If your business is running in the cloud or you’re considering a cloud migration, there’s little doubt that security is on your mind. Microsoft 365 has tonnes of features to help keep your data safe in the cloud. So many, in fact, that it can be difficult to know where to start.
When we work with our clients at Regroove, we have eight standard Microsoft 365 security recommendations that help them get started on the right foot. These recommendations often form the foundation of our client’s security and compliance plan; we work to develop additional policies that supplement that plan depending on the client’s industry, data type, and access requirements.
In this blog, we’ll outline our Microsoft 365 security recommendations to help you build your own security and compliance plan in the cloud!
1. Turn on audit logging
One of the first steps we take with clients who are new to the cloud is to turn on audit logging in the security center. Not only does audit logging allow you to track and manage end user and administrator actions throughout Microsoft 365, but it can also help to identify holes in your security by collecting and analysing events that occur in Microsoft 365.
To turn on audit logging in Microsoft 365:
- Log in to the Microsoft 365 Admin Center, then click ‘Security’ from the left-hand navigation.
- Click ‘Search’ from the left-hand navigation, then ‘Audit log search’.
- Click ‘Enable audit logging’.
It can take up to 24-hours for information to begin appearing in your audit log. You can regularly check the log for unusual actions, refer to collected information when issues arise, and use it as a baseline to determine your end user and administrative requirements.
2. Implement multi-factor authentication
Implementing multi-factor authentication blocks 99.9% of all incoming attacks, while also making the process of logging in easier for your end user. With stats like that, it’s one of the most beneficial steps you can take to secure your data in the cloud.
Multi-factor authentication requires the user to prove their identity through multiple methods before giving access to your company resources. With multi-factor authentication, your user needs:
- Something they know, like a username and password
- Something they have, like a cell phone or USB
- Something they are, like a fingerprint or face scan
Typically, a user will download and set up the Microsoft Authenticator app on their cell phone. When they enter their username and password to log in to a company resource, a prompt is sent to the app on their phone. They open the app, approve the sign in, and confirm with a fingerprint or face scan. This process can be modified for those users who don’t have or don’t want to use their personal cell phone for logging in.
You can find out more about how to enable multi-factor authentication in our blog What the F is MFA? Your Multi-Factor Authentication Questions Answered.
3. Configure security policies
Anti-malware, anti-spam, and Outlook message encryption policies help protect your users, your email, and your data from malicious attacks.
Anti-spam policies help prevent spam emails from reaching your user’s inbox. Anti-malware policies protect your devices from sofrware designed to obtain or damage your company data. Outlook message encryption works to protect your users by enabling encrypted email messages both internally and externally so that only the message’s intended reader can view its contents.
Microsoft applies many of these policies automatically, so that you’re protected when you start your journey in the cloud. However, you can edit these security policies at a more granular level based on your organization’s requirements and can even block specific senders that target your organization.
To access and modify these polices:
- Log in to the Microsoft 365 Admin Center, then click ‘Threat management’ from the left-hand navigation.
- Click ‘Policies’ from the left-hand navigation.
- There are a number of policies you can configure here. We recommend determining which policies you need based on the type of data you work with and how your users share it or working with a Microsoft 365 consultant to determine what policies are best for your organization and its needs. At a minimum, we recommend ensuring anti-spam and anti-malware policies are set up.
4. Manage your user devices
Securing organization-owned and personal devices that access your data helps to stop attacks at the device level by ensuring only approved devices can have access.
Devices are secured using Microsoft Intune, which supports all mobile operating systems and a wide range of devices. Using Intune, you can ensure that devices that access your information meet security standards. You can also control how your data is shared between devices.
To set up managed devices:
- Log in to the Microsoft 365 portal, then click ‘Azure Active Directory’ from the left-hand navigation.
- Once you’re in the Azure Admin Centre, click ‘Azure Active Directory’, then ‘Devices’.
- In this list, you’ll see all current joined and registered devices, and can enable or disable devices.
- When you click on a device, you can see information and actions available for that device.
- You can also manage devices in Microsoft Intune.
