A Blueprint for Financial Service Alignment to Microsoft 365

Financial Services firms are moving to the cloud and Microsoft 365 (M365) environment for 4 key reasons:

  1. Compliance: Meeting compliance regulations and avoiding fines is different when the data is housed in a Software-as-a-Service (SaaS) solution like M365. Extra steps must be taken for SaaS-held data to be compliant.
  2. End-User Access, Identities, and Authentication: Financial institutions must tightly control access to data and applications from employees, partners, and outsiders, which takes new approaches when identities are cloud-based.
  3. Loss of Data Control: Due to security and compliance concerns, financial organizations need assurance that their data is safe and under corporate control when in the cloud.
  4. Security Fears: A breach into a major bank or financial services firm is front-page news. The invasion harms (and sometimes destroys) the reputation of the victim company, invades customer privacy, and subjects the victims to large fines.

There are several more considerations, including:

  • Can M365 be trusted with confidential financial and compliance-regulated data?
  • How do I migrate my full enterprise to the Microsoft SaaS solution?
  • How do I replace proven on-premises Microsoft Office management with equally effective M365 administration?
  • How do I help IT overcome its struggles in managing M365 and scale its ability to manage?

This whitepaper pinpoints key issues and solutions Financial Services firms face managing and governing M365.

Section One: A Better Way to Manage – The Power of Single Pane of Glass Visibility

Let’s be honest. Microsoft built a killer cloud productivity suite in M365. On the other hand, the Microsoft 365 Admin Center, which manages this bevy of services, has a lot of functionality but doesn’t do everything a Financial Services institution needs. Moreover, the Admin Center is complex, labor-intensive, and often confusing.

One accounting firm experienced this firsthand. “Our expectations of what Microsoft was going to bring to the table were proven to be underwhelming. We initially felt that Microsoft must have this nut cracked. It was somewhat inconceivable that a third-party company, external to Microsoft, built a better interface to M365 than Microsoft did,” said Stephen Chris, COO for accounting firm Baker Tilly Canada Cooperative.

In contrast to the native Admin Center, CoreView offers total visibility into your entire Microsoft 365 environment – from a single pane of glass. This gets rid of the need to rely on the dozen-plus different Admin Center portals to manage your M365 environment. On average, this saves a single admin 48 hours per month – more than 25% of their time.

SMPs to the M365 Rescue

The weaknesses in native, built-in SaaS management features are in many cases holding back Financial Services’ SaaS adoption – M365 in particular. Typically, organizations choose between delaying adoption or succumbing to suboptimal capabilities.

A SaaS Management Platform (SMP) is the solution to this problem. It provides a clear, singular view of your SaaS applications so you gain greater insight into your day-to-day operations.

SMPs Ease M365 Admin Pain (And Boost IT Efficiency)

With limited native tools, SaaS admins are forced into many unnecessary manual duties, such as scripting and custom reports, all of which are time-consuming activities that require checks and balances.

With an SMP, busy Financial Services IT administrators can automate time-consuming responsibilities. One in particular stands out: provisioning users. With an SMP you can scope permissions for automated workflows for routine tasks down to a regional level – like creating a new user and all that goes along with it to ensure corporate standards are met. By delegating these tasks out, your IT team can reap the many benefits of workflow automation.

Governance That Pays Dividends

There are two ways to look at IT governance – governance in the broadest sense and governance as it applies to Microsoft 365. We will delve deeply into the latter, while also offering advice on overall IT governance.

Governance is a broad area and demands high-level organizational involvement and commitment. Fortunately, the return is more than worth the effort, as MIT Center for Information Systems Research (CISR) can attest. “MIT CISR research has found that firms with effective IT governance have 20% higher profits than their competitors,” MIT CISR explained.

Microsoft 365 must also be managed in what Gartner calls “an effective, efficient and compliant fashion” – which means IT administrators must be highly skilled and working with a large enough staff to master all M365 complexities or get a technology solution that does this for them.

