Written by Keith Tuomi on . Posted in Compliance, Office 365, Security.
Moving to the cloud can introduce new concerns. In this post, I'll help you address your organization's own security standards, framed against the products and capabilities of your Office 365 services.
While Microsoft has invested heavily in securing its platforms against cyberattacks, it operates under a shared responsibility model in which the customer is responsible for ensuring that its users take precautions to protect information. Many organizations have an information gap: the IT security team has no visibility into the everyday high-risk activity occurring within these services, and often does not learn of misuse until it escalates into a major data loss incident.
As a result, many IT security teams need actionable intelligence on a wide range of internal and external threats and security vulnerabilities that can lead to data loss, including:
The information gathered in this report can help mitigate those types of scenarios, based on Microsoft’s own best-practice foundational security goals:
Let’s assess risk and implement the most critical security, compliance, and information protection controls to protect your Office 365 tenant. The goal is to prioritize threats, translate threats into technical strategy, and then take a systematic approach to implementing features and controls.
At the core of Office 365 security:
- Data Loss Prevention
- Auditing and Retention Policies
- eDiscovery
- Data Deletion
- Data Spillage Management
Question: “What are the main differences between security on-premises and security in the public cloud?”
Answer: “You still need to do most of what you’re doing now.”
Ensuring that data is classified correctly, and that the solution complies with regulatory obligations, is the responsibility of the customer. Physical security is the one responsibility that is wholly owned by the cloud service provider when using cloud computing.
The remaining responsibilities are shared between the customer and the cloud service provider.
Considering the security responsibility and threat patterns above, a key conclusion can be drawn about where your organization's security focus with Office 365 should be:
Start with a set of standards that can be applied across your organization. Here is an example of what this can look like:
| Goal | Description |
| --- | --- |
| Establish information protection priorities | The first step in protecting information is identifying what to protect. Develop clear, simple, and well-communicated guidelines to identify, protect, and monitor the most important data assets wherever they reside. |
| Set organization minimum standards | Establish minimum standards for devices and accounts accessing any data assets belonging to the organization. This can include device configuration compliance, device wipe, enterprise data protection capabilities, user authentication strength, and user identity. |
| Find and protect sensitive data | Identify and classify sensitive assets. Define the technologies and processes that automatically apply security controls. |
| Protect high value assets (HVAs) | Establish the strongest protection for assets that have a disproportionate impact on the organization's mission or profitability. Perform stringent analysis of the HVA lifecycle and its security dependencies, and establish appropriate security controls and conditions. |
A four-level scheme is a good starting point if your organization doesn't already have defined data sensitivity standards:
| Sensitivity Level | Description |
| --- | --- |
| Confidential | Only those who explicitly need access may be granted it, and only to the least degree required to do their work (the ‘need to know’ and ‘least privilege’ principles). |
| Restricted | Subject to controls on access, such as only allowing valid logons from a small group of staff. ‘Restricted’ information must be held in a manner that prevents unauthorised access, i.e. on a system that requires a valid and appropriate user to log in before access is granted. |
| Internal Use | Can be disclosed or disseminated by its owner to appropriate members of your organization, partners and other individuals, as the information owner sees fit, without any restrictions on content or time of publication. |
| Public | Can be disclosed or disseminated without any restrictions on content, audience or time of publication. Disclosure or dissemination of the information must not violate any applicable laws or regulations, such as privacy rules. |
This table is an example of how capabilities can be mapped to data sensitivity levels:
| Service Capability | Description |
| --- | --- |
| Data is encrypted and available only to authenticated users | Provided by default for data stored in Office 365 services. Data is encrypted while it resides in the service and in transit between the service and client devices. |
| Additional data and identity protection applied broadly | Capabilities such as multi-factor authentication (MFA), mobile device management, and Exchange Online Advanced Threat Protection increase protection and substantially raise the minimum standard for protecting devices, accounts, and data. |
| Sophisticated protection applied to specific data sets | Capabilities such as Azure Rights Management (RMS) and Data Loss Prevention (DLP) across Office 365 can be used to enforce permissions and other policies that protect sensitive data. |
| Strongest protection and separation | Customer Lockbox for Office 365, eDiscovery features in Office 365, and use of auditing features to ensure compliance with policies and prescribed configurations. |
Secure Score analyzes your Office 365 organization’s security based on your regular activities and security settings and assigns a score. Think of it as a credit score for security.
