The Admins guide to securing your Office 365 data

Wed, 17 Oct 2018 02:05:06 Z

During my time at Microsoft and SkyNorth, one of the hottest cloud migration topics we have with clients, is around access and data security.

While most companies believe their on-premises data is secure, we’ve found it is usually at higher risk then data stored in a correctly configured Office 365 tenant. If you can properly answer the four primary concerns of the public cloud, O365 solutions will increase your security and flexibility.

How do we limit and control access?
How to ensure it’s the correct person?
How do we secure our data?
How do we secure our devices?

Out of the box, O365 cloud identities are accessible everywhere via internet, and secured with only username and password. This appears sketchy at best, until you start looking at all the built-in features that O365 & Azure Active Directory offer. When developing your O365 access policies you need to put together a plan that focuses on the 3 core areas.

The Who and Where
The What
The How

Please keep in mind, some of these technologies cross boundaries and can be used in conjunction with other features to maximize your cloud security strategy. If you haven't seen the Microsoft Identity and Device Access article. it is a must read (after you finish reading my blog post).

The Who and Where

Do you know who is accessing your cloud services, and where they are logging in from?

Option 1 - ADFS Server
- Pros
  - Many people already have this infrastructure in place from past SSO requirements
  - Uses Microsoft technologies
- Cons
  - Requires a lot of extra infrastructure and setup (ADFS, Proxy, x2 for HA)
  - Limited Options
  - This has became the 'outdated' way of providing a secured Single Sign-On solution
- Extras
  - Limiting Access to Office 365 Services Based on the Location of the Client
Option 2 - Conditional Access
- Pros
  - Extremely configurable and stackable rules
  - Tied to your cloud login
  - Available to all Azure Applications and internal apps that are published via Azure Application Proxy
- Cons
  - Requires Azure AD Premium Plan 1
- Extras
  - Limit logins based on the following policies
  - Allows you to limited login based on the following
    - Select Users
    - Trusted IP Range
    - Trusted Applications
    - Browser or Client Application
    - Device Platforms
    - Device Compliance (Requires Intune)
    - Login Risk (Requires Azure Active Directory Premium Plan 2)
    - Allows SharePointusers to only have READ access via Browser session, and others WRITE/EDIT via controlled Application

How do we ensure it’s the correct person?

Option 1 - Multi-Factor Authentication (MFA)
- Pros
  - Helps ensure the person is who they say they are
  - Easy to use and configure
  - Available for on-prem applications, rdp, and VPN via MFA Server
- Cons
  - Limited to call/text or mobile application
- Extras
  - A second form of user identification such as a phone call, email, or mobile app

Option 2 - ADFS Server 2016 – MFA First
- Pros
  - Skews attempts to brute-force login attempts
  - Validates the users device before the username/password
- Cons
  - Requires a lot of extra infrastructure and setup (ADFS, Proxy, x2 for HA)
- Extras
  - ADFS 2016 allows you to prompt for device MFA first, ensuring no password is passed to the session until the first factor has been passed
Option 3 - Password-free Login
- Pros
  - Very secure
  - Easy to use
  - No passwords to remember
  - Corporate Credentials are not passed through the session
  - Only devices with an approved certificate/key will be allowed access
- Cons
  - Certificate Based requires infrastructure and setup (ADFS, Proxy, x2 for HA)
  - Authenticator/Hardware Key have limited support at this time
- Extras
  - ADFS: Certificate Authentication with Azure AD & Office 365
- - Windows Hello for Business
  - Why a PIN is better than a password
  - Can Use Biometrics as a form of PC Authentication
    - Fingerprint
    - Facial recognition
  - Microsoft Authenticator App
    - Password-less phone sign-in with the Microsoft Authenticator app (public preview)

The What?

What data are people accessing and how do we secure it?

