Microsoft Office 365 Archives

Managing Security, Identity, and Compliance within the Microsoft Azure and M365 Ecosystem

It can be challenging for financial institutions to manage security, identity, and compliance within Microsoft Azure Active Directory (Azure AD) and Microsoft 365 (also known as M365 and formerly branded as O365). Understanding the services and settings of the Azure AD and M365 ecosystem can make the process easier for IT administrators.

Some of the basic security settings that apply to most organizations fall under the free license level for Azure AD. These are also some of the low-hanging fruit that institutions can easily implement to make a dramatic difference in their security.

Security Defaults

One of the settings that can have the biggest impact is security defaults, which can be enabled to enforce a set of non-configurable conditional access policies. The policy set in Azure includes the ability to require multifactor authentication (MFA) and MFA registration for all users. It also offers the capability to block legacy authentication, which should be a high-priority goal for any organization.

Hackers can exploit basic authentication to effectively bypass MFA, which is a fundamental security service we recommend that every institution implement. If your institution has gone through the effort of enforcing MFA for users—but you’re not blocking basic authentication explicitly—there’s a major security gap. That gap should be addressed immediately, especially given Microsoft’s plans to decommission basic authentication protocols in Exchange Online in October 2022.

Identity Considerations

It’s also crucial to review the identity architecture for your financial institution. Any user, device, or app connecting to Azure should have an identity, whether it’s a guest user, mobile device, Mac OS device, or a Windows computer, so it can be assigned data access rights or even take on administrative capabilities. Every identity outside of Active Directory—which is the primary identity for users in many institutions—is another attack vector in a different system. An effective way to manage different identities is to consolidate them by sourcing them at the AD level and then synchronizing users and their password hashes to Azure AD. You should also review the level of access for all administrators as well as partners as they represent a huge risk downstream. Reviewing the level of access for partners goes beyond security; it’s also a matter of regulatory compliance.

Additional Considerations

Depending on your institution’s license level, there are additional Azure and M365 settings you can adjust in the areas of protection, compliance, and administration. For example, global auditing is an essential setting that should be enabled to augment security and facilitate troubleshooting after attacks. You should also block settings allowing for open collaboration and outbound email forwarding to avoid data loss and minimize cyberattacks.

If your institution is at the M365 level, it also needs the mobile device management (MDM) platform that offers sufficient protection. Exchange Online has built-in MDM capabilities but these capabilities do not extend to all M365/O365 apps.

Conditional access policies govern sign-ins and attempts. They can enable the enforcement of MFA and are the highest control layer for determining who has access to the data within Azure’s security ecosystem.

Since data lives outside of Exchange Online in the M365 world, if your institution has specific compliance requirements for retention, your retention policies will generally need to extend to all data.

M365 Security Basics

Adjusting all the security settings of Azure AD and M365 can be a daunting task, especially since Microsoft is constantly updating the features of its technology services. Our CloudInsight™ M365 Security Basics solution provides insights into security settings for Azure AD and M365 tenants. It helps IT administrators navigate the complexities of customizing their institution’s security settings through three services: reporting, alerting, and quarterly reviews.

The reporting service provides ongoing Microsoft data and packages it into a readable format that shows security settings at a glance, allowing institutions to easily see irregularities, such as when users sign in from Outside of the USA. Alerting sends a notification when an activity indicates that a potential compromise has occurred. With the quarterly reviews, trained experts analyze the settings, reports, and alerts and review them with administrators so they can speak with confidence to their board, steering committees, and auditors about their institution’s technology services and cloud security.

If you need help understanding how M365 Security Basics can support your financial institution’s risk mitigation or strategic planning efforts, contact us. You can learn more about this topic with our “How to Manage Security Identity and Compliance within the Microsoft Azure and M365 Ecosystem” webinar.

Important Disclaimer

The security settings that are discussed in this paper can have a dramatic impact on end-users and/or service functionality and should only be employed if deemed appropriate and after careful consideration. There are a variety of security options available, but organizations should strive to implement these technology services strategically and, ideally, through planned phases of objectives over potentially several months or even years. The recommendations, statements, and other concepts contained within this paper are provided primarily for the consideration of IT Administrators of financial institutions.

Understanding Microsoft O365/M365 Settings to Ensure Your Security Controls Are Effective

It’s important for financial institutions to understand Microsoft Office 365 (O365) and M365 settings, so they can optimize the security controls and quickly detect potential areas of compromise. The educational journey begins with acknowledging the role of Azure Active Directory (Azure AD), Microsoft’s cloud-based user authentication platform.

When your institution purchased O365 (recently rebranded as M365), it established a Microsoft tenant with Azure AD. Since that tenant belongs to you and your institution—not the licensing reseller—it is your responsibility to understand Azure AD and its controls. This is where you can customize the settings to create more sophisticated and appropriate security policies for your institution.

Monitoring for Exceptions to Security Controls

Once your institution has good policies in place, it’s essential to monitor for exceptions. There are so many security controls to check; it can be difficult to know if there is a policy exception or even an active compromise. As an added challenge, some controls can have a major impact on the user experience, and these controls cannot be created arbitrarily by a third party simply based on what is presumed to be best practice.

Therefore, you must build policies around what users are allowed to do, what your institution’s risk assessment defines, and what users will tolerate. Making appropriate policy-related adjustments to O365/M365 requires knowing how to connect with and analyze specific Microsoft data to modify the related security controls. Microsoft has created a plethora of controls, which can be difficult for many customers to navigate. That’s where it can be beneficial to partner with a value-added reseller like Safe Systems.

M365 Security Basics

Safe Systems consults with clients to help them best use O365/M365 controls and uncover their cloud security “blind spots.” M365 Security Basics is the first CloudInsight™ offering that provides visibility into security settings for Azure Active Directory and O365/M365 tenants.

M365 Security Basics consists of three main parts—reporting, alerting, and quarterly reviews— that your institution can choose from based on its needs. The reporting feature pulls Microsoft data that may not be easily accessible and compiles it into a user-friendly format. The reports show the fundamental settings at a glance, so institutions can track configuration changes over time. There are summary reports that IT administrators can use to quickly identify anomalies in their organization as well as detailed reports that include the specifics of a given anomaly.

While reporting generates important ongoing details, it can produce a substantial amount of information for you to review. Alerts can notify you as soon as possible about the most common setting changes or activity that can represent an indicator of compromise, so you can investigate and respond.

With the quarterly review component, Safe Systems will help you walk through the content of all your reports and discuss your overall strategy for adjusting the configurations. Having all this data at your fingertips makes it easier to make assessments to determine which settings are right for your organization. Two key settings to enable are multi-factor authentication—which should be universal for every user because it adds a critical layer of protection to the user sign-in process—and auditing which is crucial for investigating changes.

Educate. Expose. Empower.

The goal of M365 Security Basics is to educate financial institutions about the unfamiliar concepts related to O365/M365, expose the reality of what they are already living today, and empower them to take action where changes are needed.

For more information about how to understand O365/M365 settings to ensure your security controls are effective, listen to our webinar on “Cloud O365-M365 Security – Do You Know if You Are Currently Compromised?”