5 Ways to Implement Next-Level Security with Microsoft Office 365


By Alex Fields,
Senior Solutions Architect, SUCCESS Computer Consulting

Recent research by the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, found that many Office 365 tenants in the United States are configured in ways that leave them exposed to attack.

Why? They weren’t properly configured. That isn’t to suggest that Office 365 is an inherently risky platform; it’s just that, like any other technology, it’s only as secure as you are willing to make it.

In fact, there are now so many security tools available from Microsoft (and other vendors) that it can be difficult to know where to start. What licensing is required? How can you get it all set up, assuming you even know what you’ll need?

For starters, it’s important to understand that there’s no magic bullet. Some people turn on multifactor authentication and assume they’re done. If that’s you, I’m sorry to burst your bubble: MFA is definitely THE number one thing you can do to get started, but it is not enough on its own.

There are so many things you can do to protect your assets in the cloud, but you’ll need to architect a solution that includes monitoring and protection at every link in the chain—end-user identity, apps, devices, and data.

Have no fear—SUCCESS is here to help. Keep reading to learn about five security enhancements you should be making with your investment in Microsoft 365 and any other cloud apps.

This image illustrates the steps an attacker takes to gain access to a network

1.  Enable Multifactor Authentication (AND disable basic)

Compromised passwords (obtained through phishing, password spraying, or brute-force login attempts) are still the number one way attackers gain access to resources, exfiltrate data, and run destructive processes such as ransomware. Multifactor Authentication (MFA) is therefore the number one thing you can do to protect your company’s data in the cloud.

MFA requires a second proof of identity before access to resources and data is granted. The easiest way to roll it out is the Microsoft Authenticator app for iOS and Android, which prompts users on their phone when they sign in. One caveat: a plain “Approve” / “Deny” prompt can be worn down by an attacker who already has the password and keeps sending push notifications until the user taps Approve (so-called MFA fatigue). Turn on number matching in Authenticator so the user has to type the number shown on the sign-in screen, and consider phishing-resistant methods (FIDO2 security keys, Windows Hello for Business) for administrators.

But beware: if you enable MFA and leave basic (legacy) authentication enabled, you are still open to password-spray and brute-force attacks, because legacy protocols such as POP3, IMAP4, SMTP AUTH, Exchange ActiveSync and older Outlook clients never prompt for a second factor, so an attacker holding a valid password simply walks past MFA. Microsoft provides a free baseline policy that blocks legacy authentication, but it is not turned on by default. Disabling basic authentication is a separate step from enabling MFA (and only the first step), and according to Microsoft it cuts your risk of compromise by more than 66 percent.

Note: Multifactor Authentication and baseline policies are available with every major Office 365 bundle. Microsoft has since replaced the baseline policies with Security Defaults (also free), and since late 2022 has been turning off Basic authentication in Exchange Online for all tenants, with the exception of SMTP AUTH, which you still have to disable yourself. Before you block legacy authentication, check the Azure AD sign-in logs for clients that still use it, so you know what will break.
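The check-then-enable sequence described above, as an added example that is not part of the original article: it lists who still signs in with legacy protocols over the last 30 days, and only if nobody does, turns on Security Defaults, the free successor to the baseline policies. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in admin has the AuditLog.Read.All, Directory.Read.All and Policy.ReadWrite.ConditionalAccess permissions; the list of legacy client names is the set Azure AD reports in the ClientAppUsed field.

```powershell
# Added example, not code from the original article.
# Requires the Microsoft.Graph PowerShell modules (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Client types that Azure AD reports for protocols which cannot perform MFA.
$legacyClients = @(
    "Exchange ActiveSync", "Exchange Web Services", "IMAP4", "POP3",
    "Authenticated SMTP", "MAPI Over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "Autodiscover", "Other clients"
)

# Look back 30 days: that is the sign-in log retention you get with Azure AD
# Premium P1 (the free tier keeps only 7 days, so shorten this if you have no P1).
$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"

$legacy = $signIns | Where-Object { $_.ClientAppUsed -in $legacyClients }

# Summarise per user and protocol so the owning clients (scanners, old phones,
# line-of-business apps doing SMTP AUTH) can be fixed before anything is blocked.
$legacy |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

if ($legacy.Count -gt 0) {
    Write-Warning "$($legacy.Count) legacy-auth sign-ins found; remediate those clients before enforcing."
    return
}

# No stragglers left: enable Security Defaults (MFA registration for everyone,
# MFA for admins, legacy authentication blocked). Security Defaults cannot be
# switched on in a tenant that already has Conditional Access policies; in that
# case express the same controls as Conditional Access policies instead.
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy" `
    -Body @{ isEnabled = $true }
```

Run the audit part on its own first; the `return` keeps the script from enabling enforcement while any legacy client is still in use.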

2. Configure Conditional Access

One of the biggest barriers to adopting new security controls is the pain of change. It’s annoying, right? But with conditional access, you can reduce user frustration while simultaneously improving security. For example: enforce MFA only under circumstances that are deemed riskier than others, such as a sign-in from an untrusted location, or a sign-in risk detection like impossible travel. You can even force a password reset if a user’s credentials turn up in a leaked-credential dump on the dark web. Note that the sign-in risk and user risk conditions (impossible travel, leaked credentials and the like) come from Azure AD Identity Protection, which requires Azure AD Premium P2; location, device and application conditions are available with P1.

This image shows the options for conditional access and controls in Azure AD Premium P1

To take it even further, you can tailor a different experience to the end-user if they attempt to access resources from a BYOD or unmanaged device, versus one that is corporate-owned and corporate-managed. That means you can enforce extra protections no matter where you roam, and no matter which device you use.

While Microsoft provides some conditional access protection for free (Security Defaults), to reap the full benefits described here you need Azure AD Premium P1 (now sold as Microsoft Entra ID P1) at a minimum, and P2 for the risk-based conditions. P1 is also included in these SKUs:

  • Enterprise Mobility + Security E3 or E5
  • Microsoft 365 Business Premium
  • Microsoft 365 E3 or E5 (the E5 plans include P2)
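The policies this section describes, written out as Conditional Access policies through the Microsoft Graph PowerShell SDK. This is an added example, not configuration from the original article or from SUCCESS. It assumes the Microsoft.Graph.Identity.SignIns module, an admin with the Policy.ReadWrite.ConditionalAccess permission, and a group of emergency-access (“break glass”) accounts whose object id is the placeholder in $breakGlassGroupId. Every policy is created in report-only mode, so nothing is enforced until you have read the “report-only” results in the sign-in log and flipped the state to enabled.

```powershell
# Added example, not code from the original article.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: object id of the group holding your emergency-access accounts.
# Excluding it from every policy is what keeps a mis-scoped policy from locking
# every administrator out of the tenant.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Report-only: the sign-in log records what each policy *would* have done.
$reportOnly = "enabledForReportingButNotEnforced"

function New-CaPolicy([string]$Name, [hashtable]$Conditions, [hashtable]$Grant) {
    $body = @{
        displayName   = $Name
        state         = $reportOnly
        conditions    = $Conditions + @{
            users = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        }
        grantControls = $Grant
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. Block legacy authentication everywhere (P1). "other" covers POP/IMAP/SMTP
#    and older Office clients; Exchange ActiveSync is its own client app type.
New-CaPolicy "CA001 Block legacy authentication" `
    @{ applications   = @{ includeApplications = @("All") }
       clientAppTypes = @("exchangeActiveSync", "other") } `
    @{ operator = "OR"; builtInControls = @("block") }

# 2. Require MFA for every user on every application (P1).
New-CaPolicy "CA002 Require MFA for all users" `
    @{ applications   = @{ includeApplications = @("All") }
       clientAppTypes = @("all") } `
    @{ operator = "OR"; builtInControls = @("mfa") }

# 3. Require an Intune-compliant or hybrid Azure AD joined device for Office 365
#    (P1). This is the "different experience for unmanaged devices" from the text:
#    a personal device that is not enrolled is blocked rather than waved through.
New-CaPolicy "CA003 Require managed device for Office 365" `
    @{ applications   = @{ includeApplications = @("Office365") }
       clientAppTypes = @("all") } `
    @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }

# 4. Risk-based step-up: prompt for MFA only when Identity Protection rates the
#    sign-in medium or high risk (impossible travel etc.). Needs Azure AD Premium P2.
New-CaPolicy "CA004 Require MFA for medium or high sign-in risk" `
    @{ applications     = @{ includeApplications = @("All") }
       clientAppTypes   = @("all")
       signInRiskLevels = @("medium", "high") } `
    @{ operator = "OR"; builtInControls = @("mfa") }
```

Policy 4 is the one that lets you skip the MFA prompt for ordinary sign-ins while still stepping up for the risky ones; policies 1 to 3 are the baseline that should be in place regardless of licensing tier.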

3. Protect against threats both known and unknown

Office 365 Advanced Threat Protection (ATP, since renamed Microsoft Defender for Office 365) is a good way to start defending against phishing attacks and zero-day malware. Safe Attachments detonates attachments in a sandbox before delivery, Safe Links rewrites URLs in email and documents and re-checks them at the moment the user clicks, and the anti-phishing policies use impersonation and mailbox intelligence to warn protected end-users about suspicious messages.

Office 365 ATP Plan 1 is available as a standalone subscription, but it’s also included with the following plans (the E5 plans carry Plan 2):

  • Microsoft 365 Business (now Microsoft 365 Business Premium; highly recommended for small and mid-sized businesses)
  • Office 365 E5
  • Microsoft 365 E5
  • Microsoft 365 E5 Security

Note: It is still recommended to combine this anti-phishing and anti-malware tooling with end-user education and testing. Office 365 ATP Plan 2 (also in the E5 plans) contains an attack simulator to assist with this, as do some third-party products.
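A starting configuration for the three Plan 1 features named above (Safe Attachments, Safe Links, anti-phishing with impersonation protection), as an added example that is not part of the original article. It uses the Exchange Online PowerShell cmdlets and assumes the ExchangeOnlineManagement module and a Security Administrator account; the domain “contoso.com” and the two executive names are placeholders for the people attackers most often impersonate in your organization.

```powershell
# Added example, not code from the original article.
# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
Connect-ExchangeOnline

$domain = "contoso.com"   # placeholder: your accepted domain

# Safe Attachments: detonate attachments in a sandbox and block the whole
# message if anything malicious runs. "Block" delays delivery by a few minutes;
# "DynamicDelivery" delivers the body first and the attachment after scanning.
New-SafeAttachmentPolicy -Name "Block malicious attachments" -Enable $true -Action Block
New-SafeAttachmentRule -Name "Block malicious attachments" `
    -SafeAttachmentPolicy "Block malicious attachments" -RecipientDomainIs $domain

# Safe Links: rewrite URLs in mail, Teams and Office documents, scan them again
# at click time, and do not let users click through a warning page.
New-SafeLinksPolicy -Name "Safe Links all users" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "Safe Links all users" -SafeLinksPolicy "Safe Links all users" `
    -RecipientDomainIs $domain

# Anti-phishing: protect named executives and your own domains against
# impersonation, learn each mailbox's normal senders (mailbox intelligence),
# and quarantine spoofed mail that fails authentication.
New-AntiPhishPolicy -Name "Impersonation protection" `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @("Jane Doe;jane.doe@$domain", "John Roe;john.roe@$domain") `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 2 `
    -EnableFirstContactSafetyTips $true -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true
New-AntiPhishRule -Name "Impersonation protection" -AntiPhishPolicy "Impersonation protection" `
    -RecipientDomainIs $domain
```

Each feature is a policy plus a rule: the policy holds the settings, the rule decides which recipients it applies to. Scope the rules to your accepted domains rather than individual users so new mailboxes are covered automatically.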

4. Modernize Device Management

In the past, different types of devices were managed with disparate technologies. To make matters worse, some of those tools might only work when the device was attached to the local area network, or via VPN.

In a modern framework, we want to manage ALL devices using the same tools. And we want those tools to work from anywhere, not just the corporate office. More importantly, the device itself becomes part of the identity: a device that is joined or registered to Azure AD and reported compliant by Intune can be used as a condition to grant, limit or deny access to resources. Integrating that with conditional access also lets us drop excess password and MFA prompts on devices we already trust.

When it comes to managing BYOD or employee-owned devices, an alternative to full mobile device management (MDM) is mobile application management (MAM). MAM uses app protection policies to keep corporate data inside managed Microsoft applications such as Outlook, Teams, and OneDrive on iOS and Android, without enrolling the whole device.

This image illustrates mobility and security concerns and how modern device management solves them.

Using these modern applications ensures the best experience with cloud-hosted email and files for end-users, while at the same time preventing exfiltration of data to other apps or locations (e.g. Dropbox or G Suite). When an employee leaves the company, a selective wipe removes corporate data from the managed applications without disturbing the employee’s personal apps, data, and pictures on the device.

To pick up these capabilities, implement Microsoft Intune, available in:

  • Enterprise Mobility + Security E3 or E5
  • Microsoft 365 Business (now Microsoft 365 Business Premium)
  • Microsoft 365 E3 or E5
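An iOS app protection policy that implements the MAM controls just described (data stays inside managed Microsoft apps, no Save As to third-party storage, selective wipe after a period offline), as an added example that is not part of the original article or of SUCCESS’s own tooling. It calls the Microsoft Graph REST API through the Graph PowerShell SDK; the property names follow the Graph v1.0 iosManagedAppProtection schema, the bundle identifiers are the public App Store ids for Outlook, Teams and OneDrive, and $byodGroupId is a placeholder for the group of BYOD users.

```powershell
# Added example, not code from the original article.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$graph       = "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"
$byodGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: BYOD users group

# 1. Create the policy. Invoke-MgGraphRequest returns the created object as a hashtable.
$policy = Invoke-MgGraphRequest -Method POST -Uri $graph -Body @{
    "@odata.type" = "#microsoft.graph.iosManagedAppProtection"
    displayName   = "BYOD iOS - corporate data only in managed apps"
    # Data transfer: only to and from other policy-managed apps; paste into
    # managed apps is allowed, copying corporate text out is not.
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    # No Save As to Dropbox, iCloud Drive etc.: only OneDrive and SharePoint.
    saveAsBlocked               = $true
    allowedDataStorageLocations = @("oneDriveForBusiness", "sharePoint")
    dataBackupBlocked           = $true
    printBlocked                = $true
    contactSyncBlocked          = $true
    managedBrowserToOpenLinksRequired = $true
    # Access requirements: an app PIN, a compliant device, and periodic re-checks.
    pinRequired                       = $true
    minimumPinLength                  = 6
    organizationalCredentialsRequired = $false
    deviceComplianceRequired          = $true
    periodOnlineBeforeAccessCheck     = "PT30M"
    periodOfflineBeforeAccessCheck    = "PT12H"
    # Selective wipe: corporate data in the apps is removed after 90 days offline.
    periodOfflineBeforeWipeIsEnforced = "P90D"
}

# 2. Target the Microsoft apps named in the article: Outlook, Teams, OneDrive.
$apps = @("com.microsoft.Office.Outlook", "com.microsoft.skype.teams", "com.microsoft.skydrive") |
    ForEach-Object {
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = $_ } }
    }
Invoke-MgGraphRequest -Method POST -Uri "$graph/$($policy.id)/targetApps" -Body @{ apps = $apps }

# 3. Assign the policy to the BYOD group. Users outside the group are unaffected.
Invoke-MgGraphRequest -Method POST -Uri "$graph/$($policy.id)/assign" -Body @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $byodGroupId } }
    )
}
```

Pair this with the “require app protection policy” grant control in conditional access if you want Exchange Online to refuse unmanaged mail clients outright rather than rely on users installing the right app.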

5. Discover – and manage – your other applications

Managing multiple identities and passwords is hard. Microsoft 365 includes tools that tie third-party applications into Azure Active Directory through single sign-on (SAML or OpenID Connect), so that users have one identity instead of separate logins, access can be controlled centrally, and you gain visibility into what is happening in those other cloud environments. Those applications then benefit from the same advanced security, such as:

  • MFA
  • Blocking downloads on unmanaged devices
  • Conditional access
  • And so forth, extending the same protections to other cloud providers such as Google and Box, with minimal configuration or re-work.

While Office 365 and Microsoft 365 Business plans will allow you to set up single sign-on to third-party cloud apps, you will derive the most benefit from this arrangement with the addition of Azure AD Premium and Microsoft Cloud App Security (since renamed Microsoft Defender for Cloud Apps). Both together can be obtained within:

  • Enterprise Mobility + Security E5
  • Microsoft 365 E5 Security
  • Microsoft 365 E5
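The discovery half of this section, as an added example that is not part of the original article: before putting SSO and conditional access in front of third-party apps, you want to know which apps are already wired into your Azure AD and which permissions users have consented to on their own, because an OAuth app with Mail.Read that any user can consent to is a data-exfiltration path that no MFA policy touches. It assumes the Microsoft.Graph.Applications module and the Application.Read.All and Directory.Read.All permissions; the list of scopes treated as high-value is this example’s own choice, and the Microsoft first-party tenant id it excludes is the publicly documented one.

```powershell
# Added example, not code from the original article.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# Delegated scopes that give an app mail, files, or a long-lived refresh token.
# This is an illustrative list; extend it for your own environment.
$riskyScopes = @(
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All", "Directory.AccessAsUser.All", "offline_access"
)

$tenantId        = (Get-MgContext).TenantId
$microsoftTenant = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"   # owner tenant of Microsoft first-party apps

# Service principals for applications registered outside this tenant, i.e. the
# third-party / multi-tenant apps users signed up for. First-party Microsoft apps
# and your own app registrations are excluded.
$thirdParty = Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'" |
    Where-Object {
        $_.AppOwnerOrganizationId -and
        $_.AppOwnerOrganizationId -ne $tenantId -and
        $_.AppOwnerOrganizationId -ne $microsoftTenant
    }

$report = foreach ($sp in $thirdParty) {
    # Each grant is a consent record: ConsentType "AllPrincipals" means an admin
    # consented for the whole tenant, "Principal" means one user consented for
    # themselves (PrincipalId tells you who).
    $grants = Get-MgOauth2PermissionGrant -All -Filter "clientId eq '$($sp.Id)'"
    foreach ($g in $grants) {
        $scopes = $g.Scope -split ' ' | Where-Object { $_ }
        [pscustomobject]@{
            App                = $sp.DisplayName
            AppId              = $sp.AppId
            ConsentType        = $g.ConsentType
            ConsentingUser     = $g.PrincipalId
            Scopes             = $scopes -join ','
            RiskyScopes        = ($scopes | Where-Object { $_ -in $riskyScopes }) -join ','
            # $false means any user in the tenant can sign in to the app.
            AssignmentRequired = $sp.AppRoleAssignmentRequired
        }
    }
}

# Apps holding high-value permissions that are open to every user in the tenant:
# these are the first candidates for assignment requirements, a conditional
# access policy, or removal of the grant.
$report |
    Where-Object { $_.RiskyScopes -and -not $_.AssignmentRequired } |
    Sort-Object App |
    Format-Table App, ConsentType, ConsentingUser, RiskyScopes -AutoSize
```

Once the inventory exists, the same service principals are where you switch on “assignment required”, attach a conditional access policy, and point Cloud App Security at the app for session-level controls such as blocking downloads on unmanaged devices.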

In Short

So, what does “good” security look like? Strong authentication is a good start, sure. But don’t stop at protecting the front doors. You need to guard against threats both known and unknown. And, you must increase your visibility into that cloudy mess of apps and data sitting out there in the ether; once you have visibility, then you can implement controls. Once you have data, then you can get alerts on it. Once you have alerts on that data, you can choose how to respond.

Microsoft 365 provides many, many tools to help you learn what it is you even have, to start with; because you cannot protect what you do not know you have.  Once the relevant data is gathered, we can impose better protections, such as:

  • Enforcing device compliance
  • Blocking risky sign-in attempts
  • Limiting access under specific conditions
  • Alerting you to unusual activity
  • Enforcing automated remediation, via policy

Do you currently have visibility into when your company is being targeted?  Or when a risky event is taking place? Think: mass download or exfiltration of data, unusual file sharing activity, unusual email patterns, sign-in attempts from foreign countries, admin activities from unauthorized IP addresses, and so forth. You get the idea.

If you can’t answer this with certainty, then you need to be talking to your fully-equipped team at SUCCESS about improving your security posture in the cloud.

Give us a call at (763) 593-3000 if you have questions, or if you are ready to continue on this secure cloud journey.