November 7, 2022

IT leaders love Microsoft 365 for the rich feature set it offers. Unfortunately, hackers love it for the same reason. 

M365 implementations are the nervous system of business processes; companies that rely on M365 tend to adopt it across many critical processes, including data analytics, task documentation, project planning, and more.

With such tight integration in core business processes, even a single compromised M365 account can lead to catastrophic outcomes. Threat actors can leverage their access and the data found in these accounts to extend multichannel phishing scams or introduce malware into a system.

Naturally, cybersecurity is a top priority, but many administrators struggle to manage M365 security across numerous locations and business units. 

With enterprises hosting hundreds, or thousands, of employees, every business should know how to protect M365 resources from cyber threats. These days, this means understanding and deploying zero-trust security.

What Is Zero Trust?

Zero trust is a security principle based on a simple idea: trust nothing.

The zero trust concept reflects the changing landscape of cybersecurity in the modern era. Up until around 2004, companies relied on more conventional perimeter-based security protocols. 

Things changed when enterprises began to adopt cloud computing at scale. There was a seismic shift in infrastructure that necessitated a more thorough approach to security. Microsoft explains the concept well:

“Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to ‘never trust, always verify.’ Every access request is fully authenticated, authorized, and encrypted before granting access. Microsegmentation and least privileged access principles are applied to minimize lateral movement. Rich intelligence and analytics are utilized to detect and respond to anomalies in real-time.”

In other words, Microsoft’s approach to zero trust eliminates the notion of “trusted users”: all IT communications are secured to prevent potential eavesdropping, and all generic access permissions are removed. With M365 zero trust, every permission has a purpose, and every purpose is verified.

Compared with conventional perimeter-based security, zero trust offers clear advantages that ensure total security coverage across cloud servers, networks, devices, and endpoints.

Core Tenets of Zero Trust

Zero trust policies are a response to changing IT paradigms. With hybrid and remote work becoming the norm, workforces access more company applications outside of conventional network boundaries. 

Although zero trust is a relatively recent concept, it’s being adopted by organizations of all kinds, including the U.S. government, which in 2021 pledged its commitment to modernized cybersecurity and zero trust architecture in particular.

So, what are the guiding principles behind a zero-trust strategy? Microsoft offers three recommendations:

  1. Verify explicitly. Authenticate and authorize based on available data, including user identity, location, device health, service, anomalies, etc.
  2. Use least privileged access. Limit users with just-in-time/just-enough-access and risk-adaptive policies.
  3. Assume breach. Minimize blast radius and segment access, verify end-to-end encryption, and use analytics to drive threat detection and visibility.

At its core, zero trust changes the way we think about security. Users must be explicitly verified and given the least amount of access possible without restricting their productivity.

How to Achieve Zero Trust in M365

Zero trust sounds like the perfect solution to modern security challenges. So, why aren’t all companies using it? 

To begin, implementing zero trust in M365 is complicated. Zero trust can’t be implemented overnight; it’s a process that must be broken into units of work that are handled separately and configured together.

While a complete rundown of zero trust could fill a book, we can offer a breakdown of essential steps that most businesses will need to take when working toward zero trust. Use this framework as your starting point but understand that it’s only the beginning of your zero trust journey.

Build a Foundation

For M365, first, build a foundation of identity and device protection. Start with these steps:

  • Configure Enterprise Zero Trust identity and device access policies
  • Establish compliance policies to ensure devices meet minimum requirements
  • Enroll all devices
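
One check a team could run after the steps above, as an added example (not CoreView's or Microsoft's code). It assumes the identity and device access policies are implemented as Microsoft Entra Conditional Access policies exported as JSON from Microsoft Graph, and it verifies that an enforced, all-users policy guarantees both MFA and a compliant device. The sample policies and the placeholder IDs are constructed.

```python
# Added example. Keys follow the Microsoft Graph conditionalAccessPolicy resource;
# the policies are constructed sample data and the <...> IDs are placeholders.
REQUIRED = {"mfa", "compliantDevice"}
SAMPLE_POLICIES = [
    {"displayName": "Baseline: MFA and compliant device for Office 365",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": ["<break-glass-group-id>"]},
                    "applications": {"includeApplications": ["Office365"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Pilot: compliant device for admins",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeRoles": ["<admin-role-template-id>"],
                              "excludeUsers": ["<user-object-id>"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]

def guaranteed_controls(policy):
    """Controls a sign-in must satisfy: all of them under AND, a sole one under OR."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if grant.get("operator") == "AND" or len(controls) == 1:
        return controls
    return set()  # an OR of several controls guarantees no single one

def policy_findings(policy):
    """Per-policy review items; an empty list means nothing was flagged."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("not enforced: state=" + str(policy.get("state")))
    users = policy.get("conditions", {}).get("users", {})
    if users.get("excludeUsers"):
        findings.append("excludes individual users; review each exclusion")
    if not guaranteed_controls(policy) & REQUIRED:
        findings.append("does not guarantee MFA or a compliant device")
    return findings

def baseline_gaps(policies):
    """Required controls that no enforced, all-users policy guarantees."""
    covered = set()
    for p in policies:
        scope = p.get("conditions", {}).get("users", {}).get("includeUsers", [])
        if p.get("state") == "enabled" and "All" in scope:
            covered |= guaranteed_controls(p)
    return REQUIRED - covered

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p["displayName"], "->", policy_findings(p) or "ok")
    print("baseline gaps:", sorted(baseline_gaps(SAMPLE_POLICIES)) or "none")
```

A report-only policy counts as a gap here because it logs what would happen without blocking anything, so a tenant whose only policies are in that state has no enforced baseline.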

Add Threat Detection

Next, add threat protection and defense capabilities to the foundation. M365 Defender offers tools to protect identities, endpoints, cloud apps, and more within your M365 ecosystem. Combined with features like Microsoft Intune’s configuration profiles, these tools provide a powerful way to harden devices and gain real-time monitoring for security issues.

Protect and Govern Data

The third step is to protect and govern sensitive data. Apply more sophisticated controls for different security and compliance goals:

  • Deploy classification, labeling, and information protection
  • Create auto-labeling rules
  • Establish data loss prevention (DLP) policies
  • Define data handling standards and data sensitivity schema

It’s important to extend these protections across all M365 applications, software-as-a-service (SaaS) applications, and endpoints in your stack. Follow these steps and apply a time-tested framework for security optimization. 

Companies can work toward security that covers all systems and devices in M365. Double-check that your zero trust efforts protect each critical area of your IT infrastructure:

  • Workforce security
  • Device security
  • Workloads
  • Networks
  • Data security
  • Visibility into analytics and reporting
  • Automation and coordination of processes

Create True Zero Trust Architecture for Your M365 Tenant

While the above is a breakdown of which steps will move you toward zero trust, note that general frameworks are only the beginning. To achieve zero trust, take the above strategies and tailor them to each business’s unique posture. This will ensure that all endpoints and applications are covered.

Most companies (at least, the ones without dedicated expertise in M365 security) can’t achieve true zero trust on their own. Businesses generally turn to M365 specialists like those at CoreView, who can help them optimize their M365 tenant and apply zero trust principles at every layer in the stack.

Specifically, CoreView’s process provides proprietary modeling for operator and functional access, which makes it easier for companies to establish granular, role-based permissions.

We can also help companies enforce security policies and audit login credentials to help clients achieve 99.9% protection from credential cracking.

Combined with additional services like automated log management and deep data forensics, CoreView can help companies substantially improve their security posture and work toward a true zero trust system.

Assess your organization’s zero trust maturity and get targeted guidance in your improvement efforts. Contact CoreView to get enterprise-level support for every aspect of your M365 security, governance, and compliance.
