Security (-and compliance), the most underrated, but at the same time the hottest IT topics today for any organization that wants to move to the Microsoft cloud.
For a long time, and unfortunately still in some countries, security and compliance were two of the main reasons why organizations were hesitant to move to the Microsoft Cloud. I do personally call it the “job protection era” but now that there is more awareness, flexibility and maturity at Microsoft for security and compliance, many organizations are full steam ahead to the Microsoft cloud—and more specifically to Microsoft 365.
Microsoft 365 has some very strong and solid features to protect your corporate data – digital workplace. You, as IT need to know that it’s not about security data and identities within your network perimeter but securing data and identities within your network perimeter with internal, guest and external users.
Today if you can’t find the balance between security and user experience, co-workers will adopt Shadow IT – where systems built and used within organizations without explicit organizational approval, for example, systems specified and deployed by departments other than the IT department.
Many people consider shadow IT an important source of innovation, and such systems may become prototypes for future approved IT solutions. On the other hand, shadow IT solutions are not often in line with organizational requirements for control, documentation, security, reliability, etc.
First, you need to understand the big picture of Microsoft 365 which I think is clear with the following image. Office 365 can be extended and protected by Azure Services and identities with AAD. The tricky question is why AAD? Simply because all users, groups, permissions, domains, licenses are there!
Secondly, when you get the whole picture, you want to begin with security in Microsoft 365. The first thing you check is Google and the image you get isn’t that reassuring if it’s the first time you want to secure your environment, right 😊
This looks so complicated for some reason, that I thought that writing an article with some major important features available in the Microsoft Cloud to secure your environment. 5 ways to manage and secure your environment. Microsoft 365 has some solid features but need to understand how these can be used. With this article, I’ll try to cover the features that can ensure you, to have the best possible data/identity protection for your digital workplace.
Before showing you my 5 top preferred features to secure your environment, please be aware that there is a free service called the secure score for Office 365 and Windows 10. According to Microsoft with the Secure Score, you can have increased visibility and control over your organization’s security posture. From a centralized dashboard you can monitor and improve the security for your Microsoft 365 identities, data, apps, devices, and infrastructure.
Microsoft Secure Score gives you robust visualizations, integration with other Microsoft products, comparison of your score with other companies, filtering by category, and much more. With the tool, you can complete security improvement actions within your organization and track the history of your score. A few drawbacks with the secure score is that there is no:
- No automatic fix
- No Assignment of tasks
- Run time can take up to 48 hours
- With the Microsoft365 era it also includes Windows scores. But it needs Windows Defender
Surf to https://securescore.microsoft.com; and see your result for your tenancy before anything else. Or read here to getting stared with secure score: https://docs.microsoft.com/en-us/office365/securitycompliance/microsoft-secure-score
The secure score will give you a result, and depending your result you may use different tools, features or set in the security and compliance section of the Microsoft 365 admin center; but here are as mentioned my 5 top preferred features to secure your environment.
Cloud App Security
One of my preferred solution in security is the Cloud App Security which is is a fundamental component of the Microsoft Cloud Security stack. It’s a comprehensive and intuitive solution that can help your organization advantage of the cloud applications, but keeps you in control through improved visibility into activity.
The image here under is an excellent example: As you can see with the Cloud App Security I can see who connected on which stack in my tenancy – but wait, I know Gokan, I know Hello, but who is app@sharepoint? This is a Typical example of an update that has been executed in my tenancy by Microsoft and that I should maybe recheck everything. Microsoft connecting is fine – but what if somebody else that you don’t know is connecting is worse 🙂
It also helps you increasing the protection of critical and sensible data across your cloud applications. With the Cloud App Security that help you to uncover shadow IT, investigate activities and stop threats (and way more), your organization has done one step in securing his data. Get started with the Cloud App Security now : https://docs.microsoft.com/en-us/cloud-app-security/getting-started-with-cloud-app-security
Azure AD Identity Protection
Azure AD Identity Protection highlights vulnerabilities such as unmanaged apps, users not registered for multi-factor authentication and unused admin accounts and provides recommendations in-line to improve your identity.
This is capital in your environment as the majority of security breaches take place when attackers gain access to your Digital Workplace (Microsoft 365 stack) by stealing your user’s identity. As soon as an attacker gains access to even low privileged user accounts, -this can be a reader account or a simple contributor account – it is relatively easy for the attacker to gain access to important company resources through lateral movement.
