Microsoft's products are now used by almost all organizations and can no longer be ignored. Think of the well-known Microsoft Office, Microsoft Outlook for email and, since Covid-19, also Microsoft Teams. Not to forget SharePoint/OneDrive and the Azure platform.
With the merger of all this under the name Microsoft 365, Microsoft has taken a big step. But what about the security and privacy of these applications?
The easiest thing is to say that security is fine, but that is too short-sighted. There is a lot to set up and monitor. Microsoft 365 lends itself well to a security-by-design approach, but you have to configure this yourself in the Microsoft 365 environment!
There are many standard settings in the Microsoft 365 admin centre, Azure Active Directory, and Microsoft Endpoint Manager. But did you know that there are also separate settings to ensure that Microsoft Teams is secure? One of the basic principles of information security is that authorizations are granted on a need-to-know basis: no access unless it is required. Those settings are all possible in Microsoft Teams as well.
One of the biggest concerns for the IT department and security officers is possible data loss via laptops, tablets, and smartphones. Fortunately, Microsoft 365 offers many possibilities to secure these devices.
Fresh off the press is the addition of Microsoft Compliance Manager to the Microsoft Compliance Center. Microsoft Compliance Manager used to be a fairly static tool in the Trust Portal; it now works very dynamically. The Data Protection Baseline is included for all licenses, so you can get started with your compliance right away. If you have the correct license, you can access more than 150 laws, regulations and standards frameworks, and you can even add custom standards frameworks.
Microsoft Compliance Score gives you direct insight into how you are doing. The more actions you perform, the higher your score.
When we think of privacy, we often think of customers' data and – when it comes to employees – of the payroll administration. But of course, there is more! Within the security domain of Microsoft 365 and Azure, there is a lot that can be monitored regarding user behaviour. You can see that in MyAnalytics, for example. From a security point of view, there are several things you want to monitor, but not everything is necessary. Think carefully in advance about what you do and do not want to record, and consciously turn certain things off.
Microsoft 365 lends itself to a GDPR-compliant design. Microsoft has already taken care of that; it is just a matter of choosing the right configuration yourself. Also keep in mind the things that Microsoft turns on by default. For example, do you want Bing to collect data to improve search experiences? If you collect and monitor more (within the framework of the law, of course), be transparent about it: clearly tell people what you do and why.
In short: with Microsoft 365 and Microsoft Azure, you can set up your organization securely and privacy-compliant. But you have to do that yourself and keep doing it! Need help? Audittrail has all the necessary knowledge in-house. We are happy to help you!
Audittrail Group is an audit and advisory organization in the field of security, privacy and GRC. Audittrail is a Microsoft Partner in the field of security & compliance and helps organizations set up their Microsoft environment securely and privacy-compliant. Do you have any questions following this article? Let us know via email@example.com or through +31 71 747 17 17.