Saturday, August 20, 2016

Office 365 Secure Score and Information Security Planning

Office 365 customers are provided a highly security solution for business productivity.  Microsoft ensures that the Office 365 service is secure and demonstrates this commitment through many of the third-party accreditations it receives.  Yet that is only half the battle as the customer who manage the Office 365 tenant shares in that security responsibility.  There are a tremendous amount security features and capabilities that are available to Office 365 customers that require configuration and management.  Customers frequently miss they too have a security responsibility to manage and continuously monitor their tenant.  In this blog I will discuss:
  1. The new Office 365 Secure Score analytics tool.
  2. Office 365 Information Security Planning.
Microsoft is invested in providing a safe and secure productivity cloud solution for your end users.  A clear differentiator for Microsoft is that they provide you plans, frameworks and tools that help you plan and continually monitor your security risk with Office 365.

Office 365 Secure Score
Microsoft has released “in preview” a new capability called Office 365 Secure Score.  This is a new analytics tool that can review the configuration of your tenant and make recommendations (based initially on 77 different factors).  Think of it as a “credit score”.  The higher the score, the more controls you have configured into your tenant.  The goal is to create a score that is aligned to your business requirements which do not impact your user experience.

Features of this capability are:
  • There is a summary panel that provides you your score and when you last ran it.
  • There is a modeling tool that allows you to do analysis to determine if you introduce more controls how those new controls will impact your score.
  • There is detailed information about each control it evaluates and the risk that it mitigates.
  • There are remediation instructions for each control that you introduce and how it would impact your end users.
  • There is a score analyzer that allows you to measure your performance over time.  You can download the scores from the reports and make them part of continuous monitoring program.
  • New controls will be introduced into the tool as new features are added to the service.
Plan for Office 365 Information Security
Since I have discussed this new Office 365 Secure Score tool that helps you continuously evaluate your security position, it is also worth mentioning there are several new Office 365 Information Planning worksheets you should review (see references below).
What these references will do is provide you direction on how you can utilize and configure all of the Office 365 security features (several new ones). 

Here are features I talk about a lot:
  • Federated Authentication (ADFS) and ADFS Client Access Policies.
  • Two-factor Authentication with Office 365 MFA and integration with third-party 2FA (smart cards, PIV, CaC).
  • Data Loss Prevention for Exchange Online, SharePoint Online, OneDrive for Business and Skype for Business Online.
  • Rights Management Service (RMS) Exchange Online, SharePoint Online, OneDrive for Business and Office 365 ProPlus.
  • Office 365 Message Encryption (OME) and S/MIME support.
  • eDiscovery, Legal Hold and Retention policies for Exchange Online, SharePoint Online, OneDrive for Business and Skype for Business Online.
  • Advanced eDiscovery with text analytics, machine learning and predictive coding.
  • Exchange Online Inactive Mailboxes.
  • Data spillage and deletion methods.
  • Permissions management.
  • Service usage reports.
  • Customer Lockbox
  • Office 365 MDM and Exchange ActiveSync policies.
  • Intune MDM advanced features for Exchange Online, SharePoint Online, OneDrive for Business and Skype for Business Online.
  • Office on the Web (OWA) client policies for data sync and attachment downloads.
  • Exchange Online Protection.
  • Advanced Threat Protection for Exchange Online.
  • Office 365 Advanced Security Management.
  • Azure AD usage and audit reports.
  • Exchange Online mailbox auditing and administrator auditing reports.
  • SharePoint Online usage audit reports.
  • Rights Management Service (RMS) audit reports.
  • External sharing policies for SharePoint Online, OneDrive for Business and Skype for Business Online.
There are a lot of features available to customers and planning is required.

In Closing
It can be daunting to see the amount of information security features that a customer has available to them in Office 365.  Customers need to plan and develop continuous monitoring plans to evaluate their risk in the Office 365.  Microsoft, unlike many of the cloud vendors out there, provide comprehensive solutions to help you plan and measure your risk.

No comments: