Microsoft 365, formerly known as Office 365, is a popular cloud-based collaboration platform that allows companies to share information and applications with people outside of their network.
Companies have the ability to share entire folders, including any subfolders. The open-sharing nature of Microsoft Office 365, specifically products like Teams, will inevitably increase the possibility of unauthorized exposure of sensitive data.
To make matters worse, the access controls in Microsoft Office 365 are easy to over-provision: roles are frequently assigned far more broadly than the task at hand requires, so users and administrators end up with more privileges than they actually need.
This is particularly problematic when it comes to Global Administrator accounts, which have unrestricted access to the entire tenant. Microsoft 365 does offer narrower built-in roles (for example, the Password Administrator role for resetting non-administrator users' passwords), but in practice Global Administrator is often handed out instead of scoping the role to the task. As such, were an attacker to gain access to a Global Administrator account, they could cause a serious amount of damage to your network.
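The following is an added example (not code from the original article) showing how to check the problem just described: it enumerates the members of the Global Administrator role with the Microsoft Graph PowerShell SDK, flags non-user or disabled principals holding the role, and warns when the count exceeds a ceiling. The ceiling of four is a policy choice for this example; the Graph scopes and module names are real, but the account running it must be able to consent to them.

```powershell
# Added example: audit Global Administrator membership in a Microsoft 365 tenant.
# Assumes the Microsoft.Graph modules are installed and the caller can consent to the
# RoleManagement.Read.Directory and Directory.Read.All scopes.
# Only active assignments are listed; eligible PIM assignments are not shown here.

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

$maxGlobalAdmins = 4   # hypothetical ceiling chosen for this example

# The directoryRole object exists once the role has been activated in the tenant,
# which is always the case for Global Administrator.
$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

# Members come back as generic directory objects; the interesting fields sit in AdditionalProperties
$report = foreach ($m in $members) {
    $p = $m.AdditionalProperties
    [pscustomobject]@{
        DisplayName       = $p['displayName']
        UserPrincipalName = $p['userPrincipalName']
        ObjectType        = ($p['@odata.type'] -replace '^#microsoft\.graph\.', '')
        AccountEnabled    = $p['accountEnabled']
    }
}

$report | Format-Table -AutoSize

# Service principals, groups and disabled accounts holding the role deserve a second look
$report | Where-Object { $_.ObjectType -ne 'user' -or $_.AccountEnabled -eq $false } | ForEach-Object {
    Write-Warning "Review Global Administrator assignment: $($_.DisplayName) [$($_.ObjectType)]"
}

if (@($report).Count -gt $maxGlobalAdmins) {
    Write-Warning ("{0} Global Administrators found; scope most of them to a narrower built-in role " +
                   "such as Password Administrator or Helpdesk Administrator.") -f @($report).Count
}

Disconnect-MgGraph | Out-Null
```

Run it from an account that already holds a read-only directory role; it makes no changes, so it is safe to schedule as a recurring check.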
Another notable flaw in Office 365 security relates to the way audit logs are recorded and retained. Firstly, auditing was historically not enabled by default, and events are only recorded from the point at which it is switched on; anything that happened before that is simply lost. Secondly, retention is short: 90 days by default, and one year only with premium audit licensing, which is not sufficient to comply with regulations like HIPAA, whose six-year documentation retention requirement is generally applied to audit logs as well.
Tips for Microsoft Office 365 Security
The good news, however, is that there are many things that companies can do to improve their Microsoft Office 365 security posture. Below are some tips for Microsoft Office 365 Security:
Visit the Security and Compliance Center
The Security and Compliance Center in Office 365 has lots of tools to help you keep your sensitive data secure. It is always good practice to spend some time familiarizing yourself with these tools, which include:
Threat management: This feature helps to protect your inboxes from spam and phishing, and identifies unauthorized mailbox usage. Emails identified as malicious are blocked or quarantined, and the user is notified. Advanced Threat Protection (ATP), since renamed Microsoft Defender for Office 365, provides two sub-features, ATP Safe Attachments and ATP Safe Links: the first detonates attachments in a sandbox before delivery, the second rewrites URLs so that they are checked at click time, and both are designed to detect and block potentially malicious emails. Additionally, Microsoft Defender for Cloud Apps, formerly known as Microsoft Cloud App Security, acts, according to Microsoft's website, as "a gatekeeper to broker access in real time between your enterprise users and cloud resources they use, wherever your users are located and regardless of the device they are using".
Mobile device management: This solution will prevent users from accessing your Office 365 environment unless their device is enrolled in the MDM solution. The MDM solution can be used to ensure that devices accessing your environment encrypt data at rest, and to block jail-broken or rooted devices from accessing the network. It can even wipe some or all of the data on a device if it is lost or stolen.
Data loss prevention: The Office 365 DLP feature helps you prevent users from sharing sensitive data outside of your organization, and works across SharePoint, OneDrive, and Exchange Online. You can either use the default rules or set up your own. Based on these rules, if a user tries to share sensitive data outside of the organization, the action will either be blocked, or the user will be shown a policy tip and required to justify an override. You can also view reports that inform you about how data is being shared across your organization.
Information governance: Administrators can set up retention policies and retention labels to retain data across their Office 365 environment. They also have the option to archive third-party data, import PST files to Exchange Online mailboxes, and retain mailbox content after employees leave the organization.
Search and Investigation: This feature enables you to quickly locate content in your Office 365 environment. This includes the content found in documents, mailboxes, and audit logs. You will also find an eDiscovery feature, which is designed for legal holds and discovery requests and is therefore used by administrators and legal or compliance staff rather than by end users.
Office 365 Secure Score: The Secure Score feature of Office 365 is a metric designed to inform you about the current state of your organization’s security posture. You will be given points for enabling/configuring the recommended security features and carrying out security-related tasks.
Compliance Manager: As you might expect, this section is designed to help companies comply with the relevant data privacy regulations, and provides reports/assessments, a risk-based compliance score, as well as recommendations to help you improve your score.
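The "Data loss prevention" item above describes a policy that blocks sensitive content from being shared outside the organization. As an added example (not code from the original article), here is such a policy built with Security & Compliance PowerShell: it targets credit card numbers shared with external recipients across Exchange Online, SharePoint and OneDrive, and starts in test mode so that the false-positive rate can be measured before anything is blocked. The policy and rule names are placeholders; the cmdlets and the "Credit Card Number" sensitive information type are Microsoft's own.

```powershell
# Added example: DLP policy blocking external sharing of payment card data.
# Assumes the ExchangeOnlineManagement module and a caller with a compliance administrator role.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession            # Security & Compliance PowerShell endpoint

$policyName = 'Block external sharing of card data'   # placeholder name for this example

# Start in test mode with notifications: users see policy tips, nothing is blocked yet,
# and the DLP reports show what the rule would have caught.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Added example: external sharing of payment card data' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# The rule: at least one credit card number, shared with someone outside the organization.
New-DlpComplianceRule -Name 'Card data shared externally' -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = 'Credit Card Number'; minCount = '1' }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# Verify what was created
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation

# Once the test period shows an acceptable false-positive rate, enforce it:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

Disconnect-ExchangeOnline -Confirm:$false
```

Leaving the policy in TestWithNotifications for a week or two before switching to Enable is the practical way to avoid blocking legitimate business traffic on day one.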
Classify Your Data
In order to adequately protect your sensitive data, you must know exactly what data you have, and where it is located. The Data Classification feature of Office 365, found in the compliance center, allows you to apply sensitivity labels to content.
The labels specify how sensitive the content is, and how it should be treated, which may include mandatory watermarking or encryption. Highly sensitive content will be tracked wherever it goes, and with Endpoint DLP enabled, you can prevent it from leaving your organization.
It should also be noted that there are a number of third-party data classification solutions, which offer more advanced features. For example, a third-party solution will scan all relevant repositories, whether on-premises or in the cloud, and classify the relevant data as it is found.
It can also classify data at the point of creation or modification. It will provide pre-defined classification schemas customized according to the data privacy laws relevant to your industry. It will cover a wide range of file types, and some advanced solutions can even find sensitive data in images and other forms of multimedia.
Enable Multi-Factor Authentication
Multi-factor authentication, which requires one or more verification factors in addition to the password, is a very effective way to protect user accounts and the resources they have access to. Use the Microsoft Authenticator app (recommended) or a FIDO2 security key where possible; a phone call or text message to your registered number also works, but SMS and voice are the weakest options because they can be intercepted or redirected through SIM swapping. As always, you must ensure that access to sensitive data is restricted in accordance with the Principle of Least Privilege (PoLP). If you need more control over who has access to which resources, for example to require MFA only from unmanaged devices or unfamiliar locations, you can achieve this by setting up Conditional Access policies.
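As an added example (not code from the original article), the Conditional Access policy below requires MFA for every user on every cloud application. It is created in report-only mode, so sign-in logs show who would have been affected before anyone is actually challenged, and it excludes an emergency-access (break-glass) account so that a misconfigured policy cannot lock out every administrator. The break-glass UPN is a placeholder; the Graph cmdlets, scopes and policy fields are Microsoft's own.

```powershell
# Added example: tenant-wide "require MFA" Conditional Access policy in report-only mode.
# Assumes the Microsoft.Graph modules and a caller who can consent to
# Policy.ReadWrite.ConditionalAccess and User.Read.All.

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'User.Read.All'

# Placeholder break-glass account for this example; keep it excluded from every CA policy
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.example'"
if (-not $breakGlass) { throw 'Break-glass account not found; refusing to create a policy without an exclusion.' }

$policy = @{
    displayName = 'Require MFA for all users (report-only)'
    # Observe impact first; change to 'enabled' once the report-only results look right
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{
            includeApplications = @('All')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created Conditional Access policy $($created.Id) in state '$($created.State)'"

Disconnect-MgGraph | Out-Null
```

Report-only results appear in the Azure AD sign-in logs under the policy's name; once legacy clients and service accounts that cannot perform MFA have been dealt with, update the policy's state to 'enabled'.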
Audit your Office 365 environment
In the Microsoft 365 compliance center you can monitor the unified audit log for suspicious user activity, including mailbox activity. As mentioned previously, in Office 365 the audit logs were historically not enabled by default, are retained for 90 days by default, and for at most one year with premium licensing. If you need to comply with regulations that require a longer retention period, you will need to export the logs to a SIEM or use a third-party auditing solution. A third-party solution will aggregate event data from multiple sources, including both on-premises and cloud environments. Such solutions use machine learning techniques to detect anomalous user behavior, and provide real-time alerts when sensitive data is accessed, moved, modified, shared, or removed. Most sophisticated solutions will also provide a data classification tool out-of-the-box, in addition to numerous other valuable features.
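As an added example (not code from the original article), the script below does three things the paragraph above asks for: it confirms that unified audit logging is switched on, it searches the unified audit log for inbox-rule and mailbox-forwarding changes (a common business-email-compromise indicator), and it archives the results to CSV so they outlive the tenant's retention window. The ExchangeOnlineManagement cmdlets and the operation names are Microsoft's own; the 90-day window, the output path and the keyword list used to mark entries as suspicious are choices made for this example.

```powershell
# Added example: enable auditing, hunt for mailbox-rule tampering, archive the results.
# Assumes the ExchangeOnlineManagement module and an account with the Audit Logs / View-Only Audit Logs role.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Confirm ingestion into the unified audit log; events before it is enabled were never recorded.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is disabled; enabling it now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Search for inbox-rule operations and mailbox changes (Set-Mailbox carries forwarding settings).
$end        = Get-Date
$start      = $end.AddDays(-90)               # window chosen for this example
$operations = 'New-InboxRule', 'Set-InboxRule', 'Remove-InboxRule', 'UpdateInboxRules', 'Set-Mailbox'

$results = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $operations -ResultSize 5000

# 3. Expand the JSON AuditData payload and mark entries whose parameters forward, redirect or delete mail.
$suspiciousPattern = 'ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeleteMessage|ForwardingSmtpAddress|ForwardingAddress'

$parsed = foreach ($r in $results) {
    $d = $r.AuditData | ConvertFrom-Json
    # Admin-audit events expose a Parameters array of Name/Value pairs; other event shapes yield an empty string
    $params = (@($d.Parameters) | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    [pscustomobject]@{
        Time       = $d.CreationTime
        User       = $d.UserId
        Operation  = $d.Operation
        ClientIP   = $d.ClientIP
        Parameters = $params
        Suspicious = [bool]($params -match $suspiciousPattern)
    }
}

$parsed | Where-Object Suspicious | Sort-Object Time | Format-Table Time, User, Operation, ClientIP -AutoSize

# 4. Archive everything; Search-UnifiedAuditLog can only reach back as far as the tenant's retention window.
$parsed | Export-Csv -Path '.\unified-audit-inbox-rules.csv' -NoTypeInformation   # placeholder path

Disconnect-ExchangeOnline -Confirm:$false
```

Search-UnifiedAuditLog returns at most 5,000 records per call; for busy tenants, narrow the date range or page through with -SessionId and -SessionCommand, and schedule the export so that each run covers a window shorter than the retention period.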