Microsoft 365, formerly known as Office 365, is a popular cloud-based collaboration platform that allows companies to share information and applications with people outside of their network.
Companies have the ability to share entire folders, including any subfolders. The open-sharing nature of Microsoft Office 365, specifically products like Teams, will inevitably increase the possibility of unauthorized exposure of sensitive data.
To make matters worse, the default access controls provided by Microsoft Office 365 are not granular enough to adequately protect your accounts and data, as users often end up with more privileges than what they actually need.
This is particularly problematic when it comes to Global Administrator accounts, as Office 365 grants all administrators global access, and it’s not easy to restrict access for specific purposes, such as resetting a user’s password. As such, were an attacker to gain access to a Global Administrator account, they could cause a serious amount of damage to your network.
Another notable flaw in Office 365 security relates to the way audit logs are recorded and retained. Firstly, auditing is not enabled by default, and logs are only retained after auditing has been enabled. Secondly, audit logs are kept for a maximum of one year, which is not sufficient to comply with regulations like HIPAA, which mandates that covered entities retain logs for a minimum of six years.
Office 365 Security Best Practices and Recommendations
The good news, however, is that there are many things that companies can do to improve their Microsoft Office 365 security posture. Below are some recommendations and tips for Microsoft Office 365 Security:
1. Enable Multi-Factor Authentication
Multi-factor authentication in Office 365, which requires two or more additional verification methods, is a very effective way to protect user accounts and the resources they have access to. You can either use the Microsoft Authenticator app (recommended) or receive a phone call or text message on your registered number. As always, you must ensure that access to sensitive data is restricted in accordance with the Principle of Least Privilege (PoLP). If you need more control over who has access to which resources, you can achieve this by setting up Conditional Access policies.
2. Implement Azure Conditional Access
Conditional Access policies are essentially if-then statements. In other words, when a user seeks access to a particular resource, they must first complete a necessary action. For instance, let’s say a payroll manager wishes to access the payroll app – this individual must complete multifactor authentication before gaining access. Employing Azure Conditional Access policies is a reliable way to impose the right access controls when necessary, thereby bolstering security. Plus, this function aligns well with the fundamental tenets of a Zero Trust architecture, which include explicit verification, the principle of least privilege (PoLP), and the assumption that a breach will take place.
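As an added example (not code from the original article), the payroll scenario above expressed as a Conditional Access policy created with the Microsoft Graph PowerShell SDK; the group and application IDs are placeholders for your own tenant's object IDs, and the policy starts in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example: require MFA for payroll managers when they open the payroll app.
# Assumes the Microsoft.Graph module is installed; IDs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$payrollGroupId    = "<payroll-managers-group-object-id>"   # placeholder
$payrollAppId      = "<payroll-app-client-id>"              # placeholder
$breakGlassGroupId = "<emergency-access-group-object-id>"   # placeholder

$policy = @{
    displayName = "Require MFA for payroll app (payroll managers)"
    # Report-only first: sign-in logs show who would have been challenged
    # without actually blocking anyone. Change to "enabled" once reviewed.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeGroups = @($payrollGroupId)
            # Always exclude emergency-access ("break glass") accounts so an
            # MFA outage cannot lock every administrator out of the tenant.
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @($payrollAppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # the "then" part of the if-then statement
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State
```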
3. Audit your Office 365 environment
In the Microsoft 365 compliance center, you can monitor the unified audit log for suspicious user activity, including mailbox activity. As mentioned previously, in Office 365, the audit logs are not enabled by default and are only retained for a maximum of one year. If you need to comply with regulations that require a longer retention period, you will need to use a third-party Office 365 auditing tool. A third-party solution will aggregate event data from multiple sources, including both on-premises and cloud environments. Such solutions use machine learning techniques to detect anomalous user behavior, and provide real-time alerts when sensitive data is accessed, moved, modified, shared, or removed. Most sophisticated solutions will also provide a data classification tool out-of-the-box, in addition to numerous other valuable features.
4. Enable Mailbox Auditing
Enabling Office 365 mailbox auditing for all users will help to improve your Office 365 security score. This feature is not activated by default but can be enabled using PowerShell via a simple process. With mailbox auditing, you can monitor the activities of your own mailbox, as well as employee mailboxes (assuming they have been informed). This capability lets you search the Office 365 Unified Audit logs by mailbox actions and the corresponding user identities. You can also set up notifications and alerts for events such as non-owner mailbox access and permanent mail deletion.
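The PowerShell process referred to above, as an added example that is not part of the original article: it turns on organisation-wide audit logging, enables auditing on every user mailbox with the non-owner and permanent-deletion actions the text mentions, and then checks for any mailbox that was missed. It assumes the ExchangeOnlineManagement module is installed and the account used holds an Exchange administrator role.

```powershell
# Added example: enable unified and mailbox auditing in Exchange Online, then verify.
Connect-ExchangeOnline

# 1. Make sure the organisation-wide audit log is being recorded at all.
#    Entries exist only from the moment auditing is switched on.
Set-OrganizationConfig -AuditDisabled $false

# 2. Enable auditing on every user mailbox, keep entries for 365 days
#    (dd.hh:mm:ss) and record the actions called out in the article:
#    admin/delegate (non-owner) access and permanent (hard) deletion.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit "365.00:00:00" `
        -AuditAdmin    @{Add="HardDelete","SendAs","SendOnBehalf","Update","UpdateInboxRules"} `
        -AuditDelegate @{Add="HardDelete","SendAs","SendOnBehalf","Update","UpdateInboxRules"} `
        -AuditOwner    @{Add="HardDelete","SoftDelete","UpdateInboxRules"}

# 3. Verify: surface any mailbox where auditing is still off rather than
#    assuming the change applied everywhere.
$notAudited = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled }

if ($notAudited) {
    $notAudited | Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit
} else {
    "Mailbox auditing is enabled on all user mailboxes."
}
```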
5. Configure Alert Policies
Setting up alert policies can facilitate the monitoring of administrator and user activities, and thus protect against data loss and malware threats. At a minimum, you should configure alerts to identify failed login attempts, repetitive file encryption, users forwarding or redirecting emails, and other suspicious activity. Sending event data to a SIEM or real-time auditing solution for correlation and long-term storage is strongly recommended.
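To show what such an alert looks like as a query, here is an added example (not from the original article) that searches the unified audit log for three of the activities listed above: non-owner mailbox access, permanent deletion, and inbox rules or mailbox settings that forward or redirect mail. Hits are written to JSON for forwarding to a SIEM. It assumes an existing Exchange Online session (Connect-ExchangeOnline) and that unified auditing is enabled; the output file name is our choice.

```powershell
# Added example: flag suspicious mailbox activity from the unified audit log.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Operations worth a closer look (mailbox item actions and admin cmdlets).
$ops = "HardDelete", "SendAs", "SendOnBehalf", "New-InboxRule", "Set-InboxRule", "Set-Mailbox"

# Note: a single call returns at most 5000 records; page with
# -SessionCommand ReturnLargeSet / -SessionId on busy tenants.
$hits = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 5000

$findings = foreach ($entry in $hits) {
    $d = $entry.AuditData | ConvertFrom-Json     # each record carries a JSON payload
    $reason = $null
    switch ($d.Operation) {
        "HardDelete" { $reason = "Permanent deletion" }
        { $_ -in "New-InboxRule", "Set-InboxRule" } {
            # Cmdlet parameters arrive as Name/Value pairs
            $fwd = $d.Parameters | Where-Object { $_.Name -in "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo" }
            if ($fwd) { $reason = "Inbox rule forwards or redirects mail" }
        }
        "Set-Mailbox" {
            $fwd = $d.Parameters | Where-Object { $_.Name -in "ForwardingSmtpAddress", "ForwardingAddress" }
            if ($fwd) { $reason = "Mailbox-level forwarding changed" }
        }
    }
    # On mailbox item records LogonType is 0 = Owner, 1 = Admin, 2 = Delegate.
    if (-not $reason -and $d.LogonType -in 1, 2) { $reason = "Non-owner mailbox access" }

    if ($reason) {
        [pscustomobject]@{
            Time      = $d.CreationTime
            Actor     = $d.UserId
            Operation = $d.Operation
            Mailbox   = $d.MailboxOwnerUPN
            ClientIP  = $d.ClientIP
            Reason    = $reason
        }
    }
}

$findings | ConvertTo-Json -Depth 3 | Set-Content -Path ".\o365-mailbox-findings.json"
"{0} events flagged between {1} and {2}" -f @($findings).Count, $start, $end
```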
6. Classify Your Sensitive Data in Office 365
In order to adequately protect your sensitive data, you must know exactly what data you have, and where it is located. The Data Classification feature of Office 365, found in the Admin Center, allows you to apply sensitivity labels to content.
The labels specify how sensitive the content is, and how it should be treated, which may include mandatory watermarking or encryption. Highly sensitive content will be tracked wherever it goes, and with endpoint protection enabled, you can prevent it from leaving your organization.
It should also be noted that there are a number of third-party data classification solutions, which offer more advanced features. For example, a third-party solution will scan all relevant repositories, whether on-premises or ‘in the cloud’, and classify the relevant data as it is found.
It can also classify data at the point of creation/modification. It will provide pre-defined classification schemas customized according to the data privacy laws relevant to your industry. It will cover a wide range of file types, and some advanced solutions can even find sensitive data in images and other forms of multimedia.
7. Deploy Anti-Phishing Defenses
All Microsoft 365 business plans come with Exchange Online Protection (EOP) as standard, which offers a level of defense against Office 365 phishing attempts. Inbound and outbound messages are screened by EOP, which incorporates connection filtering, anti-malware protection, policy-based filtering, and content filtering. Connection filtering examines the senders’ IP addresses and compares them against a list of malicious IP addresses to ensure their credibility. The anti-malware feature will block attachments based on their extensions, such as executable files, and tag messages coming from external sources. Content filters help to identify spam, phishing, and spoofing signatures and assess their confidence score. Based on the score, the messages are either rejected, quarantined, or delivered.
8. Manage User Accounts and Permissions
To ensure effective permission control, it is crucial to follow the principle of least privilege, which involves only granting users access to the data that is essential for their duties. Additionally, within Office 365, Admins can utilize Role-based Access Control (RBAC) and integrate with Azure Active Directory (AD) for user management, role assignments, and application permissions. Since Microsoft 365 admin accounts have greater privileges and access to sensitive data, they are a major target for cyber attackers, and a breach of an admin account could jeopardize the entire Office 365 system. Therefore, it is recommended that administrators only use their accounts when required and have a separate account for regular activities to minimize risks.
9. Use Security Features Available in Office Security and Compliance Center
The Security and Compliance Center in Office 365 has lots of tools to help you keep your sensitive data secure. It is always good practice to spend some time familiarizing yourself with these tools, which include:
Threat management: This feature helps to protect your inbox from spam, as well as identify unauthorized mailbox usage. Any malicious emails sent to or from your account will be blocked, and the user will receive a notification. The Advanced Threat Protection (ATP) feature provides two sub-features, ATP Safe Attachments and ATP Safe Links, both of which are designed to detect and block potentially malicious emails. Additionally, Microsoft Defender for Cloud Apps, formerly known as Microsoft Cloud App Security, is a feature which, according to Microsoft’s website, acts as “a gatekeeper to broker access in real time between your enterprise users and cloud resources they use, wherever your users are located and regardless of the device they are using”.
Mobile device management: This solution will prevent users from accessing your Office 365 environment unless they have installed the MDM solution on their device. The MDM solution can be used to ensure that devices accessing your environment encrypt sensitive data, and to prevent jailbroken devices from accessing the network. It can even wipe some or all of the data on a device if it is lost or stolen.
Data loss prevention: The Office 365 DLP feature helps you prevent users from sharing sensitive data outside of your organization, and works across SharePoint, OneDrive, and Exchange Online. You can either use the default rules or set up your own. Based on these rules, if a user tries to share sensitive data outside of the organization, it will either be blocked, or the user will be required to verify their actions. You can also view reports that inform you about how data is being shared across your organization.
Information governance: Users can set up retention policies and retention labels to retain data across their Office 365 environment. They also have the option to archive third-party data, import PST files to Exchange Online mailboxes, as well as retain mailbox content after employees leave the organization.
Search and Investigation: This feature enables you to quickly locate content in your Office 365 environment. This includes the content found in documents, mailboxes, and audit logs. You will also find an eDiscovery feature, which is designed for legal purposes and is thus only relevant to administrators.
Office 365 Secure Score: The Secure Score feature of Office 365 is a metric designed to inform you about the current state of your organization’s security posture. You will be given points for enabling/configuring the recommended security features and carrying out security-related tasks.
Compliance Manager: As you might expect, this section is designed to help companies comply with the relevant data privacy regulations, and provides reports/assessments, a risk-based compliance score, as well as recommendations to help you improve your score.
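As an added example (not code from the original article), the data loss prevention behaviour described above, a rule that blocks sensitive content shared outside the organization unless the user justifies the action, created with Security & Compliance PowerShell. It assumes Connect-IPPSSession is run with a compliance administrator account; the policy and rule names and the policy-tip text are our own choices.

```powershell
# Added example: a DLP policy that blocks external sharing of card data
# across Exchange Online, SharePoint Online and OneDrive.
Connect-IPPSSession

# Start in test mode with policy tips so users and admins see what would be
# blocked; switch -Mode to Enable once the false-positive rate is acceptable.
New-DlpCompliancePolicy -Name "Block external sharing of card data" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# When content shared with people outside the organization contains a credit
# card number: block access, notify the owner, and allow an override only
# with a written justification (the "verify their actions" step).
New-DlpComplianceRule -Name "Card data shared externally" `
    -Policy "Block external sharing of card data" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This item contains payment card data and cannot be shared outside the organization without justification." `
    -NotifyAllowOverride WithJustification

# Verify the rule was created with the intended scope and controls.
Get-DlpComplianceRule -Policy "Block external sharing of card data" |
    Select-Object Name, Disabled, AccessScope, BlockAccess, NotifyAllowOverride
```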
If you’d like to see how the Lepide Data Security Platform can help with Office 365 Security, schedule a demo with one of our engineers or start your free trial today.
How Lepide Helps Improve Office 365 Security
The Lepide Data Security Platform offers enhanced visibility into data sharing, access, and modification activities in Office 365, thus helping you detect and respond to potential breaches in a timely manner. Our Office 365 auditing solution allows users to easily identify sensitive data, track permission changes, and analyze user behavior within the Office 365 environment. This includes changes made to Exchange Online, SharePoint Online, Azure AD, OneDrive for Business, and MS Teams user activities. Users are provided with numerous predefined audit reports that cater to compliance mandates such as GDPR, PCI, HIPAA, and FISMA, among others. The Lepide software monitors changes in permissions and configurations to ensure unwanted access privileges are not granted unknowingly. All relevant activity is presented via an intuitive dashboard, through continuous updates in LiveFeed, and via real-time alerts to your inbox or mobile device.