Protecting business-critical data is essential to maintaining a competitive position in the modern marketplace.
Today, we’ll take a look at a series of industry-standard best practices for securing your Office 365 deployment, so that your team can focus on your core business initiatives without having to worry about the fallout from possible data leaks and compromised security generally.
It is especially important to keep admin accounts – particularly those with global admin privileges – to a minimum and to protect access to them. The more global administrators your organization has, the greater the likelihood that such an account can become compromised.
With CoreView’s “perfect permissions,” you can very effectively keep such accounts to a minimum because peripheral administrative tasks can be easily and securely delegated to non-admin users in a way that allows a more efficient IT workflow without the wholesale granting of global permissions to users who don’t really need them.
Strong passwords are your first line of defense against unauthorized access to your organization’s resources. Brute force attacks, or those in which a piece of malware tries random passwords endlessly, are best defended against with long passwords composed of various character types.
In addition to having strong password guidelines in place, your administrators can also use Azure AD to ban up to 1,000 passwords that would be most easily compromised.
For example, you may ban passwords that include the word “password” or some other organization-specific term that would be relatively easily compromised in such an attack.
Moreover, you can add commonly used passwords – such as those collected on this list in GitHub – to the banned password list for the same purpose.
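The list preparation described above, as an added example (not CoreView or Microsoft code): it merges organization-specific terms with a common-password list, drops entries that are too short, too long, or redundant, and enforces the 1,000-entry cap. The 4 to 16 character limit and the substitution table follow Microsoft's documentation for the custom banned password list; the function names and sample terms are constructed for illustration.

```python
# Added example: prepares a custom banned password list for upload.
# Function names and sample terms are constructed for illustration.

MAX_TERMS = 1000            # cap stated in the article
MIN_LEN, MAX_LEN = 4, 16    # per-term length limits documented by Microsoft

# Azure AD undoes these look-alike substitutions when it evaluates a password,
# so "P@ssw0rd" and "password" would spend two slots on one term.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})


def dedup_key(term):
    """Lower-case a term and collapse common substitutions (matching is case-insensitive)."""
    return term.strip().lower().translate(SUBSTITUTIONS)


def build_banned_list(org_terms, common_passwords, max_terms=MAX_TERMS):
    """Return (accepted, rejected). Organization terms are placed first so the
    cap never pushes them out in favour of generic passwords."""
    accepted, rejected, seen = [], [], set()
    for raw in list(org_terms) + list(common_passwords):
        term, key = raw.strip().lower(), dedup_key(raw)
        if not MIN_LEN <= len(term) <= MAX_LEN:
            rejected.append((raw, "length outside 4-16"))
        elif key in seen:
            rejected.append((raw, "duplicate after normalisation"))
        elif len(accepted) >= max_terms:
            rejected.append((raw, "list is full"))
        else:
            seen.add(key)
            accepted.append(term)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input.
    org = ["Contoso", "ContosoHQ", "C0nt0s0", "Fab"]
    common = ["password", "P@ssw0rd", "qwerty"]
    accepted, rejected = build_banned_list(org, common)
    print("\n".join(accepted))
    for raw, reason in rejected:
        print(f"skipped {raw!r}: {reason}")
```

The rejected list is worth reading before upload: it shows which candidate entries were dropped and why.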
Multi-factor authentication is a system in which a personal device – likely a phone or tablet – is paired with an account, such that user authentication requires both a username/password combination and an identity confirmation step carried out on the associated personal device.
This way, should a password become compromised, unauthorized access still requires access to the secondary device as well.
Next, you’ll want to configure conditional access to your organization’s Office 365 resources. For example, you will likely want to restrict access geographically.
If you’re using Office 365, your organization is likely small enough that you know the geographic region from which users will generally be logging in. So, you can use that knowledge to your advantage and block access from geographic regions in which you don’t have remote employees.
There are ways to allow access from restricted regions in special circumstances or for privileged accounts, so organization resources can still be made available to traveling employees as well.
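The decision logic behind such a rule, as an added example that is not Microsoft's or CoreView's code: sign-ins from outside the allowed regions are blocked unless the account is exempt or a time-boxed travel exception applies, and a missing location is treated as blocked. The policy layout, record fields, accounts and dates are all constructed assumptions.

```python
# Added example: models the geographic rule and its exceptions.
# The policy layout and record fields are assumptions, not a Microsoft schema.
from datetime import date

POLICY = {
    "allowed_countries": {"US", "CA"},
    "exempt_accounts": {"breakglass@example.com"},   # privileged exception
    "travel_exceptions": [                            # time-boxed special cases
        {"user": "dana@example.com", "country": "DE",
         "start": date(2024, 5, 1), "end": date(2024, 5, 10)},
    ],
}


def evaluate(signin, policy=POLICY):
    """Return (decision, reason) for one sign-in record; unknown location fails closed."""
    user = signin["user"].lower()
    country, day = signin.get("country"), signin["date"]
    if country in policy["allowed_countries"]:
        return "allow", "allowed region"
    if user in policy["exempt_accounts"]:
        return "allow", "exempt account"
    for exc in policy["travel_exceptions"]:
        if (exc["user"], exc["country"]) == (user, country) and exc["start"] <= day <= exc["end"]:
            return "allow", "travel exception"
    return "block", "outside allowed regions"


def review(signins, policy=POLICY):
    """Sign-ins worth an administrator's attention: blocks and every use of an exception."""
    results = [(s["user"], s.get("country"), *evaluate(s, policy)) for s in signins]
    return [r for r in results if r[3] != "allowed region"]


# Constructed sample records.
SAMPLE = [
    {"user": "alex@example.com", "country": "US", "date": date(2024, 5, 3)},
    {"user": "dana@example.com", "country": "DE", "date": date(2024, 5, 3)},
    {"user": "dana@example.com", "country": "DE", "date": date(2024, 5, 11)},
    {"user": "breakglass@example.com", "country": "BR", "date": date(2024, 5, 3)},
    {"user": "alex@example.com", "date": date(2024, 5, 3)},
]

if __name__ == "__main__":
    for row in review(SAMPLE):
        print(row)
```

Listing exception use alongside blocks keeps the exempt account and expired travel windows visible rather than silently allowed.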
Your IT team can enable Office Messaging Encryption, which will allow users to send an encrypted email that will only be visible to the intended recipient. Additionally, this functionality can extend to include incoming email from external email servers such as Gmail, Yahoo, and others.
If the recipient is using Outlook 2013, Outlook 2016, or Outlook 2019, they will see an alert denoting the email as being encrypted but will then be able to open the email as usual.
If the recipient is using another email server, there will be either a link to sign in to read the email or an option to request a single-use passcode to view the message in a web browser.
Sensitivity labels are another powerful option for controlling access to documents that travel outside of your Office 365 environment.
They are effectively metadata that lives on the document, and that allows IT to apply specific access rules to documents themselves that will be interpreted by Office Apps.
So, whether a document is opened internally or externally to your organization, the access rules will persist.
Audit logging is another powerful feature included in Office 365 that will allow extensive visibility into the various events taking place within your environment.
These events can include both user and administrator actions and will help you to know exactly what is being accessed by whom.
When paired with the audit reporting and analysis features, i.e. Audit Alert Reports included with CoreView, IT teams have a powerful means of tracking events of interest without having to pull the reports manually and comb through massive amounts of stored data.
Identity controls allow your IT team to limit access to specific applications or portions of applications according to a set of rules that are applied at the group level. For example, a particular department may require access to a set of resources that others don’t.
Identity controls allow for the creation of an access rule that allows members of that department to access the resource in question.
That way, should an employee transfer out of that department, the access rules associated with his or her account are automatically updated to reflect the current role and related permissions as soon as the account is updated to reflect that change.
Finally, you’ll want to keep close tabs on your Microsoft Secure Score, which will help you to identify gaps in your security practices and improve them.
The Secure Score is based on a point system in which points are awarded for configuring recommended security features and keeping up to date with security-related tasks generally.
CoreView makes Office 365 security monitoring simple and convenient for IT staff, as it can all be accessed from the same, web-based UI.
Managing security in Office 365 is certainly a major undertaking, but with the right tools in place, it is very manageable and the benefits of maintaining a strong security posture are truly significant.
CoreView makes managing each of the above elements, and many more, simple and efficient for IT teams of all shapes and sizes, with built-in automation and a user-friendly UI.