Improving your Microsoft Cloud Security for FREE!

Thu, 24 Jan 2019 17:55:08 Z

So your organization has made the jump, at least on some level, to the Microsoft cloud. That’s a great forward thinking strategy.

I’m sure somewhere along this journey you were questioned about security. You assured them that it would be covered and the organization would be safe. Now that you're there, how are you living up to that promise? Wouldn’t it be great if there was a place you could look that would tell you?

Say hello to Microsoft’s free tool, Secure Score

Secure Score looks at your settings and activities for the Office 365 (and recently added Modern Workplace) services your organization is using (SharePoint, Exchange, One Drive, etc.), and compares them to a baseline established by Microsoft to give you a score on how well you are doing security wise. Examples of things you are scored on are multi-factor authentication status, policy progress, mailbox auditing, etc. You can then use this information to take action to improve your score based upon recommendations presented by the tool.

Did I mention it’s all FREE! That’s pretty cool.

Show value and justify actions

IT typically understands the big picture of what needs to be done, but often has a hard time quantifying the need. Because of this securing resources is a challenge especially when an initiative around security looks like a giant black hole to those on the outside. How do you combat this?

Metrics. Leadership loves metrics, as they should. They give you an accurate representation of a position.

Secure Score to the rescue by allowing you to identify and communicate your efforts in addition to the benefit received. Even better you can see how your security has changed historically, so once you complete a control you can see the before and after.

But wait there's more, Secure Score also holds the documentation around these areas and controls in place!

I’m in. (It’s FREE after all) How can I see my organizations Secure Score?

You can view your organizations Secure Score by logging in at https://securescore.office.com with an ID tied to your organization. Note: You must have Global Admin or a custom Admin role with permissions on an Office 365 Enterprise, M365 Business, or Office 365 Business Premium subscription In order to view the results. While non admins won't be able to access Secure Score directly, admins can share the results with others in their organization.

Caveat. You may see actions that are labeled “Not Scored”. Unfortunately these are not scored in the tool yet, but completing them will still benefit the security of your environment.

So will utilizing Secure Score mean my organization is safe?

There is no way of predicting if your organization will be subject to a breach. There are just too many variables. Secure Score simply gives you a view in to the measures taken to minimize that risk, and that is huge. Considering the price there is no reason you aren’t utilizing the tool.

I don’t understand everything being reported by Secure Score.

Unfortunately the bad guys do. The good news is that you now know what you don’t know.

If your organization doesn’t have the expertise to interpret and implement these controls there are third parties like us at SkyNorth Software that can help. Pick your favorite or feel free to drop us a line and if you have questions.

The Admins guide to securing your Office 365 data

Wed, 17 Oct 2018 02:05:06 Z

During my time at Microsoft and SkyNorth, one of the hottest cloud migration topics we have with clients, is around access and data security.

While most companies believe their on-premises data is secure, we’ve found it is usually at higher risk then data stored in a correctly configured Office 365 tenant. If you can properly answer the four primary concerns of the public cloud, O365 solutions will increase your security and flexibility.

How do we limit and control access?
How to ensure it’s the correct person?
How do we secure our data?
How do we secure our devices?

Out of the box, O365 cloud identities are accessible everywhere via internet, and secured with only username and password. This appears sketchy at best, until you start looking at all the built-in features that O365 & Azure Active Directory offer. When developing your O365 access policies you need to put together a plan that focuses on the 3 core areas.

The Who and Where
The What
The How

Please keep in mind, some of these technologies cross boundaries and can be used in conjunction with other features to maximize your cloud security strategy. If you haven't seen the Microsoft Identity and Device Access article. it is a must read (after you finish reading my blog post).

The Who and Where

Do you know who is accessing your cloud services, and where they are logging in from?

Option 1 - ADFS Server
- Pros
  - Many people already have this infrastructure in place from past SSO requirements
  - Uses Microsoft technologies
- Cons
  - Requires a lot of extra infrastructure and setup (ADFS, Proxy, x2 for HA)
  - Limited Options
  - This has became the 'outdated' way of providing a secured Single Sign-On solution
- Extras
  - Limiting Access to Office 365 Services Based on the Location of the Client
Option 2 - Conditional Access
- Pros
  - Extremely configurable and stackable rules
  - Tied to your cloud login
  - Available to all Azure Applications and internal apps that are published via Azure Application Proxy
- Cons
  - Requires Azure AD Premium Plan 1
- Extras
  - Limit logins based on the following policies
  - Allows you to limited login based on the following
    - Select Users
    - Trusted IP Range
    - Trusted Applications
    - Browser or Client Application
    - Device Platforms
    - Device Compliance (Requires Intune)
    - Login Risk (Requires Azure Active Directory Premium Plan 2)
    - Allows SharePointusers to only have READ access via Browser session, and others WRITE/EDIT via controlled Application

How do we ensure it’s the correct person?

