Microsoft Office 365 Security Best Practices for Admins

Let’s Talk about Office 365 Security Best Practices

Businesses are quickly moving business-critical systems, data, services, and other roles to the public cloud. Public cloud environments are becoming increasingly powerful, with new features and functionality being added regularly. Microsoft’s Office 365 public cloud is an extremely popular and feature-rich cloud offering that provides numerous capabilities to businesses wanting to migrate resources from on-premises to the public cloud.

Administrating public cloud environments is much different than the traditional on-premises environment. There are certainly best practices that go along with public cloud environments such as Office 365 that ensure migrating to and managing public cloud effectively, securely, and in a way that allows administrators to satisfy the needs of the business. In this post, we will look at the Top 5 Office 365 Security Best Practices, what they are, how they can be implemented, and why they are essential.

Microsoft Office Backup Solution from SpinOne

Start 15-Day Free Trial

Top 5 Office 365 Security Best Practices

The migration to the public cloud can present challenges in terms of moving from the familiar landscape of on-premises environments and tooling to public cloud infrastructure, which has its interfaces, processes, and controls. This includes new and different permissions controls, network configurations, and cloud security mechanisms. This means that businesses need to adhere to recommended best practices to ensure data is migrated and the environment is accessed, managed, and secured appropriately. The following top 5 Office 365 security best practices are by no means the only things Office 365 administrators need to do. However, they represent some of the oversized items that must be given attention from the point of migration today two operations in the Office 365 public cloud.

1. Choose the appropriate Office 365 data migration option
2. Office 365 Backup
3. Secure Access to Resources Appropriately
4. Use Data Loss Prevention Policies
5. Utilize Mobile Device Management (MDM) policies

Let’s consider each of the above items and see how administrators can address them appropriately by looking to minimize issues and have stable, secure, and efficiently operating Office 365 environments.

Choose the Appropriate Migration Option

There are certainly best practices when considering day two operations in the Office 365 public cloud. However, simply getting to the cloud can be filled with potential “gotchas” if not planned and thought through correctly. As can be imagined, many of the Office 365 security best practices revolve around security initiatives. However, the first order of business is choosing the appropriate migration option that will appropriately fit the company’s needs. There are quite a few options to get your data into the Office 365 public cloud. These include the following:

• Hybrid deployment and migration – Organizations may choose only to migrate certain services to the Office 365 public cloud and leave some services on-premises. This may be for business or compliance reasons.
• Staged migration – The staged migration performs the migration in “batches” of users, etc.
• Cutover migration – The cutover migration allows migrating all services/users in one operation or batch and then going live by “cutting over” to the new Office 365 public cloud environment.
• IMAP migration – generally associated with the cutover migration. Using the IMAP method, user mailboxes can be cut over to the Office 365 environment.

Choosing the right migration strategy and option is essential to access data and services successfully and in a way that is expected. The different options basically provide different levels of data migration and determine if any data/services are left on-premises, either temporarily or permanently.

Backup Solution for Microsoft Office 365

Perhaps one of the most essential best practices in the list is backing up Office 365. So many businesses choose to migrate to the public cloud and forget to think about data protection in the public cloud. Many inappropriately treat the public cloud as an ironclad mechanism in which it is impossible to lose data. While the public cloud is ultra-resilient, data loss can happen easily, either by accidental/intentional deletion, ransomware, or other data disasters.

Additionally, even if organizations have thought about data protection after the migration is complete and the business is “in production,” what about during the migration process? If you think about it, there can potentially be data loss even during the migration phase of the operation. Businesses need to think seriously about putting data protection mechanisms in place before the migration takes place. As soon as data begins to migrate, it is being protected by the mechanisms available.  Office 365 Backups are essential to the integrity of data. Data is the lifeblood of the business. Not protecting it, even in the public cloud, is asking for disaster. How can you effectively backup data in the Office 365 public cloud?

The native Office 365 environment is limited by a lack of data protection functionality across the board. The closest thing that organizations have to data protection is the ability to roll back to the previous file version in OneDrive for Business for up to 30 days back. However, the functionality for this limited rollback mechanism is sorely lacking when thinking about the capabilities of a proper data protection solution. Being limited to 30 days for recovery is not acceptable for many businesses. Also, for now, Microsoft is only offering this functionality for OneDrive and no other services. Where does this leave businesses migrating to the Office 365 public cloud who want to adhere to Office 365 security best practices? Essentially companies must choose a third-party provider to protect the Office 365 environment using proper enterprise-grade backups.

