Exchange Online, Yammer, OneDrive for Business, Skype For Business, SharePoint Online, Teams, Office 365 groups, Planner. The list goes on – many excellent services but more and more settings and controls to manage.
How can you tell if your current Office 365 is secure? How do you check if a new service was released?
To deliver a secure collaboration platform, Microsoft draws on knowledge, experience and skills gathered over decades of building enterprise software and running on-premises and online services. It also actively uses data collected from security incidents and data breaches, not to mention the attacks that target every one of its services all the time.
Besides the factors mentioned above, Microsoft has also made a strong effort to comply with the highest industry standards and certifications, such as ISO 27001, ISO 27018, Safe Harbor, SSAE16 SOC1 Type II, FISMA and many more, to deliver a trusted and secure cloud platform.
But does it mean that I don’t need to bother about security, and I can assume that our big cloud brother is taking care of every aspect of safety within my Office 365 playground? Should I do anything else?
Remember! Running services in the cloud is always a shared responsibility. The SaaS provider gives you the capabilities, but you are accountable for how you use them and for keeping your data, security configuration and identities in check.
Let me share ONE OF THE MOST IMPORTANT lessons I’ve learned during my nine years in IT! Especially when it comes to security.
How can I CHECK my Office 365?
Recently Microsoft released a new security analytics tool – Office 365 Secure Score. It is free, no matter what licenses you have. Have a look here
The main goal of Secure Score is to measure your security posture and help you understand your present security configuration. The score is calculated by comparing the workloads you have enabled within your Office 365 tenant against all the ways Microsoft offers to secure them.
In the example below, the Secure Score for the Predica Office 365 is 101 out of 273 possible points.
Why not the maximum? Nobody is perfect. More seriously, you will find an explanation and tips in the next section.
Depending on your Secure Score, the tool generates a risk assessment that presents all the threats your Office 365 tenant can be exposed to. Examples of such threats are an account security breach, elevation of privileges or data exfiltration.
Every risk highlighted in your Office 365 tenant comes with a detailed explanation of the specific threat and its impact on your environment. From there, you are one step away from mitigating those threats.
How secure is your Office 365?
It is time for the truth. Based on Microsoft’s research across all implemented O365 platforms, the average overall score is around 20 points, where the maximum score you can achieve is 440.
Does it mean that you should feel endangered? No, it does not. Please note that you will not always be able to reach the maximum number of points for controls associated with services you have not purchased.
Does it mean that you should feel relaxed? Absolutely not! The average score may be higher than you can achieve, but it does not mean that you can safely accept the present situation.
Definitely, there is room for improvement for your Office 365, so, you should try to get as many points as you can! But remember, in the end, it is not about points but protection for your company assets.
How can you improve?
Besides providing the score for your services, the tool will give you a list of possible suggestions and actions you can take to improve your security and mitigate presented threats.
So, for example, to reduce the potential risk of an account breach you might be advised to enable multifactor authentication for your users. Another action suggests enabling mailbox auditing for Exchange mailboxes to track non-owner or delegate access, which allows you to discover illicit Exchange Online activity if a user’s account has been breached.
Actions come with a detailed explanation of why you should apply them, and contain information such as user impact, implementation cost and an action category, which helps you carefully plan the deployment of a particular feature in your environment.
All the actions are prioritized based on their effectiveness, so by applying the steps from the top of the list, you not only raise your overall security score but also increase the level of protection for your data.
Ten Office 365 Secure Score risks you should mitigate!
The list below shows ten security risks you should reduce as fast as you can. Each of these mitigations can have a serious impact on the safety of your Office 365 and, in the end, of your data and business. To apply them, you don’t need to be a security expert. You just need to spend 10 minutes reading about each risk and applying the fix from the attached links. It’s time for some work!
- Designate fewer global admins. It is crucial to keep the number of global admin accounts as small as possible. The more global admin users you have, the more likely it is that an external attacker will successfully breach one of those accounts. Check it out
- Use non-global administrative roles. Based on our experience, we can say that the common practice in companies is to use global admin privileges for routine administrative tasks. Yes, it is easier, but easier does not mean safer. Using roles like Password Administrator or Exchange Online Administrator will significantly reduce the number of global admin role holders you have, which in turn lowers the likelihood of a breach of an account with global administrative privileges. Check it out
- Enable MFA for all users. Today’s cyber-attacks are more and more sophisticated, and a simple password is not enough, especially when there is no strong password policy. Because a breach of any user account can lead to a violation of the data that user has access to, you should enable MFA for all of your user accounts to provide an additional level of identity check. Check it out
- Enable audit data recording. In a perfect world, you should be able not only to protect your infrastructure but also to investigate it by reviewing every user’s and administrator’s interaction with the services. You should examine activity not only to establish the scope of a security breach after an attack, but also on a daily basis, to anticipate a potential violation. Be perfect! Check it out
- Disable accounts not used in the last 30 days. There are circumstances where accounts are unused for a long period, but they can be targets for attackers who are looking for ways to access your data without being noticed. So, as a best practice, you should keep track of these accounts and disable access to Office 365 if they stay inactive for a long time. Check it out
- Enable mailbox auditing for all users. Do you know how many mailboxes have been delegated? How often somebody accesses a mailbox they do not own? In Exchange Online, by default, all non-owner access is audited, but you should enable this option for owner access on the mailbox as well. That will allow you to discover any unauthorized access to Exchange Online if a user’s account has been breached. Check it out
- Do not allow anonymous calendar sharing. Sounds ridiculous? How can my calendar be useful to anyone, besides telling them when they can drink coffee with me? What about your CEO’s calendar? The CIO’s calendar? Now do you understand? Attackers will very often spend time performing reconnaissance on your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and decide when specific users may be more vulnerable. Do not disregard that! Check it out
- Configure an expiration time for external sharing links. Exchanging data with business partners is essential today. Data shared via external links can be accessed easily at any time. Keeping shared links without an expiration time gives an attacker who has compromised a user’s account, even for a short period, the possibility to send anonymous links to an external account and take their time accessing the data. Check it out
- Require mobile devices to use passwords. In today’s digital workplace, mobile devices play an important role in our businesses – exchanging emails, storing data, accessing documents and business applications. Devices without the protection of a password are vulnerable to being accessed physically by attackers, who can then steal account credentials and data, or install malware on the device. Check it out
- Require mobile devices to use encryption. Unencrypted devices can be stolen and their data extracted by an attacker very easily, so you should enforce encryption to eliminate this threat. Check it out
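As an added, read-only check (example code, not from the original post or from Predica) that reports where a tenant stands on most of the ten items above before any fix is applied. It assumes the MSOnline and SharePoint Online PowerShell modules are loaded and that Connect-MsolService, Connect-SPOService and an Exchange Online remote PowerShell session have already been established with an admin account; the "Company Administrator" role name and the "Anonymous:" domain prefix are the MSOnline and sharing-policy conventions it relies on.

```powershell
# Added example (not from the original post or Predica): read-only check of most of the
# ten Secure Score items above, so you can see where the tenant stands before fixing anything.
# Assumptions: MSOnline and Microsoft.Online.SharePoint.PowerShell are loaded, and
# Connect-MsolService, Connect-SPOService and an Exchange Online remote session
# (Import-PSSession) are already established with an admin account.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($check, $value, $target) {
    $findings.Add([pscustomobject]@{ Check = $check; Value = $value; Target = $target })
}

# 1 and 2: accounts holding the global admin role ("Company Administrator" in MSOnline)
$gaRole    = Get-MsolRole -RoleName "Company Administrator"
$gaMembers = @(Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId)
Add-Finding "Global admin accounts" $gaMembers.Count "as few as possible"

# 3: users with no MFA requirement on their account
$noMfa = @(Get-MsolUser -All | Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 })
Add-Finding "Users without MFA" $noMfa.Count 0

# 4: unified audit log ingestion (the switch behind "audit data recording")
$auditCfg = Get-AdminAuditLogConfig
Add-Finding "Unified audit log enabled" $auditCfg.UnifiedAuditLogIngestionEnabled $true

# 5 and 6: user mailboxes with no logon in 30 days (proxy for inactive accounts),
# and mailboxes with auditing switched off
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$cutoff    = (Get-Date).AddDays(-30)
$stale     = @($mailboxes | Get-MailboxStatistics |
               Where-Object { $_.LastLogonTime -and $_.LastLogonTime -lt $cutoff })
Add-Finding "Mailboxes not logged on for 30+ days" $stale.Count 0
$noAudit   = @($mailboxes | Where-Object { -not $_.AuditEnabled })
Add-Finding "Mailboxes with auditing disabled" $noAudit.Count 0

# 7: enabled sharing policies with an anonymous entry (domain entries prefixed "Anonymous:")
$anonCal = @(Get-SharingPolicy | Where-Object { $_.Enabled -and ($_.Domains -match '^Anonymous:') })
Add-Finding "Sharing policies allowing anonymous calendars" $anonCal.Count 0

# 8: anonymous link expiry for SharePoint Online / OneDrive (-1 means links never expire)
$spo = Get-SPOTenant
Add-Finding "Anonymous links expire after (days)" $spo.RequireAnonymousLinksExpireInDays "> 0"

# 9 and 10: password and encryption requirements in the default mobile device policy
$mdm = Get-MobileDeviceMailboxPolicy | Where-Object { $_.IsDefault }
Add-Finding "Mobile devices require password"   $mdm.PasswordEnabled         $true
Add-Finding "Mobile devices require encryption" $mdm.RequireDeviceEncryption $true

$findings | Format-Table -AutoSize
```

The script only reads configuration; compare each Value against its Target and apply the corresponding fix from the list above where they differ.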
Still something left on the report you are not sure what to do about?
Let us help you!
Microsoft has invested a lot in research and technology to create solutions that can protect almost every aspect of your infrastructure. You have the option to enable multifactor authentication to secure the login process. You can configure Advanced Threat Protection to give your email additional protection against zero-day and ransomware attacks, or create Data Loss Prevention rules to eliminate the possibility of data leakage.
During your score review, you will be offered different implementation options to deliver additional layers of security for your data and for the way you access it. We understand that many of these solutions can be complex and challenging, not only to understand but also to choose between appropriately.
Confused? We will help you understand your Security Score and explain what steps you should take to make your Office 365 more secure.