Securing Microsoft 365

Summary:

Microsoft 365 is a comprehensive, complex cloud computing system hosted on Microsoft Azure, extending far beyond a traditional office suite. It operates on a shared security model, dividing responsibilities between Microsoft (security 'IN the cloud') and tenant companies (security 'OF the cloud'). The suite's security is people-centric, focusing on identities and access rather than traditional network security, and necessitates specific administration skills. Key components include Microsoft 365 Defender for security management, Azure Active Directory for identity and access management, Microsoft Purview for information protection, and Intune for endpoint security. The security roadmap is incremental, beginning with basic steps like activating Multi-Factor Authentication and protecting information for GDPR compliance, and gradually strengthening over 90 days. This approach requires continuous management and optimization of security features, underscoring the importance of tenant companies being proactive and responsible in their security measures.

Key Takeaways:

1. Microsoft 365 as a Computing System to be Secured

Microsoft 365 is a complex, distributed, elastic computing system that requires administrator competencies for operational and security maintenance. Its components, including Azure AD and collaborative spaces, form a mix of SaaS, PaaS, and IaaS. Therefore, the responsibilities for security are shared, which is not the same configuration as an ordinary SaaS application. This difference should not be underestimated.

1. Azure AD as the Pillar of Microsoft 365 Security

Migrating from Azure to AWS, GCP, or others, with Microsoft 365 is complicated and often disadvantageous. An alternative is offered for the Office 365 suite by OVHcloud, with additions for Exchange and SharePoint. The advantage comes from the extended capabilities of Azure AD, a complete IAM solution that contributes to the security of a hybrid computing system with Active Directory.

1. The Risk of Losing Control Over Pricing and Introducing Vulnerabilities

For Microsoft 365, the risk of budget blowouts due to malice must be taken seriously. This risk is inherent to the elasticity of cloud architectures that offer boundless resources on a pay-as-you-go basis, while budgets remain finite. Budget blowouts represent a new security risk associated with the cloud. Similar to combating denial-of-service attacks, DOS/DDOS, security architecture should systematically include protections such as an SD-Circuit Breaker.

1. Azure AD, a Complete IAM Solution, Accelerates the Zero Trust Approach

Azure AD is at the heart of securing the Microsoft 365 computing system. Hence, Azure AD features can contribute to modernizing the company’s hybrid information system.

1. Deploying Microsoft 365 Encourages Combining Security and Safety

Deploying Microsoft 365 should be integrated into a broader Zero Trust approach, which should also anticipate network resilience. In other words, it involves adopting a secure and resilient hybrid multi-cloud architecture that eliminates critical single points of failure.

Introduction: Microsoft 365 - More Than Just a Cloud Application

Microsoft 365's cloud-based collaborative suite isn't just ready for secure deployment straight out of the box. Far from being a mere cloud-hosted office application suite available as a SaaS (Software as a Service), Microsoft 365 is a comprehensive, complex, distributed, and elastic computing system hosted on Microsoft’s Azure cloud service. Microsoft ensures the physical infrastructure and services' security, covering aspects like availability, integrity, confidentiality, and the traceability of its services. This responsibility on Microsoft's part is referred to as IN the cloud. However, the security of data, user-generated documents, SharePoint collaborative spaces, and OneDrive, falls under the tenant company's jurisdiction, known as OF the cloud. The security actions OF the cloud are direct, while those IN the cloud are contractual. Consider the impact of an OVH datacenter fire (IN the cloud), which compromised the security of numerous businesses. In this context, a third party responsible for maintaining the OF the cloud portion’s security must wisely consider this shared responsibility model in its commitments.

The security of the Microsoft 365 collaborative suite is people-centric, focusing on identities and access permissions, moving away from the network security model used for Microsoft Office On-Premise. This article summarises the key steps in securing this complex solution for a typical structured enterprise with an information security department. The often-overlooked preliminary step involves having the requisite skills for secure Microsoft 365 administration.

The roadmap for securing is pragmatic, driven by action, and relevant to cloud challenges. The astute reader will note that, despite its seeming simplicity, our approach addresses security risks identified by CLUSIF, ANSSI in its hygiene guide, or by the Cloud Security Alliance.

I) Pre-requisite Activities for Securing the Microsoft 365 Computing System

"No matter how skilled, an administrator can only use what they have access to." (Proverb)

Managing Security

The security management component is called Microsoft 365 Defender. It cohesively and unifiedly addresses all activities related to prevention, detection, investigation, and response for email (Exchange, Outlook), collaboration spaces (SharePoint, OneDrive, and Teams), endpoints, and Microsoft 365 identities. Here, the Office ATP (Advanced Threat Protection) component is essential for protecting collaborative spaces, unlike email protection solutions like anti-phishing, which can come from third-party publishers. The Document Vault feature for protecting sensitive documents in collaborative spaces like SharePoint, OneDrive, and Teams, requires a secure licensing plan (E5).

Managing Threats

Microsoft’s Cloud Access Security Broker (CASB), Microsoft Defender for cloud apps, combats shadow IT, detects abnormal behaviors, analyzes SaaS application compliance, and protects data. Only the EMS E5 subscription natively includes Microsoft's CASB.

Securing Identities and Access

The component for securing identities and access is Azure Active Directory (AAD), a complete cloud IAM (Identity and Access Management) service.

Ordinary Users

Plan 1, known as AAD P1, detailed below, is a de facto standard for regular users.

Administrators

Plan 2, known as AAD P2, is essential for privileged users, administrators of the Microsoft 365 computing system.

Role-based Access Distribution

It involves distributing responsibilities according to the dichotomy “In the cloud (enterprise), Of the cloud (Microsoft)”.

