on them
Set up compliance policies in Intune and use conditional access to block noncompliant devices from accessing Microsoft 365. Intune offers a wide range of settings to enforce through MDM (Mobile Device Management) compliance policies, such as disk encryption, a minimum OS version, a device PIN and an active antivirus, and through MAM (Mobile Application Management) app protection policies, which protect corporate data inside the Office apps on BYOD devices without enrolling the whole device. Application protection and antivirus/antimalware software are also critical factors in keeping your organisation safe.
Identity Management
Limiting access entry points
Microsoft 365 is a cloud platform that can be accessed from anywhere in the world; as a result, cyber threats can also come from anywhere in the world. A key first step in limiting your attack surface is to restrict where your IT administrators and users can sign in from. Using conditional access named locations, specify the explicit IP ranges or countries/regions you want to allow admins and users to sign in from, and block sign-ins from everywhere else. Country matching is based on the IP address of the sign-in (optionally GPS from the Authenticator app), so a determined attacker can route through a VPN or residential proxy in an allowed country; treat geo-blocking as a cheap way to cut out noise such as password spraying, not as a substitute for MFA. Roll the policy out in report-only mode first and exclude your emergency-access accounts, so that a travelling administrator or a mistyped country code cannot lock you out.
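An added example, not from the original article, of the two named-location patterns above in Microsoft Graph PowerShell: a country allow-list for all users, and a stricter rule that only lets Global Administrators sign in from the corporate egress IP range. The country codes, the 203.0.113.0/24 range (a documentation range) and the break-glass group name are constructed placeholders.

```powershell
# Added example: restrict where users and administrators may sign in from, using conditional
# access named locations. Values below are placeholders; replace them with your own.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

$breakGlass = Get-MgGroup -Filter "displayName eq 'SEC-BreakGlass-Accounts'"   # assumption: exists

# Country named location. Unknown countries (IPs with no geolocation) are NOT treated as
# allowed, so they fall into the block below.
$approvedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Approved countries"
    countriesAndRegions               = @("AU", "NZ")          # assumption: ISO 3166-1 alpha-2 codes for your offices
    includeUnknownCountriesAndRegions = $false
}

# IP named location for the corporate egress range, marked trusted.
$corporateIps = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate egress IPs"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }   # constructed
    )
}

# Policy 1: everyone, block any sign-in that is not from an approved country.
$blockOutsideCountries = @{
    displayName   = "CA003 - Block sign-in outside approved countries"
    state         = "enabledForReportingButNotEnforced"   # report-only first; check for travelling staff
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($approvedCountries.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: Global Administrators may only sign in from the corporate range.
$adminsFromOfficeOnly = @{
    displayName   = "CA004 - Global Administrators only from corporate IPs"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeRoles  = @("62e90394-69f5-4237-9190-012177145e10")   # Global Administrator role template id
            excludeGroups = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($corporateIps.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($blockOutsideCountries, $adminsFromOfficeOnly)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "Created {0} in state {1}" -f $created.DisplayName, $created.State
}
```

Both policies use a block grant with the allowed location excluded from "All", which is the pattern Microsoft documents for an allow-list; there is no "allow only" grant. If your administrators work remotely, pair the IP rule with a VPN that exits through the corporate range rather than widening the range.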
Review and govern Administrator Roles
Due to the nature of administrator accounts, there should always be a strong focus in any organisation on securing them, especially any account holding the Global Administrator role. It is recommended that all administrator accounts (regardless of role assigned) use MFA and that access is granted following the least privilege principle, for example Exchange Administrator for someone who only manages mailboxes, rather than Global Administrator. We recommend administrator accounts be dedicated, cloud-only accounts, separate from the standard accounts staff use to access Microsoft 365 services every day, and without a mailbox, so that a phishing email can never land in an account that holds privileged access. Microsoft recommends keeping fewer than five Global Administrators and maintaining at least two emergency-access accounts.
Implement Privileged Identity Management (PIM)
Microsoft offers Privileged Identity Management (PIM), a service built in to Azure AD (now Microsoft Entra ID) that requires an Azure AD Premium P2 licence and enables your organisation to manage, control and monitor access to important resources. With PIM, administrators are made eligible for a role rather than permanently assigned to it, and activate it just in time for a limited period, optionally subject to MFA, a written justification and approval by another person; every activation is logged and can be alerted on. This mitigates the risk of excessive, unnecessary or misused permissions: an attacker who compromises an eligible administrator’s session gains nothing until the role is activated, and a standing Global Administrator becomes a rare, visible exception in the PIM audit history. Implementing PIM to monitor and control the activation of your privileged roles is an important part of your security plan.
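As an added example that is not from the original article, the script below uses the Microsoft Graph PowerShell SDK to list who holds Global Administrator as a permanent (active) assignment, convert one of them to a PIM-eligible assignment, and then remove the standing assignment. The object id in $principalId is a placeholder you must replace, and the script refuses to remove an assignment if that would leave fewer than two permanent Global Administrators, so the emergency-access accounts are never stripped.

```powershell
# Added example: move a Global Administrator from a permanent assignment to PIM eligibility.
# Requires Azure AD Premium P2 and the Microsoft.Graph PowerShell SDK.
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$ga = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

# Active (standing) assignments of the role; eligible assignments live in a separate collection.
$standing = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($ga.Id)'" -All
"Permanent Global Administrators: {0}" -f $standing.Count
$standing | Select-Object PrincipalId, DirectoryScopeId | Format-Table

# Assumption: object id of the administrator to convert. Replace before running.
$principalId = "00000000-0000-0000-0000-000000000000"

# Make the administrator eligible for one year; they must then activate the role in PIM
# (with MFA/justification/approval as configured in the role settings) before it is usable.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "Convert standing Global Administrator access to just-in-time eligibility"
    roleDefinitionId = $ga.Id
    directoryScopeId = "/"
    principalId      = $principalId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P365D" }   # ISO 8601 duration
    }
}

# Remove the permanent assignment, but never drop below two standing Global Administrators
# (Microsoft's guidance for emergency-access accounts).
$toRemove = $standing | Where-Object { $_.PrincipalId -eq $principalId }
if (-not $toRemove) {
    "No permanent assignment found for $principalId; nothing to remove."
} elseif (($standing.Count - 1) -lt 2) {
    throw "Refusing to remove: fewer than two permanent Global Administrators would remain."
} else {
    Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $toRemove.Id
    "Removed permanent Global Administrator assignment for $principalId"
}
```

The order matters: create the eligibility first and confirm it appears in the PIM portal, then remove the standing assignment, otherwise a failed request leaves the administrator with no path back to the role.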
Disabling the use of older, less secure protocols
Legacy authentication means the older basic authentication methods that have been superseded by modern authentication (OAuth 2.0). They are typically used by older mail clients and protocols such as IMAP, POP3, SMTP AUTH and Exchange ActiveSync. A client using legacy authentication sends the username and password directly and cannot perform MFA, so allowing it invites an adversary to bypass multifactor authentication entirely; the bulk of password-spray attacks against Microsoft 365 historically arrived over these protocols. Microsoft turned off basic authentication for most Exchange Online protocols in late 2022, but SMTP AUTH remains available per tenant and other applications may still accept it, so legacy authentication should be explicitly blocked in your tenancy and the sign-in log checked for anything still using it.
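An added example, not from the original article, of how a practitioner would approach this: first find which accounts and protocols are still signing in with legacy authentication over the last 30 days, then block it with a conditional access policy in report-only mode, and finally switch off SMTP AUTH in Exchange Online, with a per-mailbox exception for a device that genuinely needs it. The break-glass group name and the scanner mailbox address are assumptions.

```powershell
# Added example: audit, then block, legacy authentication in a Microsoft 365 tenant.
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Group.Read.All",
                        "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Audit. Modern clients report one of these two values in clientAppUsed; anything else
#    (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, Other clients, ...) is legacy.
$modernClients = @("Browser", "Mobile Apps and Desktop clients")
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Sign-in logs are retained for 30 days with Azure AD Premium P1. On a large tenant pull a
# shorter window or use -Top rather than -All.
$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $modernClients }

$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count,
                  @{ n = "User";     e = { $_.Values[0] } },
                  @{ n = "Protocol"; e = { $_.Values[1] } },
                  @{ n = "Success";  e = { ($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
# Rows with many attempts and zero successes are password spraying; rows with successes are
# real clients you must migrate before the block is enforced.

# 2. Block with conditional access. Legacy clients are selected by client app type, so the
#    policy does not care which mail protocol they use.
$breakGlass = Get-MgGroup -Filter "displayName eq 'SEC-BreakGlass-Accounts'"   # assumption: exists
$blockLegacy = @{
    displayName   = "CA005 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # enable once the audit above is clean
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")   # "other" = all non-modern clients
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy | Out-Null

# 3. Exchange Online: SMTP AUTH is the one basic-auth protocol Microsoft left enabled by default.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled      # $false means SMTP AUTH is on
Set-TransportConfig -SmtpClientAuthenticationDisabled $true               # tenant-wide off

# Per-mailbox override for a device that can only send via SMTP AUTH (assumption: a scanner mailbox).
# Give it a long random password and restrict it with a conditional access policy instead.
Set-CASMailbox -Identity "scanner@contoso.example" -SmtpClientAuthenticationDisabled $false
```

Treat the per-mailbox exception as a finding to close, not a permanent state: every mailbox with SMTP AUTH enabled is a password-only login that MFA cannot protect.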
Use Pre-set security policies for Exchange Online Protection (EOP)
All Microsoft 365 Business plans (Basic, Standard and Premium) include Exchange Online Protection (EOP), a built-in cloud-based email filtering service with various protection mechanisms. The preset security policies (Standard and Strict) bundle Microsoft’s recommended settings for anti-spam, anti-malware, anti-phishing and anti-spoofing, and EOP also provides mail flow rules, connection filtering and much more. A full list of these features can be found here. Implementing the preset policies that come as standard will help protect your users from cyber attacks, and because Microsoft updates the preset settings over time they stay aligned with current recommendations without you revisiting each individual policy. Note: Microsoft 365 Business Premium also includes Microsoft Defender for Office 365 (Plan 1), which adds Safe Links and Safe Attachments for further advanced protection of email. In addition to this, AC3 recommend implementing a multi-layered email security solution via 3rd party providers.
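As an added example that is not part of the original article, this Exchange Online PowerShell session checks which preset security policies are active, turns on the Standard preset for the whole tenant, and pilots the Strict preset on a high-risk group before widening it. The administrator address and the group address are assumptions.

```powershell
# Added example: manage EOP and Defender for Office 365 preset security policies from PowerShell.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"   # assumption

# Current state. The preset rules are created the first time the preset is turned on in the
# Microsoft 365 Defender portal; if nothing is returned here, turn it on there once, then manage it from PowerShell.
Get-EOPProtectionPolicyRule | Format-Table Name, State, Priority, SentTo, SentToMemberOf -AutoSize

# Standard preset for everyone: a rule with no recipient conditions applies tenant-wide.
Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"

# Strict preset for a pilot group first. Strict has a higher priority than Standard, so members of
# this group get Strict and everyone else stays on Standard.
Set-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" `
    -SentToMemberOf "SEC-HighRiskUsers@contoso.example"            # assumption: finance/executives
Enable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"

# Defender for Office 365 half of the presets (Safe Links / Safe Attachments), present on
# Business Premium and any plan with Defender for Office 365 Plan 1 or 2.
if (Get-Command Get-ATPProtectionPolicyRule -ErrorAction SilentlyContinue) {
    Enable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"
    Get-ATPProtectionPolicyRule | Format-Table Name, State, Priority -AutoSize
}

# Verify the effective settings the preset applies, for the change record.
Get-HostedContentFilterPolicy | Where-Object { $_.Name -like "Standard Preset*" } |
    Select-Object Name, SpamAction, HighConfidenceSpamAction, PhishSpamAction, BulkThreshold
```

Preset policies take precedence over any custom anti-spam or anti-phishing policies you have built, so review custom allow entries before enabling them: a sender you had allowed in a custom policy will be evaluated by the preset instead.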
Security Awareness Training
Educate users in the organisation to be cyber safe and to watch out for spam, junk mail and phishing attempts. Email is widely used across all organisations, so avoiding phishing often relies on staff making educated decisions, and on making it easy for them to report a suspicious message so the security team can find and purge the same message from other mailboxes. There are several providers of security awareness training solutions for your staff, including the Attack simulation training offered with Microsoft Defender for Office 365 Plan 2.
Review SharePoint Online and OneDrive Permissions
SharePoint and OneDrive contain your company’s data and are often a critical component of day-to-day operations, so protecting these resources is paramount. Performing regular reviews of SharePoint Online permissions allows you to maintain identity and privilege hygiene, just like performing an access review on a traditional file server. Equally important is an off-boarding process that revokes access to cloud resources, including sharing links, guest accounts and app permissions, when staff leave.
The default sharing levels are typically far more permissive than your organisation may require, for example allowing “Anyone” links that grant access to a file without signing in. Always consider your organisation’s requirements and any regulatory requirements. Implement a standardised access model that strikes a balance between accessibility and least privilege, so that staff can go about their work unhindered whilst only accessing authorised content.
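An added example, not from the original article, using the SharePoint Online Management Shell to record the current tenant sharing defaults, tighten them, and then find the sites and external users that a permissions review should start with. The admin URL and the site URL are placeholders.

```powershell
# Added example: tighten SharePoint Online / OneDrive sharing defaults and list what to review.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumption: your admin centre URL

# Record the current defaults before changing anything.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
                              PreventExternalUsersFromResharing, RequireAnonymousLinksExpireInDays

# Tighten the tenant-wide defaults:
#   SharingCapability ExternalUserSharingOnly  -> external people must sign in; no "Anyone" links
#   DefaultSharingLinkType Direct              -> new links go to specific people, not "people in org"
#   DefaultLinkPermission View                 -> new links are read-only unless the user changes them
#   PreventExternalUsersFromResharing          -> guests cannot forward access onward
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View `
              -PreventExternalUsersFromResharing $true `
              -RequireAnonymousLinksExpireInDays 30   # only matters if Anyone links are ever re-enabled

# A site can never be more permissive than the tenant, but sites that were set to the most open
# level before the change are the ones whose existing links deserve a review.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, Owner, SharingCapability, LastContentModifiedDate |
    Format-Table -AutoSize

# Lock down a site that should never leave the organisation (assumption: an HR site).
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/HR" -SharingCapability Disabled

# External users who have accepted an invitation anywhere in the tenant: the off-boarding list.
Get-SPOExternalUser -PageSize 50 |
    Select-Object Email, DisplayName, AcceptedAs, WhenCreated |
    Sort-Object WhenCreated |
    Format-Table -AutoSize
```

Changing the tenant defaults does not revoke links that already exist; existing Anyone links stop working only when the sharing capability no longer permits them, so check the site list above for links created before the change.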
Perform routine security audits across your environment
Performing routine access review audits across your Microsoft 365 tenancy helps reduce the risk of leaving behind permissions that are no longer needed. We recommend reviewing the members of all privileged roles in Azure AD as a starting point, checking that each one still needs the role and has MFA registered. Checking your Microsoft Secure Score in the Microsoft 365 Defender portal is also a necessary part of any security audit and provides key insight into the areas where security improvements can be made.
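This added example (not from the original article) implements the audit described here and in the administrator roles section above with the Microsoft Graph PowerShell SDK: it joins every directory role member against the authentication methods registration report, flags administrators without MFA registered, exports them for follow-up, and prints the current Secure Score. The CSV file name is an assumption.

```powershell
# Added example: privileged role membership audit with MFA registration status, plus Secure Score.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Security

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All",
                        "AuditLog.Read.All", "UserAuthenticationMethod.Read.All",
                        "SecurityEvents.Read.All"

# Registration report for every user, indexed by UPN for a cheap join.
$registration = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $registration[$_.UserPrincipalName] = $_ }

# Get-MgDirectoryRole returns only roles that have been activated in the tenant, and only
# active members; PIM-eligible assignments are reviewed separately in the PIM portal.
$findings = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $upn = $member.AdditionalProperties["userPrincipalName"]
        if (-not $upn) { continue }   # groups and service principals: review those by hand
        $detail = $registration[$upn]
        [pscustomobject]@{
            Role          = $role.DisplayName
            User          = $upn
            MfaRegistered = if ($detail) { $detail.IsMfaRegistered } else { $null }
            Methods       = if ($detail) { $detail.MethodsRegistered -join "," } else { "" }
        }
    }
}

$findings | Sort-Object Role, User | Format-Table -AutoSize

# Anything that is not a confirmed $true is a finding: no MFA, or a user the report did not cover.
$gaps = $findings | Where-Object { $_.MfaRegistered -ne $true }
"{0} privileged role assignments without MFA registered" -f @($gaps).Count
$gaps | Export-Csv -Path "privileged-without-mfa.csv" -NoTypeInformation   # assumption: output file

# Global Administrator count against Microsoft's "fewer than five" recommendation.
$gaCount = @($findings | Where-Object { $_.Role -eq "Global Administrator" }).Count
if ($gaCount -ge 5) { "WARNING: $gaCount Global Administrators" }

# Latest Secure Score snapshot.
$score = Get-MgSecuritySecureScore -Top 1
"Secure Score: {0} / {1} as of {2}" -f $score.CurrentScore, $score.MaxScore, $score.CreatedDateTime
```

Run this on a schedule and diff the CSV against the previous run: a new row is either a change you approved or a persistence technique, and either way somebody should recognise it.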
Implement a backup Solution for Microsoft 365
Although Microsoft offers several native retention capabilities, such as retention policies, the recycle bin and eDiscovery holds, these are designed for compliance and short-term recovery rather than as a backup, so it is recommended to also implement an independent backup solution to make sure your company’s data is truly safe in the event of an emergency or disaster, whether that is accidental deletion, ransomware or a legal requirement to produce records. There are several 3rd party SaaS providers that can back up your company’s Exchange Online, SharePoint, OneDrive and Teams data via Microsoft’s API. Having the ability to restore your Microsoft 365 data provides peace of mind to your organisation and limits the impact of any data loss.
Summary
This article should serve as a starting point for initiating discussions within your organisation regarding the security and compliance of Microsoft 365. It offers high-level recommendations on how best to secure your data within Microsoft 365. If you would like tailored advice, AC3 can help secure your Microsoft 365 environment by providing a current state assessment with best practice recommendations to help keep your company and data safe.