Anyone who has admin permissions (global admin or a custom admin role) for an Office 365 Business Premium or Enterprise subscription can access the Secure Score at https://securescore.office.com. Users who aren’t assigned an admin role won’t be able to access Secure Score. However, admins can use the tool to share their results with other people in their organization.
Secure Score figures out what Office 365 services you’re using (like OneDrive, SharePoint, and Exchange) then looks at your settings and activities and compares them to a baseline established by Microsoft. You’ll get a score based on how aligned you are with best security practices.
Using Secure Score helps increase your organization’s security by encouraging you to use the built-in security features in Office 365 (many of which you have already purchased but might not be aware of). Learning more about these features as you use the tool will give you peace of mind that you’re taking the right steps to protect your organization from threats.
If you want to improve your score, review the action queue to see what you can do to help increase security and reduce risks.
Expand an action to learn about what threats it’ll help protect you from and how you’ll get the job done.
To see the impact of your actions on your organization’s security, go to the Score Analyzer page and review your history.
Click any data point to see a breakdown of your score for that day. You can scroll down to see which controls were enabled and how many points you earned that day for each control.
Office 365 Secure Score is a great security analytics tool that you can access at https://securescore.office.com. However, not everyone knows how to access Secure Score. You can make it easier to discover and quickly review your security position by adding a Secure Score widget to the home page of the Office 365 Security and Compliance Center.
The widget will show your latest score and the maximum points you can obtain. To get more information about your score you can click the “Go to Secure Score” link and it will take you directly to Secure Score to review the additional details.
Offerings
- Office 365 Secure Productive Enterprise
Getting Started
- New technologies and services enhance Microsoft’s unique approach to cybersecurity
- Address your CXO’s top five cloud security concerns
- Take control of your security and compliance with Office 365
- Learn how Office 365 security and compliance leverages intelligence in a cloud first world
- Secure Office 365 like a cybersecurity pro: assessing risk and implementing controls
- Own your data with next generation access control technology in Office 365
- General Data Protection Regulation (GDPR)
- How Does Microsoft IT Secure Office 365?
- Keep calm and automate: How we secure the Office 365 service
Office 365 Secure Score
- Introducing the Office 365 Secure Score
- An introduction to Office 365 Secure Score
- New Office 365 capabilities help you proactively manage security and compliance risk
Advanced Threat Analytics
- Learn how Microsoft Advanced Threat Analytics combats persistent threats
- Plan and deploy Microsoft Advanced Threat Analytics the right way
Advanced Security Management
- Overview of Advanced Security Management in Office 365
- Get started with Advanced Security Management
- Gain visibility and control with Office 365 Advanced Security Management
Advanced Threat Protection
- Introducing Office 365 Advanced Threat Protection
- Advanced threat protection for safe attachments and safe links
- Learn about advancements in Office 365 Advanced Threat Protection
Data Loss Prevention
- Protect your sensitive information with Office 365 Data Loss Prevention
- Customize and tune Microsoft Office 365 Data Loss Prevention
Customer Lockbox
- Announcing Customer Lockbox for Office 365
- Office 365 Customer Lockbox Requests
Developer
- Building security and compliance solutions with the O365 Activity API: a Microsoft IT case study
Exchange
- Implement Microsoft Exchange Online Protection
- Get an edge over attackers: what you need to know about email threats
- Understand how Microsoft protects you against Spoof, Phish, Malware, and Spam emails
- Learn about advancements in Office 365 Advanced Threat Protection
Advanced eDiscovery
- Office 365 Advanced eDiscovery
- Video: Office 365 Advanced eDiscovery
- Reduce costs and challenges with Office 365 eDiscovery and Analytics
Azure Information Protection
- What is Azure Rights Management?
- Collaborate confidently using Rights Management
- Adopt a comprehensive identity-driven solution for protecting and sharing data securely
Mobile Devices
- Secure access to Office 365, SaaS, and on-premises apps and files with Azure AD and Intune
- Deliver a BYOD program that employees and security teams will love with Microsoft Intune
- Manage BYOD and corporate-owned devices with MDM solutions
Encryption
- Introducing Office 365 Message Encryption: Send encrypted emails to anyone!
- Encryption in Office 365
- Challenge cloud encryption myths and learn about Office 365 BYOK plans
Advanced Data Governance
- Advanced Data Governance overview
- Take control of your data with intelligent data governance in Office 365
- Applying intelligence to security and compliance in Office 365