Features of Azure Active Directory Subscription Plans

Azure Active Directory Premium Plan 1 (AAD P1): Azure MFA, Conditional Access, Application Proxy, Group Lifecycle Management, Advanced Password Protection, Integration with third-party MFA or identity governance solutions;

Azure Active Directory Premium Plan 2 (AAD P2): Azure AD Identity Protection, Risk-based Conditional Access, Azure PIM (Privileged Account Management with Just-in-Time Access), Access Reviews, Entitlement Management.

Protecting Information

Microsoft Purview helps discover, protect, and prevent data loss. It’s built on a sensitive data search engine using regular expressions, keyword dictionaries, and information classifiers (machine learning algorithms, predefined or custom models). Documents and emails are classified using the engine. Shared spaces can be classified, and non-Office 365 documents are also eligible for classification. Data encryption and access restrictions protect information based on its classification. The same applies to the protection of classified shared spaces' access. In addition to protecting stored data, their dissemination is controlled with Office DLP. Audits for information discovery detect gaps and address them.

Implementing Governance

This involves implementing data retention policies (data preservation, legal recordings, data deletion) based on data or shared space labelling. These retention labels complement confidentiality labels.

Advanced logging traces user or administrator actions. Content investigations help trace the context of data leaks. Specifically, Data Subject Request identifies and exports data related to an individual.

Securing Endpoints

The component is Intune, managing endpoints (MDM) and their access (MAM). The issue of using personal devices (BYOD) is addressed here. Intune manages all endpoints, not just mobile devices.

Internal risks (insider threats, data leaks by departing users, illegitimate access) are managed with Insider Risk Management and Information Barriers.

Mastering Services and Data Geolocation

Multiple geolocations allow data at rest to be stored in a specified geographic area. Personal and shared spaces are geo-differentiated.

II) The Incremental Security Roadmap for the Microsoft 365

Computing System With prerequisites in place, we are certain to have the right subscriptions to carry out security activities. We then follow Microsoft’s incremental roadmap, reaching ordinary security (CIS Level 1) after 90 days. Once this security foundation is deployed, specific risks will be addressed with targeted actions. This is more than just work to be done.

30 Days to Achieve Easy Wins

Managing Security

Review dashboards and reports from Microsoft 365 Defender. Implement immediate and obvious actions.

Protecting Against Threats

Implement Multi-Factor Authentication (MFA) for admin accounts. Secure the administrator’s workstation.

Managing Identities and Access

Activate Azure Active Directory Identity Protection. Apply account security measures (password length, lifespan, complexity).

Protecting Information

Protect Office 365 information for GDPR compliance. Verify stored data locations by controlling organization settings with admin access (Exchange, SharePoint, OneDrive, Teams) in the configuration center. In case of non-compliance, contact Microsoft support for correction. Configure Teams according to three protection levels: Baseline (C1), Sensitive (C2), Highly Sensitive (C3). For each level, Microsoft documents the configurations for people access, private or shared channels, guest access level, site sharing settings, access from an already enrolled device, people allowed for sharing, and the use of confidentiality labels. Microsoft provides security baselines that simplify securing and control implementations.

90 Days to Strengthen Security

Security is enhanced for each of the themes started in the first 30 days.

Managing Security

Conduct phishing simulation attacks, password spraying, and brute force attacks. Microsoft provides a Red Teaming guide referring to the MITRE ATT&CK framework.

Protecting Against Threats

Set up a SIEM. Strengthen protection for admin accounts and terminals.

Managing Identities and Access

Generalize Multi-Factor Authentication for all users. Implement access conditions.

Protecting Information

Use Microsoft Purview, extending data protection to multi-cloud environments and non-Microsoft applications.

Beyond, Implement Specific Measures

Now, Microsoft 365 is ready for secure use. It involves identifying specific risks, analyzing them, managing them, and monitoring the effectiveness of the implemented actions. A formal method like EBIOS Risk Manager allows adaptation to the company's context and the sustainability of solutions (native Microsoft, third-party solutions).

Conclusion: The Risk of Overlooking Microsoft 365 Tenant Security

In conclusion, deploying Microsoft 365 in a business is not a simple Plug-and-Play followed by a pay-as-you-go approach. Ventures down this path expose companies to dangers that could harm their reputation, finances, and position as a trustworthy player in their ecosystem.

Microsoft 365 isn’t just about outsourcing the Microsoft Office suite to SaaS. In practice, it's a complex, distributed, elastic cloud computing system with user-centric security. This necessitates acquiring administrator competencies at the Microsoft 365 certified administrator level or equivalent (AWS certified sysops + Azure Administration for AWS SysOps). This is a significant departure from administering the Microsoft Office On-Premise suite, where user support was more critical than infrastructure administration. The same paradigm shift applies to security. It's not about hardening an office software suite and then deploying it on secured workstations. Securing Microsoft 365 involves the whole cloud computing system. Therefore, in hybrid configurations, it's not just adding a SaaS application to a secured application portfolio, but integrating the security of an On-Premise computing system with that of an On-Cloud system. Thus, recognizing Microsoft 365 as a full-fledged cloud computing system is crucial and changes the security paradigm compared to the traditional Office suite.

Microsoft enables reaching an acceptable security level (CIS Level 1) after 90 days, provided the subscription prerequisites are met to activate the necessary security features. This requires considering security from the outset, then continuously managing and optimizing it. The technical and contractual aspects are correlated, and managing co-responsibilities is a crucial aspect of Microsoft 365 security. Finally, companies must not forget that they are tenants of the solution. They must guard against payment defaults, as service interruptions could impact the availability of their data. A 25% rent increase is not out of the question.