SpinOne provides an excellent solution for businesses to fill the need for enterprise-ready data protection that provides robust features and capabilities. SpinOne delivers the following functionality for companies looking to protect their Office 365 environments.

1. Automated backups 1x or 3x daily – Includes OneDrive for Business, Email, Contacts, Calendar, and People.
2. Provides the ability to store data from OneDrive outside of the Office 365 public cloud – Either AWS or GCP storage
3. Version control
4. Ultra-secure backups – AES 256-bit encryption in-flight and at-rest
5. Unlimited storage capability and backups
6. Migrate data between user accounts
7. Search for items backed up from Office 365
8. Report on the status of protected data
9. Upcoming  Office 365 security features!

Backing up Office 365 services using SpinOne Office 365 Backup

Using the SpinOne solution, businesses migrating their business-critical data to the Office 365 public cloud can confidently count on their data to be stored safely and securely. SpinOne provides a powerful and cost-effective solution for data protection that allows “checking all the boxes” to ensure business-critical data in the cloud meets the requirements of the business, compliance, and regulations. With the upcoming security features for Office 365 that match what is available in the Google G Suite version of SpinOne, the capabilities of SpinOne will allow organizations not only to backup business-critical data in Office 365 but also implement the exact world-class security mechanisms that are found in SpinOne for G Suite, including data leak protection, third-party apps control, insider-threat protection, etc.

Secure Access to Resources Appropriately

Inappropriately provisioned permissions on public cloud resources have led to some of the most prolific breaches in public cloud data. Often hackers and other groups look and scan for “open” permissions on some of the more common storage services in public cloud environments to find permissions that have been improperly configured or not configured at all. Public cloud security permissions are an often-targeted resource since they are generally less understood than on-premises security permissions secured by administrators using more standard technologies. Public cloud environments often have new mechanisms for securing resources that administrators can easily misconfigure from purely on-premises backgrounds.

Microsoft Office 365 comes with a set of admin roles assigned to users in the Microsoft Office 365 organization. These admin roles map to standard business functions and allow users assigned to the roles to perform specific tasks. Additionally, Microsoft Office 365 groups simplify the administration of users, resources, and Office 365 security in general. There are four types of groups in Office 365. They are:

1. Office 365 group – used for collaboration between users, both inside and outside the company. Members get a group email and shared workspace for conversations, files, and calendar events.
2. Security group – Used for granting access to Office 365 resources, such as SharePoint. Can contain users or devices. It can be based on dynamic membership in Azure Active Directory.
3. Mail-enabled security group – Function the same as regular security groups, except they cannot be dynamically managed through Azure Active Directory and can’t contain devices.
4. Distribution lists – used for sending notifications to a list of people. Can receive an external email if enabled.

A mistake can be made in trusting the “default” permissions assigned to users accessing specific resources in Office 365. Just because it is configured as default permission does not make it the correct configuration for the user. Each user, group, etc, should be evaluated to determine the correct set of permissions based on the actual business need for that user. Assigning permissions based on the group instead of the user can make this process easier. It allows setting the permission to the group and then simply adding the user to the correct group with the assigned permissions needed.

The principle of least privilege should always be followed when determining what permissions a user should hold in the Office 365 environment.

Use Data Loss Prevention Policies

Data leakage is one of the dangers that businesses face when migrating to the cloud. The worst thing that can happen is companies having sensitive information with personally identifiable information leaked onto the Internet. This can lead to fines, lost customer confidence, and a tarnished reputation. To prevent these types of incidents from happening, businesses must put mechanisms to protect sensitive information in the public cloud. Microsoft Office 365 contains data loss prevention mechanisms to protect sensitive information in the Office 365 public cloud. However, businesses have to take full advantage of the capabilities to be protected.

Using the data loss prevention (DLP) policy in the Office 365 security & compliance center, businesses can identify, monitor, and automatically protect sensitive information across Office 365. This PII information can include credit card numbers, social security numbers, or health records. DLP policies work by detecting sensitive information using deep content analysis and not simply a text scan. This deep analysis uses keyword analysis, dictionary matches, regular expressions, internal functions, and other methods to detect content that matches your DLP policies. With DLP, administrators can define policies that:

• Identify sensitive information across locations (Exchange, SharePoint, OneDrive, etc.)
• Prevent accidental sharing of sensitive information
• Monitor and protect sensitive data in desktop versions of Office
• Help users learn how to stay compliance without interrupting their workflow
• View DLP reports showing content that matches your organization’s DLP policies

A DLP policy is made up of a where, when, and how component. Administrators decide the locations to protect content, such as Exchange Online, SharePoint Online, OneDrive for Businesses, etc. Then, the when and how conditions are matched, and actions are taken based on the conditions found.

