So, unless you've been living on the moon for the past few years, you'll know that most of us mortals here on Earth have moved our businesses to the cloud. When I refer to Microsoft 365, I also of course mean Office 365, as the two are now inseparable. Anyway, where was I? Ah yes, so you've moved from Windows Server Active Directory to Azure AD. You've done all the Microsoft training and migrated all your stuff into the cloud. You've even finished setting up your mobile devices using Intune (Mobile Device Management). The next big question is: how the heck do I secure everything? Initially this could seem a little daunting. However, have no fear, this short article will tell you everything you need to know.
Firstly, think of security like an episode of Game of Thrones, in which you play Ser Gregor Clegane, the kingsguard. How do you protect a king? The answer is you think in layers. Room within a room, or in the king's case, a wall within a wall until you have a castle, a moat, guards and a good set of armour. Now of course we can't all be a knight of the seven kingdoms, but we can be a champion of security using the same approach. So in Microsoft 365, think of security in different layers.
1 - Logging on with simple usernames & passwords is so 90s, dude. Simply adding your thumbprint to your mobile device can prevent your worst nightmares. Incorporating something you have, rather than just something you know, into your login process by enabling multi-factor authentication can improve your overall security a thousand percent. Here's how to do it. https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
2 - Next, deploy Azure Conditional Access. This is a powerful set of tools that acts as a gatekeeper into your digital world. Traditional user management employs the concept of the user entering a username and a password, and then access is granted. However, with Conditional Access, there are additional checks that can be run. The user, app or device must go through additional screening before entry is authorised. As it says on the tin, the user must meet certain conditions, which can be based on location, device, app, etc, and it can be extremely granular. If you'd like a step by step guide, then take a look here. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
3 - Protect your information with Azure Information Protection. The inadequacies of traditional file sharing still give me nightmares. However, this clever piece of tech combines labelling / classification along with Information Rights Protection or rights management. This essentially means that when you classify your data, a label is applied (manually or automatically). The document is then encrypted with a clever call home feature. So, let's say you have a file which is labelled internal only: you can create a policy which prevents the document's contents from being read outside the organisation, even if it's accidentally transmitted or shared. This, combined with data loss prevention features, means that your critical data is protected from both accidental deletion and unauthorised access. Again, if you'd like a step by step guide, take a look here. https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
4 - Finally, my favorite. Ok now so you're thinking I'm pretty secure, right? Well, there's one piece missing: your apps. "But my apps are secure Andy, aren't they?" Actually, I'm not talking about your business apps, I'm talking about your personal apps. Managing devices with Microsoft Intune is awesome, take a look here at how to do it. https://docs.microsoft.com/en-us/intune/what-is-device-management Once you're managing users' personal devices, you can deploy corporate apps, manage updates and many other things like partial remote wipe. This will delete your corporate data from the user's device, whilst leaving that all important personal data, including that copy of Angry Birds, intact. My only issue with this is: what about those other apps that the user is using? That chess game that needs mysterious access to the user's contacts, camera and microphone. Hmm, that's not right. This is where Cloud App Security is a godsend. It's a catalogue of apps that provides risk scores that will let you know how risky that app is. From there, you can make an informed decision on whether to allow the app to interact with your apps while connected to your network. That's only the beginning: you can investigate potential user anomalies, like logging in from unknown locations or downloading unauthorised data, and then secure your environment with security policies. For security professionals this is an absolute must. You can see a presentation that I did at the 2018 Microsoft Ignite here https://myignite.techcommunity.microsoft.com/sessions/66434#ignite-html-anchor There is also a step by step guide available here. https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security
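To make the extra screening from step 2 concrete, here is an added example (not code from the original article or from Microsoft) that models how Conditional Access combines location, app and device conditions after the password has been accepted. It is a simplified model rather than Microsoft's evaluation engine: the field names follow the Microsoft Graph conditionalAccessPolicy resource, while the policies, the `finance-app` identifier and the sign-in dictionary keys are constructed for illustration.

```python
# Simplified model of Conditional Access evaluation, not Microsoft's engine.
# Field names follow the Microsoft Graph conditionalAccessPolicy resource.
POLICIES = [  # constructed sample policies; "finance-app" is a placeholder id
    {"displayName": "MFA outside trusted locations", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Finance app: MFA and compliant device", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["finance-app"]}},
     "grantControls": {"operator": "AND",
                       "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Block everything (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

def applies(policy, signin):
    """True when an enforced policy's app and location conditions match."""
    if policy["state"] != "enabled":  # disabled and report-only never gate access
        return False
    cond = policy["conditions"]
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and signin["app"] not in apps:
        return False
    excluded = cond.get("locations", {}).get("excludeLocations", [])
    return not ("AllTrusted" in excluded and signin["trusted_location"])

def evaluate(signin, policies=POLICIES):
    """Return (decision, names of the policies that caused it)."""
    # The password has already been checked; this is the extra screening.
    have = {c for c, ok in (("mfa", signin["mfa_done"]),
                            ("compliantDevice", signin["device_compliant"])) if ok}
    matched = [p for p in policies if applies(p, signin)]
    blockers = [p["displayName"] for p in matched
                if "block" in p["grantControls"]["builtInControls"]]
    if blockers:  # a matching block control overrides any grant
        return "block", blockers
    failed = []
    for p in matched:
        need = set(p["grantControls"]["builtInControls"])
        if p["grantControls"]["operator"] == "AND":
            ok = need <= have
        else:
            ok = bool(need & have)
        if not ok:
            failed.append(p["displayName"])
    return ("deny", failed) if failed else ("grant", [])
```

The same correct password produces different outcomes depending on where the sign-in comes from and what it targets, and a policy left in report-only state enforces nothing until it is switched to `enabled`.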
So there you have it. My short guide to the essential things that you can do to improve your security in Microsoft 365. If you have any feedback or questions, you can follow me on Twitter @AndyMalone or leave a comment below. Many thanks.
(c) Copyright 2019 Andy Malone
Cheers Matt
Excellent blog Andy, superb advice as always.