Exchange Online, Yammer, OneDrive for Business, Skype for Business, SharePoint Online, Teams, Office 365 groups, Planner. The list goes on – many excellent services but more and more settings and controls to manage.
To deliver a secure collaboration platform, Microsoft draws on the knowledge, experience and skills it has gained over decades of building enterprise software and running on-premises and online services. It also actively uses data gathered from security incidents and data breaches, not to mention the attacks that target every service all the time.
Besides the factors mentioned above, Microsoft has also put strong effort into complying with the highest industry standards and certifications, such as ISO 27001, ISO 27018, Safe Harbor, SSAE16 SOC1 Type II, FISMA and many more, to deliver a trusted and secure cloud platform.
But does it mean that I don’t need to bother about security, and I can assume that our big cloud brother is taking care of every aspect of safety within my Office 365 playground? Should I do anything else?
Remember! Running services in the cloud is always a shared responsibility. The SaaS provider gives you capabilities, but you are accountable for how you use them and for keeping your data, including security configuration and identity, in check.
Let me share ONE OF THE MOST IMPORTANT lessons I’ve learned during my nine years in IT! Especially when it comes to security.
Recently Microsoft released a new security analytics tool – Office 365 Secure Score. It is free, no matter what licenses you have. Have a look here
The main goal of Secure Score is to measure your security as a score and help you understand your present security configuration. The score is calculated for the workloads you have enabled within your Office 365, measured against all the possible ways Microsoft offers to secure them.
In the example below, the Secure Score for the Predica Office 365 is 101 out of 273 possible points.
Why not the maximum? Nobody is perfect. More seriously, you will find an explanation and tips in the next section.
Depending on your Secure Score, the tool will generate a risk assessment that presents all the threats your Office 365 can be exposed to. Examples of such threats are an account security breach, elevation of privileges or data exfiltration.
All the risks highlighted for your Office 365 come with a detailed explanation of the specific threat and its impact on your environment. From there, you are one step away from mitigating those threats.
It is time for the truth. Based on Microsoft’s research across all implemented O365 platforms, the overall score comes out at around 20 points, while the maximum score you can achieve is 440.
Does it mean that you should feel endangered? No, it does not. Please note that you will not always be able to reach the maximum score, because some of the points belong to controls associated with services that you have not purchased.
Does it mean that you should feel relaxed? Absolutely not! The average score may be higher than you can achieve, but it does not mean that you can safely accept the present situation.
There is definitely room for improvement in your Office 365, so you should try to get as many points as you can! But remember, in the end, it is not about points but about protection for your company assets.
Besides providing the score for your services, the tool will give you a list of suggestions and actions you can take to improve your security and mitigate the presented threats.
So, for example, to reduce the potential risk of an account breach, the tool might propose that you enable multifactor authentication for your users. Another action is to enable mailbox auditing for Exchange mailboxes to track non-owner or delegate access, which will allow you to discover illicit Exchange Online activity if a user’s account has been breached.
Actions come with a detailed explanation of why you should apply them, and contain information such as user impact, implementation cost and an action category, which helps you carefully plan the deployment of a particular feature in your environment.
All the actions are prioritized based on their effectiveness, so by applying the steps from the top of the list, you not only raise your overall security score but also increase the level of protection for your data.
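The mailbox auditing action mentioned above can be checked before and after you apply it. The following PowerShell is an added example, not code from the original article or from Microsoft; the function name `Get-MailboxAuditGap`, the required action lists and the sample mailboxes are assumptions constructed for illustration.

```powershell
# Added example: report mailboxes whose audit settings do not cover
# non-owner (delegate and admin) access.
# The required action lists are assumptions for this example, not an official baseline.
$RequiredDelegate = 'SendAs', 'SendOnBehalf', 'FolderBind', 'HardDelete'
$RequiredAdmin    = 'SendAs', 'FolderBind', 'HardDelete'

function Get-MailboxAuditGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Mailbox   # any object exposing the audit properties Get-Mailbox returns
    )
    process {
        # Actions we require that are absent from the mailbox's current audit lists
        $missingDelegate = @($RequiredDelegate | Where-Object { $_ -notin @($Mailbox.AuditDelegate) })
        $missingAdmin    = @($RequiredAdmin    | Where-Object { $_ -notin @($Mailbox.AuditAdmin) })

        if (-not $Mailbox.AuditEnabled -or $missingDelegate.Count -gt 0 -or $missingAdmin.Count -gt 0) {
            [pscustomobject]@{
                Mailbox         = $Mailbox.UserPrincipalName
                AuditEnabled    = [bool]$Mailbox.AuditEnabled
                MissingDelegate = $missingDelegate -join ','
                MissingAdmin    = $missingAdmin -join ','
            }
        }
    }
}

# Constructed sample input so the check runs without a tenant connection.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; AuditEnabled = $true
                       AuditDelegate = $RequiredDelegate; AuditAdmin = $RequiredAdmin }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   AuditEnabled = $false
                       AuditDelegate = @(); AuditAdmin = @() }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; AuditEnabled = $true
                       AuditDelegate = @('SendAs'); AuditAdmin = $RequiredAdmin }
)
$sample | Get-MailboxAuditGap | Format-Table -AutoSize

# Against a live tenant (requires an Exchange Online PowerShell session):
#   Get-Mailbox -ResultSize Unlimited | Get-MailboxAuditGap
# Closing a gap for one mailbox; -WhatIf previews the change without applying it:
#   Set-Mailbox -Identity 'bob@contoso.example' -AuditEnabled $true `
#       -AuditDelegate @{Add = $RequiredDelegate} -AuditAdmin @{Add = $RequiredAdmin} -WhatIf
```

Mailboxes that already meet the assumed baseline produce no output, so an empty result means there is no gap to close.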
The list below shows ten security risks you should reduce as fast as you can. Each of these mitigations can have a serious impact on the safety of your Office 365 and, in the end, of your data and business. To solve them, you don’t need to be a security expert. You just need to spend 10 minutes reading about each risk and applying the fix from the attached links. It’s time for some work!
Still something left on the report you are not sure what to do about?
Microsoft has invested a lot in research and technology to create solutions that can protect almost every aspect of your infrastructure. You have the option to enable multifactor authentication to secure login processes. You can configure Advanced Threat Protection to provide additional protection for your email against zero-day and ransomware attacks, or create Data Loss Prevention rules to eliminate the possibility of data leakage.
During your score review, you will be offered different solutions that deliver additional layers of security for your data and for the way you access it. We understand that many of these solutions can be complex and challenging, not only to understand, but also to choose between appropriately.
Confused? We will help you understand your Security Score and explain what steps you should take to make your Office 365 more secure.