When creating the DLP policy, either simple or advanced settings can be chosen. The simple settings make it easy to create the most common types of DLP policies without using the rule editor to create or modify rules. The Advanced settings use the rule editor to give you complete control over every setting for DLP policy. The advanced settings allow you to create more customized DLP policies. DLP policies can be rolled out in test mode to determine the impact on users before fully enforcing them. This helps to prevent unintentionally blocking access to thousands of documents that are required for business continuity. DLP reports can be read in test mode to determine the impact of incidents caught with the test mode DLP policies. After any false positives are identified, and the policies are adjusted accordingly, you can move up to full enforcement of the guidelines.

Office 365 DLP policy template for defining protected information (image courtesy of Microsoft)

Using policy templates, you can choose a template of the type of information you want to protect. This allows saving the work of building a new set of rules from scratch and figuring out which types of information should be included by default.

Utilize Mobile Device Management (MDM) policies

There is no question that mobile devices are utilized more than ever today. Employees are using their devices anywhere and everywhere they are located and where they travel. Part of the extraordinary power of the public cloud is the ease with which the infrastructure and services can be accessed from anywhere and from any device. While mobile device access and BYOD mindsets have allowed employees to be liberated from the confines of offices and be productive from anywhere, the mobile device landscape has created a concerning situation for security. Office 365 provides Mobile Device Management (MDM) policies to help solve this problem.

What do MDM policies allow organizations to do? It helps secure and manage users’ mobile devices like iPhones, iPads, Androids, and Windows phones. Using the MDM policies, organizations can create and manage device security, such as remotely wiping a lost or stolen device. In addition, with MDM policies, detailed device reporting is possible to know which devices are connected to and accessing the Office 365 environment.

The MDM policies are part of the Security and Compliance Center and are where the MDM policies are set up and configured. To set up MDM policies, you will need to complete the following tasks in Office 365 Security and Compliance Center:

• Activate the Mobile Device Management service
• Set up Mobile Device Management
• Configure Domains for MDM
• Set up multi-factor authentication (recommended)
• Manage device security policies
• Ensure that users enroll their devices

Setting up multi-factor authentication in Office 365 (image courtesy of Microsoft)

Using MDM policies in Microsoft Office 365, policies that apply to a user’s device can be used to force compliance to policy requirements before allowing access to particular Microsoft Office 365 resources. In addition, policies and access rules created in MDM in Microsoft Office 365 will override Exchange ActiveSync mobile device mailbox policies and device access rules made in the Exchange admin center. What are some of the policy settings for mobile devices that may prevent them from accessing Office 365 resources? For instance, if users have any of the following settings in the specific sections, they can be prevented from accessing:

• Security
• Encryption
• Jailbroken
• Managed email profile

Workflow of mobile device access used for Office 365 access and MDM policy (courtesy of Microsoft)

Enforcing these kinds of controls on the mobile devices accessing the Office 365 environment is essential to ensuring the environment’s security. While the ease of access from mobile devices provides tremendous benefits, it can open the door to definite security implications. MDM policies help to alleviate that threat. It is undoubtedly recommended that Office 365 admin best practice implement MDM policies to control access to data and services from mobile devices.

Secure your corporate data with the market’s top backup tool for Microsoft Office 365!

Request a demo

Wrapping Up on Microsoft Office 365 Security Best Practices

Microsoft Office 365 is robust and provides a tremendous opportunity for businesses today to accelerate access to Microsoft’s latest services and technologies for the enterprise. The agility and flexibility gained from utilizing the public cloud are highly beneficial. However, along with the tremendous benefits, there are certain aspects of the public cloud that organizations must carefully consider. Following Office 365 security best practices can help alleviate these concerns and potential security issues that arise by utilizing the Office 365 public cloud environment. Using powerful integrations such as SpinOne Office 365 backup allows businesses to have the features needed for such important aspects of their migration to the public cloud, such as disaster recovery.

SpinOne allows businesses to have the features and functionality for backups and disaster recovery that companies are accustomed to on-premises. It does this simply, effectively, and efficiently. The public cloud is here to stay. Businesses are making use of it and will continue to use it more and more. By following Office 365 security best practices outlined to get there and manage day two operations, the transition can be made, and business continuity can be maintained.