The benefits of ensuring devices are joined or registered to your organization in Azure are abundant. Azure and Intune help ensure that devices accessing your organization’s data are compliant with your security requirements, and can help control how and where information is shared.
5. Use principles of least privilege access
The principle of least privilege access requires that every individual access only the information and resources (and even more importantly, the powerful admin tools) necessary to accomplish their role. In Microsoft 365, least privilege access can be applied by implementing Azure Privileged Identity Management.
Privileged Identity Management (PIM) is a service in Azure that allows you to manage, control, and monitor access to resources in your organization. This is a great option for organizations that want to minimize the number of people who have access to secure information. Privileged Access Management provides time-based and approval-based access to mitigate the risk of unnecessary or malicious access to secure resources.
To set up Privileged Identity Management:
- Log in to the Azure Admin centre, then search ‘PIM’ in the search bar at the top of the screen.
- Select ‘Azure AD Privileged Identity Management’.
- Select ‘Quick Start’ to walk through the set-up process.
Privileged Identity Management requires users to have a Premium P2 Azure licence, so we recommend that you only implement PIM for users that need access to complex administrative roles or to highly secure data.
6. Get a handle on shadow IT
Shadow IT refers to the unofficial solutions employees use to fill gaps in their day-to-day process. It might be because they don’t know a tool is available to your organization, they haven’t been properly trained on your company resources, or they’re more comfortable with an application they used previously. It sounds harmless, but shadow IT can be a real threat to your company’s security. Data shows that up to one-third of successfully attacks on businesses are related to data located on shadow IT solutions that are not properly managed by an organization’s IT department.
One obvious way to limit shadow IT is to restrict everything down to a bare minimum. Instead, we recommend working with your employees to understand their needs and get an understanding of what tools work, what don’t, and what they might be lacking in accomplishing their day-to-day. It’s also important that your team understands the security risks behind things like shadow IT, which is where our next recommendation fits in.
You can find out more about shadow IT, how to track it, and how to prevent it over on the Navo blog: How to Tackle Shadow IT in 2020.
7. Provide coaching to employees
It’s crucial to ensure your team understands data security, at least at a basic level. Providing examples of companies who have suffered from malicious attacks, explaining what policies you have in place, and helping them understand why these are all important steps in securing your data in the cloud, and supplement your Microsoft 365 security plan.
Keeping data security as part of your regular conversations with employees will help your team know the risks and understand your policies. Plus, it might prevent them from clicking on a link in a phishing email, entering their personal information they shouldn’t, or downloading files from untrustworthy websites. This alone goes a long way to helping keep your data safe.
8. Review the Microsoft Compliance Center
The Microsoft Compliance Center provides a snapshot of your organization’s security and compliance, including how you compare to others in your industry, and steps you can take to improve your posture.
To access your security score:
- Log in to Microsoft 365 Admin, then click ‘Security’ from the left-hand navigation.
- Click ‘Secure score’ from the left-hand navigation.
Your secure score is comparing your security set up to other organizations of the same size in the same industry. Microsoft will provide a list of steps you can take to improve your secure score, as well as how much each recommendation action will affect that score.
To access your compliance score:
- Log in to Microsoft 365 Admin, then click ‘Compliance’ from the left-hand navigation.
- Click ‘Compliance Manager’ from the left-hand navigation.
Your compliance score is based on the score that Microsoft thinks you should have, which in turn is based on Microsoft’s own compliance posture. Microsoft will also provide recommendations to improve your compliance here. However, don’t get too hung up on trying to reach 100%. Most of the recommendations in this section rely on extra licensing and administrative set up, and likely will not provide a great cost-benefit for your organization. We recommend reviewing the improvement actions Microsoft suggests for your organization and determining case by case which ones will have the greatest benefit for your organization.
Security in the cloud is a serious topic. There are dozens and dozens of Microsoft 365 security and compliance settings that you can implement to ensure that your company, your users, and your data are protected. The above recommendations represent a starting place for many organizations making their way into the cloud. These recommendations are not conclusive and should be built upon to ensure that your organization is secure, protected, and able to thrive in your cloud environment.
Need assistance planning and implementing your organization’s security plan? We can help! Get in touch at regroove.ca to start today.