More and more companies are moving from their on-premise environments to Microsoft 365 because it is feature-rich, flexible, scalable, and accessible. Microsoft 365 enables users to seamlessly collaborate on projects anytime and from anywhere.
During the early years of cloud adoption, companies were rightly concerned about Microsoft 365 security, in particular the implications of storing sensitive data on a server that they don’t control. Even though we have seen significant improvements in cloud security over the years, there are still notable concerns that need to be addressed, which are as follows:
Microsoft Office 365 Security Concerns
External File Sharing in Microsoft 365
Applications like Teams and SharePoint, which are a part of the Microsoft 365 family, have made it a lot easier for organizations to share documents with customers, partners, suppliers, and other relevant stakeholders. A single user can share files and folders, including sub-folders and newly created folders, with external users. The open sharing capabilities of these applications will naturally increase the risk of unauthorized disclosure of sensitive data.
Limited Access Control
Unfortunately, Microsoft 365 doesn’t allow for fine-grained control over access permissions, which means that users frequently end up with more access than what they need. For example, there are limited options for restricting admin rights to specific functions, and there is no way to configure permissions based on the physical location of the users. Naturally, this increases the likelihood that users will lose, steal or expose sensitive data to unauthorized parties, whether accidentally or deliberately. Likewise, where a malicious actor compromises a regular user account, they will have more access than they otherwise would.
Global Admin Account Breaches
Hackers are always looking to gain access to administrator accounts as they have elevated privileges. Microsoft 365 gives administrators global access, which means they have access to pretty much everything. They can change important settings, disable security features, steal sensitive data and create backdoors for future access. To help prevent this, it is a good idea to enable multi-factor authentication (MFA) on all global administrator accounts.
Disabled Microsoft 365 Audit Logs
By default, the Microsoft Office 365 audit logs are disabled and must be turned on manually by the administrator (including mailbox auditing). It’s worth noting that no logs are recorded until auditing is enabled.
Short Log Retention Periods
In the event of a security incident, organizations must scrutinize their audit logs to determine who caused what, how, and when. Some data privacy regulations specify a log retention period, while some don’t. Either way, you will need to ensure that you can retain the logs long enough to carry out a thorough investigation into the incident. In Microsoft 365, by default, audit records are retained for 90 days, which may not be long enough when dealing with Advanced Persistent Threats (APTs). If you want to retain audit logs for a longer period, you will need to purchase an E5 license.
Other Microsoft 365 Related Concerns
The security concerns listed above are specific to Microsoft 365. However, there are numerous other concerns that relate more to the use of cloud-based platforms for storing confidential data, which include:
Government subpoenas
While this is only relevant to a very small number of users (mostly law firms), it’s worth noting that Microsoft is still vulnerable to blind subpoenas, which is where a government agency compels it to provide access to its customers’ data without the knowledge or consent of the customers. Even if the data is encrypted, the government agency can still demand access to the decryption keys, which Microsoft will have access to. The best protection against such activities is to use your own keys when encrypting sensitive data stored in the cloud.
Cross-platform correlation
Companies that use multiple cloud platforms, such as Dropbox, Google Cloud, and Amazon Web Services, will lack visibility if the security solutions they use are not able to aggregate and correlate event data across all platforms, including their on-premise environment. For example, if a user downloads sensitive data from SharePoint and then uploads it to OneDrive, the Microsoft 365 event logs will only retain evidence of the files that were downloaded from SharePoint. As such, if you need more visibility into how your files are accessed across all platforms, you will need to use a third-party auditing solution.
How to overcome Microsoft 365 Security Concerns
Microsoft 365 comes with a number of built-in security features which you can find in the Security and Compliance Center. Such features include multi-factor authentication (MFA), anti-phishing protection, data loss prevention (DLP), email encryption, and data classification. Below are some of the ways that organizations can overcome the security concerns associated with Microsoft 365:
The Microsoft Secure Score
It’s worth paying close attention to the Microsoft Secure Score, which carries out an assessment of your current security posture and suggests ways to improve it. According to Microsoft’s documentation, you’re given points for the following actions:
- Configuring recommended security features
- Doing security-related tasks
- Addressing the improvement action with a third-party application or software, or alternate mitigation
Enable Multi-Factor Authentication
Multi-factor authentication (MFA) in Office 365 is a simple yet very effective way to prevent unauthorized access to privileged accounts. To enable MFA you will need to go to the Admin Center, select Users > Active users, and select Multi-factor authentication. On this page, you can set up MFA for some, or all users.
Discover and classify your critical assets
Microsoft Office 365 has a built-in data classification solution to help organizations discover and classify their critical assets, which can help to prevent external sharing of sensitive data. However, for companies that store large amounts of sensitive data, adopting a third-party data classification software is probably a better option. For example, a third-party solution can automatically discover and classify sensitive data across a wide range of platforms, including both on-premise and cloud-based environments. Third-party solutions also tend to deliver more accurate results, and they come with pre-defined classification taxonomies, which cover a wide range of data privacy laws, such as GDPR, HIPAA, PCI-DSS, and more. Classifying sensitive data will make it a lot easier to apply the appropriate security controls.
Enforce “least privilege” access
Access to every Microsoft 365 account should be restricted according to the Principle of Least Privilege (PoLP). Global administrator accounts should only be used when absolutely necessary, and you will need to regularly review all access permissions and revoke them whenever possible. You will also need to keep track of any third-party storage services and set expiration dates on links.
Enable Unified Audit Logging
The Microsoft 365 unified audit log helps administrators monitor suspicious activities across all services. If you need a more comprehensive and contextual audit, consider using a third-party auditing solution that uses machine learning techniques to identify anomalies. A third-party Office 365 auditing solution will also aggregate event data from a broad range of sources, including both on-premise and cloud platforms. You should also enable mailbox auditing to monitor activity in Exchange Online. However, if you are using a recent version of Microsoft 365, mailbox auditing will be enabled by default. In addition to monitoring non-owner mailbox access, you will need to monitor all changes to mailbox permissions and settings. It’s worth noting that audit logs are retained for 90 days for Basic auditing. If you want to extend this period, which may be necessary to comply with certain regulations, you will need to purchase an additional license, or use a third-party auditing solution, where such limitations don’t apply.
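As an added example (not part of the original article, and not a Lepide or Microsoft tool), the following sketch triages exported unified audit log records for the activities named above: non-owner mailbox access, changes to mailbox permissions and settings, changes to the audit configuration itself, and anonymous sharing links. The sample records are constructed; the one-JSON-object-per-line export format is an assumption, with field names following the Office 365 Management Activity API schema.

```python
import json

# Constructed sample records (not real tenant data), one JSON object per line.
# Field names follow the Office 365 Management Activity API schema.
SAMPLE_EXPORT = """\
{"CreationTime":"2024-03-01T08:02:11","Workload":"Exchange","Operation":"MailItemsAccessed","UserId":"alice@example.com","MailboxOwnerUPN":"alice@example.com","LogonType":0}
{"CreationTime":"2024-03-01T08:15:40","Workload":"Exchange","Operation":"MailItemsAccessed","UserId":"helpdesk@example.com","MailboxOwnerUPN":"cfo@example.com","LogonType":2}
{"CreationTime":"2024-03-01T09:01:05","Workload":"Exchange","Operation":"Add-MailboxPermission","UserId":"admin@example.com","ObjectId":"cfo"}
{"CreationTime":"2024-03-01T09:30:00","Workload":"SharePoint","Operation":"AnonymousLinkCreated","UserId":"bob@example.com","ObjectId":"https://example.sharepoint.com/sites/finance/q1.xlsx"}
{"CreationTime":"2024-03-01T10:00:00","Workload":"Exchange","Operation":"Set-AdminAuditLogConfig","UserId":"admin@example.com","ObjectId":"Admin Audit Log Settings"}
"""

MAILBOX_CHANGE_OPS = {"Add-MailboxPermission", "Remove-MailboxPermission", "Add-RecipientPermission", "Set-Mailbox"}
AUDIT_CONFIG_OPS = {"Set-AdminAuditLogConfig", "Set-MailboxAuditBypassAssociation"}
NON_OWNER_LOGON = {1: "admin", 2: "delegate"}  # LogonType 0 is the mailbox owner

def classify(record):
    """Return a finding label for one audit record, or None if it is routine."""
    op = record.get("Operation", "")
    if op in AUDIT_CONFIG_OPS:
        return "audit-config-change"
    if op in MAILBOX_CHANGE_OPS:
        return "mailbox-permission-or-settings-change"
    if op == "AnonymousLinkCreated":
        return "anonymous-sharing-link"
    if record.get("Workload") == "Exchange" and record.get("LogonType") in NON_OWNER_LOGON:
        return "non-owner-mailbox-access (" + NON_OWNER_LOGON[record["LogonType"]] + ")"
    return None

def triage(export_text):
    """Parse a JSON-lines export and return (time, user, finding, target) tuples."""
    findings = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated lines rather than abort the review
        label = classify(record)
        if label:
            target = record.get("MailboxOwnerUPN") or record.get("ObjectId", "")
            findings.append((record.get("CreationTime"), record.get("UserId"), label, target))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(*finding, sep=" | ")
```

The owner's own mailbox access (LogonType 0) is deliberately not reported, so the output stays focused on activity that warrants review.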