In the early days of cloud computing there was a lot of concern around the security of data moved to “someone else’s datacenter”. I think it’s clear to most CISOs today that the big providers do a much better job of IT security than most businesses can do (or have the budget to do).

Their incentive is also strong: if a large breach happened it could affect many thousands of businesses, so they spend a lot of money on making sure their clouds are as secure as they can be.

That doesn’t mean, however, that you can leave it all to Microsoft. There’s something called the Shared Responsibility Model, and all cloud providers have some version of it.

There are some areas that are still your responsibility in every version of the model: your data and your identities, the endpoints your users use to access cloud services, any on-premises infrastructure operating in hybrid mode with O365, and user provisioning and de-provisioning.

There are also many security controls in O365 that you need to customize to suit your business, where you and Microsoft share the security responsibility. In this article we’ll look at these controls and where and how you configure them.

A New Approach to Cloud Security

The foundation for “how you think about security” should be Zero Trust: instead of trusting a connection based on where it’s coming from (“if it’s on the internal LAN it’s safe, from the outside it’s dangerous”), every access request is evaluated against your Conditional Access policies (who the user is, what device they are on, what they are asking for and how risky the sign-in looks), which gives you a much better security posture.
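As an added example (not code from the original article), this is how the “every access is checked” rule looks in practice: a Conditional Access policy requiring MFA for all users on all cloud apps, created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the caller holds the Conditional Access Administrator role, and `<break-glass-group-id>` is replaced with the object ID of your emergency-access group (a placeholder, not a real ID).

```powershell
# Added example: "require MFA for everyone" Conditional Access policy, created
# in report-only mode first so the sign-in logs show its impact before enforcement.
# Assumptions: Microsoft.Graph module installed; caller is a Conditional Access
# Administrator; <break-glass-group-id> is a placeholder for your emergency-access group.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "<break-glass-group-id>"

$policy = @{
    displayName = "CA001 - Require MFA for all users (report-only)"
    # Report-only: evaluated and logged, but nothing is blocked yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # never lock out emergency accounts
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Review what was created; once the report-only results look right,
# switch the policy to enforced with Update-MgIdentityConditionalAccessPolicy.
$created = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'CA001 - Require MFA for all users (report-only)'"
$created | Select-Object Id, DisplayName, State
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

The break-glass exclusion is the part practitioners most often forget: with “All users” and “All cloud apps” in scope, a misconfigured policy can lock every administrator out, so keep at least one excluded emergency account and monitor its use.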

Base your security on identity, which is the new firewall, and keep up with the new features Microsoft releases in the security space.

When thinking about how to defend your systems, don’t forget to take into account attackers moving from on-premises to the cloud, as we saw in the SolarWinds breach, where the attackers stole AD FS token-signing keys to forge SAML tokens and added their own credentials to existing Entra ID applications to reach Microsoft 365.

If you have M365 E5 licensing, you can use attack simulation training to test your users with fake phishing emails and provide bite sized training automatically to them based on their propensity to fall for them. If you’d like more control and optimization, try out Hornetsecurity’s Security Awareness Service which delivers fully automated benchmarking, spear-phishing-simulation and e-training to sensitize and protect employees against cyber threats.

Remember Entra ID Premium P1 & P2 which you can purchase as add-ons to O365 (included in M365), we covered their security features in this article.

There’s a strong argument to be made that relying on Microsoft both to provide the platform (Office 365) and also paying extra for advanced security features from the same company is a conflict of interest.

After all, Microsoft could include more security features in the base platform (Office 365 E3 and Microsoft 365 E3 for example), rather than charging extra for them.

As such, many enterprises choose to opt for a third-party service for advanced security services on top of the base platform, such as Hornetsecurity’s 365 Total Protection.

365 Total Protection

365 Total Protection is a cloud-based security solution that covers all aspects of an organization’s Microsoft 365 security management and data protection: email security, backup and recovery, compliance, permission management and security awareness.

The solution is specifically developed for Microsoft 365 and requires no hardware, software, or maintenance, while providing much-needed layers of additional security and data protection against spam, malware, and advanced threats.

365 Total Protection from Hornetsecurity comes in four different plans:

  1. 365 Total Protection Business gives you state of the art email security, spam and malware protection, signatures, and encrypted email.
  2. 365 Total Protection Enterprise adds email archiving, 10-year retention, eDiscovery, Advanced Threat Protection (ATP) sandboxing of suspect emails, URL scanning, QR code analyzer.
  3. 365 Total Protection Enterprise Backup adds automated backup of mailboxes, Teams, OneDrive and SharePoint and easy recovery, Windows endpoint backup and recovery.
  4. 365 Total Protection Compliance & Awareness adds Permission Manager, Security Awareness Service and AI Recipient Validation to the offering.

This wide range of Microsoft 365 security and compliance features is available in one package and in one license.

365 Permission Manager

One of the three pillars of Zero Trust, least-privilege access, is remarkably hard to achieve at scale. This is particularly evident in SharePoint and OneDrive, where you not only have a complex set of overlapping permission options but also sharing of files and sites with external users, through SharePoint, OneDrive and, now commonly, Teams.

Inventorying all the permissions that have been granted and reporting on them requires browsing multiple screens or running PowerShell scripts.

There’s also no easy way to “right-size” permissions when they’re too broad, nor a quick way to revoke permissions across all sites when, for example, a user account is discovered to have been compromised.

A unique product from Hornetsecurity, 365 Permission Manager alleviates all these issues, and more. A centralized dashboard shows you all your sites, and how compliant they are with your sharing policies.

To right-size permissions use the simple Fix button, or in the case of genuine business requirements for an exception to policy, Approve a special case.

Built-in or custom policies that control external sharing, internal sharing and associated settings can be applied to individual SharePoint sites or OneDrive locations, improving governance and risk management considerably.

You can also see permissions across SharePoint, OneDrive, and Teams for a selected user, very useful when you suspect an account compromise, or perhaps in the case of an insider risk investigation.

Another very useful feature is Quick Actions, which lets you perform bulk actions to manage permissions and maintain a compliant SharePoint, Teams and OneDrive infrastructure.

Microsoft Purview Information Protection

All the governance, Data Loss Prevention (DLP) and Information Protection features in M365 come under the Purview umbrella, with the portal located at compliance.microsoft.com (which now redirects to purview.microsoft.com).

Using labels to classify data, either manually or automatically by crawling documents or emails, lets you start to govern your business information. Once a document has been labeled you can use MIP or OME to protect it (see below), control access on Windows endpoints through policy, and manage access in Office for Mac, Windows, iOS and Android.

Microsoft Information Protection

One of the most powerful and least deployed features is the ability to protect documents, no matter where they live. Traditional file / SharePoint document sharing tightly controlled access at the server level but as soon as a document is emailed to someone, or stored on a USB drive, that control is lost.

With Microsoft Information Protection (MIP) you can set up labels and rules that encrypt documents and carry the access rights with them, so no matter how they’re shared, only the right people can open them.

If you’re getting started with MIP, you’ll be using the built-in client in the Office apps on Windows, Mac, iOS and Android. It’s important to configure super user accounts (the Azure Rights Management super user feature, which is off by default) so that authorized staff can still open protected documents when a user leaves the company or during eDiscovery.
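The super user setup described above, as an added example rather than code from the article. It uses the AIPService PowerShell module and assumes it is installed, that the caller is a Global Administrator or Azure Information Protection administrator, and that `rms-superusers@contoso.com` is a placeholder for a real, tightly controlled security group.

```powershell
# Added example: enable the Azure RMS super user feature and delegate it to a group.
# Assumptions: AIPService module installed; caller is Global Admin or AIP admin;
# rms-superusers@contoso.com is a placeholder mail-enabled security group.
Connect-AipService

# Off by default. Enabling it has no effect until a user or group is designated.
Enable-AipServiceSuperUserFeature

# Use a group rather than individual accounts: membership is reviewable and
# changing it does not require touching the RMS configuration again.
Set-AipServiceSuperUserGroup -GroupEmailAddress "rms-superusers@contoso.com"

# Verify the state and who holds the right.
Get-AipServiceSuperUserFeature     # expected: Enabled
Get-AipServiceSuperUserGroup
Get-AipServiceSuperUser            # individually designated accounts, if any

# Super user rights can decrypt everything the tenant protects, so review
# configuration changes regularly; the admin log records who changed what.
Get-AipServiceAdminLog -Path "C:\Logs\AipAdminLog.txt"
```

Treat membership of that group like Global Administrator membership: keep it empty until needed, add members through a time-bound process, and alert on changes to it.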

The list of sensitive information types (SITs) grows ever longer and it’s now possible to customize the confidence levels of rules, copy the built-in ones and customize them and create larger keyword dictionaries (catch every mention of a staff ID tag, or patient record number).

It’s possible to co-author protected documents in real time (with AutoSave support!) and in larger deployments you can use variables in MIP rules to facilitate per-app content marking.

You can apply labels (and optionally document encryption) to documents, SharePoint online sites, and on-premises SharePoint and file shares. You can also scan images using Optical Character Recognition (OCR) to catch sensitive information in screenshots and the like.

Sensitivity labels are now also available for SharePoint sites, M365 groups and Teams. This doesn’t apply to content stored in those locations but rather manages privacy of the container, external user access and can also integrate with Conditional Access policies to block access from unmanaged devices for example.

You can however configure a default sensitivity label for a SharePoint site.

Office 365 Message Encryption

In a similar way to how MIP allows you to share protected documents with anyone, you can use Office 365 Message Encryption (OME) to send email to anyone and know that only the intended recipient can read it; recipients outside your organization authenticate with a one-time passcode or by signing in with their own Microsoft, Google or Yahoo account.

Like MIP, you can also set up mail flow rules so that emails containing specific information (credit card numbers, social security numbers) are encrypted automatically.
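One such automatic-encryption rule, as an added example (not the article’s code): an Exchange Online mail flow rule that applies the built-in OME “Encrypt” template to outbound mail containing a credit card number. It assumes the ExchangeOnlineManagement module is installed and the caller holds a role that can manage transport rules.

```powershell
# Added example: auto-encrypt outbound mail that contains payment card data.
# Assumptions: ExchangeOnlineManagement module installed; caller can manage
# mail flow rules; the built-in "Encrypt" OME template exists in the tenant.
Connect-ExchangeOnline

New-TransportRule -Name "Encrypt outbound mail with payment card data" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @( @{ Name = "Credit Card Number"; MinCount = "1" } ) `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Mode Enforce `
    -Comments "OME: encrypt card data leaving the organization"

# Confirm the rule took and that the template it references is available.
Get-TransportRule -Identity "Encrypt outbound mail with payment card data" |
    Format-List Name, State, Mode, ApplyRightsProtectionTemplate
Get-RMSTemplate | Select-Object Name, Description
```

Start with `-Mode Audit` on a real tenant if you are unsure how often the classifier fires; the rule then logs matches in message trace without changing delivery, and you switch to `Enforce` once the false-positive rate is acceptable.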

Data Loss Prevention (DLP)

The aim of Data Loss Prevention (DLP) is to help users do the right thing by alerting them when they’re about to share sensitive data through email, SharePoint Online, OD4B or Teams.

It can also be integrated with MIP as Microsoft continues the journey of unifying labeling and protection across M365. DLP protection has been extended to Windows 10 and 11 with Endpoint DLP, which can block uploading documents with sensitive content to cloud storage, copying sensitive information to the clipboard, USB storage or network shares, and printing.

There’s also an extension for Google Chrome that extends DLP protection to browser tasks. DLP has also been extended to on-premises file shares and SharePoint Server using the MIP scanner to find sensitive documents, and alert management for DLP violations is vastly improved.
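To show what “help users do the right thing” looks like in configuration, here is an added example (not code from the article) of a DLP policy covering Exchange, SharePoint, OneDrive and Teams with two rules: a policy tip for low volumes of card numbers and a block on external sharing for high volumes. It uses Security & Compliance PowerShell and assumes the ExchangeOnlineManagement module is installed, the caller is a Compliance Administrator, and `dlp-alerts@contoso.com` is a placeholder mailbox.

```powershell
# Added example: tiered DLP policy for payment card data, deployed in test mode first.
# Assumptions: ExchangeOnlineManagement module installed; caller is Compliance
# Administrator; dlp-alerts@contoso.com is a placeholder incident mailbox.
Connect-IPPSSession

$policyName = "PCI - payment card data"
$alertBox   = "dlp-alerts@contoso.com"

# Test mode with notifications: users see policy tips, nothing is blocked,
# and the DLP reports tell you how noisy the rules are before enforcement.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Rule 1: 1-9 card numbers shared externally -> educate, record, low severity.
New-DlpComplianceRule -Name "PCI - low volume - notify" -Policy $policyName `
    -ContentContainsSensitiveInformation @( @{ Name = "Credit Card Number"; MinCount = "1"; MaxCount = "9" } ) `
    -AccessScope NotInOrganization `
    -NotifyUser @("LastModifier", "Owner") `
    -GenerateIncidentReport @($alertBox) `
    -ReportSeverityLevel Low

# Rule 2: 10+ card numbers shared externally -> block external access, high severity.
New-DlpComplianceRule -Name "PCI - high volume - block" -Policy $policyName `
    -ContentContainsSensitiveInformation @( @{ Name = "Credit Card Number"; MinCount = "10" } ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyUser @("LastModifier", "Owner") `
    -GenerateIncidentReport @($alertBox) `
    -ReportSeverityLevel High

# Verify, then enforce once the test-mode reports look right:
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, Workload
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The split into a “notify” and a “block” tier is deliberate: blocking on a single match generates support tickets and teaches users to work around DLP, whereas a policy tip on the first match and a hard block only at volume keeps the control credible.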

Exchange Online Protection (EOP)

Exchange Online Protection (EOP) is the mail hygiene solution for Office 365 and can also protect your on-premises Exchange mailboxes if you’re in a hybrid deployment (Exchange Online article).

There are a few settings you can control for EOP, as well as some DNS configuration you should put in place for complete spam and spoofing protection: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
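An added example (not from the article) of the SPF/DKIM/DMARC work: enable DKIM signing for a domain in Exchange Online, then check from the outside what a receiving mail server would actually see. It assumes `contoso.com` is a placeholder for one of your accepted domains, the ExchangeOnlineManagement module is installed, and it runs on Windows, where `Resolve-DnsName` is available.

```powershell
# Added example: turn on DKIM for a domain and audit SPF, DKIM and DMARC from DNS.
# Assumptions: contoso.com is a placeholder accepted domain; ExchangeOnlineManagement
# module installed; Windows host (Resolve-DnsName comes from the DnsClient module).
$domain = "contoso.com"

Connect-ExchangeOnline

# Step 1: create the signing keys but leave signing off; enabling fails until the
# two CNAME records the cmdlet reports (selector1/selector2) are published in DNS.
New-DkimSigningConfig -DomainName $domain -KeySize 2048 -Enabled $false
Get-DkimSigningConfig -Identity $domain | Format-List Enabled, Selector1CNAME, Selector2CNAME

# Step 2 (after the CNAMEs resolve): switch signing on.
# Set-DkimSigningConfig -Identity $domain -Enabled $true

# External view: resolve the records exactly as a receiver would.
function Test-MailAuthRecords {
    param([string]$Domain)

    $spf = (Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue).Strings |
           Where-Object { $_ -like "v=spf1*" } | Select-Object -First 1

    $dmarc = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue).Strings |
             Where-Object { $_ -like "v=DMARC1*" } | Select-Object -First 1

    $dkim = foreach ($selector in "selector1", "selector2") {
        Resolve-DnsName -Name "$selector._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty NameHost
    }

    # "p=" is the DMARC policy; p=none only reports, quarantine/reject actually protects.
    $dmarcPolicy = if ($dmarc -and $dmarc -match "(?:^|;)\s*p=(\w+)") { $Matches[1] } else { $null }

    [pscustomobject]@{
        Domain      = $Domain
        SPF         = $spf
        SPFHardFail = [bool]($spf -and $spf -match "-all")   # "+all"/"?all" or no "all" is a finding
        DKIM        = $dkim                                     # empty means the CNAMEs are missing
        DMARC       = $dmarc
        DMARCPolicy = $dmarcPolicy
    }
}

Test-MailAuthRecords -Domain $domain
```

A common failure mode this check catches: SPF and DKIM published, DMARC stuck at `p=none` for years because nobody reads the aggregate reports. Move to `quarantine` and then `reject` once the reports show only legitimate senders passing alignment.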

If you find that EOP isn’t catching enough malicious email, consider third-party services. Hornetsecurity offers a free tool called Threat Monitor (requiring no changes to your MX records) that identifies advertising email (spam), threats and advanced threats, and also lets you delete them from users’ mailboxes.

Threat Monitor provides valuable email statistical data for your tenant as to what EOP is missing, making the case for upgrading email hygiene services easier.

Defender for Office 365

Defender for Office 365 (available in O365 E5 or as a standalone add-on) builds on top of EOP and gives you Safe Attachments, where attachments in incoming email that may be malicious are detonated in a sandbox VM and checked before they’re delivered to end users.

Safe Links checks that links in emails and Office files aren’t malicious at the time the user clicks them rather than at delivery time, which catches links that are weaponized only after the message has passed the filter. Anti-phishing detects attempts to impersonate users and domains; these protections also extend to SharePoint, OD4B and Teams.

If you find Defender for Office 365 too pricey (It’s included in M365 E5, E5 Security or as a separate add-on) have a look at Hornetsecurity’s 365 Total Protection which comes in a Business and an Enterprise flavor.

Business gives you granular control over email categories and content so that you can block unwanted emails.

You can set email signatures with company disclaimers and use either PGP or S/MIME for email encryption, with certificate handling built in.

The Enterprise flavor adds email archiving / journaling with up to 10 years retention, eDiscovery and sandbox analysis of attachments, URL rewriting and scanning (both in emails and in attachments) and Contingency Covering through an email failover environment when Microsoft 365 is down.

Auditing

One of the great features of the unified platform of O365 is the ability to audit user and administrator actions across the entire platform.

At a minimum you want to configure alerting on Entra ID actions. Go to the Compliance portal – Search – Audit log search to see all the different activities you can audit and report on, and to create Alert policies for them.

By default, Office 365 audit logs are kept for 180 days (Entra ID sign-in and audit logs for 30 days with a Premium P1/P2 license, and only 7 days without), which may not be sufficient for your business or the regulations you must comply with.

You have two options: use a third-party service or a SIEM (for example via Entra ID diagnostic settings) to continuously export the logs and archive them for the period you require, or assign M365 E5 (or M365 E5 Compliance / Discovery & Audit) licenses to the users whose logs you want to keep longer. This unlocks one-year retention; keeping logs for ten years requires the separate 10-Year Audit Log Retention add-on.
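As an added example (not code from the article), the kind of audit search an incident responder runs against the unified audit log: privileged Entra ID changes over the last 30 days, paged past the 5000-record limit and flattened to CSV. It assumes the ExchangeOnlineManagement module is installed, the caller holds the Audit Logs role, and unified audit logging is enabled; the operation names are the ones Entra ID records for these events.

```powershell
# Added example: pull privileged Entra ID changes from the unified audit log.
# Assumptions: ExchangeOnlineManagement module installed; caller has the Audit Logs
# role; unified audit logging is enabled for the tenant.
Connect-ExchangeOnline

# Fail early: if ingestion is off, every search below returns nothing.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    throw "Unified audit logging is disabled. Run: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
}

$start = (Get-Date).AddDays(-30)
$end   = Get-Date

# Operations an attacker uses for privilege escalation and persistence.
$ops = @(
    "Add member to role.",                 # new privileged role assignment
    "Add service principal credentials.",  # secret/cert added to an app: classic persistence
    "Set federation settings on domain.",  # SolarWinds-style federation tampering
    "Reset user password."                 # admin-driven password reset
)

# Search-UnifiedAuditLog returns at most 5000 rows per call; keep a session ID
# and ask for the next page until a page comes back short.
$sessionId = "audit-" + [guid]::NewGuid()
$results   = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType AzureActiveDirectory -Operations $ops `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $results += $batch
} while ($batch.Count -eq 5000)

# AuditData is a JSON blob; flatten the fields an analyst needs first.
$results | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        Actor     = $d.UserId
        Target    = $d.ObjectId
        ClientIP  = $d.ClientIP
        Result    = $d.ResultStatus
    }
} | Sort-Object Time | Export-Csv -Path ".\entra-privileged-changes.csv" -NoTypeInformation
```

Run this on a schedule and diff the output against the previous run, or better, turn the same operations into Alert policies so you are told about them rather than having to look.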

Say Goodbye to Passwords?

Ultimately the best way to manage passwords is to not have any stored in your directory and not have your users use any: this is called passwordless.

There are many steps on the journey towards this end goal. Today you can use the Microsoft Authenticator app to sign in to an Entra ID account (not as a second factor but as the only factor), Windows Hello for Business, or a FIDO2 hardware USB/NFC key.

In the meantime, enable Entra ID Password Protection to ban commonly used passwords (2000 in a list maintained by Microsoft plus up to 1000 custom terms common in your organization, city or sports teams); matching is fuzzy, so common substitutions such as “P@ssw0rd” are caught as well.

This works seamlessly for cloud-only accounts and can be extended to on-premises AD with the Password Protection DC agent and proxy service. When you require your users to register for MFA, they also register for Self-Service Password Reset at the same time through combined registration.

Block User Access

If you suspect or confirm that a user account has been compromised, the first step should be to block sign-in for the account in the Microsoft 365 admin center and revoke its sessions in Entra ID.

You should be aware, however, that the user (or the attacker) isn’t immediately logged out of services they’re already using. Disabling the account and revoking sessions invalidates its refresh tokens, but access tokens that have already been issued remain valid until they expire, which is one hour by default, so it can take up to an hour for the block to take effect.

The solution to this issue is Continuous Access Evaluation (CAE), which today applies to Exchange Online, Teams and SharePoint Online (with a CAE-capable client) and blocks access in near real time (occasionally with up to 15 minutes of latency due to event propagation).
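The containment steps above as an added example (not the article’s code), using the Microsoft Graph PowerShell SDK: disable the account, revoke its refresh tokens and sessions, confirm the revocation timestamp, and then check the places an attacker leaves persistence behind. It assumes the Microsoft.Graph module is installed, the caller holds User Administrator (Privileged Authentication Administrator for privileged targets), and `victim@contoso.com` is a placeholder UPN.

```powershell
# Added example: contain a compromised Entra ID account and look for persistence.
# Assumptions: Microsoft.Graph module installed; caller is User Administrator
# (Privileged Authentication Administrator if the target is privileged);
# victim@contoso.com is a placeholder.
Connect-MgGraph -Scopes "User.ReadWrite.All", "User.RevokeSessions.All",
                        "UserAuthenticationMethod.Read.All", "Directory.Read.All"

$upn = "victim@contoso.com"

# 1. Block new sign-ins.
Update-MgUser -UserId $upn -AccountEnabled:$false

# 2. Invalidate refresh tokens and session cookies. Access tokens already issued
#    stay valid until expiry (one hour by default) unless the resource supports
#    Continuous Access Evaluation, which Exchange, SharePoint and Teams do.
Revoke-MgUserSignInSession -UserId $upn

# 3. Confirm, and note the timestamp: any token issued before it is now rejected.
Get-MgUser -UserId $upn -Property AccountEnabled, SignInSessionsValidFromDateTime |
    Select-Object AccountEnabled, SignInSessionsValidFromDateTime

# 4. Persistence checks. An attacker who had the account typically registers an
#    MFA method, consents to an OAuth app, or creates inbox rules; disabling the
#    account does not undo any of those.
Get-MgUserAuthenticationMethod -UserId $upn | Select-Object Id, AdditionalProperties
Get-MgUserOauth2PermissionGrant -UserId $upn | Select-Object ClientId, Scope, ConsentType
# Inbox rules live in Exchange Online: Connect-ExchangeOnline; Get-InboxRule -Mailbox $upn
```

Keep the revocation time from step 3 in the incident record: it is the boundary between tokens that still work and tokens that do not, and it is what you compare against sign-in log timestamps when deciding whether post-containment activity is the attacker or a stale session draining out.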


To keep up with the latest Microsoft 365 articles and practices, visit our Hornetsecurity blog now.

Conclusion

In conclusion, safeguarding your Office 365 environment is paramount in today’s digital landscape.

By leveraging advanced security features such as Defender for Office 365 and comprehensive solutions like Hornetsecurity’s 365 Total Protection, coupled with meticulous auditing practices, you can fortify your defenses and protect your organization from evolving cyber threats.

FAQ

Does Office 365 have security?

Yes, Office 365 incorporates robust security features to protect user data and ensure confidentiality, integrity, and availability of services. It includes features like threat protection, data loss prevention, multi-factor authentication, and more.

How do I enable security in Office 365?

Enable security features in Office 365 through the Microsoft Defender portal and the Purview compliance portal. Implement multi-factor authentication, configure threat protection policies, and use features like Purview Information Protection and DLP to enhance data security.

What is the best way to secure Office 365?

The best way to secure Office 365 involves a multi-layered approach:

  • Implement multi-factor authentication.
  • Configure Conditional Access policies in Entra ID.
  • Regularly update and patch software.
  • Educate users on security best practices.
  • Use advanced threat protection services.

How secure is the data in Microsoft 365?

Data in Microsoft 365 is highly secure. Microsoft employs encryption in transit and at rest, complies with industry standards, and offers features like Purview Information Protection and Data Loss Prevention to enhance data security. However, users should also implement best practices to ensure the security of their specific environment.