Azure AD Identity protection will:
- Automatically flags events such as impossible travel times
- Especially if you work in a multi-geo environment and use proxy servers, this can trigger false positives. Connecting from Singapore and one minute later from New York (due to some settings or using other routings) can provoke getting you flagged.
- Whenever you are flagged we can enforce additional policies based on risk
- Apply MFA
- Password Reset
- And provide email notifications for new risks and a weekly digest with an overview
The main advantage is that you can combine the power of Azure AD Conditional Access and real-time risk evaluation to auto-remediate leaked-credentials:
Sign-in risk policy allows you to prevent risky sign-ins by either challenging the user for multi-factor authentication or by blocking the sign-in automatically
User risk policy allows you to automatically remediate risky users by requiring multi-factor authentication followed by a password change, or just blocking the user from logging in.
Multi-factor authentication registration policy to require users to set up multi-factor authentication on their next sign-in, ensuring they can meet password change
Azure AD Privileged Identity Management
One of the global best practices in Microsoft 365 (and especially with your Digital Workplace based on it) is having less than 5 global administrators.
In my case – and I do, definitively not speak for all companies in the world, is that there is always more than 5 global administrators in tenancy for managing your cloud environment.
And, In my humble opinion, organizations want to minimize the number of people who have access to secure their Digital Workplace – or even their corporate network, because that reduces the chance of an attacker getting that access impacting a sensitive resource.
With the Azure AD Privileged Identity Management, Organizations can give users –and not administrators just-in-time (JIT) privileged access to Azure resources and Azure AD. Privileged Identity Management – if set up correctly – will help you to mitigate the risk of excessive, unnecessary, or misused access rights.
So; basically you’ll be getting rid of static roles with PIM – to Azure AD and Azure resources
- Enforce multi-factor authentication to activate any role
- Admin roles become non-permanent and temporary.
- Assign time-centric access using start/end dates
- 1 hour to 72 hours JIT access
- Require approval to activate privileged roles
- Use justification to understand and notifications when activated and download the history for audit and depending the audit, act – conduct access reviews to ensure users still need roles.
Data Loss Prevention
Data Loss Prevention functionality prevents sensitive and confidential data from leaking either inside or outside the organization while providing user education and empowerment. We’ve seen those capabilities, being extended to include Microsoft Teams. You could already use it in SharePoint and OneDrive.
If your organization has DLP, you can now define policies that prevent people from sharing sensitive and confidential information in a Microsoft Teams channel or chat session. It looks like it isn’t fully functional yet, as chatting with guest users; or sending an email with sensitive and confidential information are not really being checked by those policies. Whenever you decide to enable DLP for teams, be aware that by default all teams are checked in.
Here are some examples of how this protection works:
- Data Loss Prevention (in Teams, SharePoint, OneDrive…) will enable you to identify, monitor, and automatically protect sensitive information.
- Protecting sensitive information in Chat
- Protecting sensitive information in documents.
- You can apply multiple policies to different stacks in office 365
- credit card numbers
- social security numbers
- health records
- Depending on the reports settings you get an email report when sensitive information is shared
Multi factor authentication
Secure and strong authentication for on-premises, hybrid and cloud, that’s how I could define Multi factor authentication for Office 365 users. It’s a method of authentication that requires the use of more than one verification methodology and adds a second layer of security to user sign-ins and transactions.
It works by requiring any two or more of the following verification methods:
- A randomly generated pass code
- A phone call
- A smart card (virtual or physical)
- A biometric device
The main goal here is to enforce security beyond the classic username/password. Users must enroll through https://aka.ms/mfauserhowto .
What should be known by every Digital Workplace Administrator/Architect that MFA is available as Office 365 MFA, Azure MFA for Admins and Azure MFA and that Certain (non-browser) apps does not support MFA. You must provision a separate app password trough the My Apps Portal.
All that being said, I really hope you enjoyed reading it until here – and will at least give a try to one of those wonderful security components/features to protect your identities and corporate sensitive data.
A disclaimer in between lines, is that some functionalities are not free, and you may need an Azure AD Premium license in order to let them work.
Hope that helps,
Now that Gokan has given you 5 ways to manage and monitor your digital workplace, how about falling in 💛 with ready-made, robust digital workplace solutions? Find out more and take the Valo Digital Workplace Tour!