Co-written by Monica Meiterman-Rodriguez (Privacy Consultant) and Brian Ching (Information Security and Privacy Analyst)
A majority of global enterprises now use Microsoft 365 (“M365”) as their primary office application suite. In fact, Microsoft has reported that 1.2 billion individuals worldwide use some kind of Office product or service. At the same time, survey and research reports – such as this report, for example – indicate that many organizations likely have not performed the necessary due diligence and implemented appropriate security safeguards.
The consequences of not implementing appropriate security safeguards are well known and have been demonstrated by numerous security breaches resulting from phishing, account takeover and similar attacks, as documented in Microsoft’s September 2020 Digital Defense Report.
These consequences are further evidenced in industries that have breach reporting obligations, such as healthcare. A review of organizations on the Department of Health and Human Services Office for Civil Rights’ breach portal shows that as many as 177 healthcare organizations have reported breaches that involved email so far in 2020. Given the predominance of Office 365, it is safe to conclude that a significant number of these organizations likely use the M365 suite of tools.
And yet, email compromise is not the only risk that organizations using Office 365 face. Our experience shows that many Office 365 user organizations have not implemented appropriate security controls in other components of Office 365, including OneDrive, SharePoint and Teams.
What can organizations do to improve the security posture of their Office 365 implementations? The first step is a formal security assessment to identify any gaps against good security practices for such cloud-based solutions, followed by implementation of necessary safeguards, in a prioritized manner.
Conducting the M365 Assessment
Organizations leveraging M365 should perform at least one security assessment of their M365 ecosystem to establish a baseline for their security posture going forward. Such an assessment of the organization’s M365 deployment can be conducted in three distinct stages that together provide a comprehensive evaluation of security risks, as well as reporting that enables remediation activities to be undertaken in priority order.
The Initiation Stage requires identifying the relevant internal and external teams and personnel involved in the governance of M365. This can include, but is not limited to, stakeholder teams that oversee initial deployment, identity and access management, and audit logging and monitoring. Additionally, a list of M365 components and anticipated use cases should be developed to assist with prioritizing the assessment. This phase often requires direct communication and cooperation with the leaders of the stakeholder teams.
Next, the Assessment Stage requires meeting with each identified team or stakeholder to discuss and document a walkthrough of their use of, and involvement in, the design, engineering, operation or security monitoring of M365 components.
This walkthrough should include a detailed demonstration or walkthrough of controls, capabilities and uses including:
- Formalized policies and procedures for privacy and data security;
- Results of past assessments or benchmarking against identified standards;
- Initial login process and authentication;
- Roles of different users (privileged and non-privileged access);
- Provisioning and deprovisioning of users;
- Types of communications being transmitted, including any sensitive personal data or proprietary business information;
- Sharing of documents and attachments using M365;
- Data retention or deletion procedures;
- Data storage locations; and
- Audit logging and monitoring.
Formal benchmark assessment templates, such as the benchmarks developed by the Center for Internet Security (CIS) in collaboration with Microsoft, are highly recommended. Using such an industry-accepted framework allows an organization to measure security performance and discuss security ratings in a manner that can be understood and accepted by the stakeholders.
The last phase is the Reporting Stage, in which the information collected during the assessment phase is analyzed and summarized into a formalized report. This report should detail the key findings, identified security gaps with risk rankings, and prioritized remediation recommendations with practical steps and a timeline for implementation.
Remediation Focus Areas
Depending on the outcomes of the assessment, most organizations performing this assessment for the first time will benefit from the following remediation steps.
- Security by Design: Security-by-Design is a proactive approach in which organizations build security into their systems, documents, and business processes to prevent security breaches. An M365 deployment should have security governance features built into its ecosystem at the time of implementation, which may include tools for developing policies and procedures, assigning formal roles and responsibilities for security operations, automating data security controls, and building security into an organization’s management processes.
- Audit Logging and Monitoring: For awareness and prevention of suspicious activity, an organization should enable automated logging of M365 activity, including notification of anomalies. These logs should be reviewed and monitored on a regular basis by a designated individual. Identified anomalies should be addressed and formally documented, a process which can be operationalized using Microsoft’s Security and Operations Center solution.
- Access Reviews: Organizations should perform periodic reviews of individuals’ access rights for components of the M365 environment. Depending on the size of the organization, privileged access should generally be reviewed monthly to quarterly, and non-privileged access should be reviewed bi-annually to annually. These types of reviews are critical, as they provide a level of assurance that only those who need to access data or tools relevant to their job function are granted access. In the event that job functions or the data access needs of individuals change, these periodic reviews facilitate updates of access rights to match current needs.
- Formalized Policies and Procedures: Formal governance documents should be developed to provide practical guidance on the internal rules and limitations of using M365 components. The governance documents should be communicated clearly to M365 users in order to establish the boundaries regarding permissible use of the applications, including restrictions on certain communications within each communication tool, document classifications and protections, and rules on data transfer, storage, retention, and deletion.
Focus on Teams
Microsoft Teams is an M365 application that has seen skyrocketing growth recently, now counting over 75 million daily users. Organizations that make significant use of Microsoft Teams should be aware of the security risks associated with the tool and consider the following recommendations:
- Security Governance: Formal governance standards should be developed and implemented for the operation of Teams within the M365 ecosystem, including creating custom levels of access appropriate to the organization, implementing formal Data Loss Prevention (“DLP”) policies, and using the data retention mechanisms in M365 and applying them to Teams. The Teams application offers many customization options which organizations should leverage, such as minimizing users’ ability to create Teams, only allowing the creation of Private Teams (thereby preventing the future creation of Public Teams), and requiring IT approval for all external access.
- External Access and Third-Party Applications: Organizations using Teams to communicate with individuals from external organizations should work with IT Security to develop a formal process to request approval for, activate, and periodically review the access of external organizations. Similarly, if third-party applications need to be integrated with Teams, a process should be developed for the review and approval of applications within Teams.
- Meetings Settings: To ensure that data transmitted over Teams is secure from unauthorized internal or external access, the organization should conduct a review of Teams settings, which may include disabling the following features:
- Permission for anonymous users to start or join meetings;
- Allowing external users to request control; and
- Automatic entry into meetings for all users (including external users).
- Threat Management: To increase the safety of sharing links and attachments within Teams, organizations can look to leverage the Microsoft Azure Advanced Threat Protection (ATP) solution.
- Access Provisioning: Documented responsibilities should be developed and assigned to an appropriate role for handling the creation and removal of individual and group access to Teams, as well as performing periodic access reviews.
- Conditional Access: To allow or prohibit access from locations and devices that have been identified as carrying unacceptable risk, organizations can utilize Azure AD Conditional Access Policies. Enhancing conditional access policies to block access to Office 365 from unmanaged devices ensures that personal devices with weaker security controls cannot be used. The criteria for allowing or disallowing access from certain countries, based on a threat model or assessment, should be documented in order to support the ongoing use of these access policies to block high-risk users and high-risk sign-ins from accessing Teams (and other M365 applications).
While organizations may be tempted to rely on Microsoft’s built-in security functions, additional steps should be taken to ensure an organization’s systems and data are properly safeguarded in a manner consistent with internal standards.
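The review of Teams meeting settings described above, expressed as an added PowerShell example (not code from the original article): it compares the org-wide meeting policy against the three hardened values, reports any gaps in the form an assessment report would carry, and previews the remediation. It assumes the MicrosoftTeams PowerShell module, a Teams administrator account, and that the "Global" policy is the one that applies (no per-user policy overrides it).

```powershell
# Added example: review the Teams meeting settings listed in the article against
# a hardened baseline, then preview the fix. Requires the MicrosoftTeams module.
Connect-MicrosoftTeams

# Assumption: the org-wide "Global" policy is the effective policy for users.
$PolicyName = "Global"
$Baseline = @{
    AllowAnonymousUsersToStartMeeting          = $false              # anonymous users cannot start meetings
    AllowAnonymousUsersToJoinMeeting           = $false              # anonymous users cannot join meetings
    AllowExternalParticipantGiveRequestControl = $false              # external users cannot request control
    AutoAdmittedUsers                          = "EveryoneInCompany" # external users wait in the lobby
}

$Policy = Get-CsTeamsMeetingPolicy -Identity $PolicyName

# One finding per setting whose current value deviates from the baseline.
$Findings = foreach ($Setting in $Baseline.Keys) {
    $Current = $Policy.$Setting
    if ("$Current" -ne "$($Baseline[$Setting])") {
        [pscustomobject]@{
            Policy   = $PolicyName
            Setting  = $Setting
            Current  = $Current
            Expected = $Baseline[$Setting]
        }
    }
}

if (-not $Findings) {
    Write-Host "No gaps: policy '$PolicyName' already matches the baseline."
    return
}

# Assessment output: the gap list with current versus expected values.
$Findings | Format-Table -AutoSize

# Remediation: change only the settings that deviate. -WhatIf previews the
# change without applying it; remove it once the change has been approved.
$Changes = @{}
foreach ($Finding in $Findings) { $Changes[$Finding.Setting] = $Finding.Expected }
Set-CsTeamsMeetingPolicy -Identity $PolicyName @Changes -WhatIf
```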
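The two Conditional Access controls recommended above (blocking unmanaged devices and blocking sign-ins from countries the threat assessment rated as unacceptable), as an added example using the Microsoft Graph PowerShell SDK; this is not code from the original article. "Unmanaged" is implemented the way Azure AD expresses it, by requiring a compliant or hybrid Azure AD joined device. The break-glass account id and the named location id are placeholders, and both policies are created in report-only mode so their impact can be checked in the sign-in logs before enforcement.

```powershell
# Added example: two Azure AD Conditional Access policies created via Microsoft
# Graph (Microsoft.Graph.Identity.SignIns module). Placeholders must be replaced.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholders (assumed): an emergency-access account excluded from both policies,
# and a named location that lists the countries the assessment rated high-risk.
$BreakGlassAccountId        = "00000000-0000-0000-0000-000000000000"
$BlockedCountriesLocationId = "11111111-1111-1111-1111-111111111111"

# Policy 1: Office 365 (which includes Teams) is only reachable from a device
# that is Intune-compliant or hybrid Azure AD joined, so personal devices are out.
$RequireManagedDevice = @{
    displayName   = "CA-01 Require managed device for Office 365"
    state         = "enabledForReportingButNotEnforced"   # report-only until reviewed
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassAccountId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
}

# Policy 2: block every sign-in to Office 365 that originates from the named
# location holding the high-risk countries documented in the threat assessment.
$BlockHighRiskCountries = @{
    displayName   = "CA-02 Block Office 365 from high-risk countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassAccountId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @($BlockedCountriesLocationId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($Policy in @($RequireManagedDevice, $BlockHighRiskCountries)) {
    $Created = New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $Created.DisplayName, $Created.Id, $Created.State)
}
```

Switch a policy's state to "enabled" only after the report-only results in the Azure AD sign-in logs confirm that legitimate users are not caught by it.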
For organizations that have been using M365, an organization-wide M365 assessment is highly recommended in order to determine how M365 has been used and how stored communications are being handled. Organizations that are seeking to implement M365 should consider a pre-implementation assessment to ensure that necessary security safeguards are implemented and appropriately maintained.