Office 365 is Microsoft's premier cloud service, and the clear leader in the "back office" server cloud offering market. If your organization has not moved to Office 365 yet, it's a safe bet that someone within your organization will be making a strong push to get you there soon.
One of the main concerns I hear from customers who are hesitant to move to Office 365 is security. How do you know whether Office 365 is secure? What are the best-practice configurations for Office 365 security? Is "the cloud" safe?
In this blog post, I'm going to give you a quick rundown of the top security features of Office 365 and some pointers on how your organization can use these features to ensure that your data is safe.
Maybe the biggest security feature of Office 365 is the fact that it's designed to be secure by default. You, as an Office 365 administrator, don't need to do a lot to ensure your data is protected. The real promise of the cloud is that the people who specialize in designing and deploying solutions like Exchange, SharePoint, and Skype for Business do the work to ensure Office 365 runs on the best possible deployment of these services.
Once the deployment is taken care of, Microsoft also has security teams constantly checking to ensure that Office 365 stays safe. Microsoft uses both "blue" and "red" security teams. The "blue team" probes Microsoft's security from a "known" position, with insider knowledge of how the service is built. "Red team" members pose as outside hackers and constantly probe the security of Office 365 from the perspective of an external attacker.
Microsoft knows that their entire business model depends on keeping Office 365 secure, and they fully intend to do so.
EM+S is an add-on service to Office 365 that includes advanced security features. EM+S adds these features in three major categories: identity and access controls, mobile device management, and information protection.
MDM features are part of EM+S via Intune. Intune is a cloud-based MDM application that helps the organization keep control of its data while giving users the freedom to use their own devices. Organizational data is protected at the application level, not the device level. This allows users to control their devices and personal data without compromising organizational security.
The identity and access control features of EM+S come from Azure Active Directory Premium. AAD Premium adds features to your Azure AD like conditional access, behavioral analytics, and rights management based encryption. The identity security of Azure AD can be used to authenticate your users to thousands of non-Microsoft applications as well.
The current information protection features of EM+S extend the rights management encryption to a system that can classify and label your data so that end users don’t have to think about the proper level of protection to apply to specific data. With Azure Data Protection, data is automatically protected based on predefined rules you configure. Once Azure Data Protection is configured, any data related to “the Smith project” is protected on any device that is used to access it.
Office 365 is an ever-evolving and improving service. One of the great new additions to Office 365 is the Office 365 Security and Compliance Center. This new portal is designed to be a centralized place for administrators to manage security and compliance tasks across Office 365.
The high-level tasks that an administrator can complete from the Security and Compliance Center include:
Import data into Office 365
Audit admin and user activity
Manage mobile devices that access Office 365
Protect sensitive information with data loss prevention policies
The Security and Compliance Center rolls a lot of functionality into a single portal. I’m not going to have space in this blog post to go into all the actions that administrators can take there.
Enable MFA for all Global Admin accounts – I have one “backup” global admin account that does not require MFA. I disabled that account.
Enable MFA for all users – This is not practical for me. There are some test accounts, and some users, for whom this would be too much of a support issue for me. My dad just isn’t going to be able to figure out MFA.
Enable mailbox auditing for all users – Good idea. One simple PowerShell command and this is done.
# -ResultSize Unlimited is needed because Get-Mailbox returns only the first 1000 mailboxes by default
Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.AuditEnabled } | Set-Mailbox -AuditEnabled $true
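The three Secure Score items above can be checked from one script, so you can see where the tenant stands before and after you act on them. The following is an added example written for this post, not the Secure Score tool's own code or anything from the original article. It assumes you have already connected an Exchange Online remote PowerShell session and the MSOnline module (Connect-MsolService); the -Remediate switch, the 180-day audit retention, and the report shape are my own choices. One caveat worth knowing: StrongAuthenticationRequirements only reflects per-user MFA, so a Global Admin who is prompted for MFA through an Azure AD Premium conditional access policy will still show as "Disabled" here.

```powershell
# Added example (not from the original post): report the three Secure Score items
# discussed above and, with -Remediate, enable mailbox auditing where it is off.
# Assumes an Exchange Online PowerShell session and Connect-MsolService are already done.
param([switch]$Remediate)

$report = @()

# 1. Global Admins and their per-user MFA state. In MSOnline the Global Admin role is
#    named "Company Administrator". An empty StrongAuthenticationRequirements
#    collection means per-user MFA is neither enabled nor enforced.
$gaRole = Get-MsolRole -RoleName "Company Administrator"
$gaMembers = Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId -All |
    Where-Object { $_.RoleMemberType -eq 'User' }
foreach ($member in $gaMembers) {
    $user = Get-MsolUser -ObjectId $member.ObjectId
    $mfaState = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        $user.StrongAuthenticationRequirements[0].State   # "Enabled" or "Enforced"
    } else { 'Disabled' }
    $report += [pscustomobject]@{
        Check   = 'GlobalAdminMFA'
        Subject = $user.UserPrincipalName
        Status  = $mfaState
    }
}

# 2. Count of all users without per-user MFA (the item the author chose not to act on).
$allUsers = Get-MsolUser -All
$noMfa = $allUsers | Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 }
$report += [pscustomobject]@{
    Check   = 'AllUsersMFA'
    Subject = "$($noMfa.Count) of $($allUsers.Count) users"
    Status  = if ($noMfa.Count -eq 0) { 'Compliant' } else { 'NotCompliant' }
}

# 3. User mailboxes with auditing disabled. -ResultSize Unlimited avoids the
#    default 1000-mailbox cap; -RecipientTypeDetails skips shared/room mailboxes.
$unaudited = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled }
foreach ($mbx in $unaudited) {
    if ($Remediate) {
        # AuditLogAgeLimit raises retention from the 90-day default to 180 days (my choice).
        Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true -AuditLogAgeLimit 180
        $status = 'Remediated'
    } else {
        $status = 'AuditDisabled'
    }
    $report += [pscustomobject]@{
        Check   = 'MailboxAuditing'
        Subject = $mbx.UserPrincipalName
        Status  = $status
    }
}

# Anything that is not Enforced/Compliant/Remediated is a finding to follow up on.
$report | Format-Table -AutoSize
$findings = $report | Where-Object { $_.Status -notin 'Enforced', 'Compliant', 'Remediated' }
Write-Host "$($findings.Count) finding(s) remain."
```

Run it once without -Remediate to get the report, then with -Remediate to turn auditing on for the mailboxes it listed. Because Secure Score only recalculates every couple of days, this gives you an immediate view of which items are actually closed rather than waiting for the score to catch up.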
I took care of those three issues within a couple of minutes. I will go through the entire list and make my tenant as secure as I can over time.
My one complaint about this Secure Score tool is that there is no way to force a refresh of your score. It looks like my score is recalculated every two days, so I might have to wait a while for the score to update.
Microsoft has made security a priority for its cloud services, but Microsoft can only do so much. IT administrators must be aware of the features and functionality available to protect their data, and they must be ready to help end users implement those features.
Taking the time to understand how to secure your organization's data in the cloud is of paramount importance.