Microsoft recently noted the findings of the "Organizational Security & Compliance Practices in Office 365," a 37-page report conducted by CollabTalk LLC and the Marriott School of Business at Brigham Young University. Key takeaways from this paper are:
- Of those that thought Microsoft security was sufficient, 80 percent of respondents have either not run security and compliance checks, or do not know if they have.
- Of those who did not think the current security protection offered by Microsoft was sufficient, 57 percent of respondents were not aware of Microsoft's security division.
- Of those who did not think the current security protection offered by Microsoft was sufficient, 71 percent of respondents were not aware of Microsoft's overall security and compliance strategy.
This echoes what we typically find in the field working with clients. Historically, clients are so focused on onboarding into the cloud that once they are done, they move on to other projects. In a way this parallels Microsoft's FastTrack program (as shown in the diagram below).
While this satisfies the need to host data in the cloud, it does not address:
- Which governance and security measures offered with Office 365 and Azure Active Directory are needed to meet corporate security policies?
- How often are admins engaged with the advanced features in the Office 365 suite, and what are their security ramifications?
- How often is the admin team reviewing login activity and user activity within Office 365?
To this end Microsoft released the Office 365 Secure Score. Secure Score determines what Office 365 services you're using (such as OneDrive, SharePoint, and Exchange) then compares your settings and activities to a baseline established by Microsoft. You'll get a score based on how well aligned your organization is with security best practices.
You'll also get recommendations on steps you can take to improve your organization's score (as shown in the image below):
What will be challenging for most clients is the interpretation of this report. Key areas to determine a path moving forward:
- What features are covered by existing licenses or will new licenses be needed? An example of this would be the adoption of base Office 365 MFA or the use of conditional access through Azure Active Directory.
- What are the implications of enabling some of the defined recommendations? An example of this would be IRM for SharePoint. Turning on this feature would dampen the ability to perform coauthoring. Perhaps in this case Azure Information Protection (AIP) would be a more suitable candidate, perhaps combined with managed applications?
- Are users able to share OneDrive information with other users outside the organization? If you migrated home drive information to OneDrive is the information just as safe or more secure than it was previously? OneDrive can be secured so only domain joined or managed devices (Intune) would have access to OneDrive data using the Microsoft Enterprise Mobility Suite (EMS).
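The OneDrive sharing and device-access questions above can be answered from the tenant settings themselves. The following is an added example, not code from the original post or from Microsoft: it audits a tenant with the SharePoint Online Management Shell (`Connect-SPOService`, `Get-SPOTenant`, `Set-SPOTenant`) against a hardened baseline that is an assumption for this example (not the Secure Score baseline), and the admin URL is a placeholder.

```powershell
# Added example (not from the original post): audit OneDrive/SharePoint external sharing
# and unmanaged-device access against a hardened baseline, then show what remediation
# would change. Requires the Microsoft.Online.SharePoint.PowerShell module and the
# SharePoint administrator role; the tenant URL below is a placeholder.

# Baseline used for comparison (an assumption for this example, not Microsoft's own baseline).
$Baseline = @{
    SharingCapability       = 'ExistingExternalUserSharingOnly' # no new external users, no anonymous links
    DefaultSharingLinkType  = 'Internal'                         # default "Copy link" stays inside the org
    ConditionalAccessPolicy = 'AllowLimitedAccess'               # unmanaged devices: browser only, no download
}

function Get-SharingFindings {
    param([Parameter(Mandatory)] $Tenant, [hashtable] $Expected = $Baseline)
    # Emit one object per setting so results can be piped to Format-Table or Export-Csv.
    foreach ($name in $Expected.Keys) {
        $actual = [string] $Tenant.$name   # enum values compare cleanly as their names
        [pscustomobject]@{
            Setting   = $name
            Current   = $actual
            Expected  = $Expected[$name]
            Compliant = ($actual -eq $Expected[$name])
        }
    }
}

# Connect and audit the live tenant (replace the placeholder with your admin site URL).
Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'
$findings = Get-SharingFindings -Tenant (Get-SPOTenant)
$findings | Format-Table -AutoSize

# Remediation is reported first and applied only after review; flip $Apply once agreed.
$Apply = $false
foreach ($f in $findings | Where-Object { -not $_.Compliant }) {
    Write-Host "Would set $($f.Setting) from '$($f.Current)' to '$($f.Expected)'"
    if ($Apply) {
        $params = @{ $f.Setting = $f.Expected }   # splat the single setting onto Set-SPOTenant
        Set-SPOTenant @params
    }
}
```

Tightening `SharingCapability` does not revoke access already granted through existing sharing links; review those separately before assuming migrated home-drive data is locked down.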
The key takeaway is that Office 365 together with Azure Active Directory provides a rich ecosystem to enhance and lock down security. Many clients, in order to onboard expeditiously to the cloud, will forgo existing and future security considerations to accomplish that goal. In doing so, corporate data might be more exposed than it had been when it was on-premises. Secure Score is a strong means to start the internal dialogue and have the honest conversation about what your cloud security is and what you would like it to be.
Rutter can help you sift through this data and discuss options, including third-party bolt-on solutions where they are needed (such as CASB solutions). If you have any questions, please contact our sales team. Or, if you want to see a running log of key Office 365 updates, bookmark this page.