MS Office 365 Security & Monitoring
I wrote a short post recently with some guidance for start-ups – if you read it you’ll notice I assume that any start-up will be making use of cloud services, rather than trying to build and host infrastructure internally. It’s not just start-ups using cloud services of course – everyone does, and with good reasons; flexibility, cost etc. and also often improved security. However there are some security related responsibilities that remain with the customer which address some additional risks that come from using online services – I want to talk here about Microsoft Office 365 (O365) because I think it’s good to be specific and also because it’s probably one of the most widely used cloud services, even if it often doesn’t fall under that product heading. Everything I have to say applies to other services too.
As I said O365 is probably the most common cloud service that most businesses, regardless of size, will be familiar with. It’s not my job to sell MS services, but I’ll note that O365 use really does span the spectrum of businesses sizes, with packages for very small businesses, all the way through to enterprise services. What is interesting that this is all the same service, running on the same infrastructure, meaning that the smallest of businesses can benefit from a service which is secure enough and available enough to be trusted by the very largest organisations (obviously this is true of Gmail and others too).
The flexibility and scalability of the service mean that a lot of the setup, including some of the security features, are left to the customer to configure, and some extra protections come with additional cost. If you are using O365, and especially if you have migrated from an existing on-premise installation, it is important you consider these options. O365 is an excellent, and very safe, service but it does bring some new risks – you can access O365 through a web browser from anywhere, so your users can be phished, or use weak passwords potentially jeopardising your company’s information.
Don’t think this won’t happen to you. Compromising O365 accounts through phishing, trying weak passwords or credential stuffing (taking email & password combinations from other breached services and trying them elsewhere) is big business. Once breached accounts can be used for multiple purposes – simple theft of information, to send further spam, or for financial fraud (e.g. by sending faked invoices to your customers).
Prevent his happening by enforcing two-factor authentication for all users. There is guidance here on how to do this – it is a vital defence. Without two factor authentication you are reliant completely on your users having unique passwords and being resistant to phishing (both of which you should also encourage – check out our training section).
You should also monitor your O365 instance for unusual or suspicious activity. Again, MS provides you with a tool to do that, Cloud App Security (CAS). You can find out more about CAS here. As with many MS cloud offerings, it can do a lot for you. For a small business it will provide you with visibility of who is accessing your O365 estate, from where, and what they are doing, along with alerting of suspicious activity. However, it does require a security analyst to look at the alerts, and take action on them when something odd is detected.
We can field any questions you have around cloud security and of course we can do the monitoring for you. CloudSecurity+ can help you and your business mitigate these risks. We will monitor your O365 tenancy, alerting you promptly to suspicious or unusual activity, which will include:
- Connections from unusual countries (or from anywhere outside your home country if your staff don’t travel)
- Connections from suspicious IP addresses
- Multiple failed logins, or failed logins from place where you have no staff
- Connections from unusual devices
- Email forwarding rules to addresses outside your organisation (a common tactic for cyber criminals
- Anything else that seems suspicious or odd
I hope you have found this helpful. If you have questions, requirements or comments, please get in touch.
As always, thanks for reading. Rob