Many novice Office 365 (O365) shops do not know where platform-specific security vulnerabilities lie, or even that they exist. The threats you are unaware of do not cause pain until they rise up and bite – then the agony is fierce.
Companies get themselves into trouble when they do not fully understand how data moves through O365, or when they apply on-premises security practices to their cloud strategy. While the O365 platform comes with some security features and configuration options – which all customers should take advantage of – native or built-in tools do not address many vulnerabilities and other security issues.
Below you will find four common areas that enterprises neglect when they adopt O365.
1. Impossible to implement zero trust with native tools
Enterprises are increasingly relying on zero trust cybersecurity strategies to mitigate risk and prevent data breaches. With the zero trust model, an organization only allows access between IT entities that have to communicate with each other. IT and security teams secure every communication channel and remove generic access to prevent malicious parties from eavesdropping or obtaining critical data or personally identifiable information (PII).
One problem with a zero trust strategy is that implementing it in Azure Active Directory (Azure AD) is highly complicated. For instance, IT and security teams can assign an employee the “Application Administrator” role, which gives them, and anyone else with that role, the ability to perform or change 71 different attributes. The problem with these cookie-cutter roles is that organizations do not know precisely what all of the corresponding admin-controlled attributes mean, nor what functionality they are granted.
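One way to find out exactly what a built-in role such as “Application Administrator” grants before assigning it is to pull the role definition from Microsoft Graph and list its allowed resource actions. This is an added example, not code from the original article; it assumes the Microsoft.Graph PowerShell module is installed and that the signed-in account has the RoleManagement.Read.Directory permission.

```powershell
# Added example (not from the original article): enumerate the directory actions
# granted by a built-in Azure AD role so the role can be reviewed before use.
# Assumes the Microsoft.Graph module and a tenant login with
# RoleManagement.Read.Directory.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

# Built-in roles are looked up by display name; this is the role the article mentions.
$roleName = "Application Administrator"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role '$roleName' was not found in this tenant." }

# A role definition carries one or more permission sets; flatten them into a
# single sorted list of allowed resource actions (the "attributes" the article refers to).
$actions = $role.RolePermissions |
    ForEach-Object { $_.AllowedResourceActions } |
    Sort-Object -Unique

"{0} ({1}) grants {2} resource actions:" -f $role.DisplayName, $role.Id, $actions.Count
$actions

# Highlight the actions a reviewer should look at first: anything that can
# create, update or delete credentials and owners on apps or service principals.
$reviewPattern = 'credentials|owners|create|update|delete'
$actions | Where-Object { $_ -match $reviewPattern } |
    ForEach-Object { "  REVIEW: $_" }
```

Run the same lookup for every role you plan to hand out; comparing the flattened action lists is the quickest way to see which “cookie-cutter” role is the least privileged fit for a job.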
2. Difficult to manage privileged permissions
Under the O365 centralized admin model, all administrators have global credentials, which means they can access and see each and every user. Not only is this deeply inefficient, it also creates huge security problems. Did you know that 80% of SaaS breaches involve privileged permissions? And that admins have the most privileges of all? In O365, user identity must be treated as the security perimeter.
The native O365 admin center focuses on providing global admin rights, giving admins who tend to work locally far more power and privileges than they need. This centralized model of setting privileges in O365 relies entirely on granting “global admin rights” – even to regional, local, or business unit administrators.
The native O365 Admin Center does not enable you to easily set up rights based on business unit or country, or for remote or satellite offices. In addition, you cannot easily limit an admin’s rights granularly so that they can perform only limited, specific functions, such as changing passwords when requested.
So, how do you mitigate the risk related to O365’s operator rights? Some IT veterans may answer with role-based access control (RBAC), as it allows organizations to partition permissions by job role, resulting in far fewer, truly trusted global administrators. These global admins are augmented by a set of local or business-unit-focused admins with no global access, all leading to far better protection for your O365 environment.
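The regional, least-privilege delegation described above can be built in Azure AD with an administrative unit and a role assignment scoped to it, rather than a tenant-wide role. This is an added example, not the article’s or Microsoft’s own code; the unit name, the country code used to select members and the delegated admin’s UPN are placeholders, and it assumes the Microsoft.Graph module with the Graph permissions listed in the Connect-MgGraph call.

```powershell
# Added example (not from the original article): scope password-reset rights to
# one country's users via an administrative unit instead of a global role.
# Placeholders: $auName, $countryCode, $delegateUpn.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All","RoleManagement.ReadWrite.Directory","User.Read.All"

$auName      = "Germany Helpdesk Scope"    # placeholder
$countryCode = "DE"                         # placeholder: matches the users' 'country' attribute
$delegateUpn = "helpdesk.de@example.com"    # placeholder

# 1. Create the administrative unit that bounds the delegated admin's reach.
$au = New-MgDirectoryAdministrativeUnit -DisplayName $auName -Description "Users with country $countryCode"

# 2. Populate it with the users the regional admin is allowed to service.
$members = Get-MgUser -Filter "country eq '$countryCode'" -All -Property Id,UserPrincipalName
foreach ($u in $members) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($u.Id)"
    }
}

# 3. Assign the built-in Helpdesk Administrator role (password resets for
#    non-admin users) with the AU as its scope, not "/" (the whole directory).
$role     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
$delegate = Get-MgUser -UserId $delegateUpn
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $delegate.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 4. Verify: every assignment held by the delegate should show an AU scope.
#    A DirectoryScopeId of "/" would mean the admin is tenant-wide after all.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($delegate.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

Repeat steps 1 to 3 per region or business unit, and make step 4 part of a periodic review so that no scoped admin quietly acquires a “/” assignment later.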
3. Difficult to set up log and audit functions
O365 collects millions of data points on even the smallest implementation. Unfortunately, from a security standpoint, these data points do not persist for long, and far too few are ever used for protection or forensics. Microsoft historically offers logs for only the last 30 days (though that is being increased to a year soon, but only for high-end E5 licenses), so businesses must ask themselves:
- Why do they need to collect data logs?
- How do logs impact regulatory compliance?
- What happens if the logs aren’t saved or otherwise mined and audited?
- What business value do these logs offer?
When used strategically, logs provide valuable forensics that not only help detect a breach but also identify cybercriminals that may still reside on the network. Before businesses can even think about leveraging audits, IT and security teams have to turn on logging and implement a process to save log data far longer than Microsoft’s standard 30 days. It’s also important to know that even when logging is set up, event tracking is not an O365 default setting, so businesses must turn that on.
Real-time monitoring and alerting for security compliance issues are the engine that drives much of the data that ends up in the logs. Smart IT shops now enable real-time monitoring and alerts for potential security compliance issues in their O365 environment.
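The two steps the section calls for, confirming that audit logging is actually on and copying the records out before the retention window closes, can be scripted with the Exchange Online PowerShell module. This is an added example, not the article’s own code; the export directory and the list of operations to archive are assumptions you would adjust, and it assumes the ExchangeOnlineManagement module and an account allowed to read the unified audit log.

```powershell
# Added example (not from the original article): check that unified audit log
# ingestion is enabled, then archive the last 30 days of records (the retention
# window the article cites) as newline-delimited JSON for long-term keeping.
# Assumes the ExchangeOnlineManagement module; $exportDir and $ops are placeholders.
Connect-ExchangeOnline

# 1. Logging is not guaranteed to be on; enable ingestion if it is off.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning "Unified audit log ingestion was off; enabled now. Events appear after a delay."
}

# 2. Export the retention window in pages. The same SessionId with
#    ReturnLargeSet lets the cmdlet hand back successive 5,000-record batches.
$exportDir = "C:\AuditArchive"                                   # placeholder
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
$end       = Get-Date
$start     = $end.AddDays(-30)
$sessionId = "archive-" + $start.ToString("yyyyMMdd")
# Operations worth keeping for forensics: sign-ins plus mailbox-permission and
# inbox-rule changes (common persistence footprints). Adjust to your needs.
$ops  = "UserLoggedIn","Add-MailboxPermission","New-InboxRule","Set-InboxRule"
$file = Join-Path $exportDir ("ual-{0}-{1}.ndjson" -f $start.ToString("yyyyMMdd"), $end.ToString("yyyyMMdd"))

do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($batch) {
        # One JSON object per line; AuditData is kept verbatim (it is itself a JSON string).
        $batch | ForEach-Object {
            $_ | Select-Object CreationDate, UserIds, Operations, AuditData | ConvertTo-Json -Compress -Depth 5
        } | Add-Content -Path $file
    }
} while ($batch)

Disconnect-ExchangeOnline -Confirm:$false
"Archived to $file"
```

Schedule the export at least weekly and ship the files to storage you control, so the archive keeps growing while the tenant’s own copy ages out.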
4. The “right to be forgotten” challenge
Compliance is a major security and economic issue. Fines under GDPR and other privacy regulations, such as CCPA, are reported almost daily. There is a lot involved in being compliant with GDPR; foremost among its provisions is the right to be forgotten, which gives individuals the right to ask organizations to delete their personal data. However, as many businesses have learned, it is difficult to fulfill this requirement if the IT or security team cannot locate personal information or determine how it was used.
Organizations must be able to track and audit individual user accounts to make sure that they not only comply with this request but have processes in place to differentiate between users with similar (or even identical) usernames, even if one of them exercises their right to be forgotten.
At its core, each of these challenges stems from a general lack of visibility into the O365 infrastructure. Microsoft’s SaaS platform introduces a number of important business benefits and capabilities, but it requires enterprises to take proactive measures to account for their data and how it is accessed and shared externally. Organizations need to fulfill their end of the shared responsibility model to maintain a solid organizational security posture.