Have you retired your on-premises servers, storage, and business applications in favor of cloud-based alternatives? Are you considering a move to cloud? Or do you run a hybrid environment, utilizing some company-owned IT equipment combined with some level of cloud adoption?
Many small and medium-sized businesses no longer rely on what was considered traditional, required IT infrastructure just a decade ago. Server rooms filled with gear — and the periodic capital expenses needed to refresh that gear — are a thing of the past, and cloud technologies like Microsoft 365 and Microsoft Azure are now considered essential building blocks of modern IT environments.
But what about security?
- Are you taking precautions to ensure that your critical business data, email, and applications are secured from threats, both internal and external?
- Are you protecting yourself from phishing attacks on your users?
- How about protecting your organization from access by non-authorized parties?
Every cloud-based organization should consider implementing basic technology safeguards to maintain a secure posture in Microsoft’s ecosystem.
The shared responsibility model
Before digging deeper, it’s essential to understand the concept of “shared responsibility” in Microsoft’s cloud. The Shared Responsibility Model means that while Microsoft is responsible for securing the physical servers and networking underpinning their cloud operations, you (the customer) are responsible for securing your own users, data, and applications within their cloud. You are in control, and you can make access to your users, email, data, and applications as easy or as restricted as you like. The onus is on you. Consider these essential steps:
Start with the basics: passwords, MFA, and end-user training
Have you tried to obtain or renew a cyber liability insurance policy recently? There are some security precautions considered so basic that you can’t even be insured without implementing them, and all businesses need to be doing at least these basics no matter what their IT environments look like. Whether you have server rooms full of gear, cloud operations, a remote workforce, or even if you are a small mom-and-pop shop, these are essential:
- Complex passwords. You’re familiar with the idea: passwords of a certain length, with rules around uppercase/lowercase letters, numbers, special characters, and other limitations. If you are only using Microsoft’s Azure Active Directory for user accounts, then you are covered — this is enforced by default.
- Multi-Factor Authentication (MFA). If you can access your cloud-based email with nothing more than a password, then you have work to do. MFA is a tried-and-true technology that has been around for many years, ensuring that a user cannot access their email, cloud applications, or other remote environments without both entering a password AND presenting a second form of authentication, like a smartphone with a token.
- End-user security training. Training your users to identify phishing emails and teaching them to avoid installing viruses or malware is critical. Lately, almost every breach you see in the news is caused by a phishing attack of some kind — it’s much easier to “hack” a user than to break into a secure network environment. Regular training and testing (sending simulated phishing emails, for example, to test the vulnerability of your user base) can be the difference between operating normally and spending weeks cleaning up from a ransomware attack on your business.
Know your Microsoft Secure Score
Did you know Microsoft has a recommendation tool built into 365 to help you secure your environment? The Microsoft 365 Defender toolkit is located at https://security.microsoft.com and is a hub for securing and monitoring your 365 environment. After accessing the site, click to expand the “Microsoft Secure Score” panel to see how you stack up against other organizations like yours and what recommendations Microsoft has to help increase your score and make you more secure.
Your Secure Score and recommendations are updated regularly and may change as Microsoft’s and the industry’s best practices are refined and expanded. Not only will Microsoft give you an easy checklist of security practices to follow, but they also provide additional information and instructions to actually implement the changes. Some recommendations are simple, and some will require a more involved project by your IT department or an outside technology provider.
Establish your conditional access policies
Once you have the basics covered, it’s time to take the next step. Microsoft’s Conditional Access Policies allow you to control access to your cloud-based resources based on specific conditions such as user location (block connections from Russia, for example), device health (require certain Windows updates), and general risk level based on other factors of your choosing. More examples of what you can do:
- Require an MFA prompt for any user attempting to access resources from outside your company’s network, while allowing machines in the office to connect without that precaution.
- Block access to sensitive data and applications from devices that do not meet your organization’s security standards, like outdated or unpatched devices or those without antivirus software.
- Limit access to certain applications or data based on the user’s risk level, location, operating system, behavior, or other factors.
A user’s risk level is an indicator (low, medium, or high) that Microsoft assigns based on the probability that the user’s account has been compromised. You can then use this information to further restrict access.
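The first bullet above (MFA for anyone connecting from outside the office) is the policy most often left in report-only mode or missing entirely. The check below is an added example, not part of the original article: it audits an exported policy list for that gap. The field names follow Microsoft Graph's conditionalAccessPolicy resource; the sample policies and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects; the policy names and values are made up for illustration.
SAMPLE_EXPORT = json.loads("""[
 {"displayName": "MFA outside office", "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {"includeUsers": ["All"], "excludeUsers": ["constructed-user-id"]},
    "applications": {"includeApplications": ["All"]},
    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Block high-risk users", "state": "enabled",
  "conditions": {
    "users": {"includeUsers": ["All"], "excludeUsers": []},
    "applications": {"includeApplications": ["All"]},
    "userRiskLevels": ["high"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")

def mfa_off_network(policy):
    """True if the policy demands MFA from all users, for all apps, off-network."""
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    # With operator OR and several controls, MFA is only one of the options.
    mfa_mandatory = "mfa" in controls and (
        len(controls) == 1 or grant.get("operator") == "AND")
    loc = cond.get("locations")  # no location condition means "everywhere"
    everywhere = not loc or "All" in (loc.get("includeLocations") or [])
    risk_scoped = cond.get("userRiskLevels") or cond.get("signInRiskLevels")
    users = (cond.get("users") or {}).get("includeUsers") or []
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    return bool(mfa_mandatory and everywhere and not risk_scoped
                and "All" in users and "All" in apps)

def audit(policies):
    """Return findings about MFA coverage for sign-ins from outside the office."""
    matches = [p for p in policies if mfa_off_network(p)]
    if not matches:
        return ["no policy requires MFA from all users outside trusted locations"]
    findings = []
    for p in matches:
        if p.get("state") != "enabled":
            findings.append(f"{p['displayName']}: state {p.get('state')}, not enforced")
        excluded = (p["conditions"].get("users") or {}).get("excludeUsers") or []
        if excluded:
            findings.append(f"{p['displayName']}: {len(excluded)} excluded user(s) to review")
    if not any(p.get("state") == "enabled" for p in matches):
        findings.append("no enforced policy covers off-network sign-ins")
    return findings
```

On the constructed sample, `audit(SAMPLE_EXPORT)` reports that the only matching policy is report-only, has one exclusion to review, and that nothing is actually enforced.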
Understand Privileged Identity Management (PIM)
One feature many security-conscious organizations overlook is the PIM capability Microsoft provides with some of their advanced licenses. Privileged Identity Management enables you to manage, control, and monitor access to resources in your Microsoft cloud environment in order to minimize the number of people with access to your secure information and resources. Sprawling administrative rights are a real problem in many environments, and PIM is the tool to control them.
Have you needed to give access temporarily to a contractor, vendor, or short-term employee? Or to a user who needs administrative access to a tool occasionally, but shouldn’t have access all the time? Often, privileged access is granted in order to get a job done, but then that access is never revoked. If a user is compromised, the attacker has full access to everything the user does, including administrative rights and privileges.
In security terms, PIM is a way to implement the principle of “least privilege” — making sure users have the rights they need to do their jobs, and ONLY those rights. What can PIM do in your organization?
- Assign temporary (expiring), just-in-time administrative access to users when needed, reducing the number of users with permanent access.
- Ask users to explain their request for role elevation so you can understand why they are requesting particular roles/rights.
- Require approval to activate privileged roles, with a built-in workflow and approvals that are logged and can be audited.
- Send notifications for suspicious activities so you can take immediate action when a potential security threat is detected.
- Conduct access reviews to ensure users still need their assigned roles and revoke unnecessary privileges, helping to maintain least privilege access.
Next steps
These are only the first steps on your cloud security journey, and they only scratch the surface of what Microsoft can do to secure your organization’s IT environment. It is critical to monitor not only Microsoft’s Secure Score recommendations going forward, but also industry best practices and new Microsoft 365 and Azure security features and functionality as they are introduced. Security tools and recommendations are constantly changing, and it is critical to stay informed on both new technologies and new threats.
If you are concerned about your own security posture, consider having a risk assessment performed by Rehmann’s security professionals to get an idea where your organization stands and where you can improve. Rehmann Technology Solutions can assist in implementing all of the tools and technology described above and more — we have the expertise to guide you on the path to a more secure IT environment. With the right tools and advice, you can significantly improve your organization’s security posture.