Microsoft Office 365 Secure, as the name indicates, is focused on Microsoft Office 365 security. Its replacement, the new Microsoft Secure Score now includes Azure security, and so is a broader measure of Microsoft security. “The Microsoft Office 365 Secure Score has evolved into the Microsoft Secure Score. This tool assesses the security state of multiple aspects of Microsoft Office 365 by evaluating which controls are enabled and presenting a score — the sum of the point values for each control. The score is a reasonably meaningful starting point for measuring and improving your Microsoft Office 365 security posture,” Microsoft explained. “To help you devise a plan for a staged rollout of controls, the tool combines recommendations into five categories: identity, data, devices, apps, and infrastructure.”
According to Gartner analyst Neil MacDonald, “Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.”
The CoreView Microsoft Office 365 Health Check (a complete scan of your M365 tenant to determine security posture, application usage, and license state) shows many ways you can boost your Secure Score. The Health Check is a deep analysis, and offers an O365 Security Action Plan based on the findings. It also includes an enhanced version of the Microsoft Secure Score.
Passwords are a big deal for any application, service, or environment. They are even more critical for a Microsoft Office 365 tenant. Whether you have a hybrid or a cloud-only Microsoft Office 365 environment, you will have cloud users. In this case, Microsoft Office 365 is the authentication provider for these users. That is why it is so vital to implement the right password policy to protect your users’ identities and account security. Once an M365 password is cracked, the hacker has access to everything that end user does.
The old way of protecting passwords was to demand complexity, and require these complex passwords to be changed regularly, often every 90 days. This causes users to forget their passwords and often put them on Post-It notes to remind them – a security flaw if we ever saw one. The new approach is event driven password changes. If there is a breach, or other security events, this is when end users should change their passwords. CoreView tracks these events, and can automatically alert users to update their passwords. We can report on these password changes, and again, automatically alerts users that failed to take them.
Multi-Factor Authentication (MFA) is one of the most important security practices you can employ. Fortunately, Microsoft Office 365 has a robust and proven MFA solution built-in. Forward-thinking organizations are implementing MFA to improve user identity security. MFA has become so recognized that the National Institute of Standards and Technology (NIST) guidelines on password security now specifically recommend the implementation of MFA. Also, the United States Department of Homeland security now recommends that all Microsoft Office 365 users implement MFA.
MFA only works if it is activated. “Multi-factor authentication for administrator accounts not enabled by default: Azure Active Directory (AD) Global Administrators in an O365 environment have the highest level of administrator privileges at the tenant level. Multi-factor authentication (MFA) is not enabled by default for these accounts,” the NIST guidelines stated.
CoreView shows how many users have MFA activated, have MFA disabled, and how many users with MFA disabled have administrative roles, which presents a substantial security risk. With CoreView, it is simple for you and your administrators to monitor, set, and enforce an appropriate MFA authentication policy.
Are you shocked to learn that 94% of all cyberthreats start with email?
Here are more shocking email facts courtesy of the ‘Mimecast ‘State of Email Security 2020’, which finds that:
Mailboxes are the number one way hackers breach systems, steal identities and credentials, and launch phishing and ransomware attacks. One step to take is to set access rights to mailboxes to protect data, mail content, and mailbox owner identities. This can include items such as access to more than five mailboxes, auto forwarding, and accessing mailboxes of others.
Fortunately, CoreView can apply key rules for mailbox security, especially in regard to access rights. CoreView, for instance, flags user accounts that have been provided with access rights to more than 5 other user mailboxes. These are not for Room, Shared, or Team mailboxes, but rather actual User Mailbox accounts. Such cases should be investigated to ensure they are being used for acceptable business purposes.
Often, mailbox security can be compromised by spam and malicious malware. CoreView can discover the exact number of instances of malware sent by email from your organization.
Knowing the internal sources of malware is critical to stopping the spread. CoreView keeps IT informed of unusual patterns or targeting, which may attempt to compromise mailboxes in your organization. CoreView also provides details on potentially compromised accounts and the malware which may have been sent from your organization, enabling your shop to take action to support investigations and remedy issues.
Malware often spreads from mailbox to mailbox – right under IT’s nose. The answer is tracking all actions and file movement from mailbox owners hit by malware, and other unusual activity.
To the average end user, setting up automatic email forwarding rules is a harmless exercise. But for those whose job it is to prevent data breaches and ensure compliance, email forwarding rules can quickly turn into a nightmare scenario. The indiscriminate forwarding of emails outside of your organizational control is a common vector for information theft, as well as GDPR and similar data protection regulations violations.
CoreView can identify mailboxes that have auto-forwarding to external addresses such as “Gmail.com”. This is a major data leakage concern. These should all be reset to internal e-mail addresses or have the auto-forwarding removed completely.
Ensuring that M365 administrative privileges are limited to those that absolutely need them is critical to a safe Microsoft Office 365 environment. An internal threat, such as a disgruntled employee, with access to global admin privileges, is a major risk that can be prevented simply by limiting the number of users with admin privileges — and restricting the scope of those permissions.
Unfortunately, Microsoft Office 365 Admin roles have limited flexibility. Microsoft offers some roles that limit administration rights on a specific workload, but these are not available across all workloads. For example, you can configure an operator as an Exchange administrator and another operator as a SharePoint administrator. The major issue with many Microsoft Office 365 deployments is that administrators have global access to all the company users as well as access to all configuration capabilities for the assigned workload. Unfortunately, this permission model doesn’t match with most enterprise organizations’ requirements. For example, if you have a local support team in a specific country, you should limit their administrative control to users within their area of work. Or, if you have a tiered support structure, you should limit administrative rights for support staff based on their responsibilities.
CoreView shows how many admins your shop has, and their roles. The report to the right is an example of a tenant with 178 total admins, 7 of whom also have a company admin role. The good news is that by using CoreView, your organization can implement a granular Role-Based Access Control (RBAC) policy. This will enable your organization to assign administrative privileges to operators which appropriately match their responsibilities.
Whether your organization is large or small, sharing content with users is a powerful capability provided by Microsoft Office 365 collaboration features. This is especially true when working with clients, vendors, and partners.
With SharePoint and OneDrive, users have multiple choices when they need to share documents externally:
Shareable, also known as Anonymous Sharing, is the most insecure way to share a document since you cannot track how the link will circulate and be shared outside of your organization, and who will have access to your data.
CoreView can detect OneDrive sharing activities, SharePoint sharing activities, as well as creation and use of anonymous links. Also, with CoreView admins can be alerted when new anonymous links are created or used. You can then immediately address any problems.
Gartner argues that “Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement, and mistakes.” Providing proper configuration, as well as monitoring and enforcing policies, are the responsibility of Microsoft Office 365 IT professionals, and is a must-do best practice to reduce your breach perimeter.
To reduce mismanagement issues, CoreView implements segregation of your tenants in many critical ways. You can separate your tenant into sub-tenants or virtual tenants. This way you can have local administrators that keep an eye on a smaller, more defined set of users. Specific policies can apply to just these user sets. Moreover, because fewer admins have global rights, end users in these sub-tenants are protected from global admin mistakes or malfeasance.
With CoreView, you can monitor your configurations and usage policies, and report and alert on the account and device misconfiguration. If a misconfiguration or a misusage has been detected, you can immediately remediate it as well as enforce those policies using the CoreView workflow automation capability. Moreover, with CoreView, policy management moves from a manual and error-prone process to one that is intuitive, easy, and automated.
