Tips in Securing Microsoft 365 (M365)

Digital Transformation

By: Crystal Joy Solis, CompTIA Pentest+, Information Security Senior Analyst

The majority of employees are in a work-from-home (WFH) setup during this pandemic, except for work functions that require physical presence. The probability of these employees returning to the office in a post-pandemic scenario is minimal to moderate. Because of this, companies must provide their employees with the necessary tools to maintain productivity while securing confidential business and sensitive personal information.

One of the in-demand productivity tools is Microsoft 365 (M365). M365 is an all-in-one bundle made up of office applications such as Word, Excel, Outlook, PowerPoint and OneNote, plus other services that use cloud technology with relevant security measures. It is a monthly or annual subscription-based service that gives users access to various Microsoft applications and services.

Here are some tips on how to secure your M365 to address regulatory, legal and contractual obligations and operational requirements (this is not an exhaustive list, and some items may require upgraded or additional licenses):

1. Establish Mobile Device Management (MDM)

MDM is a built-in feature included in Office 365 to safeguard and manage users' mobile devices such as iPhones, iPads, Android phones and Windows phones. Employees can only gain access to the Company's email and documents from mobile devices that are registered and configured according to approved security policies.

2. Enable Multi-Factor Authentication (MFA) for all users

Multi-Factor Authentication (MFA) helps the Company protect its information assets by providing more secure access to applications and data. It adds a layer of security by requiring a second form of authentication via mobile phone (voice call or SMS), fixed-line phone (call my desk phone), or mobile application (Microsoft Authenticator app).
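One way to apply this tip tenant-wide is a Conditional Access policy that requires MFA for every user on every cloud app. The script below is an added example, not code from the original article or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and assumes a Conditional Access-capable licence and an emergency-access ("break-glass") account whose UPN, `breakglass@contoso.example`, is a placeholder. The policy is created in report-only mode first so that sign-in logs can be reviewed before anyone is locked out.

```powershell
# Added example: require MFA for all users via Conditional Access (Graph PowerShell SDK).
# Assumptions: Microsoft.Graph module installed; the account running this holds a role
# that can write Conditional Access policies; breakglass@contoso.example is a placeholder.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# The emergency-access account is excluded so an MFA outage cannot lock out all admins.
$breakGlass = Get-MgUser -UserId "breakglass@contoso.example"

$policy = @{
    DisplayName = "CA01 - Require MFA for all users"
    # Report-only: evaluated and logged, but not enforced. Change to "enabled" after review.
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users = @{
            IncludeUsers = @("All")
            ExcludeUsers = @($breakGlass.Id)
        }
        Applications = @{
            IncludeApplications = @("All")
        }
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Check: every Conditional Access policy that grants access only with MFA, and its state,
# so report-only versus enforced policies are visible at a glance.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains "mfa" } |
    Select-Object DisplayName, State
```

Conditional Access and the tenant's "security defaults" setting are mutually exclusive: a tenant that already has security defaults on is already prompting all users for MFA, and security defaults must be turned off before a policy like the one above can be enabled.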

3. Enable Modern Authentication

Modern authentication is a combination of authentication and authorization methods. It is a safer authentication method than the basic authentication method, which depends only on a username and password. The modern authentication method enables multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party Security Assertion Markup Language (SAML) identity providers.
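The Exchange Online side of this tip is two settings: turn modern (OAuth 2.0) authentication on, and make an authentication policy that blocks basic authentication the tenant default. The script below is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module and an Exchange administrator role.

```powershell
# Added example: enable modern authentication in Exchange Online and block basic auth tenant-wide.
# Assumptions: ExchangeOnlineManagement module installed; Exchange admin role.

Connect-ExchangeOnline

# 1. Turn on modern authentication (OAuth 2.0) for Outlook and other clients.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# 2. An authentication policy created without any -AllowBasicAuth* switch blocks basic
#    authentication for every protocol (IMAP, POP, SMTP AUTH, EWS, ActiveSync, MAPI, ...).
New-AuthenticationPolicy -Name "Block Basic Auth"

# 3. Make it the tenant default so existing and new mailboxes inherit it.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# Check: modern auth enabled and the blocking policy set as default.
Get-OrganizationConfig | Select-Object OAuth2ClientProfileEnabled, DefaultAuthenticationPolicy

# Check: every AllowBasicAuth* property of the policy should be False.
Get-AuthenticationPolicy -Identity "Block Basic Auth" | Select-Object Name, AllowBasicAuth*
```

Microsoft has since retired basic authentication in Exchange Online for most protocols, so in a newer tenant the checks above mostly confirm the state rather than change it; SMTP AUTH is the one protocol that can still be enabled per mailbox and is worth auditing separately.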

4. Establish a Data Loss Prevention (DLP) policy

A DLP policy analyzes user activity on sensitive data at rest, in transit, or in use. It helps safeguard sensitive data from exposure to unauthorized persons, unauthorized use and/or unintended disclosure.
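A concrete DLP policy makes the tip easier to picture. The script below is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module (which provides the Security & Compliance `Connect-IPPSSession` cmdlet), a Compliance administrator role, and the built-in "Credit Card Number" sensitive information type. The policy is created in test mode with notifications so matches show up in DLP reports and user tips before anything is actually blocked.

```powershell
# Added example: DLP policy that detects payment card numbers in Exchange, SharePoint and
# OneDrive, notifies the content owner, and blocks sharing outside the organization.
# Assumptions: ExchangeOnlineManagement module; Compliance admin role; built-in
# "Credit Card Number" sensitive information type.

Connect-IPPSSession

$policyName = "Financial data - payment cards"

# Test mode first: matches are reported and users see policy tips, but nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Detect payment card numbers across Exchange, SharePoint and OneDrive" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# One card number is enough to match; only sharing with people outside the org is blocked.
New-DlpComplianceRule -Name "Block external sharing of card numbers" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Detections, Title, Sender

# Check: policy mode and the rule's blocking behaviour as stored in the tenant.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, Workload
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, BlockAccess, AccessScope, NotifyUser

# Once the reports show acceptable false-positive rates, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```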

5. Establish an Advanced Threat Protection (ATP) policy

An ATP policy is an email filtering tool that safeguards the company from business email compromise, malicious software and/or social engineering attacks.
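The two ATP (now Microsoft Defender for Office 365) policies that map most directly to the threats named above are Safe Attachments (malicious software) and anti-phishing impersonation protection (business email compromise). The script below is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module, a Defender for Office 365 licence, and placeholder values for the domain (`contoso.example`) and the executives to protect. Parameter names are those documented for the module; check them with `Get-Help New-AntiPhishPolicy -Detailed` in your tenant, since they have changed between releases.

```powershell
# Added example: Defender for Office 365 (formerly ATP) Safe Attachments and anti-phishing
# impersonation policies. Assumptions: ExchangeOnlineManagement module; Defender for
# Office 365 licence; contoso.example and the executive names/addresses are placeholders.

Connect-ExchangeOnline

$domain = "contoso.example"

# Safe Attachments: detonate attachments before delivery and block the message on malware.
New-SafeAttachmentPolicy -Name "SA - Block malware" -Enable $true -Action Block -Redirect $false
New-SafeAttachmentRule -Name "SA - Block malware" `
    -SafeAttachmentPolicy "SA - Block malware" `
    -RecipientDomainIs $domain

# Anti-phishing: mailbox intelligence plus explicit impersonation protection for the people
# most often impersonated in BEC. Entries use the "Display Name;smtp address" format.
New-AntiPhishPolicy -Name "AP - Impersonation" `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect "Chief Executive;ceo@$domain", "Chief Finance;cfo@$domain" `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -PhishThresholdLevel 2
New-AntiPhishRule -Name "AP - Impersonation" `
    -AntiPhishPolicy "AP - Impersonation" `
    -RecipientDomainIs $domain

# Extend Safe Attachments scanning to files in SharePoint, OneDrive and Teams (tenant-wide).
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Check: the rules exist and are enabled, and point at the intended policies.
Get-SafeAttachmentRule | Select-Object Name, State, SafeAttachmentPolicy
Get-AntiPhishRule | Select-Object Name, State, AntiPhishPolicy
```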

6. Establish DomainKeys Identified Mail (DKIM)

DKIM is an email authentication mechanism that allows the receiver to verify that an email was sent and authorized by the domain owner. This will prevent spoofers from sending emails that look like they come from a legitimate domain.
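Setting up DKIM in Exchange Online is a three-step sequence: create the signing configuration (which generates two selector CNAME targets), publish those CNAMEs in DNS, and only then enable signing. The script below is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module, the placeholder domain `contoso.example`, and that DNS is edited out of band at your DNS provider. The DNS check before enabling is the step most often skipped; enabling signing before the CNAMEs resolve leaves the config in an error state.

```powershell
# Added example: create, verify and enable DKIM signing for a custom domain in Exchange Online.
# Assumptions: ExchangeOnlineManagement module; contoso.example is a placeholder domain;
# the CNAME records are published at the DNS provider manually.

Connect-ExchangeOnline

$domain = "contoso.example"

# 1. Create the signing config disabled; this generates the two selector CNAME targets.
New-DkimSigningConfig -DomainName $domain -Enabled $false

$cfg = Get-DkimSigningConfig -Identity $domain
Write-Host "Publish these CNAME records at your DNS provider:"
Write-Host "selector1._domainkey.$domain  CNAME  $($cfg.Selector1CNAME)"
Write-Host "selector2._domainkey.$domain  CNAME  $($cfg.Selector2CNAME)"

# 2. Verify each CNAME resolves to the target Exchange Online expects.
function Test-DkimCname {
    param([string]$Domain, [string]$Selector, [string]$Expected)
    $record = Resolve-DnsName -Name "$Selector._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    return ($null -ne $record -and $record.NameHost -eq $Expected)
}

$ok1 = Test-DkimCname -Domain $domain -Selector "selector1" -Expected $cfg.Selector1CNAME
$ok2 = Test-DkimCname -Domain $domain -Selector "selector2" -Expected $cfg.Selector2CNAME

# 3. Enable signing only when both records are in place.
if ($ok1 -and $ok2) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
} else {
    Write-Warning "DKIM CNAMEs for $domain not resolvable yet; leave signing disabled until DNS propagates."
}

# Check: Enabled should be True and Status should report Valid once signing is active.
Get-DkimSigningConfig | Select-Object Domain, Enabled, Status
```

DKIM lets a receiver verify that a message carrying your signature really came from your domain; receivers only reject unsigned look-alike mail when the domain also publishes SPF and a DMARC policy, so the three are normally rolled out together.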

7. Establish an Exchange Online Spam Policy

A spam policy is the overall defense against spam emails. It protects the company by evaluating emails and notifying the administrator when a sender inside or outside the company has been blocked or quarantined for sending spam.
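The inbound and outbound halves of this tip live in two different Exchange Online policies: the hosted content filter policy decides what happens to spam arriving from outside, and the outbound spam filter policy is what restricts an internal sender who starts spamming and notifies the administrator. The script below is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module and a placeholder notification mailbox `secops@contoso.example`.

```powershell
# Added example: tighten the default inbound spam filter and configure outbound spam limits
# with admin notification. Assumptions: ExchangeOnlineManagement module; secops@contoso.example
# is a placeholder address; the NotifyOutboundSpam* parameters are assumed to still be
# accepted by the tenant (Microsoft has been moving these notifications to alert policies).

Connect-ExchangeOnline

# Inbound: quarantine high-confidence spam and phishing, move ordinary spam to Junk,
# and treat bulk mail with a bulk complaint level above 6 as spam.
Set-HostedContentFilterPolicy -Identity Default `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -PhishSpamAction Quarantine `
    -HighConfidencePhishAction Quarantine `
    -BulkSpamAction MoveToJmf `
    -BulkThreshold 6

# Outbound: recipient-rate limits that trip when an internal account is compromised and
# starts sending spam; the sender is blocked and the security mailbox is notified.
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -RecipientLimitExternalPerHour 400 `
    -RecipientLimitInternalPerHour 800 `
    -RecipientLimitPerDay 800 `
    -ActionWhenThresholdReached BlockUser `
    -NotifyOutboundSpam $true `
    -NotifyOutboundSpamRecipients "secops@contoso.example"

# Check: effective inbound actions and outbound limits.
Get-HostedContentFilterPolicy |
    Select-Object Name, SpamAction, HighConfidenceSpamAction, PhishSpamAction, BulkThreshold
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, ActionWhenThresholdReached, RecipientLimitExternalPerHour, RecipientLimitPerDay

# Check: internal senders currently restricted from sending because they hit the limits.
Get-BlockedSenderAddress
```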

8. Enable the admin consent request (Preview)

The admin consent request (Preview) workflow provides administrators with a secure way to grant access to applications: users who cannot consent to an application themselves submit a request that named reviewers approve or deny.
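Enabling the workflow means turning it on and naming who reviews requests. The script below is an added example, not code from the original article; it uses the Microsoft Graph PowerShell SDK and assumes a Global Administrator or Privileged Role Administrator account and two placeholder reviewer UPNs. The cmdlet and parameter names are those documented for the Microsoft.Graph.Identity.SignIns module; confirm them with `Get-Help Update-MgPolicyAdminConsentRequestPolicy -Detailed` before running.

```powershell
# Added example: enable the admin consent request workflow with named reviewers
# (Graph PowerShell SDK). Assumptions: Microsoft.Graph module; Global Admin or Privileged
# Role Admin; secadmin1/secadmin2@contoso.example are placeholder reviewer accounts.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConsentRequest", "User.Read.All"

# Reviewers are expressed as Graph queries pointing at user objects.
$reviewerUpns = @("secadmin1@contoso.example", "secadmin2@contoso.example")
$reviewers = foreach ($upn in $reviewerUpns) {
    $user = Get-MgUser -UserId $upn
    @{ Query = "/users/$($user.Id)"; QueryType = "MicrosoftGraph" }
}

# Turn the workflow on, email reviewers on new requests, send reminders, and expire
# unanswered requests after 30 days.
Update-MgPolicyAdminConsentRequestPolicy `
    -IsEnabled $true `
    -NotifyReviewers $true `
    -RemindersEnabled $true `
    -RequestDurationInDays 30 `
    -Reviewers $reviewers

# Check: the policy should now show as enabled with reviewer notifications on.
Get-MgPolicyAdminConsentRequestPolicy |
    Select-Object IsEnabled, NotifyReviewers, RemindersEnabled, RequestDurationInDays
```

The workflow only has an effect when users are not permitted to consent to applications on their own; that restriction is set separately in the tenant's user consent settings, and the two are normally configured together.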

In conclusion

M365 can significantly help increase productivity at work regardless of where you are. But companies must also enable or activate the built-in security measures to protect confidential business information and sensitive personal data. Some of these features are built into your environment, and some may require an upgrade to your current M365 licenses.

But before implementing these security measures, organizations must (1) identify and assess risks, (2) identify the appropriate controls for these risks, (3) work with stakeholders on the viability of these security measures, (4) conduct awareness training for all end-users, (5) implement the approved security measures, (6) monitor and report the effectiveness and efficiency of these measures to stakeholders, and (7) adjust and improve control measures as necessary.

Contact Us

Exceture has extensive hands-on expertise in information security and data protection across different application systems and platforms. Our consultants can assist in developing your security architecture and implementing it.

Contact us today at contactus@exceture.com.

Reference:
CIS Microsoft 365 Foundations Benchmark v1.2.0 – 07-06-2020