Office 365 Security & Compliance

Author: Chris Gent


So, you have moved to Office 365. I can imagine that your IT department is rejoicing in the fact that they will never again have to run ESEUTIL, especially at 2am on a corrupt Exchange database; it is an experience nobody wants.

Office 365 offers a secure, resilient, and scalable platform that allows your employees to share information and collaborate from anywhere. However, if left unchecked it could hide major vulnerabilities for your business. There is a lot to O365 security, and it all needs to be configured and managed well.

What Security Does Office 365 Offer?

The platform has some great features to improve your business's security posture; for instance, enabling multi-factor authentication with the Microsoft Authenticator app boosts your overall cyber security and offers an easy solution for your employees. It is also an important stepping stone towards a zero-trust security model.

Other security features include: 

  • Advanced Threat Protection

  • AppLocker

  • Azure Information Protection

  • BitLocker

  • Conditional Access 

  • DMARC/DKIM/SPF

  • Mobile Device Management / Intune

  • Policy Controls

  • Privileged Identity Management

  • Windows Defender

Phishing emails offer criminals a way to reach people within your organisation and conduct attacks. SPF, DKIM and DMARC are protective controls: they need careful planning to implement, but they let receiving mail systems reject messages that impersonate your domain, and so help your business defend itself and its customers against spoofed mail. 

If you do get phished, the attacker has whatever access the compromised account has. Most businesses' IT departments have adopted a 'least privilege' approach to limit who holds administrator rights, but you should check whether this has been extended to your cloud environment, which has its own set of administrator roles. This is where privileged access management, coupled with business governance processes, can really help control access, ensure approval and enforce change control over your environment.

The data you store in Office 365 will vary in classification. Tools such as Azure Information Protection and data loss prevention help your business label its information and add another layer of control that prevents the most sensitive data (for example OFFICIAL-SENSITIVE in government) from being exposed, whether accidentally or maliciously.

It is not just O365: another important consideration is how you manage the devices that access it. This includes not only mobile phones and tablets but also your Windows and Mac devices. Device compliance and health monitoring can be tailored to your business needs.

So, there is a rich set of controls. What happens if you don’t get it right, especially when you consider that cyber security is a shifting landscape?

What Vulnerabilities Can Office 365 Create?

With any service that stores data in the cloud, your business needs to be much more aware of the threats, for example:

  • Who is accessing your data, whether credentials have been leaked, and whether permissions have been set that allow more access than is required.

  • The potential for data to be leaked out of your business, either accidentally (by sharing files or setting incorrect permissions) or maliciously. 

  • Your business's susceptibility to phishing: a high percentage of attacks start with an email that attempts to deliver malware or ransomware to your equipment. 

  • The security of the endpoints accessing your data, the practices in place to keep them compliant, and management-level assurance that equipment has a secure configuration.
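The first point in the list above, and the earlier warning about compromised accounts, are questions the Office 365 sign-in logs can answer if someone looks at them. The following Python script is an added example (not Nexor's tooling and not from the original article) that runs three detections a practitioner would typically start with over a handful of constructed sign-in events: a successful sign-in over a legacy protocol such as IMAP4 (which cannot enforce MFA), "impossible travel" where one user signs in from two countries within a few hours, and a password spray where one IP address fails with bad passwords against many accounts. The events, user names, IP addresses and the shortened field names are assumptions made for the example; the real Azure AD sign-in export carries the same information as `userPrincipalName`, `ipAddress`, `clientAppUsed`, `location.countryOrRegion` and `status.errorCode`.

```python
"""Run three simple detections over Office 365 / Azure AD sign-in events.

Added example for this article, not Nexor's tooling. The events are
constructed and use shortened field names; the Azure AD sign-in log export
carries the same information as userPrincipalName, ipAddress,
clientAppUsed, location.countryOrRegion and status.errorCode.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). error 0 = success.
EVENTS = [
    {"time": "2023-03-01T08:00:00Z", "user": "alice@contoso.example", "ip": "203.0.113.10", "country": "GB", "app": "Browser", "error": 0},
    {"time": "2023-03-01T08:40:00Z", "user": "alice@contoso.example", "ip": "198.51.100.7", "country": "BR", "app": "Browser", "error": 0},
    {"time": "2023-03-01T09:05:00Z", "user": "bob@contoso.example", "ip": "192.0.2.22", "country": "GB", "app": "IMAP4", "error": 0},
    {"time": "2023-03-01T11:00:00Z", "user": "carol@contoso.example", "ip": "203.0.113.10", "country": "GB", "app": "Mobile Apps and Desktop clients", "error": 0},
]
# One source IP trying a password against many accounts: a password spray.
EVENTS += [
    {"time": f"2023-03-01T10:{2 * i:02d}:00Z", "user": f"{name}@contoso.example", "ip": "198.51.100.99", "country": "NL", "app": "Other clients", "error": 50126}
    for i, name in enumerate(["dave", "erin", "frank", "grace", "heidi", "ivan"])
]

MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}  # anything else is legacy auth
BAD_PASSWORD = 50126          # Azure AD error code: invalid username or password
TRAVEL_WINDOW = timedelta(hours=4)
SPRAY_WINDOW = timedelta(minutes=30)
SPRAY_MIN_USERS = 5


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")


def legacy_auth(events):
    """Successful sign-ins over legacy protocols, which bypass MFA and Conditional Access."""
    return [{"rule": "legacy_auth", "user": e["user"], "ip": e["ip"], "app": e["app"]}
            for e in events if e["error"] == 0 and e["app"] not in MODERN_CLIENTS]


def impossible_travel(events):
    """Consecutive successful sign-ins by one user from different countries within TRAVEL_WINDOW."""
    by_user = defaultdict(list)
    for e in events:
        if e["error"] == 0:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        for prev, cur in zip(evs, evs[1:]):
            if prev["country"] != cur["country"] and _ts(cur) - _ts(prev) <= TRAVEL_WINDOW:
                alerts.append({"rule": "impossible_travel", "user": user,
                               "from": prev["country"], "to": cur["country"]})
    return alerts


def password_spray(events):
    """One IP failing with bad passwords against SPRAY_MIN_USERS distinct users inside SPRAY_WINDOW."""
    by_ip = defaultdict(list)
    for e in events:
        if e["error"] == BAD_PASSWORD:
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=_ts)
        start = 0
        for end in range(len(evs)):            # sliding window over failures from this IP
            while _ts(evs[end]) - _ts(evs[start]) > SPRAY_WINDOW:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= SPRAY_MIN_USERS:
                alerts.append({"rule": "password_spray", "ip": ip, "users": len(users)})
                break                          # one alert per IP is enough
    return alerts


def detect(events):
    """All alerts from the three rules, in rule order."""
    return legacy_auth(events) + impossible_travel(events) + password_spray(events)


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On the sample data this raises one alert per rule: Bob's IMAP4 sign-in, Alice's GB to BR move within 40 minutes, and the spray from 198.51.100.99. The legacy authentication rule is the one to act on first, because blocking legacy protocols with Conditional Access removes the path that the password spray is relying on.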

Cyber security has always been a moving target, so ask whether the right business processes are in place to ascertain that the controls are still effective.

So how do you get it right?

Best Practice

Help is at hand from Microsoft and NCSC.

Office 365 

  • Microsoft Office 365 Secure Configuration guidance

  • Aligned to UK OFFICIAL

End user device 

  • NCSC’s end user device security guidance

  • Windows 10 / Mac

  • Mobile platforms (iPhone / Android)

How Can Nexor Help?

What Nexor can offer is an independent assessment against best practice, helping you understand the business risks present in both the technical and governance aspects of your environment, together with tailored, actionable improvement plans that reflect your business risks and your risk appetite. Get in touch with our team of experts today.


About the author

Chris is a Certified Information Systems Security Professional (CISSP) and EC-Council Certified Security Analyst (ECSA Practical) with over 20 years' IT and 5 years' cyber security experience. His recent projects include vulnerability assessing and auditing IT systems against the Center for Internet Security framework, helping organisations attain and maintain security governance such as ISO 27001 and Cyber Essentials Plus, and designing secure network solutions around new products and services.