Option 1 - Multi-Factor Authentication (MFA)
- Pros
  - Helps ensure the person is who they say they are
  - Easy to use and configure
  - Available for on-prem applications, rdp, and VPN via MFA Server
- Cons
  - Limited to call/text or mobile application
- Extras
  - A second form of user identification such as a phone call, email, or mobile app

Option 2 - ADFS Server 2016 – MFA First
- Pros
  - Skews attempts to brute-force login attempts
  - Validates the users device before the username/password
- Cons
  - Requires a lot of extra infrastructure and setup (ADFS, Proxy, x2 for HA)
- Extras
  - ADFS 2016 allows you to prompt for device MFA first, ensuring no password is passed to the session until the first factor has been passed
Option 3 - Password-free Login
- Pros
  - Very secure
  - Easy to use
  - No passwords to remember
  - Corporate Credentials are not passed through the session
  - Only devices with an approved certificate/key will be allowed access
- Cons
  - Certificate Based requires infrastructure and setup (ADFS, Proxy, x2 for HA)
  - Authenticator/Hardware Key have limited support at this time
- Extras
  - ADFS: Certificate Authentication with Azure AD & Office 365
- - Windows Hello for Business
  - Why a PIN is better than a password
  - Can Use Biometrics as a form of PC Authentication
    - Fingerprint
    - Facial recognition
  - Microsoft Authenticator App
    - Password-less phone sign-in with the Microsoft Authenticator app (public preview)

The What?

What data are people accessing and how do we secure it?

Option 1 - SharePoint Site Permissions
- Pros
  - Highly customizable at different SharePoint levels (Site/Web/Library/Item)
  - Have remained the same with all versions of SharePoint
- Cons
  - Can get complicated with breaking inheritance
  - Auditing/Ensuring users are correctly setting permissions
- Extras
  - Understanding permission levels in SharePoint
Option 2 - External Sharing Settings
- Pros
  - Allow or prevent external users from accessing your SPO data
- Cons
  - A misconfigured policy could mean bad news for your company
  - It's not meant for every type of business or scenario
- Extras
  - Manage external sharing for your SharePoint Online environment.
Option 3 - Tenant Restrictions
- Pros
  - Increased security
- Cons
  - Makes external collaboration difficult
- Extras
  - Use Tenant Restrictions to manage access to SaaS cloud applications
    - Prevent your users from accessing other data
    - This is handled via proxy server and HTTP Headers that identify and prevent external access
Option 4 - Azure Rights Management / Azure Information Protection
- Pros
  - Increased data security
  - Available to many data formats
  - Set up on the SPO library or global rules via Azure
  - Labeling Support for O365 Data Classification
- Cons
  - Multiple setup/config areas that do not span a broad spectrum of services
  - Typically requires an internet connection to pass ACL validation
- Extras
  - Protect SharePoint libraries to prevent read/write/edit/print/etc.
    - Enabled on the document library or list level.
  - Protect files with Azure Information Protection
    - Gives you the option to classify, encrypt, and secure your data at a local level
      - For use with O365 documents, as well as on-prem file storage
      - Uses Azure RMS to encrypt and secure access
Option 5 - Data Loss Prevention
- Pros
  - Easy to configure rules
  - Used for SharePoint/OneDrive/Exchange
- Cons
  - Other similar methods make it confusing to determine the best use
    - AIP / Transport Rules / Classification & Labels
- Extras
  - Overview of data loss prevention policies
    - Searches through your existing data to find matches that may need protection
- - - Create a DLP query to identify what sensitive information now exists in your site collections.
    - Create a DLP policy to monitor and automatically protect sensitive information in your site collections.

The How?

How are people accessing cloud services, and how do we secure it?

Option 1 - Azure AD Device Registration / Workplace Join
- Pros
  - Identifies what users and devices are using cloud services
  - Configure MFA for first-time registration
  - Allows easy SSO access to all of your apps
- Cons
  - There isn't much security you can place around the device without extras
  - MFA Conditional Access rules are met with registered devices so you will not receive a call/text
- Extras
  - Azure AD Device Registration
Option 2 - Azure AD Joined Device
- Pros
  - Same as Option 1
  - Azure AD Bitlocker Recovery
  - PIN Sign-In
  - Enterprise State Roaming Features
  - Automatic MDM Enrollment (With AAD Premium P1)
- Cons
  - On-premises domain access would typically require VPN client
  - There isn't much security you can place around the device without extras
Option 3 - O365 Mobile Device Management (MDM)
- Pros
  - Comes with O365 E3
- Cons
  - Limited control
- Extras
  - Provides Selective Wipe and removal of certain data
  - Set up O365 MDM
Option 4 - Microsoft Intune
- Pros
  - Highly configurable
  - Tied with your cloud identity and your device
  - Can manage Windows/iOS/Android Devices (limited MAC OSx Support)
- Cons
  - Requires Intune or EM+S subscription
- Extras
  - What is Intune?
  - Contains Mobile Application Management policies (MAM)
    - Prevent Cut/Copy/Paste
    - Prevent SaveAs
    - Require a PIN for specific Mobile Apps
    - *With or without device enrollment*
  - Selective or Full Wipes of the device
  - Manages device compliance settings
    - Encryption/Password Rules/Etc.
  - Manages device configuration settings
    - Blocks to cameras, screen shots, USB ports, and tons more
  - Conditional Access via Compliance Policy and Device Registration
    - Allow only ‘domain joined’ devices to access cloud data

I hope I've made an extremely complex topic a little easier for everyone to understand. Like I mentioned above, there isn't a single solution that you should decide on for all business & security scenarios. You may need to mix-and-match and you may also need to use features I didn't even mention here. If you find yourself in a confusing situation and need help finding the best approach please feel free to reach out to SkyNorth!

Need Help?

Be sure to contact SkyNorth Software today for an O365 Data Security Assessment or any of your data security needs!

What is our Data Security Assessment?

It’s a comprehensive technology and process review for how you handle data security within your organization.

How much does it cost?

It’s FREE! Out introductory package is completely free and includes a 1-hour finding call with self-help documentation. If you’d like to have a more comprehensive review or added support, you can look at our PREMIUM or PREMIUM – WITH SUPPORT options on our website.