In the days of on-premises software, IT was responsible for securing every application layer. That all changed with the cloud and SaaS, leading to the creation of the Shared Responsibility Security Model. Here, some security duties performed by IT in the on-premises days are handled by the Cloud/SaaS provider, while other security functions are the RESPONSIBILITY of IT.
While Microsoft secures its own M365 instances in the cloud, and takes full care of that portion, IT is still responsible for securing identities, devices, passwords, stopping data leakage, and preventing insider malfeasance. “For SaaS solutions, a vendor provides the application and abstracts customers from the underlying components. Nonetheless, the customer continues to be accountable; they must ensure that data is classified correctly, and they share a responsibility to manage their users and end-point devices,” Microsoft argued.
“For SaaS solutions, a vendor provides the application and abstracts customers from the underlying components. Nonetheless, the customer continues to be accountable; they must ensure that data is classified correctly, and they share a responsibility to manage their users and end-point devices,” Microsoft argued.
Let’s let Microsoft explain the concept further. “As organizations consider and evaluate public cloud services, it is essential to explore how different cloud service models will affect cost, ease of use, privacy, security and compliance. It is equally important that customers consider how security and compliance are managed by the cloud solution provider (CSP) who will enable a safe computing solution. In addition, many organizations that consider public cloud computing mistakenly assume that after moving to the cloud their role in securing their data shifts most security and compliance responsibilities to the CSP,” the software giant explained in its Shared Responsibilities for Cloud Computing white paper. “Cloud providers by design should provide security for certain elements, such as the physical infrastructure and network elements, but customers must be aware of their own responsibilities. CSPs may provide services to help protect data, but customers must also understand their role in protecting the security and privacy of their data. The best illustration of this issue involves the poor implementation of a password policy; a CSP’s best security measures will be defeated if users fail to use complex or difficult-to-guess passwords.”
The chart below shows what areas of security IT must handle at each level of the cloud services stack.
Identity and Access Management Still in IT’s Hands
High level cloud platforms like SaaS require a slew of IT-driven security responsibilities. While IaaS requires IT do nearly enough to protect the cloud environment as on-premises, since IaaS is really raw computing infrastructure, high level cloud platforms like SaaS require a bit less heavy lifting. “In PaaS and SaaS solutions, Identity & access management is a shared responsibility that requires an effective implementation plan that includes configuration of an identity provider, configuration of administrative services, establishing and configuration of user identities, and implementation of service access controls. Additional considerations that should be considered are the use of two-factor authentication, role-based access control, just-in-time administrative controls, and monitoring and logging of both users and control points,” Microsoft pointed out.
Identity and Access Management (IAM) is Your FIRST M365 Defense
People, and their identities, are a key vulnerability – one cybercriminals are trained to exploit. And the danger is high. “The consequences of poor identity management are significant. For most organizations, services like Exchange Online are mission-critical. If users are poorly authenticated or overentitled, there is an increased risk of data breach, data destruction or unauthorized modification,” Gartner warned.
No accounts need protecting more than highly privileged accounts which give hackers full access to the M365 tenant. “All accounts — but especially powerful ones, like those for administrators — are rich targets for attack and require additional protection through higher trust authentication, typically involving multiple factors,” Gartner advised.
Role-based access is a good starting point. “Use Microsoft’s predefined roles for each service in Microsoft 365 as a starting point to design a role-based access control policy that grants users and administrators the minimum set of permissions required to perform their jobs,” Gartner suggested.
The problem here is that Microsoft roles still give an administrator or O365 operator full global credentials – they can access and perform actions across the entire tenant which is the opposite of least privilege access. CoreView, in contrast, more deeply defines these roles and even scopes them based on functions. More importantly, CoreView can LIMIT an admin’s scope to specific sets of users, so any damage through mistake or malfeasance is radically reduced.
Gartner sees the danger of compromised highly privileged accounts, and advises shops to “Require higher trust authentication for all administrator accounts and accelerate (or start) plans for higher trust authentication for your entire user population. Given the ongoing prevalence of account takeover attacks, this is no longer optional.”
How CoreView Fills in the Shared Responsibility Blanks
As you can see below, for proper M365 security IT has plenty to keep them busy. Fortunately, this is precisely where CoreView shines. CoreView helps:
- Establish and enforce security policies
- Provide true Least Privilege Access
- Conduct deep forensics and auditing around security issues
- Automates M365 admin tasks
- Reports on critical aspects of M365 security