Security Neglect: Office 365 Worst Practices

Everyone is worried about putting corporate files, data and emails on the cloud, including Office 365. This worry continues after deploying Office 365. Paradoxically, the actual effort put into maximizing Office 365 is inadequate. Of course, Microsoft data centers follow, and often create, new global security standards. However, there is Security Neglect at the individual tenant (customer) level. Most do not even know that there is an Office 365 Secure Score.

Security Neglect - Secure score

Universal Concern yet Security Neglect

It is difficult to explain this paradox. All customers are worried about storing data, documents and mails on Office 365 (and cloud, in general). The correct way to alleviate these fears is to compare the security of your own desktops and servers with Microsoft Data Centers. A quick glance at such a comparison will satisfy even the most demanding security professional. Why so? Because, at an individual organization level, there are neither enough people, nor a dedicated engine to monitor all kinds of security breaches and advances in security technology so that it can be applied quickly to the local environment.

On the other hand, Microsoft is forced to take security very seriously, because their entire business depends upon it. Thousands of customers store data in MS data centers. Furthermore, MS gives money-backed guarantees for uptime and other SLAs. Needless to say, they must implement the highest possible (and currently available) security standards at all times.

Desktop Data Backup

Here is one glaring example. Even today, all users instinctively store files in the My Documents folder on local machines. IT is not responsible for local backups; end users are. But nobody has the discipline to take local backups periodically and store them in a separate location. This risk has been around for decades but nobody bothers.

Once all users move to OneDrive, the data is backed up on a daily basis with three copies stored in three separate data centers.

Personally created corporate files are valuable assets which are usually unprotected. Now they are. This alone can give you great ROI for Office 365 investments.

Office 365 Security Neglect

O365 contains a lot of products that are pre-integrated. Therefore, there are lots of security settings to manage. Most IT folks have managed security for one or two of the components but not all. Usually, after O365 procurement, the IT team shrinks because the need for local hardware and software maintenance is eliminated.

There are too many options to choose from. Many of these options affect more than one tool. New options are being added all the time. Therefore, keeping track of exactly what to do in order to maximize security remains an elusive goal.

To make matters worse, the maintenance of O365 tenants is often outsourced to partners. Most partners follow a fixed checklist for security management across customers. This checklist itself needs to be revised at least on a monthly basis. But in reality it is fairly static.

Due to all these reasons, the security implementation is always below par – on a long-term basis.

The solution: Office 365 Secure Score

This is something like a best practices analyzer with specific focus on Security. It eliminates Security Neglect. The score analyzer checks your security configuration against a baseline set by Microsoft. Needless to say, that baseline is dynamically altered by Microsoft engineers as they incorporate new or enhanced security measures.

Go to Office Secure Score and log in using an administrator account.

Just run the score analyzer and it gives you the current score. The score is compared with the baseline score for YOUR environment. The gap in the scores is your checklist for security tightening.

Secure score target

Choose the desired score. Now the list of necessary actions is dynamically created.

Security checklist

Each action has a description and impact assessment. It also shows how much the score will improve after taking the corrective action.

Security action detail

The score can be compared over time to assess incremental improvement in security level. It can also be compared with the MS baseline.

This is the 12th article in the series: Office 365 Worst Practices.

Practical considerations

  1. Perform the score assessment immediately
  2. Depending on your threat perception and the business impact of a data breach, decide the target score
  3. Take action as per the generated checklist
  4. Focus on items with high impact potential
  5. Consider user convenience before implementing any kind of action
  6. Include daily or weekly monitoring of the score and corrective action as a part of scope of work for outsourced vendors.
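
The checklist and monitoring steps above, as an added example (not from the original article and not Microsoft's tooling): it ranks an action list by score gain, picks the fewest actions needed to reach a target score, and flags drops between score readings. The action titles, point values, field names and dates are constructed assumptions.

```python
from datetime import date

IMPACT_ORDER = {"low": 0, "moderate": 1, "high": 2}

# Constructed sample checklist: titles, gains and impact labels are made up,
# and the field names are assumptions, not a Secure Score export format.
ACTIONS = [
    {"title": "Require MFA for admin accounts", "gain": 50, "user_impact": "low"},
    {"title": "Require MFA for all users", "gain": 30, "user_impact": "high"},
    {"title": "Enable mailbox auditing", "gain": 10, "user_impact": "low"},
    {"title": "Block external mail auto-forwarding", "gain": 20, "user_impact": "moderate"},
    {"title": "Review sign-in reports weekly", "gain": 5, "user_impact": "low"},
    {"title": "Disable anonymous calendar sharing", "gain": 10, "user_impact": "moderate"},
]

def plan_actions(current, target, actions):
    """Fewest actions that close the gap; ties go to the lowest user impact."""
    ranked = sorted(actions, key=lambda a: (-a["gain"], IMPACT_ORDER[a["user_impact"]]))
    selected, projected = [], current
    for action in ranked:
        if projected >= target:
            break
        selected.append(action)
        projected += action["gain"]
    return selected, projected, projected >= target

def score_regressions(history, tolerance=0):
    """Return (date, previous, current) for readings that fell by more than tolerance."""
    ordered = sorted(history)
    return [(d, prev, cur)
            for (_, prev), (d, cur) in zip(ordered, ordered[1:])
            if prev - cur > tolerance]

# Constructed weekly score readings for the monitoring step.
HISTORY = [(date(2024, 1, 1), 120), (date(2024, 1, 8), 170),
           (date(2024, 1, 15), 160), (date(2024, 1, 22), 190)]

if __name__ == "__main__":
    chosen, projected, ok = plan_actions(current=120, target=200, actions=ACTIONS)
    for a in chosen:
        print(f"+{a['gain']:>3}  {a['title']}  (user impact: {a['user_impact']})")
    print("projected:", projected, "target reached:", ok)
    for d, prev, cur in score_regressions(HISTORY):
        print(f"{d}: score fell from {prev} to {cur}")
```

A drop reported by `score_regressions` is the cue for the vendor's corrective action in item 6; the `tolerance` argument lets small fluctuations pass without noise.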