Deep Reporting, Action-Enabled

Reporting is vital to the success of Financial Services firms. The native Microsoft 365 Admin Center comes with a fair share of built-in reports, but without a PowerShell guru, these reports can take weeks to pull. Wouldn’t it be better to have reports showing ALL activities and EVERY configuration?

Generating M365 reports often involves creating PowerShell scripts, which slows down IT processes. PowerShell is limited because it gets data from one information silo at a time, and doesn’t have a database to cross-reference usage, device, user, and configuration information. PowerShell-driven reports are rarely automated, so you can’t launch and run them with one click, and they are not action-enabled.

To quantify it: a typical license manager takes 10-15 hours a month to produce licensing reports. CoreView does these complex reports in less than 10 minutes.

Section Two: Virtual Tenants, RBAC and Delegated Administration – All Add up to True Least Privilege

Financial Services companies have many departments, each holding different types of confidential data that need securing. You don’t want one department’s data available to another group that can potentially leak or misuse that information. You want to isolate the data from each department – and then secure that data within that department.

How Virtual Tenants Ease Delegation

CoreView’s administrative sweet spot is our ability to allow you to segment your organization into individual ‘Virtual Tenants’ that you can use to delegate permissions based on the selected criteria.

Virtual Tenants can be defined using a Security, Distribution, or Microsoft 365 Group, leveraging existing structures already in place in many organizations. Virtual Tenants can support:

  1. Assigning regional administrators to manage their user communities
  2. Enabling management of users and groups by department IT or operations teams
  3. Empowering help desk engineers with support services

Use Case: Baker Tilly’s Virtual Tenants

Baker Tilly solved its data and administrative isolation issues when it migrated to M365. The accounting firm identified two key issues:

  1. How to easily manage M365 and give each of the 19 member firms IT independence.
  2. How to layer a level of security on top of M365 with a third-party solution.

The company soon found that the granular security management in M365 was not granular enough and did not offer the user segmentation Baker Tilly Canada required.

“Part of our build-out was deciding whether to go multi-tenant or single tenant. We are disparate organizations that all wanted to share a common domain name. That factor of sharing a common domain name required us to have a single-tenant environment,” said Baker Tilly’s Chris. “We quickly realized that sub-tenanting or sub-administration of users just was not going to exist with the native M365 Admin Center to enforce the migration. We would have much rather had CoreView in place from the early days. That would have alleviated a lot of the pain that we had in those early days with user management and tenant management.”

With CoreView’s help, Baker Tilly Canada today operates as a multi-tenant environment, even though it is technically a single M365 tenant. “CoreView brought all of that to the table with the V-tenant capabilities. We can slice and dice administration into functional areas. We can have user managers, Teams managers, Teams administrators, or security administrators. All of those functions and feature sets are critical to the solution we have today,” Chris said.

Virtual Tenants are vital to Baker Tilly’s security. “When you come from a decentralized IT environment and ask everybody to come on board with a common platform, that is asking people to put their eggs in one basket. We have the assurance, with CoreView, that administrator A cannot do something nefarious or accidental to administrator B’s users. That is a huge comfort for IT administrators across the country,” Chris said. “We would have much rather had CoreView in place from the early days. That would have alleviated a lot of the pain that we had in those early days with user management and tenant administration.”

The ROI of Delegated Administration 

The set of administrative roles provided by Microsoft for a Microsoft 365 deployment is designed around a centralized management model. Within the native M365 Admin Center, there is no way to set up regional management rights for administrators who ONLY want to monitor and manage their local business unit or geographical site users. Large enterprise organizations, or companies that are split into multiple departments or geographic areas, have complex administration requirements to support their deployments. What if they want to delegate admin tasks to different countries, business units, or office locations? What if they want to enable help desk engineers to perform ONLY simple admin tasks on their regional users?

By delegating tasks formerly done by M365 Global Admins, your IT staff saves myriad man-hours that can be taken as pure savings or devoted to more strategic tasks and projects.

