{"id":5898,"date":"2020-11-12T14:02:05","date_gmt":"2020-11-12T12:02:05","guid":{"rendered":"https:\/\/tekmart.co.za\/t-blog\/?p=5898"},"modified":"2020-11-12T14:02:06","modified_gmt":"2020-11-12T12:02:06","slug":"12-microsoft-365-security-best-practices-to-secure-the-suite","status":"publish","type":"post","link":"https:\/\/tekmart.co.za\/t-blog\/12-microsoft-365-security-best-practices-to-secure-the-suite\/","title":{"rendered":"12 Microsoft 365 security best practices to secure the suite"},"content":{"rendered":"<h2 class=\"wp-block-heading\"><strong>Migrating to or operating cloud-based Microsoft 365 can bring with it a host of problems and misconfigurations. Check out 12 best practices to tighten Microsoft 365 security.<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.ttgtmedia.com\/rms\/onlineImages\/johnson-till_johna.jpg\" alt=\"Johna Till Johnson\"\/><\/figure>\n\n\n\n<p>By <a href=\"https:\/\/www.techtarget.com\/contributor\/Johna-Till-Johnson\">Johna Till Johnson<\/a><\/p>\n\n\n\n<p>Part one of this two-part series on\u00a0Microsoft 365 (formerly Office 365)\u00a0security weaknesses\u00a0examined some of the main misconfigurations that cause problems when trying to\u00a0<em>securely operate or migrate to the cloud-based Microsoft 365 suite of services.<\/em>\u00a0<\/p>\n\n\n\n<p>While knowing the challenges is half the battle, what about addressing those challenges? 
Based on our work with clients, our research data and a review of available information, Nemertes recommends the following 12\u00a0best practices to secure Microsoft 365.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li><strong>Implement a Microsoft 365 cybersecurity task force.\u00a0<\/strong>To address known concerns with Microsoft 365, we recommend enterprises form a cybersecurity team focused specifically on\u00a0Microsoft 365 cybersecurity. This team should be responsible for the following:<\/li><\/ol>\n\n\n\n<ul class=\"wp-block-list\"><li>educating itself on the known issues;<\/li><li>recommending remediations and best practices;<\/li><li>developing a security-based project plan for the Microsoft 365 migration;<\/li><li>working directly with any third-party providers to ensure migration and implementation align with best practices; and<\/li><li>working directly with Microsoft&#8217;s technical experts if issues arise.<\/li><\/ul>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\"><li><strong>Review Microsoft documentation<\/strong>. Microsoft has an extensive library that grows daily, documenting security vulnerabilities &#8212; particularly those related to configuration issues. As a regular practice, the task force should review the library. Earlier this year, for example, Microsoft\u00a0added a recommendation\u00a0to the repository that businesses should use Domain-based Message Authentication, Reporting and Conformance (DMARC) to validate and authenticate mail servers, so that destination email systems trust messages sent from company domains and companies fortify their systems.<br><br>Using DMARC with <strong>Sender Policy Framework (SPF)<\/strong> and <strong>DomainKeys Identified Mail (DKIM)<\/strong> provides additional protection against spoofing and phishing emails. The library has hundreds of recommendations like this. 
As a result, the task force should familiarize itself with the library&#8217;s documentation and continue reviewing it on a regular basis.<\/li><\/ol>\n\n\n\n<ol class=\"wp-block-list\" start=\"3\"><li><strong>Enable and use DMARC, SPF and DKIM.<\/strong>\u00a0When used together, these three protocols dramatically reduce the risk of spoofing and phishing. Use\u00a0Microsoft Exchange\u00a0as your email service provider in this configuration.<\/li><li><strong>Enable multifactor authentication (MFA) by default, at the very least for administrator accounts and, ideally, for all accounts.<\/strong>\u00a0The May 2019 U.S. Cybersecurity and Infrastructure Security Agency (CISA) report noted that MFA for administrator accounts isn&#8217;t enabled by default, yet Azure Active Directory (AD) global administrators in a\u00a0Microsoft 365 environment\u00a0have the highest level of administrator privileges at the tenant level. Modifying this configuration to require administrator MFA is a huge step toward ensuring security.<\/li><li><strong>Enable mailbox auditing by default.<\/strong>\u00a0The CISA report also revealed Microsoft didn&#8217;t enable auditing by default in Microsoft 365 prior to January 2019. The Microsoft 365 task force should ensure this step is enabled by default.<\/li><li><strong>Determine if password sync is required.\u00a0<\/strong>By default,\u00a0Azure AD Connect\u00a0integrates on-premises environments with Azure AD when customers migrate to Microsoft 365. In this scenario, the on-premises password overwrites the password in Azure AD. Therefore, if the on-premises AD identity is compromised, then an attacker could move laterally to the cloud when the sync occurs. 
