Secure your Investment with Microsoft 365 Security Best Practices

Chief Technology Officer

There has never been a more important time to look at Microsoft security best practices. Employees will continue to work from home on either a full-time basis or the more sought-after hybrid home/office environment. This shift means that the days of containing common or advanced threats to a controlled environment will disappear faster than ever.

The threat landscape is evolving, and an increase in attack surfaces has overwhelmed cybersecurity resources and resulted in overworked teams. To build resilience in your organization, your security team needs solutions that provide comprehensive threat intelligence.


If your organization already leverages Microsoft 365, you are in luck. It is never too late to leverage Microsoft 365 as your primary digital workplace technology. Microsoft’s years of investment in cloud technology have made them a front-runner in understanding and helping mitigate security threats at cloud scale.

We hope to provide you with an understanding of the security advantages that hosting your Intranet on Microsoft 365 can provide. However, if you have any targeted questions that you would like to gain a better understanding around, we would love to provide you with insight from our years of experience and over 100 Microsoft 365 intranets deployed.

Protecting your organization with Microsoft 365 Business Security Features and Best Practices

Microsoft 365 reduces the burden of performing routine IT management tasks such as keeping security updates current and performing back-end upgrades. Naturally, an Intranet on Microsoft 365 may be more secure with less overhead from an IT management perspective.

It’s important to understand the continually improving security management and security-enhancing features that are delivered to Microsoft 365.

In this article, we will review:

Dynamic Group Membership & Rule-Based Security | Microsoft Security Best Practices

One very common requirement in SharePoint and other Intranet solutions is to have the ability to target content to a dynamic audience of users and similarly secure information based on dynamic rules.

Conditional Access Exceptions - Dynamic Membership Rule

Traditionally we have done content targeting with Audiences in SharePoint. An Audience is a dynamic set of users compiled, usually once a day, and at compile-time, the Audience rules are evaluated. A SharePoint Audience is used to target information but cannot be used to protect content. Microsoft 365 Groups are powered by Azure Active Directory and support something called Dynamic Membership.

This enables group membership and content or collections within the Intranet to be secured based on dynamic rules and not just based on traditional group membership – a powerful innovation and pattern for security that is enabled based on the integration between Microsoft 365 and Azure Active Directory.

To learn more about this feature, be sure to read this article on using attributes to create advanced rules.
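As an added example (not code from the original post or from 2toLead), here is how such a rule-based group can be created and verified with the Microsoft Graph PowerShell SDK; the group name, mail nickname and attribute values are placeholders.

```powershell
# Added example (not from the original post): create an Azure AD dynamic security
# group whose membership is recalculated from user attributes, then verify that
# rule processing is actually enabled. Group name, mail nickname and attribute
# values below are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Azure AD dynamic membership rule syntax. Only enabled member accounts in
# Finance qualify; guests never match, so an intranet library secured with this
# group cannot be opened by an external user who happens to share the same
# department value.
$rule = '(user.accountEnabled -eq true) and (user.userType -eq "Member") and (user.department -eq "Finance")'

$group = New-MgGroup -DisplayName "Intranet - Finance (dynamic)" `
    -MailNickname "intranet-finance-dyn" `
    -MailEnabled:$false `
    -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Verify: processing must be "On", otherwise the rule is never evaluated and the
# group silently stays empty (a common cause of "nobody can see the site").
$check = Get-MgGroup -GroupId $group.Id `
    -Property "id,displayName,membershipRule,membershipRuleProcessingState"
if ($check.MembershipRuleProcessingState -ne "On") {
    throw "Dynamic membership processing is not enabled for $($check.DisplayName)"
}
$check | Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Because membership is derived from directory attributes, the attributes the rule reads (here department and userType) should only be writable by your HR or identity provisioning process, not by the users themselves.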

Support & Escalation | Microsoft 365 Security Best Practices

Microsoft provides support for Microsoft 365. There are also premier support options for Microsoft 365. Lastly, you can pay vendors (like 2toLead – that’s us!) to provide additional support, troubleshooting, and issue resolution around Microsoft 365 issues.

An initial support request can be made in two ways. Save time by starting your service request online in the Microsoft 365 admin center or call in. Get the support phone number for your country or region.

The initial support path will connect you with a support engineer who can assist with basic end-user features and admin scenarios. You will sometimes need to escalate your support request, possibly more than once, until you reach a sufficiently senior engineer.

What we have found is that these senior-level engineers are quite capable. They have been open to communicating directly, which has often helped us rapidly understand customer-specific issues and the best solution(s).

Speed up the process with these tips

When you interact with a support engineer, note that there are a few ways to expedite support escalation to get you a senior-level engineer.

Tip 1

You can use premier support options for Microsoft 365.

Tip 2

You can work with a partner (like 2toLead) who can have access to escalated support paths.

Tip 3

You can ask the engineer to escalate you. One technique is to ask for a business impact statement to be filed when the issue has a critical impact on your business, as this rapidly leads to the escalation of an issue.

Privacy & Regulatory Issues | Microsoft Security Best Practices

Some privacy-related sub-topics can be relevant when planning a Microsoft 365 Intranet. The legal and regulatory needs of an organization can be complex and often vary based on organizational needs.

As you are probably aware, the strict requirements of North American and international data protection laws and their national implementations are difficult to reconcile with several aspects of cloud computing. Particularly problematic aspects relate to:

  • the cross-border transfer of personal data.
  • the very broad definition of personal data and the potentially very wide definition of sensitive personal data.
  • the reduced level of control that customers can exercise due to the decentralized approach and the dependency on the service provider.

Things to consider and questions to ask when exploring Microsoft 365 to power your Intranet

Remember that even in a hybrid state with SharePoint 2016 or SharePoint 2019, if you are unifying the search index, your indexed content will be held in Microsoft 365 datacenter(s).

Most of these considerations are part of a broader analysis of privacy in Microsoft 365. Looking at this from an intranet perspective should help simplify the conversation as many issues get more complex when dealing with mail/Exchange.

You will want to work with Microsoft and a reliable expert to answer questions like:

How might you migrate to a different provider or back on-premises?

  • This isn’t your first choice, but having the ability is important.
  • There are some great options here depending on the content/technology you are looking at migrating. For an Intranet, this is something that, while extremely rare, is done with relative ease using proven third-party tools that have relatively low costs.

Who owns the data? Who is liable in the case of company data loss?

How is the termination of the contract handled? What happens to the data?

  • Keep in mind that SharePoint Online provides encryption of the data. Additionally, Microsoft has disclosed that they intend to provide customers the ability to ‘bring their own key,’ enabling more options around who can ‘effectively see the data.’

What laws are different based on various jurisdictions on access to data for your organization?

How are the data centers secured? What policies are in place?

What compliance auditing does Microsoft support?

How would server seizure be handled, and what are the implications for all parties involved?

Microsoft Compliance & Privacy Policies | Microsoft 365 Security Best Practices

Microsoft 365 is a multi-tenant service (meaning your company data is present on some of the same infrastructure as other Microsoft customers). Microsoft 365 is verified to meet requirements specified in ISO 27001, EU Model Clauses, HIPAA BAA, and FISMA. All of those have privacy rules that Microsoft must follow and indicate that Microsoft is continuously making a considerable investment in compliance and privacy.

For a comprehensive view of the privacy policies Microsoft 365 follows, you should review the Microsoft 365 trust center and request the latest audit reports as needed from your Microsoft team.


In short, Microsoft provides an extremely strong privacy policy. There are over 300 people focused on data privacy at last count, including Software Engineers, Scientists, IT Pros, Marketing and Lawyers at Microsoft. So, they probably have better privacy protection than many organizations concerned with privacy regulations and rules. There is a significant benefit gained from Microsoft taking on the auditing and compliance costs related to some of these kinds of challenges.

Encryption & Bring Your Own Key | Microsoft Security Best Practices

While your data is encrypted at rest automatically with Microsoft 365 Cloud Security, you can further encrypt content with Azure Information Protection (AIP).

Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps an organization classify, label, and protect its documents and emails. This can be done automatically by administrators who define rules and conditions, manually by users, or by a combination where users are given recommendations.

Leverage Azure Rights Management (often abbreviated to Azure RMS)

This technology is integrated with other Microsoft cloud applications and services, such as Microsoft 365 and Azure Active Directory. It can also be used with your line-of-business applications and information protection solutions from software vendors, whether these applications and solutions are on-premises or in the cloud.

Leverage encryption, identity, and authorization policies

Similar to the applied labels, protection that is applied by using Rights Management stays with the documents and emails, independently of the location—inside or outside your organization, networks, file servers, and applications. This information protection solution keeps you in control of your data, even when shared with other people.

For example, you can configure a report document or sales forecast spreadsheet so that it can be accessed only by people in your organization, control whether that document can be edited or is restricted to read-only, and prevent it from being printed. You can configure emails similarly, preventing them from being forwarded or preventing the use of the Reply All option.

These protection settings can be part of your label configuration so that users both classify and protect documents and emails by merely applying a label. However, the same protection settings can also be used by applications and services that support protection but not labeling. For these applications and services, the protection settings become available as Rights Management templates.
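As an added example (not from the original post or from Microsoft’s documentation), the report scenario above expressed as a sensitivity label carrying Rights Management protection, created and published with Security & Compliance PowerShell; the label names, the group address and the contoso.com domain are placeholders.

```powershell
# Added example (not from the original post): a sensitivity label whose Rights
# Management protection keeps a report readable only by the organization's own
# users, lets one group edit while everyone else is read-only, and denies print,
# forward and Reply All. Label names, group address and domain are placeholders.
Connect-IPPSSession

# Usage rights per identity, separated by ';'. Rights not listed are denied:
#   - finance editors: view and edit the document, reply (no REPLYALL/FORWARD/PRINT)
#   - everyone else in the tenant domain: read-only, reply only
$rights = "[email protected]:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,REPLY;" +
          "contoso.com:VIEW,VIEWRIGHTSDATA,REPLY"

New-Label -Name "Internal-Report" `
    -DisplayName "Internal Report" `
    -Tooltip "Internal only: read-only for most, no print, no forward, no Reply All" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $rights `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7

# A label is invisible to users until a label policy publishes it.
New-LabelPolicy -Name "Publish Internal Report" `
    -Labels "Internal-Report" `
    -ExchangeLocation All

# Check what the service actually stored for the label before relying on it.
Get-Label -Identity "Internal-Report" |
    Select-Object Name, EncryptionEnabled, EncryptionProtectionType, EncryptionRightsDefinitions
```

The offline access window is the period a client can keep opening the content without re-checking rights with the service, so a shorter value tightens revocation at the cost of offline use.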

The Azure Information Protection tenant key

You can also control the overall tenant key that you use for this. Managing your tenant key is also referred to as bring your own key, or BYOK.

Azure Information Protection | Microsoft 365 Security Best Practices

The Azure Information Protection tenant key is a root key for your organization. Other keys can derive from this root key, such as user keys, computer keys, and document encryption keys. Whenever Azure Information Protection uses these keys for your organization, they cryptographically chain to your Azure Information Protection tenant key.

There is a lot of confusion around BYOK, so keep in mind that it exists for compliance regulations, additional security, and control over all key lifecycle operations. With BYOK, your tenant key must be protected by a hardware security module (HSM).

Remember that through the use of techniques like SharePoint Data Loss Prevention (DLP), Azure Information Protection, and its existing Information Rights Protection capabilities, you could automate the discovery of key privacy data and encrypt it with Rights Protection. This enables deeper security and protection levels beyond the encryption and protection offered at the container level (site, library, tenant-level).

Data Residency | Microsoft 365 Security Best Practices

You should understand whether Microsoft 365 is available in the region where you plan to host your tenant. Microsoft provides a data residency option to existing Microsoft 365 customers covered by the data centers listed in the table below.

M365 Security Need to Know: List of Microsoft Data centers

While this may ensure your data is within that region, there is a separate offering that you can pay for from Microsoft to enable multi-geo support and still support data residency requirements. This can ensure OneDrive data or SharePoint data is stored in the appropriate geography. For large-scale global Intranets, this could be a significant benefit worth exploring.

Whether you are reinvigorating your Microsoft 365 digital workplace or thinking about starting your journey, Microsoft 365 is a surefire way to improve digital communication and collaboration.

Microsoft 365 out of the box is already a massive step in the right direction, but the advantages can be astronomical with the proper guidance. We would love to be the consultants who help guide you to your optimal digital workplace. Our team is ready to show you that you will love the way we work. Together.

Secure your M365 Intranet Knowledge with the Big Picture

Do you feel like you are now better prepared to prevent things like data breaches and stay on top of issues in real time? Strong security is only one of the ways your organization can benefit from Microsoft 365. They continuously innovate to improve all aspects of the solution.

We have combined years of knowledge and experience in the Microsoft 365 Intranet space to provide you with most of the information you will need to empower employee engagement, improve content management systems, increase productivity through increased team collaboration, and enhance your internal communication efforts on a large scale. You can find it all in our Intranet Whitepaper.