Section Three: Automation Pays Big Dividends

Common repeatable tasks should be automated. Workflow automation speeds up processing, reduces errors (and related support tickets), and improves the quality and professionalism of IT administration. This all adds up to optimized IT resource costs, more efficient execution of daily tasks and more time for IT admins to spend on core business functions and innovation.

Automate M365 Administration with Workflow

Many of the tasks of Microsoft 365, like user provisioning and re-provisioning, are repetitive, manual, and consume hundreds of hours of IT admin time each year. They’re also prone to human error. An SMP with workflow automation capabilities can help. Here, different steps in a task are “chained” together into a pre-set process that automatically runs from the workflow engine, ideally with full auditing capabilities. When an SMP offers this automation in a fully customizable way, organizations open the door to unlimited automation scenarios.

The Big Automation Pay Off

By delegating tasks formerly done by M365 Global Admins, your IT staff saves countless man-hours that can be taken as pure savings or devoted to more strategic tasks and projects. By automating common and often complex tasks, this work is performed far more quickly. And since it is usually one click, these common M365 tasks can be delegated even to non-IT staff – saving even more time.  

How much time? Let’s look at a 10,000-seat example, where 1,000 processes per month can be automated. Each of these goes from 20 minutes to just 2 minutes (or less) with automation. The result? Some 300 hours a month are saved.

Provisioning is a great example. With CoreView automation, deprovisioning goes down to well under 10 minutes. One customer with over 50,000 users saved 210 hours per month by automating the provisioning, deprovisioning, and onboarding of users. Another reduced their user provisioning process from 3 days to a few minutes.  

Section Four: Invest in Security and Compliance

Meeting compliance regulations and avoiding fines can be more difficult when the data is in a SaaS solution. Extra steps must be taken for SaaS-held data to be compliant. When security mistakes are made, there are hefty fines from data breaches, and bad publicity and reputation damage that can be far more expensive – and in fact can easily put you out of business.

Breaches – Defining the Problem

35% of all data breaches affect the Financial Services industry, found Forbes. Not only is the data so valuable that hackers can’t resist, but financial IT systems are so complex and interconnected that there are myriad ways to break in.

Security attacks never stop for the finance market. Technology researcher Vanson Bourne surveyed 100 UK business decision-makers in Financial Services organizations. 70% were victims of a security incident in the last year. The researchers said that most security incidents were “from employees failing to follow security protocol or data protection policies.” Other factors “included the introduction of malware and viruses via 3rd party devices, including USBs and BYOD (32%), file and image downloads (25%), and employees sharing data with unintended recipients (24%).”

If that sounds scary, there is far worse news. “Financial services firms are 300 times as likely as other companies to be targeted by a cyberattack,” the Boston Consulting Group argued. “Dealing with those attacks and their aftermath carries a higher cost for banks and wealth managers than for any other sector.”

Ovum’s research on banks discovered that 40% of banks surveyed receive 160,000 mistaken, redundant, or irrelevant alerts daily. One cause of the alert overload is security tool overload. Here, 73% of the banks surveyed run at least 25 different security tools.

Breach Forensics

Most Financial Services firms don’t know they’ve been breached until it is far, far too late. It takes about 191 days on average to figure out that you have had a data breach. Since most IT shops discover the incursion months or even over a year after it happened, how then do you figure out how and why it happened?

The answer is data breach forensics that relies on long-term log data retention so you can perform a proper security audit. Here you discover what happened so you can minimize ongoing damage and, by finding the source, stop it from happening again. Microsoft natively saves log files for 90 days (depending on your license level), a window that closes long before the average breach is detected. CoreView saves data for one year out of the box and can retain it for up to 7 years if requested.

Employees as the Enemy

Financial Services employees control critical and confidential data, and when these workers turn bad, the damage is incalculable. The Verizon Data Breach Investigations Report finds that 14% of breaches come from insiders. Insiders are more dangerous than most outsiders are. Insiders are already on the network, and sometimes with high-level privileges.