If password sync is required, the team should carefully think through the implications of a premises-based attack on cloud systems, or vice versa.<\/li><li><strong>Move away from legacy protocols.<\/strong>\u00a0Several protocols, including Post Office Protocol 3 and Internet Message Access Protocol 4, don&#8217;t effectively support authentication methods such as MFA. CISA recommended moving away from all legacy protocols.<\/li><li><strong>Upgrade all software and OSes prior to migration.<\/strong>\u00a0Earlier versions of Microsoft software, such as Office 2007, have known security vulnerabilities and weaker protection thresholds. Upgrade all software to current versions\u00a0prior to migrating\u00a0to Microsoft 365.<\/li><li><strong>Test all third-party applications before integrating them into Microsoft 365.<\/strong>\u00a0If you are using Microsoft 365 in conjunction with third-party applications &#8212; developed in-house or by outside companies &#8212; be sure you conduct solid cybersecurity testing before integrating them with Microsoft 365.<\/li><li><strong>Develop and implement a backup and business continuity plan.<\/strong>\u00a0Many organizations wrongly assume that, because Microsoft 365 is cloud-based, it is automatically backed up. That&#8217;s not the case; Microsoft uses replication rather than traditional data backup methods. As a result, it can&#8217;t guarantee an organization&#8217;s files will remain available if files are compromised through ransomware or accidental deletion.<\/li><li><strong>Implement cloud-based single sign-on (SSO).<\/strong>\u00a0Known vulnerabilities in Microsoft 365&#8217;s security protocols involve using cross-domain authentication to bypass federated domains. 
The best approach to mitigating these issues is to deploy SSO as a service from a provider such as identity and access management company\u00a0Okta or identity security company Ping Identity.<\/li><li><strong>Assess your Microsoft Secure Score and Compliance Score.<\/strong>\u00a0Microsoft has developed two registries for Microsoft 365: Secure Score and Compliance Score. These registries list hundreds of steps customers should take to improve their overall scores and include a way to indicate whether they&#8217;ve completed each step, have not done it yet or accept the risk. Secure Score is aimed at traditional security, such as &#8220;Did you enable MFA?&#8221; Compliance Score offers a general assessment, as well as regulation-specific assessments, such as\u00a0GDPR\u00a0and the\u00a0California Consumer Privacy Act.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Microsoft 365 security effort requires focus<\/strong><\/h3>\n\n\n\n<p>In summary, Microsoft 365 is peppered with cybersecurity vulnerabilities, in its architecture and design and in the default configuration. The known vulnerabilities and best practices discussed here are just a start. What&#8217;s more important is that enterprise technology pros maintain a focused and ongoing cybersecurity effort to protect their environments.<\/p>\n\n\n\n<p>Organizations are facing a lot of pressure to migrate to Microsoft 365. Nemertes believes the platform&#8217;s cybersecurity challenges can be overcome with effort and attention.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p> In particular, it is\u00a0<em>vital<\/em>\u00a0to have a Microsoft 365 cybersecurity task force. This is not an optional component of any migration to Microsoft 365. That means companies need to consider the cost and effort involved in creating and maintaining an ongoing Microsoft 365 task force when computing the\u00a0ROI\u00a0of migrating to the platform. 
<\/p><\/blockquote>\n\n\n\n<p>If the perceived benefit of agility and a cloud-based environment exceeds the cost of maintaining a focused internal group, a move to Microsoft 365 is warranted.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Migrating to or operating cloud-based Microsoft 365 can bring with it a host of problems and misconfigurations. Check out 12 best practices to tighten Microsoft 365 security. By Johna Till Johnson Part one of this two-part series on\u00a0Microsoft 365 (formerly Office 365)\u00a0security weaknesses\u00a0examined some of the main misconfigurations that cause problems when trying to\u00a0securely operate or migrate to the cloud-based Microsoft<\/p>\n<p><a class=\"more-link\" href=\"https:\/\/tekmart.co.za\/t-blog\/12-microsoft-365-security-best-practices-to-secure-the-suite\/\">Read 
More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[128,30,16,3,167,95],"tags":[],"class_list":["post-5898","post","type-post","status-publish","format-standard","hentry","category-email-and-messaging-threats","category-expert-advise-and-opinion","category-how-tos-and-other-useful-tips-and-tricks","category-industry-news-and-expert-advise","category-information-security-threats","category-timeless-tips"],"_links":{"self":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts\/5898","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/comments?post=5898"}],"version-history":[{"count":1,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts\/5898\/revisions"}],"predecessor-version":[{"id":5899,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts\/5898\/revisions\/5899"}],"wp:attachment":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/media?parent=5898"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/categories?post=5898"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/tags?post=5898"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}