Employees downloading sensitive corporate data with the intention of taking that data with them when they leave to join a competitor
Malicious administrators accessing data out of policy or data not related to their role, intentionally degrading security settings, or creating dummy accounts for unauthorized third party access
High-risk user behavior such as downloading data from company-sanctioned cloud services and uploading it to high-risk shadow IT services
Third parties logging into cloud service accounts using stolen or guessed login credentials in order to steal sensitive data
Dormant administrator accounts belonging to former employees that can be de-provisioned to eliminate the latent risk of account compromise
Data leakage from users due to improper configurations/permission management

The information gathered in this report can help mitigate those types of scenarios, based on Microsoft’s own best-practice foundational security goals:
Simplify and protect access
Allow collaboration and prevent leaks
Stop external threats
Secure administrative access

Introduction to Office 365 Security

Let's assess risk and implement the most critical security, compliance, and information protection controls to protect your Office 365 tenant. The goal is to prioritize threats, translate threats into technical strategy, and then take a systematic approach to implementing features and controls. At the core of Office 365 security:

Data Loss Prevention
Malware and targeted attacks can cause data breaches; however, user error is a much greater source of data risk
DLP identifies, monitors and protects sensitive data and helps users understand risks

Auditing and Retention Policies
Allow logging of events including viewing, editing and deleting content such as email messages, documents and calendars

eDiscovery
A single experience for searching and preserving email & documents

Data Deletion
Clear commitments and procedures for end-of-life and data destruction

Data Spillage Management
Hardware with your data is locked down

Question: “What are the main differences between security on-premises and security in the public cloud?”

Answer: “You still need to do most of what you’re doing now. Ensuring that the data and its classification is done correctly, and that the solution will be compliant with regulatory obligations is the responsibility of the customer. Physical security is the one responsibility that is wholly owned by cloud service providers when using cloud computing. The remaining responsibilities are shared between customers and cloud service providers.”

Security Responsibilities Managed by Office 365
Threats Managed by Office 365

Implications

Considering the aforementioned security responsibility and threat patterns, a key conclusion can be drawn as to what your organizational security focus with Office 365 should be:
Authentication Security is critical
Tenant Security Configuration is critical

Security Capabilities Plan

Set Information Protection Standards

Start with a set of standards that can be applied across your organization. Here is an example of what this can look like:

| Goal | Description |
| --- | --- |
| Establish information protection priorities | The first step of protecting information is identifying what to protect. Develop clear, simple, and well-communicated guidelines to identify, protect, and monitor the most important data assets anywhere they reside. |
| Set organization minimum standards | Establish minimum standards for devices and accounts accessing any data assets belonging to the organization. This can include device configuration compliance, device wipe, enterprise data protection capabilities, user authentication strength, and user identity. |
| Find and protect sensitive data | Identify and classify sensitive assets. Define the technologies and processes to automatically apply security controls. |
| Protect high value assets (HVAs) | Establish the strongest protection for assets that have a disproportionate impact on the organization's mission or profitability. Perform stringent analysis of HVA lifecycle and security dependencies, establish appropriate security controls and conditions. |

Classify Data by Sensitivity Levels

Four levels is a good starting point if your organization doesn’t already have defined data sensitivity standards:

| Sensitivity Level | Description |
| --- | --- |
| Confidential | Only those who explicitly need access must be granted it, and only to the least degree in order to do their work (the ‘need to know’ and ‘least privilege’ principles). |
| Restricted | Subject to controls on access, such as only allowing valid logons from a small group of staff. ‘Restricted’ information must be held in such a manner that prevents unauthorised access, i.e. on a system that requires a valid and appropriate user to log in before access is granted. |
| Internal Use | Can be disclosed or disseminated by its owner to appropriate members of your organization, partners and other individuals, as appropriate by information owners without any restrictions on content or time of publication. |
| Public | Can be disclosed or disseminated without any restrictions on content, audience or time of publication. Disclosure or dissemination of the information must not violate any applicable laws or regulations, such as privacy rules. |

Map Service Capabilities to Data Sensitivity Levels

This table is an example of how capabilities can be mapped to data sensitivity levels:

| Service Capability | Description |
| --- | --- |
| Data is encrypted and available only to authenticated users | Provided by default for data stored in Office 365 services. Data is encrypted while it resides in the service and in transit between the service and client devices. |
| Additional data and identity protection applied broadly | Capabilities such as multi-factor authentication (MFA), mobile device management, and Exchange Online Advanced Threat Protection increase protection and substantially raise the minimum standard for protecting devices, accounts, and data. |
| Sophisticated protection applied to specific data sets | Capabilities such as Azure Rights Management (RMS) and Data Loss Prevention (DLP) across Office 365 can be used to enforce permissions and other policies that protect sensitive data. |
| Strongest protection and separation | Customer Lockbox for Office 365, eDiscovery features in Office 365, and use of auditing features to ensure compliance with policies and prescribed configurations. |

Office 365 Secure Score

Secure Score analyzes your Office 365 organization’s security based on your regular activities and security settings and assigns a score. Think of it as a credit score for security. Anyone who has admin permissions (global admin or a custom admin role) for an Office 365 Business Premium or Enterprise subscription can access the Secure Score at https://securescore.office.com. Users who aren’t assigned an admin role won't be able to access Secure Score. However, admins can use the tool to share their results with other people in their organization.

Secure Score figures out what Office 365 services you’re using (like OneDrive, SharePoint, and Exchange) then looks at your settings and activities and compares them to a baseline established by Microsoft. You’ll get a score based on how aligned you are with best security practices.

Using Secure Score helps increase your organization’s security by encouraging you to use the built-in security features in Office 365 (many of which you already purchased but might not be aware of). Learning more about these features as you use the tool will help give you peace of mind that you’re taking the right steps to protect your organization from threats. If you want to improve your score, review the action queue to see what you can do to help increase security and reduce risks.