Companies get into trouble when they do not fully understand how data moves through Office 365, or when they apply on-premises security practices to their cloud strategy. While the Office 365 platform comes with some security features and configuration options that all customers should take advantage of, the native or built-in tools do not address many vulnerabilities or other security issues.
Enterprises are increasingly relying on zero trust cybersecurity strategies to mitigate risk and prevent data breaches. With the zero trust model, an organization only allows access between IT entities that have to communicate with each other. IT and security teams secure every communication channel and remove generic access to prevent malicious parties from eavesdropping or obtaining critical data or personally identifiable information (PII).
One problem with a zero trust strategy is that implementing it in Azure Active Directory (Azure AD) is highly complicated. For instance, IT and security teams can label an employee an “Application Administrator,” which gives them, and anyone else with that label, the ability to perform or change 71 different attributes. The problem with these cookie-cutter roles is that organizations do not know precisely what all of the corresponding admin-controlled attributes mean, nor do they know what functionality they are granting.
Under the Office 365 centralized admin model, all administrators have global credentials, which means they have access to each and every user. Not only is this deeply inefficient, it also creates huge security problems. Did you know that 80% of SaaS breaches involve privileged permissions? And that admins have the most privileges of all? In Office 365, user identity must be treated as the security perimeter.
The native Office 365 admin center focuses on providing global admin rights, giving admins who tend to work locally far more power and privileges than they need. This centralized model of setting privileges in Office 365 relies entirely on granting “global admin rights” to everyone who administers anything, including regional, local, or business unit administrators.
The native Office 365 Admin Center does not enable you to easily set up rights based on business unit or country, or for remote or satellite offices. In addition, you cannot easily limit an admin’s rights granularly, so they can only perform limited and specific functions, such as changing passwords when requested.
So, how do you mitigate the risk related to Office 365’s operator rights? Some IT veterans may answer with role-based access control (RBAC), as it allows organizations to partition permissions based on job roles, resulting in far fewer, truly trusted global administrators. These global admins are augmented by a set of local or business-unit-focused admins with no global access, all leading to far better protection for your Office 365 environment.
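As an added example of the scoped-admin model described above (this is not CloudM’s or Microsoft’s code), the following Microsoft Graph PowerShell session bounds a helpdesk admin to one office by placing that office’s users in an Azure AD administrative unit and assigning the built-in Helpdesk Administrator role only within it. The office name, the `city` attribute used to select users, and the admin’s UPN are placeholders, and the caller is assumed to hold Privileged Role Administrator.

```powershell
# Added example: give a regional helpdesk admin password-reset rights over one office's
# users only, instead of tenant-wide Global Administrator.
# Assumes the Microsoft.Graph PowerShell SDK is installed; names below are placeholders.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All","RoleManagement.ReadWrite.Directory","User.Read.All"

$officeName  = "Paris Office"                    # placeholder business unit / region
$localAdmin  = "helpdesk.paris@contoso.example"  # placeholder: the local admin account
$officeUsers = Get-MgUser -Filter "city eq 'Paris'" -All   # placeholder scoping attribute

# 1. Create the administrative unit that bounds the admin's reach.
$au = New-MgDirectoryAdministrativeUnit -DisplayName $officeName `
        -Description "Users administered by the Paris helpdesk"

# 2. Populate it with the users the local admin is allowed to manage.
foreach ($u in $officeUsers) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($u.Id)" }
}

# 3. Assign a limited built-in role (Helpdesk Administrator can reset passwords of
#    non-admin users) scoped to the AU rather than to the whole tenant.
#    A directory role must be activated once before Get-MgDirectoryRole returns it.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Helpdesk Administrator'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Helpdesk Administrator'
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}
$admin = Get-MgUser -UserId $localAdmin
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id `
    -RoleId $role.Id -RoleMemberInfo @{ Id = $admin.Id }

# 4. Verify: list every scoped assignment on the AU so the grant is reviewable later.
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id |
    Select-Object RoleId, @{ n = 'Admin'; e = { $_.RoleMemberInfo.DisplayName } }
```

The same pattern works for any other office or business unit; the local admin sees and can act on only the users inside their own administrative unit.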
Office 365 collects millions of bits of information on even the smallest implementation. Unfortunately, from a security standpoint, these data points do not exist for long and far too few are ever used for protection or forensics. Microsoft historically offers logs for only the last 30 days (though that is being increased to a year soon, but only for high-end E5 licenses), but businesses must ask themselves:
- Why do they need to collect data logs?
- How do logs impact regulatory compliance?
- What happens if the logs aren’t saved or otherwise mined and audited?
- What business value do these logs offer?
When used strategically, logs provide valuable forensics that not only help detect a breach, but also identify cybercriminals who may still reside on the network. Before businesses can even think about leveraging audits, IT and security teams have to turn on logging and implement a process to save log data far longer than Microsoft’s standard 30 days. It is also important to know that even when logging is set up, event tracking is not an Office 365 default setting, so businesses must turn that on.
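The two steps above, turning auditing on and keeping the records past the default window, as an added Exchange Online PowerShell example (not CloudM’s or Microsoft’s code). It checks whether unified audit log ingestion is enabled, enables it if not, pages one day of audit records out of the tenant and writes them to a local JSON archive; `$exportRoot` is a placeholder path and the caller is assumed to hold the Audit Logs or Organization Management role.

```powershell
# Added example: confirm unified audit logging is on, then export a day of audit
# records to JSON so they survive beyond Microsoft's default retention window.
# Assumes the ExchangeOnlineManagement module is installed; $exportRoot is a placeholder.
Connect-ExchangeOnline

$exportRoot = "C:\AuditArchive"   # placeholder: long-term archive location

# Auditing is not enabled by default; check and enable it. Records start
# appearing some time after the setting is turned on.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Pull one day of records. Search-UnifiedAuditLog returns at most 5,000 rows per call,
# so page through with a session ID until a call returns fewer than a full page.
$end       = (Get-Date).ToUniversalTime()
$start     = $end.AddDays(-1)
$sessionId = "archive-$($start.ToString('yyyyMMdd'))"
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page -and $page.Count -eq 5000)

# AuditData is a JSON string per record; expand it so the archive is queryable by field.
$expanded = $records | ForEach-Object { $_.AuditData | ConvertFrom-Json }

New-Item -ItemType Directory -Path $exportRoot -Force | Out-Null
$file = Join-Path $exportRoot "o365-audit-$($start.ToString('yyyyMMdd')).json"
$expanded | ConvertTo-Json -Depth 10 | Set-Content -Path $file -Encoding UTF8

# Quick triage view: which operations fired and how often. Role membership changes
# and mailbox permission grants are the ones most worth alerting on.
$expanded | Group-Object Operation | Sort-Object Count -Descending |
    Select-Object Count, Name -First 15
```

Run on a schedule, the export gives the security team a searchable archive that outlives the tenant’s own retention and can feed the real-time monitoring described next.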
Real-time monitoring and alerting for security and compliance issues is the engine that drives much of the data that ends up in the logs. Smart IT shops now enable real-time monitoring and alerts for potential security and compliance issues in their Office 365 environment.
Compliance is a big security and economic issue. Fines under GDPR and other privacy regulations such as CCPA are reported almost daily. There is a lot involved in complying with GDPR; foremost among its provisions is the right to be forgotten, which gives individuals the right to ask organizations to delete their personal data. However, as many businesses have learned, it is difficult to fulfill this requirement if the IT or security team cannot locate personal information or does not know how it was used.
Organizations must be able to track and audit individual user accounts to make sure that they not only comply with this request but have processes in place to differentiate between users with similar (or even identical) usernames, even if one of them exercises their right to be forgotten.
At their core, each of these challenges centers on a general lack of visibility into the Office 365 infrastructure. Microsoft’s SaaS platform introduces a number of important business benefits and capabilities, but it requires enterprises to take proactive measures to account for their data and for how it is accessed and shared externally. Organizations need to fulfill their end of the shared responsibility model to maintain a solid organizational security posture.
CloudM are helping businesses mitigate some of these security risks by consistently adding updates and improvements to the CloudManager for Microsoft platform. CloudManager gives administrators the ability to assign users a custom role template with basic predefined permissions, and additional permissions can be granted when and where necessary. This reduces the need to assign global admin rights, and tracking what functionality has been granted to each user becomes clear and uncomplicated. Furthermore, with each user action logged centrally, compliance becomes effortless and data is always accessible and audit ready.