Any Office 365 environment offers a complex mixture of information, functionality and identities. It’s a place where information is easily created, shared, stored and (if properly configured) managed and dispositioned. Fortunately, Microsoft offers a lot of options to safeguard the confidentiality, integrity and availability of this information. But make no mistake: it’s still your responsibility as a customer to use these options and become secure. This is known as the “shared responsibility model”.
Setting a secure baseline
When consulting with my clients I always urge them to work towards a secure baseline for Office 365. There are a lot of options that can be used immediately, without the need for any additional licenses. By the way: I'm writing this with an Office 365 Enterprise E3 license model in mind. Microsoft 365 also includes Enterprise Mobility and Security, which allows us to create an even better baseline. But that's for next time.
I've come to call this a "Secure baseline for Office 365" and, to be fair, it's not rocket science. It's mostly common sense coupled with Microsoft's own best practices (https://docs.microsoft.com/en-us/office365/securitycompliance/security-roadmap). But let's face the facts: this is complex stuff, and not all enterprises are well versed in security and compliance. So a baseline might make sense (I hope).
Let’s start with some categories. In my view you will need to look at Office 365 from four different pillars. These pillars aim to protect:
- Your identities;
- Your information;
- The access to your information using devices;
- Your platform.
And this is where the baseline kicks in. Every pillar has one or more security or configuration measures aimed at making the environment more secure. Some of these measures are part of the baseline; others will need more effort or even additional licenses.
Make sense? I've tried to fit this theory into this figure. The "enterprise" icon represents the homework the organization needs to do itself. To get a secure baseline, you look at the "Basic" settings. Let's look at each pillar.
Knowing who accesses your environment and what permissions they have is very important. You will need to make sure you have an (up-to-date) process for Identity and Access Management (IAM), which includes role-based access, access reviews and preventing "role creep". You'll also need to determine the level of guest access and the process for creating a guest account. You might want to set up a whitelist of specific domains, for example.
Data governance and information protection are important parts of this pillar. They are not options for a secure baseline, as they need additional effort to be thought out. But you can use some (semi-)standard data loss prevention rules based on regulations such as GDPR, or perform a health check based on the sensitive information types found in your environment.
Our baseline for Office 365 lets us configure settings for both OneDrive synchronization and the use of the Office apps on iOS and Android. Why not use them?
The Office 365 platform itself has several options that can be implemented right away. Some might raise an eyebrow (a custom login screen?) but believe me: they make sense!
The secure baseline
These are the components of the secure baseline. They are open to discussion, but serve as a guideline.
- Enable multi-factor authentication for admins, users and even guests;
- Don't forget to set up a break-glass account and process;
- Create your custom login page for Office 365;
- Set up standard DLP rules for GDPR compliance in test-drive mode. Evaluate and start using them;
- Block any non-modern authentication protocols;
- Block self-service app registration in Azure;
- Block the Azure admin pages for non-admins;
- Set up standard alerts and reporting in the Security & Compliance Center;
- Use dedicated admin accounts and role-based access for admins;
- Set the default “Sharing link” option to “Specific people”;
- Guests must sign in using the same account;
- Do not allow guests to share items they don’t own;
- Enable sharing notifications (OneDrive);
- Only allow synchronization of OneDrive to domain joined devices;
- Check the settings for the SharePoint app-catalog. If not set, users can easily add any app to a SharePoint site;
- Block any automatic forwarding of e-mail, unless there is a specific business reason;
- Block any e-mail messages with (malware-sensitive) attachments;
- Start using Office 365 message encryption.
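As an added example (not from the original post, and not Microsoft's own guidance), the following PowerShell script applies the parts of the list above that are exposed through the Exchange Online, Security & Compliance and SharePoint Online admin modules: blocking non-modern authentication, the GDPR-style DLP policy in test mode from the information pillar, the OneDrive sync restriction, the sharing defaults, the auto-forwarding block, the attachment filter and message encryption. It also applies the guest-domain whitelist mentioned under the identity pillar. The tenant name, the allowed guest domain, the on-premises domain GUID and the policy names are assumptions; replace them with your own values. MFA, the break-glass account, app registration and admin-portal restrictions are Azure AD settings and are not covered here.

```powershell
# Added example (not from the original post): applies the Exchange Online, Security &
# Compliance and SharePoint Online parts of the baseline from one PowerShell session.
# Assumed values (replace with your own): tenant short name, guest allow-list domain and
# the GUID of the on-premises AD domain whose joined devices may sync OneDrive.
#Requires -Modules ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell

$TenantName    = 'contoso'                                  # assumed tenant name
$AllowedDomain = 'partner.example'                          # assumed sharing allow-list domain
$DomainGuid    = '00000000-0000-0000-0000-000000000000'     # placeholder: (Get-ADDomain).ObjectGUID on-premises

Connect-ExchangeOnline                                      # mail flow, authentication policy, OME
Connect-IPPSSession                                         # Security & Compliance (DLP cmdlets)
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# --- Identities: block non-modern (basic) authentication ---
# A new authentication policy disallows basic auth for every protocol by default;
# making it the organization default applies it to every user without an explicit policy.
$authPolicy = 'Baseline - block basic auth'
if (-not (Get-AuthenticationPolicy -Identity $authPolicy -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $authPolicy | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $authPolicy

# --- Information: GDPR-style DLP policy in test mode (notifies, does not block yet) ---
# The sensitive information type names must match built-in types; check them with
# Get-DlpSensitiveInformationType before relying on them.
$dlpPolicy = 'Baseline - EU personal data (test)'
if (-not (Get-DlpCompliancePolicy -Identity $dlpPolicy -ErrorAction SilentlyContinue)) {
    New-DlpCompliancePolicy -Name $dlpPolicy -Mode TestWithNotifications `
        -ExchangeLocation All -SharePointLocation All -OneDriveLocation All | Out-Null
    New-DlpComplianceRule -Name 'EU personal data shared outside the organization' `
        -Policy $dlpPolicy -AccessScope NotInOrganization `
        -ContentContainsSensitiveInformation @(
            @{ Name = 'EU Passport Number';   minCount = '1' },
            @{ Name = 'EU Debit Card Number'; minCount = '1' }
        ) `
        -BlockAccess $true -NotifyUser Owner | Out-Null
}

# --- Devices: only domain-joined machines may run the OneDrive sync client ---
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $DomainGuid

# --- Sharing: SharePoint Online / OneDrive tenant defaults ---
$sharing = @{
    DefaultSharingLinkType                     = 'Direct'      # "Specific people"
    RequireAcceptingAccountMatchInvitedAccount = $true         # guests sign in with the invited account
    PreventExternalUsersFromResharing          = $true         # guests cannot share what they don't own
    NotifyOwnersWhenItemsReshared              = $true         # sharing notifications
    NotificationsInOneDriveForBusinessEnabled  = $true
    SharingDomainRestrictionMode               = 'AllowList'   # guest-domain whitelist (identity pillar)
    SharingAllowedDomainList                   = $AllowedDomain
}
Set-SPOTenant @sharing

# --- Mail flow: no automatic forwarding to external recipients, no risky attachments ---
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
$fwdRule = 'Baseline - block external auto-forward'
if (-not (Get-TransportRule -Identity $fwdRule -ErrorAction SilentlyContinue)) {
    # Also catches client-side (Outlook rule) forwards and tells the sender why it was rejected
    New-TransportRule -Name $fwdRule -FromScope InOrganization -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText 'Automatic forwarding to external recipients is not allowed.' | Out-Null
}
# Common attachment types filter in the default anti-malware policy (extend the list as needed)
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true `
    -FileTypes ace,ani,app,exe,jar,lnk,reg,scr,vbe,vbs

# --- Office 365 Message Encryption: enable the Azure RMS backing it relies on ---
Set-IRMConfiguration -AzureRMSLicensingEnabled $true

# --- Read back the sharing settings to confirm the changes took effect ---
Get-SPOTenant | Select-Object DefaultSharingLinkType, RequireAcceptingAccountMatchInvitedAccount,
    PreventExternalUsersFromResharing, SharingDomainRestrictionMode, SharingAllowedDomainList
```

Run it from an account that holds the Exchange, SharePoint and compliance admin roles; the `#Requires` line makes PowerShell refuse to start if either module is missing. The DLP policy deliberately stays in `TestWithNotifications` mode so you can review the reports first, and only afterwards switch it to `-Mode Enable` with `Set-DlpCompliancePolicy`, which is exactly the "evaluate and start using them" step from the list.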
Again – these items may be subject to discussion. But in my experience, they will get you a secure baseline for Office 365. And you might ask: why is setting up a blacklist for external sharing not part of this baseline? Or any number of other examples.
And you are right. But those settings depend on the enterprise itself and are therefore not generic. That's why they're not in the list above.