Many companies are currently considering moving to the office cloud. Characterized by supposed risks such as security concerns, however, the path to the cloud is made more difficult.
The Office Cloud from Microsoft (Microsoft 365) offers your company the ideal entry into a world full of flexible Office functions from a single source.
We have summarized the most important security features for you to make it easier for you to get started in the cloud and to set up your Microsoft tenant as securely as possible according to Microsoft security standards.
1. Multi Factor-Authentication (MFA)
A convenient registration process for the end user is not always the most secure. The standard login process includes the simple specification of credentials (username & password).
MFA adds another authentication method to this process, making the login one step more secure. This includes the additional entry of authentication codes via SMS or Microsoft Authenticator app, which are linked to the respective user account. This method prevents unauthorized third parties from accessing the data if the user credentials are leaked to third parties through a security gap
Alternatively, Microsoft provides the Azure MFA as an add-on, which forms an even more individual solution for registration monitoring and can be booked in the Microsoft portal (this service is not part of the standard MFA and can therefore only be booked at an additional cost.)
MFA can be used by all users and is highly recommended by Microsoft!
Our tip: In any case, use the MFA function provided by default to protect yourself from unauthorized login processes by third parties. You can find the setting in Azure Active Directory (AD) > Security > MFA.
2. Conditional Access
Unrestricted access to company resources is a serious security risk for all companies. Microsoft provides the key to this problem with the Conditional Access. In Azure AD > Security to find, you have the possibility to define access guidelines for your company and to deny access according to defined conditions. For example, define countries as “not secure” or allow access only via VPN, specifying the VPN point IP.
You have the option of designing access policies individually and adapting them to your company requirements.
In this context, Microsoft provides extensive monitoring logs that log all actions in the Microsoft 365 account.
These logs can be used to track activities and users.
But beware: Don’t shut yourself out! Setting conditional access incorrectly can block your access to the Microsoft tenant! In this case, contact Microsoft Support for activation.
Already with the Microsoft 365 Business Premium licenses and the Enterprise licenses you have access to functions for conditional access.
Our tip: Set your own individual security policy in Azure AD. Make sure that the user can work optimally, depending on the business case. Restrict foreign access as required.
3. Microsoft Defender / Advanced Threat Protection
Ransomware poses an ever-increasing risk for companies. A virus or Trojan horse can spread to the user’s and company’s system simply by moving the mouse over a link in an email, without anyone noticing.
Microsoft Defender for Microsoft 365 protects your organization from threats via email, links (URL) and collaboration tools
It offers a large portfolio of policies to define your individual protection and to monitor the functions with the help of real-time reports.
You have the option of identifying and simulating threats (attack simulator) in order to optimally protect your data.
the Advancend Threat Protection helps them to identify and eliminate risks at an early stage. By opening the links / attachments in a secure environment, detached from your Microsoft tenant, a risk assessment is carried out so that harmful content does not even reach the inboxes of your employees and colleagues.
Microsoft Defender Plan 1 is already included in Business Premium. The advanced feature (Microsoft Defender for Microsoft 365 Plan 2) is included in the Office 365 E5, Office 365 A5, Office 365 E5 Security, and Microsoft 365 E5 licenses. However, they can also be booked flexibly as an add-on to other license packages.
Our tip: Plan 1 already gives you real-time detection of malicious files. This is particularly important to enable rapid action in the event of a cyber attack. Depending on the business case, we recommend Plan 2, which includes security campaigns and attack simulators, to our enterprise customers.
4. Privileged Identity Management (PAM)
Although it is easy to provide each user with administrator rights, it poses a significant security risk when implemented.
As a global administrator, you have full access and functions that the Microsoft 365 Cloud offers you. This includes access to user data, financial data and, for example, access to all team data. According to the guiding principle “As much as necessary, as little as possible!” Authorizations are to be assigned in the Microsoft tenant.
Here comes this Privileged Identity Management used by Microsoft. It gives the company the opportunity to create users as temporary administrators. The users are marked as temporarily authorized admins and have the opportunity to request administrator access.
You are responsible for controlling how long and to which information a user may have access to administrator rights. In the request, the user has the option of specifying the period and reason for the request.
PAM is available as an add-on and in the Azure Active Directory Premium P2 plan.
Our tip: limit your super admins / global administrators to the bare essentials. in the Azure AD > Schnellstart > Privileged Identity Management you can assign privileged roles to your users. We recommend the use of user-based requirements management, in which each user can make justified administration requirements. These are then released and managed from a central location in the company.
5. Encrypted E-Mail + Data Loss Prevention (DLP)
In almost every company there is sensitive data, such as personal data or business information, which, due to legal or internal regulations, must not be released outside of the business world.
Microsoft offers the possibility of identifying this risk and limiting it using encrypted e-mails and data loss prevention.
the Email Encryption ensures that users can only see end-to-end content. Microsoft provides various encryption types, such as Office Message Encryption (OME), S/MIME Certificates or Information Rights Management (IRM).
With the Data Loss Prevention, DLP for short, Microsoft has developed a function that prevents sensitive company data from being sent into the company environment. However, this function does not only include the pure mail dispatch. Office applications such as SharePoint Online, OneDrive for Business, Microsoft Excel/Word, etc. are also monitored and external access to confidential documents is also restricted.
Create trustworthy locations and prevent company data from being shared in Microsoft teams, for example.
Every company has the option of creating its own DLP policies in Azure AD and thus controlling the company’s data transmission in order to meet sometimes complex compliance requirements.
To use encrypted emails and data loss prevention, you need at least one mailbox with an Exchange Online Plan 2 license or an Enterprise license (E3 and higher).
Our tip: Secure both your internal and external communication channels. With OME you secure your data traffic by default. If you prefer more secure encryption, we recommend using S/MIME, PGP, TLS or gateway encryption.
6. Azure AD Identity Protection
Do you want to protect your employees’ user accounts from unauthorized access? Do you want to detect hacker attacks before they penetrate your system? Azure AD Identity Protection is the solution!
With the help of machine learning, the system learns when and where your employees and colleagues log in and out of the system and how they work.
This has the advantage that the system can quickly detect irregularities and inform you as the system administrator. Regardless of whether the location or the time indicate unusual behavior, you have the option of automatically using defined guidelines to ask the user to authenticate themselves via MFA or to block access.
For example, the “traveller function” offers the possibility to recognize that a user cannot register in Germany and an hour later in the United States.
It is important to emphasize here that the data is linked to the user account and encrypted, so that if the employee is dismissed or the account is blocked, the data can no longer be accessed.
To get access to the full functionalities, you need the Azure AD Premium P2 plan. You already get limited information in the Azure AD Premium P1 plan.
Our tip: The majority of cyber attacks come from abroad. There are always new threats that you as a security officer may not be aware of. With the use of this machine learning solution, your system automatically understands which accesses are to be classified as a risk. Use this function for early risk detection. You can find the service at Azure AD > Security > Identity Protection.
Do you have questions about entering the cloud or about existing cloud solutions? Ask the cloud experts!