To fight off the insider threat, you need a full approach to security, along with the ability to address Microsoft 365-specific vulnerabilities. A key issue is knowing what is going on in the network and controlling dangerous activity.

Verizon advises IT to implement strong access controls and provide access levels fitted to true needs, trust, and levels of responsibility. “Having identified the positions with access to sensitive data, implement a process to review account activity when those employees give notice or have been released,” Verizon suggested.

The Insider Threat – IT as the Enemy

While most Financial Services employees have access to SOME of your financial data, IT pros can often access ALL that information.

Too often those in IT blindly trust others in IT and give these workers higher-level privileges than they need, privileges that can be used to abuse access to corporate and personal information. According to a survey by Cyber-Ark, a third (35%) of IT pros spy on other company employees.

A sizeable portion of insider breaches come from technical staff: 6% from developers and another 6% from admins, according to the Verizon Data Breach Investigations Report. Many insider incursions result from privilege abuse, though there are many other ways IT abuses its access.

Section Five: The Dollars and Cents of Microsoft 365

For many Financial Services enterprises, Microsoft 365 is one of their largest software expenses. With so much money at stake, you want to ensure every dollar counts. M365 IT efficiencies can save hard dollars taken as pure savings or devoted to other IT investments. Or as is often the case, money and time saved on M365 IT operations can be spent better securing M365, improving the user experience, or promoting new Microsoft services.

License Lifecycle Management

Microsoft 365 licensing is too often a big black hole. How many licenses do you have, how are they being used – and are they the right licenses to do the job?

The key to license lifecycle management is understanding the complete state of your M365 licenses and their usage. Proper license management means that all users are equipped with the right level of functionality, and new licenses are brought in when they are needed – and at the right size and level.

This is the essence of a data-driven M365 license lifecycle management approach, and being on top of it will help you truly maximize your SaaS investment and gain optimum ROI.

Optimize M365 Usage and Adoption

Financial Services firms believe in the value of an investment, and certainly don’t want to waste the money spent on Microsoft 365. A big part of this is M365 adoption, argues Gartner in its report: The SaaS Management Platform (SMP): A ‘Single Pane of Glass’ to Make SaaS Management More Secure, Streamlined & Cost-Effective.

Microsoft 365 is a key SMP adoption target. “Organizations only get a fraction of the productivity gains they’re paying for with an Office 365 investment. An SMP can help organizations:

  • Accurately track actual usage of SaaS applications and features
  • Efficiently and cost-effectively administer user adoption campaigns
  • Monitor campaign effectiveness
  • Analyze metrics and run reports

SMP’s user adoption capabilities support other areas, like licensing and training. By tracking specific tasks and behaviors, organizations can gain a clearer picture of the types of licenses they need for departments, business units, and job roles. Organizations can also identify which employees and business units require training—and on what features and tasks,” Gartner concluded.

CoreView drives adoption by understanding which users are taking advantage of what services and pushing them to fully exploit key applications such as Microsoft Teams.

M&A: M365 Due Diligence, Security and Governance Afterward

Financial Services firms are among the most active in the mergers and acquisitions (M&A) space. Many Financial Services firms already use M365 and are buying companies that either already have M365 or will need to migrate.

An M365 assessment is critical because IT does not know the details of what each side of the deal has, or how M365 is set up and managed. Luckily, basic analysis and reporting reveal how people use the platform, how they are licensed, the number of users, plus which applications are used, and which are not.

M365 Management Ready for M&A, Perfect for the IT Budget

Overcome your Financial Services issues with CoreView. We make M365 shine in 3 key ways:

See it – Through Action-enabled Reporting

Manage it – With Granular Privileges for Each User

Automate it – With SaaS Workflows

See firsthand how a major accounting firm reined in M365 with CoreView in the Baker Tilly Canada Case Study.

Find out more about CoreView by requesting a demo.
