Microsoft's products are now used by virtually every organization and form the backbone of many business processes. Think of the well-known Microsoft Office suite, of Microsoft Outlook for email and, since Covid-19, of Microsoft Teams. Not to forget SharePoint/OneDrive and the Azure platform.
By bringing all of this together under the name Microsoft 365, Microsoft has taken a big step. But what about the security and privacy measures within these applications?
Security
The easy answer is that the security measures and configuration options are excellent, but that answer is too short-sighted. There is a lot to set up and monitor. Microsoft 365 lends itself to security by design, but it does not deliver it out of the box: you have to configure it yourself in your own Microsoft 365 environment.
There are many general settings in the Microsoft 365 admin center, in Azure Active Directory and in Microsoft Endpoint Manager. But did you know that there are also separate settings to make sure that Microsoft Teams itself is secure? One of the basic principles of information security is that authorizations are granted on a need-to-know basis: no access unless explicitly authorized. Microsoft Teams has its own settings for exactly this, covering guest access, external (federated) access and who may join a meeting.
One of the biggest concerns for the IT department and the security officer is data loss via laptops, tablets and smartphones. Fortunately, Microsoft 365 offers many options to secure these devices and the data on them.
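As an added example (not part of the original article), the PowerShell below shows how the need-to-know principle translates into concrete Teams tenant settings: it reads the current guest access, federation and meeting-lobby configuration, reports where it drifts from a "closed by default" desired state, and applies that state. The cmdlets are those of the MicrosoftTeams module; the chosen values are illustrative and assumed to be what this organization wants, not Microsoft's own recommendations. Note that Teams guest access also depends on the guest settings in Azure Active Directory, which this script does not touch.

```powershell
# Added example (not from the original article): enforce "no access unless
# authorized" on the Teams tenant. Requires the MicrosoftTeams module and a
# Teams administrator role. Values below are assumptions for this example.
Connect-MicrosoftTeams

# Desired state, split per cmdlet so each hashtable can be splatted as-is.
$ClientConfig = @{
    AllowGuestUser   = $false   # no guest accounts in Teams unless explicitly decided
    AllowDropBox     = $false   # block third-party cloud storage in the Files tab
    AllowBox         = $false
    AllowGoogleDrive = $false
    AllowShareFile   = $false
    AllowEgnyte      = $false
}
$FederationConfig = @{
    AllowFederatedUsers = $false  # no chat/calls with other Teams tenants
    AllowTeamsConsumer  = $false  # no chat with personal (consumer) Teams accounts
}
$MeetingPolicy = @{
    AllowAnonymousUsersToJoinMeeting = $false
    AutoAdmittedUsers                = 'EveryoneInCompany'  # everyone else waits in the lobby
}

function Get-SettingDrift {
    # Compares the live configuration object with the desired hashtable and
    # returns one row per setting that differs, so the change can be reviewed
    # before anything is written.
    param([psobject]$Current, [hashtable]$Desired, [string]$Scope)
    foreach ($key in $Desired.Keys) {
        if ($Current.$key -ne $Desired[$key]) {
            [pscustomobject]@{
                Scope   = $Scope
                Setting = $key
                Current = $Current.$key
                Desired = $Desired[$key]
            }
        }
    }
}

$drift = @(
    Get-SettingDrift -Current (Get-CsTeamsClientConfiguration -Identity Global) -Desired $ClientConfig -Scope 'ClientConfiguration'
    Get-SettingDrift -Current (Get-CsTenantFederationConfiguration) -Desired $FederationConfig -Scope 'FederationConfiguration'
    Get-SettingDrift -Current (Get-CsTeamsMeetingPolicy -Identity Global) -Desired $MeetingPolicy -Scope 'MeetingPolicy(Global)'
)

if ($drift.Count -eq 0) {
    'Teams external-access settings already match the desired state.'
    return
}
$drift | Format-Table -AutoSize

# Apply only after the drift report has been reviewed. Splatting passes each
# hashtable entry as a named parameter.
Set-CsTeamsClientConfiguration -Identity Global @ClientConfig
Set-CsTenantFederationConfiguration @FederationConfig
Set-CsTeamsMeetingPolicy -Identity Global @MeetingPolicy
```

Running the script a second time should produce an empty drift report; keeping that report is a simple way to evidence that the Teams settings were reviewed and not just assumed to be correct. Per-team and per-user policies can still override the global meeting policy, so check those separately if you use them.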
Recent news is the arrival of Microsoft Compliance Manager in the Microsoft 365 compliance center. Where the Compliance Manager in the Service Trust Portal was a fairly static tool, the new Compliance Manager is very dynamic. The Data Protection Baseline assessment is included with all licenses, so you can start working on your compliance immediately. With the appropriate licensing you have access to more than 150 templates for laws, regulations and standards frameworks, and you can even add custom frameworks of your own.
The Compliance Score gives you instant insight into your current situation and the areas to improve. The more improvement actions you implement, the higher your score. Keep in mind that the score measures your configuration against the templates; it is not a legal statement of compliance.
Privacy
With the privacy revolution under way, and taking laws like the GDPR and CCPA into account, privacy is a hot topic. When we think of privacy, we often think of customer data and, for employees, payroll data. But there is more. Within the security domain of Microsoft 365 and Azure there is a lot you can monitor about user behavior; MyAnalytics is one example. From a security point of view there are things you want to monitor, but not everything is needed. Decide in advance what you want to capture and what you do not, and deliberately turn off the rest.
Microsoft 365 supports a GDPR-compliant design: Microsoft takes care of the platform side, but choosing the right configuration is up to you. During configuration, pay attention to the settings Microsoft turns on by default. For example, do you want Bing to collect data to improve the search experience? If you collect and monitor more yourself (within the limits of the law, of course), be transparent about it: tell people clearly what you are doing and why.
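As an added example (not part of the original article) of deliberately turning off a default, the script below opts a set of users out of MyAnalytics with the Exchange Online PowerShell module and produces a before/after report that can be kept as evidence of the decision. The user list is constructed for the example; the property names in the report are those returned by Get-MyAnalyticsFeatureConfig at the time of writing.

```powershell
# Added example (not from the original article): opt users out of MyAnalytics
# and verify the result. Requires the ExchangeOnlineManagement module and an
# Exchange administrator role. The user list below is constructed sample data.
Connect-ExchangeOnline

$Users = @('a.jansen@contoso.example', 'b.devries@contoso.example')  # constructed

function Set-MyAnalyticsOptOut {
    # PrivacyMode 'Opt-out' turns off the personal dashboard, the Outlook add-in
    # and the digest e-mail for the user, and stops the user's mailbox data from
    # being processed for MyAnalytics.
    param([string[]]$Identity)
    foreach ($upn in $Identity) {
        Set-MyAnalyticsFeatureConfig -Identity $upn -PrivacyMode 'Opt-out'
    }
}

function Get-MyAnalyticsReport {
    # One row per user with the effective privacy mode and feature switches.
    # 'Compliant' is this example's own label for "opted out", not a cmdlet field.
    param([string[]]$Identity)
    foreach ($upn in $Identity) {
        $cfg = Get-MyAnalyticsFeatureConfig -Identity $upn
        [pscustomobject]@{
            User        = $upn
            PrivacyMode = $cfg.PrivacyMode
            Dashboard   = $cfg.IsDashboardEnabled
            AddIn       = $cfg.IsAddInEnabled
            DigestEmail = $cfg.IsDigestEmailEnabled
            Compliant   = ($cfg.PrivacyMode -eq 'Opt-out')
        }
    }
}

'Before:'
Get-MyAnalyticsReport -Identity $Users | Format-Table -AutoSize

Set-MyAnalyticsOptOut -Identity $Users

'After:'
$after = Get-MyAnalyticsReport -Identity $Users
$after | Format-Table -AutoSize

# Anything still opted in deserves a second look (typo in the UPN, licensing, etc.).
$after | Where-Object { -not $_.Compliant } |
    ForEach-Object { Write-Warning "Still opted in: $($_.User)" }
```

The same pattern, read the current state, change it, read it back, applies to every default you decide to switch off: the "after" report is what you show an auditor, and re-running the report later catches settings that have drifted back.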
In short, Microsoft 365 and Microsoft Azure allow you to build a secure and privacy-compliant organization. But you have to do it yourself, and keep doing it. Need help? Audittrail has all the necessary knowledge in-house and is happy to help.
Audittrail Group is an audit and advisory organization in the field of security, privacy and GRC. Audittrail is a Microsoft Partner in the field of security and compliance and helps organizations set up their Microsoft environment securely and in a privacy-compliant way. Do you have any questions following this article? Let us know via mail@audittrailgroup.com or on +31 71 747 17 17.