Option 1 - SharePoint Site Permissions
- Pros
  - Highly customizable at different SharePoint levels (Site/Web/Library/Item)
  - Have remained the same with all versions of SharePoint
- Cons
  - Can get complicated with breaking inheritance
  - Auditing/Ensuring users are correctly setting permissions
- Extras
  - Understanding permission levels in SharePoint
Option 2 - External Sharing Settings
- Pros
  - Allow or prevent external users from accessing your SPO data
- Cons
  - A misconfigured policy could mean bad news for your company
  - It's not meant for every type of business or scenario
- Extras
  - Manage external sharing for your SharePoint Online environment.
Option 3 - Tenant Restrictions
- Pros
  - Increased security
- Cons
  - Makes external collaboration difficult
- Extras
  - Use Tenant Restrictions to manage access to SaaS cloud applications
    - Prevent your users from accessing other data
    - This is handled via proxy server and HTTP Headers that identify and prevent external access
Option 4 - Azure Rights Management / Azure Information Protection
- Pros
  - Increased data security
  - Available to many data formats
  - Set up on the SPO library or global rules via Azure
  - Labeling Support for O365 Data Classification
- Cons
  - Multiple setup/config areas that do not span a broad spectrum of services
  - Typically requires an internet connection to pass ACL validation
- Extras
  - Protect SharePoint libraries to prevent read/write/edit/print/etc.
    - Enabled on the document library or list level.
  - Protect files with Azure Information Protection
    - Gives you the option to classify, encrypt, and secure your data at a local level
      - For use with O365 documents, as well as on-prem file storage
      - Uses Azure RMS to encrypt and secure access
Option 5 - Data Loss Prevention
- Pros
  - Easy to configure rules
  - Used for SharePoint/OneDrive/Exchange
- Cons
  - Other similar methods make it confusing to determine the best use
    - AIP / Transport Rules / Classification & Labels
- Extras
  - Overview of data loss prevention policies
    - Searches through your existing data to find matches that may need protection
- - - Create a DLP query to identify what sensitive information now exists in your site collections.
    - Create a DLP policy to monitor and automatically protect sensitive information in your site collections.

The How?

How are people accessing cloud services, and how do we secure it?

Option 1 - Azure AD Device Registration / Workplace Join
- Pros
  - Identifies what users and devices are using cloud services
  - Configure MFA for first-time registration
  - Allows easy SSO access to all of your apps
- Cons
  - There isn't much security you can place around the device without extras
  - MFA Conditional Access rules are met with registered devices so you will not receive a call/text
- Extras
  - Azure AD Device Registration
Option 2 - Azure AD Joined Device
- Pros
  - Same as Option 1
  - Azure AD Bitlocker Recovery
  - PIN Sign-In
  - Enterprise State Roaming Features
  - Automatic MDM Enrollment (With AAD Premium P1)
- Cons
  - On-premises domain access would typically require VPN client
  - There isn't much security you can place around the device without extras
Option 3 - O365 Mobile Device Management (MDM)
- Pros
  - Comes with O365 E3
- Cons
  - Limited control
- Extras
  - Provides Selective Wipe and removal of certain data
  - Set up O365 MDM
Option 4 - Microsoft Intune
- Pros
  - Highly configurable
  - Tied with your cloud identity and your device
  - Can manage Windows/iOS/Android Devices (limited MAC OSx Support)
- Cons
  - Requires Intune or EM+S subscription
- Extras
  - What is Intune?
  - Contains Mobile Application Management policies (MAM)
    - Prevent Cut/Copy/Paste
    - Prevent SaveAs
    - Require a PIN for specific Mobile Apps
    - *With or without device enrollment*
  - Selective or Full Wipes of the device
  - Manages device compliance settings
    - Encryption/Password Rules/Etc.
  - Manages device configuration settings
    - Blocks to cameras, screen shots, USB ports, and tons more
  - Conditional Access via Compliance Policy and Device Registration
    - Allow only ‘domain joined’ devices to access cloud data

I hope I've made an extremely complex topic a little easier for everyone to understand. Like I mentioned above, there isn't a single solution that you should decide on for all business & security scenarios. You may need to mix-and-match and you may also need to use features I didn't even mention here. If you find yourself in a confusing situation and need help finding the best approach please feel free to reach out to SkyNorth!

Need Help?

Be sure to contact SkyNorth Software today for an O365 Data Security Assessment or any of your data security needs!

What is our Data Security Assessment?

It’s a comprehensive technology and process review for how you handle data security within your organization.

How much does it cost?

It’s FREE! Out introductory package is completely free and includes a 1-hour finding call with self-help documentation. If you’d like to have a more comprehensive review or added support, you can look at our PREMIUM or PREMIUM – WITH SUPPORT options on our website.