The popularity of Microsoft 365 has grown enormously among organizations in recent years. But using it does not immediately mean that you are security and privacy compliant. What steps should an organization take to safeguard information security and privacy? We spoke about this with Carlien Daniels, Consultant Microsoft Security & Compliance at Audittrail. "The core is enabling organizations to keep an overview and insight into the risks of their Microsoft 365 environment."
Many organizations are currently making a move to Microsoft 365. "It sometimes seems simple, but there are things that need to be thought about in advance," says Carlien. "Take sharing a file, for example; do you want all documents to be shared with everyone or only certain files? By putting the possibilities side by side and weighing the pros and cons, you can make the right decisions that fit your organization. Because if you don't think about the layout properly, don't involve the users and don't look after it again once installed, you open a door for unauthorized people. One of the biggest dangers of Microsoft 365 is that no well-founded decisions are made in advance about information security. Security by design really pays off."
MFA and roles
Making Microsoft 365 technically secure is the first step when addressing information security. "Microsoft has recently gone through several great developments to be able to work more and more securely," Carlien explains. "Multifactor authentication (MFA) is a well-known example of this, but it is now also complemented by conditional access and identity protection. But there are also more options for administrators of the Microsoft 365 environment. For example, this is now set up based on roles. By means of privileged identity management, you can also temporarily assign administrative tasks to an administrator. This ensures a clear separation of functions; you are either working as an administrator or as a user. The main advantage is that it reduces the risk of unauthorized access in the management environment."
Because Microsoft 365 allows organizations to work anytime, anywhere, it takes on other risks. "Working in a location and time-independent manner means that you have to raise employees' awareness actively. At home, we often feel freer than in the office and are less alert to threats. A wrong e-mail is overlooked, but the information is also more often 'literally' transported. Think of a smartphone in the jacket pocket or a laptop in the backpack. You not only have to be aware of this, but you also need to protect this hardware properly. So that unauthorized people cannot access the data in case it gets lost."
Reduce the risk of data breaches
Reducing the risk of data loss could be done in various ways within Microsoft 365, Carlien continues. "This starts with provisioning your access based on roles, something that is easy to set up using the groups in Azure AD. From there, you'll better protect confidential documents through data classification. You can also secure devices such as laptops and smartphones via an Endpoint Manager. In which there is also room to ensure that data cannot be extracted from the managed apps. In this way, the risk of a data breach or security incident is reduced as much as possible.
According to Carlien, protecting the privacy within Microsoft 365 goes beyond customer data alone. "Microsoft 365 lends itself to a GDPR-compliant design, but then the organization still has to take a few steps. Logging is an example of this. Within Microsoft 365, there are many logging options. Although this is important for security, this does not apply to all logging options. You, therefore, always have to consider what weighs heavier, the privacy of the employee or the importance of security. If you do decide to enable logging, you must be transparent about this to employees. We don't see the latter happening much yet." "An advantage of logging is, for example, the fact that Microsoft is making more and more predictions through Artificial Intelligence. For this, the data of employees is often used. For example, suppose an employee logs in at the same time from two different countries. In that case, access can be blocked, or more authentications can be requested to log in. This improves information security but can only be signaled when the location of the user is known."
Overview and insight
When asked whether it is difficult for an organization to work safely and compliantly within Microsoft 365, Carlien concludes: "Through the Microsoft Compliance Center and the Microsoft Security Center, this is becoming increasingly easier. Here you can see step by step what you can modify to comply with certain legislation. But that requires some knowledge of Microsoft 365 to be able to see the changes and any additional risks. As a Microsoft partner with a lot of knowledge of security and compliance within Microsoft 365, Audittrail can help with this. We are also aware of the latest and future developments. We mainly help organizations to make all the different parts within Microsoft 365 clear. From the perspective of privacy and security, we look at an environment that is often only viewed with an IT view and translate this to the organization. In this way, those responsible can actually make well-founded choices without needing a lot of IT knowledge. In this way, the organization can keep an overview and insight into the risks of the Microsoft 365 environment."