How to Assess Your Office 365 Security Risk
Security has become a top concern for organizations around the world. And as content continues to move into the cloud, organizations are doubling down on how they can ensure the safety of their sensitive and personal information.
Why? If we look at the numbers, over 1.9 billion records have been leaked, lost, or stolen during the first half of 2017, which significantly surpasses the number of total incidents in 2016. While many perceive that only public brands are at risk of data breaches, occurrences in 2017 proved that hackers can and will target large organizations, such as HBO and Equifax, as well as SMBs like CloudPets.
How Do Security Breaches Tie Into Office 365?
Let’s jump back to Office 365. In light of the increasing rate of data breaches, what exactly is Microsoft doing to ensure that Office 365 is as secure as possible?
First of all, Microsoft deploys a defense-in-depth strategy to protect data through multiple layers of security. The image below showcases the Physical, Logical, and Data layers of security.
Source: Microsoft’s Security in Office 365 whitepaper
The Physical Layer
The Physical Layer is how Microsoft prevents people from physically getting into the datacenter and accessing data. Microsoft datacenters are designed to protect data against unauthorized access by employing strict protocols and security features, including:
- Multiple authentication protocols: Badges, smart cards, biometric scanners, and on-premises security.
- Constant surveillance: Motion sensors, video surveillance, and security breach alarms.
- Restricted access: Access is restricted by job function, meaning datacenter employees lack access based on their responsibilities.
The Logical Layer
The Logical Layer comprises the controls and processes to secure the physical hosts and applications from administrators, including:
- Automated operations: Human intervention is reduced to a minimum, reducing the risk of malicious activity or inconsistent configurations.
- Monitored admin access: Data is controlled voa multiple layers of security, including a Lockbox process, which allows:
- Just-in-time accounts with high-entropy passwords.
- Access for a limited amount of time.
- Access to take specific actions based on the role.
The Data Layer
The Data Layer is how Microsoft secures data both at rest and in motion. While Office 365 is a multi-tenant service (i.e. multiple tenants share the same hardware), the data storage and processing for each tenant is segregated trough Azure Active Directory and capabilities that are specifically developed to help build, manage, and secure multi-tenant environments.
How Do Organizations Begin to Safeguard Their Content?
Despite the levels of security that Microsoft employs, organizations need to implement extra layers of security to safeguard their content. In other words, whatever Microsoft does to secure their service is useless if users leave their login information and their laptop at a local Starbucks.
Microsoft offers multiple ways to add extra security (like Multi-Factor Authentication), but these are not enabled by default. Microsoft’s Office 365 Secure Store allows admins to enable security configurations for a more secure environment. To access the Office 365 Secure Store, navigate to the Office 365 Admin Center, or directly to https://protection.office.com.
Assessing Your Office 365 Security Risk
It may not be a guarantee, but following security best practices can decrease the chances of exposing sensitive content to a breach.
Upon accessing the Office 365 Secure Store, click on the “Go to Secure Score” link to get more details into your Office 365 security risks. In the following image, you can see my current score of 68 out of 452.
Note that I’ve set myself a target of 372. A target of 289 to 372 is considered “Balanced” between user impact and the security measures that I need to implement. It also recommends 31 actions that I can implement in order to reach my goal.
Let’s take a look at some of those actions.
Some actions can be worth a lot more than others. For example, one of the first things that I can do is enable Multi-Factor Authentication for all the Global Administrators in my tenant. Currently, 0/2 of my Global Admins have it enabled, so if I enable it for both of them, I would gain 50 points on my score!
Some of the actions are also things that you would need to do on a regular basis, like reviewing audit data information on a weekly basis. Once I review it, I will get five points added to my score; but if I don’t review it again in a week, it will go back to zero.
Guest Sharing Links
Some actions are recommended based on Microsoft best practices, rather than your initial impression of a feature. For example, Microsoft recommends enabling guest sharing links for sites and documents because their research has shown that when these are disabled, users will resort to a less secure way of sharing data.
This action may not worth a lot (i.e. 1 point), but it’s something to consider. If users need that feature, would you rather have them use it in a controlled way in Office 365 or via a service that you have no idea about?
Where Shadow IT Comes Into Play
This brings us to the topic of Shadow IT, or better yet, finding the balance between security and productivity.
One of the major problems that organizations face with locking down their collaboration environments is that their users will introduce consumer-level tools to achieve their daily tasks and stay productive. This puts the organization at more risk of data breaches than opening up certain features; and this is where recommendations like anonymous SharePoint sharing links arise.
Office 365 is one of the most secure collaboration suites in the world, and it’s proven and certified by numerous compliance areas, such as HIPAA, FedRAMP/FISMA, ISO 27001/ 27018, and more.
While Microsoft provides their users with plenty of tools to decrease the risk of data breaches, it is your duty to ensure that logs are audited, tasks are reviewed, and security configurations meet the level of security that your organization needs.
Metalogix Can Fill Your Security Gaps
Microsoft’s out-of-the-box security tools are a great place to start. But with regulations like GDPR and the impending risk of breaches posing a threat to many organizations around the world, it’s time to face an enterprise-grade security solution.
Get a personalized demo of ControlPoint to see how you can identify and secure sensitive data, while enforcing governance policies and preventing suspicious user activity. Our security experts can share a custom security and information governance solution that enables peace of mind and compliance.
Concerned about Shadow IT in your organization? See how Content.ly is designed for organizations to identify, manage, and protect collaboration content across any cloud platform.
Vlad is a SharePoint and Office 365 Consultant specializing in SharePoint and SharePoint Online deployments as well as hybrid scenarios. As a Pluralsight Author, Microsoft Certified Trainer and recognized international speaker, Vlad has helped thousands of users and IT Pros across the globe to better understand and to get the most out of SharePoint. Vlad is also a Microsoft Most Valuable Professional (MVP) in SharePoint since 2013 and has his own blog at www.absolute-sharepoint.com and he often shares his knowledge by speaking at local conferences and community events. Vlad also blogs at CMSWire as well as Computerworld and is often featured in other Microsoft sites such as Redmond Channel Partner.