A security professional's guide to digital transformation
Contents
What is Digital Transformation?
What are the benefits of Digital Transformation?
Reduction of Costs per Transaction
Improved Customer Care and Strategy
Advanced Reporting and Analytics
Increased Technologic Agility and Innovation
Integrated System for better Security and Access Controls
What is the Modern Workplace?
Modern Workplace Trends
Collaboration without Barriers
Always on Mobile access
Geographically Diverse Workforce
Common Challenges to a Modern Workplace
Security and Access Control
Device and Data Management
The 'Bring Your Own Device' quandary
Legal and Regulatory Compliance requirements
Understanding Provider and Customer responsibilities
Core Security Features
Baseline Security components
Identity and Access Management
Logging and Auditing
Threat Intelligence
Encryption controls
Securing your Business in the Modern Workplace
Protection for all devices and networks
Protecting and controlling sensitive information
Controlling data and content access
Organizational management controls
Suggested Approach and Recommendations
Summary
What is Digital Transformation?
Digital Transformation is the process of integrating technology into every area of the business. It fundamentally changes how end users operate and deliver value to their customers. The most significant part of the transformation is cultural: it requires organizations to continually challenge the standard way of working, experiment with new ideas and become comfortable with failure while executing the transformation. An essential element of digital change is technology. Often, it is more about modifying or removing outdated processes and legacy systems than it is about adopting new technology. If businesses want to keep up with the rapid pace of digital change today, they must work to increase efficiency with technology wherever possible. For many organizations, that means adopting agile practices across the business and including automation technologies to gain speed and a technical edge. Working with end users, helping them change their current processes and habits, and adopting new, improved and streamlined procedures with technology as a facilitator, is the true essence of Digital Transformation.
What are the benefits of Digital Transformation?
There are five core benefits to Digital Transformation that can apply to all organizations. These benefits cover a spectrum of areas, from costs to analytics to a better focus on customers.
Reduction of Costs per Transaction
When businesses shift focus and optimize technology and operations as part of the digital transformation, cost per transaction decreases, meaning there is an increase in sales. Utilizing new technology to perform previously manual tasks, or using faster mechanisms, helps to bring the cost of retaining a client to the smallest dollar value possible. The overall effect on the business is reduced running costs while providing better services.
Improved Customer Care and Strategy
Digital transformation’s core goal is to use technology in conjunction with business
processes to enhance the customer experience. When businesses shift focus and pay
more attention to what customers want, the service is improved consistently across all
areas of the business and customer channels.
Advanced Reporting and Analytics
Moving the organization to new platforms such as Cloud offerings gives companies the ability to combine data from all customer interactions and repositories, whether unstructured or structured. Combining these sources into a useful, actionable format allows the business to optimize customer experiences and expenses.
Increased Technologic Agility and Innovation
By removing the dependency on old, slower legacy IT systems, businesses can make themselves more nimble and responsive to change. A business that can respond quickly to current market trends, customer demands or even internal change is a more successful company.
Integrated System for better Security and Access Controls
Connecting enterprise-wide systems and technologies simplifies and universalizes the employee experience. It can also have a significant impact on the customer experience. However, security needs to be at the forefront of the transformation. Combining the implementation of new technology platforms with best-practice security solutions and guidelines increases the organization's overall security posture.
What is the Modern Workplace?
Modern Workplace is the outcome of a Digital Transformation process. It is embracing
new ways that employees want to work, as well as how they work now. The Modern
Workplace needs to support working anywhere, anytime and on any device.
Modern Workplace Trends
As organizations digitally transform, three core trends need to be not only understood but adopted: first, Collaboration without Barriers; second, Always On Mobile access; and third, a Geographically Diverse Workforce. These three areas have the most impact on the technology solutions, platforms and approaches needed to support them. Understanding each will help in choosing the best strategies and solutions that end users will adopt and use. Supporting these will empower end users to work better, have more control and achieve more.
Collaboration without Barriers
In the modern enterprise, end users require the ability to collaborate not only with each other but with external vendors and partners, without complex processes to adhere to. Providing this capability falls to the organization. The core barrier to this type of collaboration is security: the need to control the flow of data and to ensure it is managed correctly. Allowing end users to share content often requires complex processes for validating the external users that content is shared with.
Always on Mobile access
End users essentially carry mini-computers with them everywhere they go. No longer do they want to carry around a corporate-assigned laptop or device. End users want to choose the device type they work from while maintaining a working experience consistent with using a corporate-assigned device. Historically, the devices organizations provide lag behind the most current device types available, which causes end users to turn to non-approved or personal platforms and devices.
Geographically Diverse Workforce
Most organizations in the past required end users to be physically located within an office to work. Offices back then provided the best services available, in most instances better than anything available at an employee's residence. In today's digital world, communication technology is no longer the barrier to working. Most end users have faster and more reliable internet connections, allowing them to work faster and on the go. End users no longer want to be bound to an office to work. The ability to work in the office, at home, while traveling, or even in a completely different country, continent and time zone is a core foundational block of digital transformation.
Common Challenges to a Modern Workplace
With the Modern Workplace needing to support working anywhere, anytime and on any device, the organization may face new challenges. Common issues can be summarized and grouped into three core areas: first, Security and Access Control; second, Device and Data Management; and third, Compliance. Each area has its own challenges and issues, which must be understood and mitigated for an organization to support a digital workplace.
Security and Access Control
Organizations, for the most part, work independently and do not require any external access or sharing. Most of the systems and data sit "behind the Firewall" and do not need to be made external. Authentication is typically done using internal accounts, generally provided by a managed platform within the organization such as Active Directory. For many years, organizations have not needed to worry about end users requiring to log in from outside of the protected network perimeter. The digital workplace would fail if this were still the case, given the needs of today's end users. Organizations now need to create new policies and plans, and implement solutions, to mitigate the inherent risk that comes from external access and sharing of data.
End-user Security Controls
Educating end users on security is a hard task and requires extra effort and training for nearly all organizations. Providing a solution that allows them to continue working, while offering simple, easy and intuitive security controls, is imperative for any organization. Historically, IT and Security have focused too much on restricting access and control, whereas digital transformation advocates for more straightforward and uncomplicated tools. Providing the right tools that facilitate ease of use and apply the correct protections is the goal.
Security versus Usability
For many years, security and usability have been at odds with each other. Many organizations adopted the strategy of "more secure means complicated process" and ignored the need for security controls to be seamless and user-friendly. In the modern digital world outside of the workplace, many providers and platforms already provide significant levels of security and control for consumers. However, organizations seem to hold on to old ways of doing this, as if these ways were the only and best way of implementing what is needed. Newer technology is now available that provides a more streamlined approach to security and a better end-user experience.
Device and Data Management
The proliferation of devices, as well as data, is a real challenge to digital transformation and the modern workplace. On the one hand, organizations deploy devices for control, but then users want to use the most current tools and applications. Many organizations by design do not use the most current applications, tools or devices for fear of being too leading edge and not getting the right support. The notion that older is better, more trusted and more supportable is no longer the case. Utilizing modern platforms and devices brings faster performance, better controls, better security and, of course, a better experience for the end user.
The 'Bring Your Own Device' quandary
A question that every organization debates time and time again is: should we allow end users to use their own devices, or should we provide them? For devices such as laptops, nearly all organizations still offer them. However, for mobile devices such as phones and tablets, many organizations allow end users to use their own devices. It is a great model to follow, allowing users to work on them without the organization having to provide the level of support that company-provided equipment requires. Reducing the workload for supporting devices is a good thing; however, how do organizations then protect their assets, such as data, on a non-managed device? That question is frequently discussed, and there are advantages and disadvantages either way. Based on research, allowing the use of personal devices increases productivity, as it enables a user to truly digitally transform and use the modern workplace concepts of working anywhere, anytime and on any device.
The critical challenge is the ability to create the security and define the controls that limit not only how a personal device connects to internal applications but also how data transfers to and from the device.
Legal and Regulatory Compliance requirements
In many countries and professions, meeting statutory and legal compliance is more important than the actual technology that is in use. Digital Transformation is about creating more natural working processes and "opening the door" for collaboration and better working. Providing these features while still meeting compliance requirements can be complicated. In many organizations, it is the Compliance and Legal departments that delay digital transformation. Usually, this is because of the speed of change that is required, as well as the removal of the rigid processes and approaches that the Compliance and Legal departments utilize daily. Often this is because the Compliance and Internal Audit departments are the last ones to know about the digital transformation process. Many organizations view Compliance and Internal Audit departments as a cost center rather than a strategic business unit, which can also have an impact and cause delays in transformation. There are significant risks to the organization when the digital footprint increases with connected devices and other emerging technologies. As the organization transitions to this approach, its risk profile changes, with the potential of increased vulnerability to cyber attacks. Compliance and Internal Audit teams can help by providing insight into these risks as well as potential mitigations.
Understanding Provider and Customer responsibilities
As a cloud provider, we take all precautions and implement all measures possible to secure the Data Center and its supporting infrastructure. We ensure mitigations and protections are in place for unauthorized access, security and data breaches, as well as natural disasters such as fires and flooding. Each Data Center provides redundancy on all essential supplies such as power and air conditioning, to minimize the possibility of a service disruption. We also ensure that our services comply with critical protection laws and standards such as data protection legislation, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), Criminal Justice Information Services (CJIS), the Sarbanes-Oxley Act and the Federal Information Security Management Act (FISMA), to name a few. Along with all the security and protection in place, we also ensure business continuity and data recovery by maintaining resilient Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), as well as failover between all data centers. Depending on the service you choose, however, from On-premises through to Software-as-a-Service (SaaS), responsibility moves from us to you.
On-premises infrastructure requires organizations to manage all aspects, from the core infrastructure to being accountable for all content, data and, of course, security. Moving to Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS) removes your responsibility for managing the underlying system.
Office 365 is a Software-as-a-Service (SaaS) solution, which ensures that you as the organization do not have to manage core infrastructure, the network or the communication between all services. However, you still need to control Identity & Access Management, Client & Endpoint Protection, and data classification and management. All these services are provided within both Office 365 and the broader Microsoft 365 services, making management and control easier. With Software-as-a-Service (SaaS), you get all the services needed provisioned with a well-defined feature set. These are customizable to a certain degree; however, protections and restrictions are in place to limit what can be changed. Most of the Office 365 online services now have more features than their on-premises counterparts. This allows us to provide you with a consistent experience across multiple devices, anywhere and anytime.
Core Security Features
Microsoft 365 contains various features that provide core security within each provided tool. These security features are built directly into the overall service, making it easy to offer consistent controls for all applications. Core infrastructure is where it all starts, from the disks within the servers, networking components and access control to the encryption used for storing data.
Baseline Security components
Microsoft 365 ensures your data is yours, and as such does not grant standing access to either the core infrastructure or the data storage locations. Managed service-level controls and policies enable businesses to allow or deny access as needed. As well as controlling access to the core services and data, the data centers themselves contain the same level of security. Access is restricted 24 hours a day to specific job functions. Each data center is monitored using motion sensors, video surveillance and security breach alarms. Physical access controls include perimeter fencing, security-controlled entrances, on-premises security officers, continuous video surveillance and real-time communications. To gain access, multiple authentication and security validation steps are required, including badges, smart cards, biometric scanners and two-factor authentication, including your final approval.
Identity and Access Management
Controlling access to Microsoft 365 is achieved through Azure Active Directory. Organizations can manage users, provide authentication, manage identities and control access. These identity services can easily integrate with on-premises Active Directory, allowing organizations to manage all identity and access requests efficiently.
Not only is Identity and Access Management important for organizations, but it is also imperative to have granular controls when allowing support engineers and teams to resolve issues and problems.
Logging and Auditing
Microsoft 365 includes several logging, auditing and reporting features. Organizations can use the audit information and reports to more effectively manage security and risks, as well as the end-user experience. The Office 365 Security & Compliance Center provides a single place for not only protection controls but also auditing and reporting. In addition to the events and log data visible to organizations, an internal log data collection system is available to Office 365 engineers. This log data is retrieved from Office 365 and stored within a large service called Cosmos. Each service and application generates log entries that are then uploaded and aggregated together to allow deep inspection of usage, as well as helping to identify issues and security risks.
Log data that contains any organization specifics is obfuscated, removing tenant information and end-user identifiable details, ensuring you have control over the data. We restrict the management of audit functionality to a limited subset of service team members that are responsible for audit functionality. These team members cannot modify or delete data from Cosmos; there is no ability to alter or remove data from the Cosmos platform. All team member usage is logged and audited to ensure all actions are controlled and monitored.
Threat Intelligence
Office 365 Threat Intelligence is a core component of all applications and services. A combination of signals, application events, user and admin activities, as well as security-related incidents, is aggregated to provide security intelligence to your organization. This information is combined with data from an extensive repository of threats, techniques and attack behavior, which is then used to provide real-time cybersecurity information. Using the provided intelligence, organizations can better detect patterns that correspond to real-world data and security breaches. This information is supervised and managed by our Cyber Defense Operations Center, which contains the best experts in cyber defense worldwide, and it feeds these products and services in real time.
Native solutions are built directly into each service, providing coordinated protection and remediation. Identification of potential threats can help you as an organization stop harm to the business by ensuring both cloud and hybrid workloads are secure.
Encryption controls
We use multiple encryption technologies, no matter the protocol, storage or access. Transport Layer Security (TLS) is used to encrypt all communications over the network. Internet Protocol Security (IPsec) provides authentication, integrity and confidentiality for all data at the IP packet level as it transfers across the network. The Advanced Encryption Standard (AES) is the selected standard for all symmetric-key encryption. BitLocker encryption, which utilizes AES, is used within the core infrastructure to encrypt all drives and volumes on Windows Servers and client machines. BitLocker also encrypts Shielded Virtual Machines, to ensure that administrators cannot access information inside the virtual machines. Azure Storage Service Encryption encrypts data at rest when it is stored within Azure Blob Storage. Azure Disk Encryption encrypts the disks of Windows and Linux infrastructure-as-a-service (IaaS) virtual machines, using BitLocker on Windows and DM-Crypt on Linux to provide volume encryption. Transparent Data Encryption encrypts data at rest when stored within Azure SQL databases. To protect specific pieces of data such as keys or other sensitive information used by applications, Azure Key Vault stores them using a cloud-based hardware security module. Encrypting the information renders it unreadable to unauthorized persons, even if they break through the firewalls, infiltrate the network, get physical access to devices, or bypass the permissions on local machines.
Securing your Business in the Modern Workplace
The modern workplace now requires tools, services and components that provide best-in-breed security. Four key areas need consideration within the modern workplace:
Protection for all devices and networks
Protecting and controlling sensitive information
Controlling data and content access
Organizational management controls
Understanding the provided services within Office 365 and the supporting Azure
components will help you as an organization ensure each category has the right
protection.
Protection for all devices and networks
Modern devices such as a phone, tablet or laptop are more powerful than they have ever been. These devices are now common among all employees and users. No longer are users limited to regular working hours and set physical locations. As such, ensuring access is correct, content is secure and threats are limited is now a fundamental step to protect each device and service.
How can we control when mobile devices can connect to Office 365 services?
Office 365 provides two mobile device management capabilities. The first is Mobile
Device Management for Office 365 (MDM), and the second is Microsoft Intune. Mobile
Device Management for Office 365 offers simple yet powerful protections for any device
that connects to services within Office 365, such as Exchange Online, OneDrive for
Business and SharePoint Online. These policies modify and restrict devices, ensuring
they meet the criteria you decide as an organization. Password and passcode
protections assure that devices are secure before connecting to a service. Along with
standard device protections, encryption can be enforced ensuring that all content is
protected and controlled by the organization. The policies fall into the following
categories for all device types:
Security
Encryption
Jailbroken
Managed email profile
By defining a policy for mobile devices, all service access is checked and blocked as
required. When Mobile Device Management for Office 365 is coupled with service
protections found within OneDrive for Business and SharePoint Online, connections can
be controlled by network address as well as restricted to organization managed devices.
Microsoft Intune adds further capabilities to mobile device management. As a fully fledged MDM, every aspect of the mobile device can potentially be modified to ensure that a managed device is controlled and secure. With unmanaged or personal devices, enhanced policies plus conditional access controls can assure that devices only connect to Office 365 services when they are granted the right access and meet the requirements of your security controls.
Learn more at: https://docs.microsoft.com/en-us/intune
What controls can we use to restrict mobile devices from connecting outside of approved locations?
Mobile Device Management for Office 365 provides simple IP-based controls for ensuring devices are connecting from approved network subnets. As an organization, you provide the IP ranges and subnets that are allowed to connect to Office 365 services. When the device attempts to connect for the first time, the device policy is applied, along with the approved IP ranges. When the device subsequently connects, the IP address is checked and the connection is either blocked or allowed.
Microsoft Intune policies go one step further, allowing you to define controls that allow or block based on any location, trusted locations, or a preselected list of locations that you specify. These trusted locations reside within the core conditional access controls found within Azure Active Directory. Currently, these locations can be defined by IP address or by country and region. However, restricting access is not limited to the device itself. Any connection can be controlled by these policies, allowing granular rules to restrict client application access, or even to force multi-factor authentication before allowing access. Finally, compliance policies can be used to ensure that a device can only connect if on a corporate network. Usually, this type of policy is for company-issued devices.
Learn more at: https://docs.microsoft.com/en-us/intune/conditional-access
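As an added example (not code from the guide or from Microsoft), the following Microsoft Graph PowerShell creates a trusted IP named location and a country named location, then two Conditional Access policies: one requiring MFA for sign-ins from outside trusted locations, one blocking the listed regions. The display names, CIDR range, country code and break-glass group id are assumed placeholders.

```powershell
# Added example (not from the original guide): named locations plus Conditional
# Access policies, using the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns module). All display names, the CIDR range,
# the country code and the group id below are placeholders to replace.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Trusted IP named location: the corporate egress range (placeholder CIDR).
# Marking it trusted makes it part of the built-in "AllTrusted" set.
$corpEgress = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate egress (example)"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}
$ipLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $corpEgress

# Country/region named location for regions the organization never operates in.
# Unknown regions are included so an unresolvable source is treated as untrusted.
$blockedRegions = @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Blocked regions (example)"
    countriesAndRegions               = @("XX")   # placeholder ISO 3166-1 alpha-2 code(s)
    includeUnknownCountriesAndRegions = $true
}
$countryLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $blockedRegions

# Policy 1: require MFA for all users and all cloud apps unless the request
# comes from a trusted named location. Created report-only; enable after review.
$mfaOutsideTrusted = @{
    displayName   = "Require MFA outside trusted locations (example)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        applications = @{ includeApplications = @("All") }
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @("<break-glass-group-object-id>")  # placeholder
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # covers $ipLocation above
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaOutsideTrusted

# Policy 2: block sign-ins originating from the blocked-region named location.
$blockRegions = @{
    displayName   = "Block sign-in from blocked regions (example)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        applications = @{ includeApplications = @("All") }
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @("<break-glass-group-object-id>")  # placeholder
        }
        locations    = @{ includeLocations = @($countryLocation.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockRegions
```

Both policies are created in report-only state so their effect can be checked in the sign-in logs first; keep the break-glass group excluded before switching state to enabled, so an over-broad location rule cannot lock administrators out.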
What can be done to encrypt company data on mobile devices?
Both Mobile Device Management for Office 365 and Microsoft Intune provide policies that can enforce encryption. Each supported device type handles this differently; however, it is the content that is encrypted, not the entire device, unless policies are used to implement full device encryption, such as on a Windows 10 device. Both systems utilize a sandboxing capability, where these policies protect any data retrieved and used within applications. Encryption renders the information and content unreadable without the corresponding key, preventing unauthorized people from accessing it.
How can we protect personal devices that connect to Office 365 services?
Mobile Device Management for Office 365 provides policies for devices that connect. These can be applied to a personal device in the same way as to a managed corporate device. Each device registers with Azure Active Directory and, if using Microsoft Intune, is classified as either a personal or a managed device. There are a few ways to address device management for personal devices. Firstly, you can manage all aspects of a device by utilizing Microsoft Intune. Users will need to enroll their devices, using certificates to communicate with Microsoft Intune. As an IT administrator, you can deploy applications onto devices, restrict access to a specific operating system, and block all personal devices. If a device is misplaced, lost or stolen, you are then able to remove all company data from the device. Secondly, you can manage applications on devices using a process called Mobile Application Management (MAM). End users will then be able to use their personal devices to access organizational resources. When users open an app that connects to Office 365 services, policies are automatically applied. IT administrators can combine both Mobile Device Management (MDM) and Mobile Application Management (MAM) for the best approach.
Learn more at: https://docs.microsoft.com/en-us/intune/reports-ref-mobile-app-management
How can we ensure company data isn't copied between applications on a mobile device?
A real risk when using all types of mobile devices is the ability for end users to bypass security controls by copying data between applications. You can control how your end users share and save data without risking intentional or accidental data leaks. Intune provides app protection policies, allowing you to secure company data on user-owned devices. These devices do not need to be enrolled in Intune. App protection policies set up within Intune also work on devices managed with a non-Microsoft device management solution. Any personal data on the user-owned devices is not touched; the IT department manages only company data. Protection policies for Office mobile apps on user-owned devices running Windows, iOS or Android allow for the protection of company data. These policies let you set controls such as an app-based PIN and company data encryption, and restrict cut, copy, paste and save-as between company-managed and unmanaged applications. You also have the ability to remotely wipe company data without requiring users to enroll their devices.
Protecting and controlling sensitive information
How can I ensure that emails do not contain confidential information?
To help end users comply with organizational email policies, Exchange mail flow rules
can determine how email containing specific words or patterns is routed, either inside or
outside the organization. Exchange Online also offers mail flow rules that extend the
standard abilities, allowing examination of email attachments as part of the overall
messaging security and compliance platform. Inspecting attachments enables you to
take action on messages based on the content or characteristics of their attachments.
Mail flow rules provide many capabilities for controlling the flow of content through the
organization. Some capabilities are:
1. Adding a disclaimer to any message that contains attachments, based on pattern
matches you specify.
2. Inspecting content within attachments for keywords you specify, then
redirecting the message to a moderator for checking.
3. Blocking a message from being sent when it contains an attachment that cannot be
inspected by the protections.
4. Notifying the sender, or preventing the message from being delivered, when an
attachment exceeds a certain size.
5. Checking whether the Office document properties of an attachment match the values
that you specify within the policy.
6. Notifying users when they send a message that has matched a mail flow rule.
7. Blocking all messages containing attachments.
Mail flow rules can contain rules for not only traditional message classifications but also
rules for sensitive information found within messages.
Learn more: https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules
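The attachment-based rules listed above, written out in Exchange Online PowerShell as an added example (this is not code from the page or from Microsoft's documentation). It assumes an existing Connect-ExchangeOnline session, and the rule names, the moderator address compliance@contoso.example, the keyword "Project Falcon" and the document property value are placeholders for your own values. Rules start in Audit mode where that is useful so that mail is not blocked before the matches have been reviewed.

```powershell
# Added example: attachment-focused mail flow rules for Exchange Online.
# Assumes Connect-ExchangeOnline has already been run; all names and addresses are placeholders.

# 1. Prepend a disclaimer to any message whose attachment name matches a pattern (here: data files).
New-TransportRule -Name "Disclaimer: attached data files" `
    -AttachmentExtensionMatchesWords "xlsx","csv" `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText "<p>This message contains a data file. Confirm the recipient before forwarding.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# 2. Attachment content contains a keyword and the message leaves the organization: hold for a moderator.
New-TransportRule -Name "Moderate: project keyword in attachment" `
    -AttachmentContainsWords "Project Falcon" `
    -SentToScope NotInOrganization `
    -ModerateMessageByUser "compliance@contoso.example"

# 3. Attachment cannot be inspected (encrypted, password-protected or unsupported): reject with an NDR.
New-TransportRule -Name "Block: uninspectable attachment leaving the org" `
    -AttachmentIsUnsupported $true `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "The attachment could not be inspected. Share the file from SharePoint Online instead." `
    -Mode Audit   # switch to Enforce once the audit results look right

# 4. Attachment over a size limit: the sender gets an NDR instead of the message being delivered.
New-TransportRule -Name "Block: attachment over 10 MB" `
    -AttachmentSizeOver 10MB `
    -RejectMessageReasonText "Attachments over 10 MB are not permitted. Use a sharing link."

# 5. Office document property check: documents whose Sensitivity property is Confidential may not leave.
New-TransportRule -Name "Block: Confidential documents leaving the org" `
    -AttachmentPropertyContainsWords "Sensitivity:Confidential,Highly Confidential" `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "Confidential documents cannot be sent outside the organization." `
    -GenerateIncidentReport "compliance@contoso.example" `
    -IncidentReportContent Sender,Recipients,Subject,RuleDetection

# Review what is now in place, including the mode of each rule.
Get-TransportRule | Select-Object Name, State, Mode, Priority | Format-Table -AutoSize
```

Rules are evaluated in priority order, so a rejecting rule placed above a disclaimer rule wins for the same message; check the Priority column after creating them and reorder with Set-TransportRule -Priority if needed.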
Can I find and block sensitive information within my organization?
Data Loss Prevention (DLP) features in Office 365 provide the ability to identify, monitor,
and automatically protect sensitive information across Office 365 services. Data Loss
Prevention (DLP) policies can help in identifying sensitive data across multiple locations,
such as SharePoint Online, OneDrive for Business, and Exchange Online. You can choose
to protect all SharePoint sites or OneDrive accounts, specific sites, accounts, or all
mailboxes. Using the rules allows you to prevent accidental sharing of information as
well as monitor and protect data in the modern desktop versions of Excel, PowerPoint,
and Word. A Data Loss Prevention policy can contain a few basic things:
1. Content Locations - Exchange Online, SharePoint Online, and OneDrive for
Business sites.
2. Conditions - These are necessary because they determine the types of
information you are looking for, as well as the context, such as whether the
document is available to users outside the organization. Conditions are then used
to assign different actions to the various risk levels. Enforcement of these rules
only happens if the checked content matches them. For example, look only for
documents that contain credit card numbers which internal users are sharing with people
outside your organization.
3. Actions - When identified content matches the conditions, this automatic action is
performed. For example, block access to a matched document, then notify
both the user and the compliance officer using email notifications. These actions can
also restrict access to the content by blocking the use of the document, as well as
visibly changing the icon of the file and providing a special policy tip, for example
within a SharePoint document library.
You can also use a rule to meet specific protection requirements, by applying policies
together that fit the needs of the organization.
For content that does not reside within Office 365 services, Advanced Information
Protection (AIP) can be utilized both within the Office Suite and within the company
network. The Advanced Information Protection (AIP) scanner crawls files stored locally,
such as on Windows file servers and NAS devices, as well as on on-premises SharePoint
servers. Advanced Information Protection policies can be utilized to identify the content
stored within the network and then automatically apply classifications and labels.
Learn more at: https://docs.microsoft.com/en-us/office365/securitycompliance/data-loss-prevention-policies
How can I ensure that personally identifiable information never leaves the
organization?
The unified Data Loss Prevention (DLP) platform within Office 365 allows you to create
and manage policy rules for multiple workloads such as Exchange Online, SharePoint
Online and OneDrive for Business within a single management center. Doing this
reduces the time required to set up and maintain security and compliance within your
organization. As well as a central place to create Data Loss Prevention (DLP) policies,
reports are also available for active monitoring of policy violations. Using these policies,
you can control the flow of data that leaves your organization. Blocking email and the
sharing of data from within the services, then combining this with Rights Management (RMS)
and Advanced Information Protection (AIP) policies, ensures the best protection and control
of your data.
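A DLP policy with the three parts described earlier (locations, conditions, actions), aimed at the personally identifiable information question above, as an added example in Security & Compliance Center PowerShell. This is not code from the page or from Microsoft; it assumes an existing Connect-IPPSSession session, and the policy name, rule name and the report address compliance@contoso.example are placeholders. The two sensitive information type names are the built-in ones shipped with Office 365.

```powershell
# Added example: one DLP policy covering Exchange Online, SharePoint Online and OneDrive for Business.
# Assumes Connect-IPPSSession has already been run; names and addresses are placeholders.

# Locations: all mailboxes, all sites, all OneDrive accounts.
# Mode TestWithNotifications shows policy tips and sends reports but does not yet block,
# which lets you measure false positives before enforcement.
New-DlpCompliancePolicy -Name "PII leaving the organization" `
    -Comment "Detect SSNs and card numbers shared with people outside the organization" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Conditions + actions in one rule:
#   condition: content contains at least one SSN or one card number (built-in sensitive info types)
#              AND the content is accessible to people outside the organization
#   actions:   block external access, notify the last modifier and owner with a policy tip,
#              and send an incident report to the compliance officer.
New-DlpComplianceRule -Name "Block external sharing of PII" `
    -Policy "PII leaving the organization" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Credit Card Number";                minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier,Owner `
    -NotifyPolicyTipCustomText "This item contains personal data and cannot be shared outside the organization." `
    -GenerateIncidentReport "compliance@contoso.example" `
    -IncidentReportContent Title,DocumentAuthor,Severity,Detections,Service `
    -ReportSeverityLevel High

# After reviewing the test-mode reports, enforce the policy.
Set-DlpCompliancePolicy -Identity "PII leaving the organization" -Mode Enable

# Confirm the policy and rule as stored.
Get-DlpCompliancePolicy -Identity "PII leaving the organization" | Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy "PII leaving the organization" | Format-List Name, AccessScope, BlockAccess, NotifyUser
```

The AccessScope NotInOrganization condition is what turns this from "find PII" into "find PII that is leaving": an SSN in a document shared only internally matches the sensitive type but not the rule, so internal work is not blocked.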
Can I automatically apply classification and security policies to content during
authoring?
A practical and straightforward approach to content control and protection is to
implement features that can identify sensitive or personal data during content creation.
The Azure Information Protection (AIP) client allows this data to be identified automatically
during the creation process. An Office add-in can be installed that provides a new protection bar
for automatic classification, as well as a manual way for users to select
classification labels to assign to the current content.
The AIP Client also integrates directly into the Windows File Explorer, allowing users to
apply classification labels and protection directly to existing files. For protected content,
a viewer is also available to view the newly secured content if the native application
does not support this type of protection.
Learn more at: https://docs.microsoft.com/en-us/azure/information-protection/
Can I time limit sensitive material shared externally?
Sharing content externally, whether sensitive or not, still requires control and protection.
Whether the content is within SharePoint Online or OneDrive for Business, the
experience is the same. The same is true within the Office suite: a single approach to
sharing content internally or externally. The sharing experience not only allows you to
specify who the content is for and whether they can edit it, but also lets you set an
expiration date after which the content will no longer be accessible. You do not need to
remind yourself to remove permissions, as access is blocked automatically when the
period passes.
Azure Information Protection (AIP) policies also provide data control through expiration
policies. These allow you to define revocation of access after specific dates, no matter
where the content resides.
Controlling data and content access
Can I disable external sharing of all content?
Office 365 is designed to allow external sharing; however, controls are available in
multiple places giving you easy accessibility to the settings.
Admin Portal
The Admin Portal contains general settings that let you, as an organization, determine
whether external users are allowed in the organization.
Office 365 Groups
Office 365 groups also provide the option of allowing group members outside the
organization to access the content, as well as granting group owners the ability to add
people outside the organization to the groups.
SharePoint Online
SharePoint Online provides settings for the following categories:
Sharing outside the organization
You can control how users share content with people outside of the organization,
choosing from the following options:
1. Do not allow sharing outside the organization.
2. Allow sharing only with external users who already exist in your organization.
3. Let your users invite and share with any authenticated external user.
4. Enable sharing with authenticated external users and also allow anonymous links,
with settings such as expiration and permissions applied to those links.
Who can share outside of the organization
Choosing who can share externally can be controlled further by selecting specific
security groups and determining whether they can share and if they are to use
anonymous links for access.
Link types and permissions
You can choose the kind of link that is created by default when users get links. You can
select from direct, internal-only or anonymous links, which ensures that when a user
shares content, the chosen type of link is set by default, though a user can modify it. The
same is true for the default permission, which can be view or edit.
Additional external sharing settings
The ability to limit specific email domains can help control the flow of data. Combined
with domain restrictions, you can choose whether to block external users from sharing
files within SharePoint that they don't own, but have access to view. External users can
also be forced to use the original email that a sharing request was sent to, to ensure
that it is the intended recipient accessing your system. The final protection is to require
recipients to prove account ownership when they view or edit shared items; this helps in
ensuring the end user accessing the data is who they say they are.
OneDrive for Business
OneDrive for Business offers multiple options for controlling external sharing. First,
document and file links can be controlled to allow sharing with anyone, with internal users only,
or only directly with specified recipients. Link expiration in days can also be
enabled, as well as setting the file and folder permissions, such as View, Edit and Upload.
Secondly, external sharing can be controlled further by allowing either Anyone, New and
existing external users, Existing external users, or Only people within the organization.
Restrictions can then also be applied to allow or block users by the domain in which their
account resides. Lastly, external users can be forced to accept invitations with the original
invited email address, not just any email address they may use.
Learn more at: https://docs.microsoft.com/en-us/sharepoint/external-sharing-overview
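The SharePoint Online sharing categories above (who can be shared with, default link type and permission, domain restrictions, resharing, account matching and attestation) applied from SharePoint Online Management Shell, as an added example that is not code from the page or from Microsoft. The tenant name contoso, the site URL and the partner domain partner.example are placeholders. It also includes a per-site override, which the page does not mention, to show that the tenant setting is only the ceiling: a site can be more restrictive than the tenant, never less.

```powershell
# Added example: tenant-wide external sharing controls for SharePoint Online / OneDrive for Business.
# Assumes the SharePoint Online Management Shell module; tenant name, site URL and domain are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Sharing outside the organization: only guests who already exist in the directory.
# Other values: Disabled, ExternalUserSharingOnly, ExternalUserAndGuestSharing.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly

# Link types and permissions: the Share dialog defaults to a direct (specific people), view-only link.
Set-SPOTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View

# If anonymous links are ever enabled, make them view-only and short-lived.
Set-SPOTenant -FileAnonymousLinkType View -FolderAnonymousLinkType View `
              -RequireAnonymousLinksExpireInDays 7

# Additional external sharing settings:
#   - limit sharing to an allow list of email domains
#   - external users may not reshare content they do not own
#   - the account accepting an invitation must match the invited address
#   - recipients re-prove ownership of their email address every 30 days
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example" `
              -PreventExternalUsersFromResharing $true `
              -RequireAcceptingAccountMatchInvitedAccount $true `
              -EmailAttestationRequired $true -EmailAttestationReAuthDays 30

# Per-site override: a sensitive site stays internal even though the tenant allows existing guests.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -SharingCapability Disabled

# Verify the effective tenant configuration.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    SharingDomainRestrictionMode, SharingAllowedDomainList, PreventExternalUsersFromResharing,
    RequireAcceptingAccountMatchInvitedAccount, EmailAttestationRequired | Format-List
```

Existing sharing links are not revoked by changing these settings; they govern links created from now on, so a review of already-shared items is a separate step.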
How do I ensure the intended recipient only opens the content sent to them?
Office 365 provides tools that can ensure that only the intended recipient opens the
email you send. This can be achieved using mail policies that apply while authoring, mail
encryption, and DomainKeys Identified Mail (DKIM). First, Office 365 provides Information
Rights Management (IRM), which can apply a policy to an email directly within Outlook.
Encryption and usage restrictions provide online and offline protection for email
messages and attachments. You as an Administrator can set up transport rules or
Outlook protection rules to automatically apply policies to selected messages. Users can
also manually apply templates in Outlook or the Outlook Web App.
Office 365 Message Encryption (OME) is built on top of the Azure Rights Management
(Azure RMS) components and lets you send encrypted email to people inside or
outside your organization. As an administrator, you can set up transport rules with
conditions for encryption. When a user's email matches a rule, encryption is applied
automatically. Recipients can view encrypted messages by signing in with a
Microsoft account, getting a one-time passcode, or signing in with a work or school
account associated with Office 365. Recipients can also send encrypted replies without
the need for an Office 365 subscription.
DomainKeys Identified Mail (DKIM) adds a digital signature to email messages within the
message header. As part of the DKIM configuration, you authorize your email domain to
sign its name to email messages using cryptographic authentication. Other email
systems receiving email from your domain then use this digital signature to
determine if the incoming email is legitimate.
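The OME transport rule and the DKIM setup described above, in Exchange Online PowerShell, as an added example (not code from the page or from Microsoft). It assumes an existing Connect-ExchangeOnline session; the domain contoso.example and the keyword that triggers encryption are placeholders. The CNAME values come from the tenant at step 2 and are shown as placeholders here.

```powershell
# Added example: enable DKIM signing for a custom domain and auto-encrypt flagged messages with OME.
# Assumes Connect-ExchangeOnline has been run; the domain and the trigger keyword are placeholders.
$domain = "contoso.example"

# 1. Create the DKIM signing configuration, disabled until DNS is in place.
New-DkimSigningConfig -DomainName $domain -Enabled $false

# 2. Read the two CNAME targets that must be published in the domain's public DNS:
#      selector1._domainkey.<domain>  CNAME  <Selector1CNAME value>
#      selector2._domainkey.<domain>  CNAME  <Selector2CNAME value>
Get-DkimSigningConfig -Identity $domain | Format-List Selector1CNAME, Selector2CNAME

# 3. Once the CNAMEs resolve, turn signing on. Receiving systems will then see dkim=pass
#    in the Authentication-Results header for mail from this domain.
Set-DkimSigningConfig -Identity $domain -Enabled $true

# 4. Mail flow rule: apply the built-in "Encrypt" rights protection template (OME) when a user
#    puts the trigger word in the subject or body. Recipients outside the organization read the
#    message through the OME portal with a one-time passcode or a Microsoft/work account.
New-TransportRule -Name "OME: encrypt on user request" `
    -SubjectOrBodyContainsWords "[encrypt]" `
    -ApplyRightsProtectionTemplate "Encrypt"

# Check the state of both pieces.
Get-DkimSigningConfig -Identity $domain | Format-List Domain, Enabled, Status
Get-TransportRule -Identity "OME: encrypt on user request" | Format-List Name, State, ApplyRightsProtectionTemplate
```

Confirm DNS with a lookup of selector1._domainkey.contoso.example before step 3; with the CNAMEs missing, enabling the configuration fails and mail continues to leave unsigned.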
How can I auto-classify data as it is saved into SharePoint or OneDrive for Business?
A common task required for end users storing content within OneDrive for Business or
SharePoint is tagging. Applying tags to content allows for fast retrieval and classification
of content. Classifying content is particularly important as it will enable security controls
that can control either the retention or the sensitivity of the content. Office 365 Labels
provides the ability to:
• Enforce protection settings such as encryption and watermarks within labeled
content
• Protect content consumed within Office apps across different platforms and
devices
• Prevent sensitive content from leaving the organization on devices running
Windows
• Extend sensitivity labels to allow third-party apps and services to use them
• Classify content without applying any protection settings
Within the Office 365 Security & Compliance Center, you can create sensitivity labels.
You can configure sensitivity labels and policies across Azure Information Protection and
Office 365 within the Security & Compliance Center. Azure Information Protection,
Office 365 services, and Office apps consume sensitivity labels when required.
A sensitivity label applied to a document or email is similar to a normal
taxonomy tag. Sensitivity labels, however, are customizable, stored in clear text and
persist with the content. You can use categories for different levels of sensitive
content in your organization, such as Personal, Public, General, Confidential, and Highly
Confidential. Security controls can be applied to labeled content, enforcing
encryption, applying a watermark, or preventing data loss when combined with Intune.
Office 365 Labels provides a mechanism to auto-apply labels to content. Auto-
classification is controlled either by defining retention labels or utilizing Azure
Information Protection (AIP) policies and labels.
Learn more at: https://docs.microsoft.com/en-us/office365/securitycompliance/sensitivity-labels
Can I be notified of potential user malicious behavior such as mass file downloads?
Understanding how your end users access and manage content within the organization
is essential for any organization's security posture. Cloud App Security is a
comprehensive platform that helps your organization take advantage of cloud
applications while keeping you in control through improved visibility into activity.
Not only does it monitor end-user behavior, but it also lets you
control shadow IT, such as unsanctioned applications and access.
Cloud App Security performs the following three activities:
• Cloud Discovery: Discover all cloud activity within your organization, including
Shadow IT reporting and controls, as well as risk assessment.
• Data Protection: Monitor and control your business data through visibility,
enforcement of DLP policies, alerts, and investigation.
• Threat Protection: Detect anomalous use and security incidents. Using behavioral
analytics and advanced investigation tools to mitigate risk.
Using multiple policies, you can gain visibility into interactions of your users when
accessing data within Office 365 applications. Creating specific policies and alerts allows
notification of any unusual behavior — for example, impossible logon, mass file
downloads or permissions changes.
Learn more at: https://docs.microsoft.com/en-us/cloud-app-security/
Can I apply a content security policy to a document no matter where it resides?
When working with content stored within local file shares, SharePoint On-premises,
SharePoint Online or OneDrive for Business, having the ability to apply
security policies and have them persist is critical. Office 365 provides two services
that allow policies to continue to apply no matter where the content moves. Information Rights
Management (IRM) and Advanced Information Protection (AIP) specifically provide this
ability, ensuring the protection of your business content. Both services offer public
security endpoints that check the content before it is opened. For example, a
content security policy applied to a Word document stored locally, then copied to SharePoint
Online or OneDrive for Business, is retained.
Organizational management controls
How can I ensure my end user accounts are safe and secure from attacks?
With the increase of credential-based attacks, having the ability to protect your end-
user accounts is now a top priority. In most Office 365 scenarios, organizations are
synchronizing Active Directory On-premises accounts directly into Azure Active
Directory (the directory used by Office 365). While using the accounts for on-premises
services, any policies created locally in the domain get enforced. However, when the
accounts synchronize into Azure Active Directory they no longer apply when used to
authenticate to cloud services. Luckily, Azure Active Directory provides functions to
control and protect the accounts. The first recommended protection to be applied to all
accounts is enabling multi-factor authentication. The Azure Multi-Factor Authentication
service provides access using either a mobile application, a phone call or a text to a device.
Organizations can also go one step further and provide passwordless login using the
Authenticator mobile application.
The second recommended protection requires the premium licensing for Azure Active
Directory which provides features such as:
• Account Lockout
• Password Policy Enforcement
• Conditional Access Policies
• Privileged Identity Management
• Real-time reporting
Realistically the most straightforward and effective account protection recommended is
to enable multi-factor authentication on all accounts.
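The recommendation above (MFA on all accounts, delivered through a Conditional Access policy, which is part of the premium licensing the page mentions) expressed with the Microsoft Graph PowerShell SDK, as an added example that is not code from the page or from Microsoft. It assumes the Microsoft.Graph module is installed and that a break-glass group already exists; the group id is a placeholder. The policy is created in report-only mode first, which is the safe way to confirm that it would not lock administrators out before it is enforced.

```powershell
# Added example: require MFA for all users on all cloud apps via Conditional Access (report-only first).
# Assumes the Microsoft.Graph PowerShell SDK; the excluded group id is a placeholder for a break-glass group.
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access accounts

$policy = @{
    displayName = "Require MFA for all users"
    # enabledForReportingButNotEnforced = report-only: sign-in logs show what WOULD happen.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# After reviewing report-only results in the sign-in logs, enforce the policy.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }

# Verify: list every Conditional Access policy and its state.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State | Format-Table -AutoSize
```

The exclusion group is the important detail: a policy that requires MFA for literally every account, including the ones used to repair a broken MFA registration service, is how organizations lock themselves out of their own tenant.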
Can I view all user and admin activities for all Office 365 services?
When using on-premises services and solutions, the ability to troubleshoot and
investigate potential issues or security problems is more straightforward, as you have
direct access to the systems. Moving to cloud services often removes direct access to
logs and event information. Office 365, however, provides full search and investigation
features that allow searching for content as well as for all admin and user activities.
The Office 365 audit log contains events from most Office 365 services within your
organization. You can perform searches for user and admin activity in these services:
• Azure Active Directory
• Exchange
• SharePoint
• OneDrive
• Microsoft Teams
• eDiscovery
• Power BI
• Yammer
• Sway
• Microsoft Stream
For each activity logged, many details are available from the user who performed the
action to the type of event and the function performed. Audit log search provides deep
inspection so you can always find what you need for an investigation, review or even for
a legal case.
Learn more at: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
How can I control support engineers gaining access to my content?
Customer Key for Office 365 and Azure allows you to control your organization's
encryption keys. Once implemented, you can then configure Office 365 to use them to
encrypt your data at rest in all of Microsoft's data centers. Data at rest includes data from
Exchange Online and Skype for Business stored in mailboxes, and files in SharePoint Online
or OneDrive for Business.
Customer Key enhances your ability to meet the demands of compliance requirements
within your organization when working with a cloud service provider. You are then able
to exercise control and revoke your organization's keys, should you decide to exit the
service. By revoking the keys, the data is unreadable to the service.
Customer Key provides the ability for you to control the encryption of the data;
however, a separate component is required to control support engineers' access.
Customer Lockbox is available as part of the Enterprise E5 licensing for Office 365. In its
purest form, Customer Lockbox is a feature of Office 365 that ensures that
there is zero interaction by support engineers with your content unless explicitly granted.
You as the customer have to provide explicit approval before a Microsoft employee
can access your content for service operations.
Is there a way to test end users to ensure they do not open phishing emails?
One of the most common attack vectors that malicious actors use today is
phishing email. These emails often look exactly like a real and original email,
making it hard for end users to distinguish a phishing email. Office 365 provides attack
simulation services for organizations to safely test end users. Currently, there are three
kinds of attack simulations available:
Display name spear-phishing attack
This simulation focuses on spear phishing, a more targeted attack aimed at specific users
or groups within an organization. It is typically a customized attack that uses a trusted
email display name, for example making it look as if the message came from an executive within
your organization. The attack focuses on manipulating who the message appears to come from, by
changing the display name and source address. When spear-phishing attacks are
successful, cybercriminals can gain access to users' credentials.
Password-spray attack
A common attack is the password spray attack. Usually, a bad actor has already
successfully acquired a list of valid users from the tenant. It is a widely used attack, as it
is cheap to run and much harder to detect than standard brute-force
approaches. This simulation lets you test a common password against a
large target base of users.
Brute-force password attack
Brute-force password attacks are common against any organization. The attack centers
on testing a set of passwords against a single user's account.
Using Office 365 Threat Intelligence and attack simulation, an administrator can
determine the users targeted by cyber threats, and provide a quick and easy way to test
their security awareness.
Learn more at: https://docs.microsoft.com/en-us/office365/securitycompliance/attack-simulator
In the event of an account breach, can I automatically secure the account?
Recovering from a security or account breach often takes time, leaving the organization
open to subsequent attacks. Office 365, combined with core Azure Active Directory
services, provides tools that can automatically interrogate incoming authentication
requests. With premium licensing, Azure Active Directory allows you as an
administrator to evaluate the risk level of an account and enforce, for example, password
resets if the threat level is medium or low. Cloud App Security not only provides policies
and notifications but also offers automatic remediation through some basic governance
controls. Governance actions can be executed against specific applications that have access to
Office 365, or against user accounts that perform operations deemed malicious.
Suggested Approach and Recommendations
With Office 365 and Azure providing so many services and features, knowing where to
start can seem complicated. The best method is to implement critical items first then
start with testing supporting functions as needed. Include business users in the testing
to ensure that adoption is successful.
The areas of focus for all organizations should be as follows:
Account Protection
As accounts are the way to access all systems within Office 365, ensure password
policies, multi-factor authentication, and conditional access policies are enabled and
working. These three simple protections will mitigate many of the account type attacks
of today.
Communication Protections
Email is still one of the most common ways that businesses communicate. Though
we have instant-messaging tools, email remains the primary channel. Company documents
get sent via email instead of through secured platforms such as
SharePoint Online or OneDrive for Business. To ensure that sensitive data is controlled
and blocked, a combination of mail flow rules and data loss prevention is required.
These rules identify the sensitive content, notify the end user and others, and
block the content from leaving the organization. When combined with Information
Rights Management and Azure Information Protection, content that is allowed to leave can be
protected, ensuring it is delivered only to the intended recipient.
Stored Data Protections
Even while content is within applications such as SharePoint Online, OneDrive for
Business or even on-premises applications, protecting and securing it is even more
critical. Applying Office 365 labels to control the movement and flow of data internally,
tagging for sensitivity and retention can ensure content movement is limited. When
combined with Information Rights Management and Azure Information Protection,
content can be restricted, classified and have watermarks applied to it. Using these types
of protections will ensure that business content is secure and safe even from end users.
Many end users are looking for ways to enhance their interactions with cloud services,
and also the most straightforward and easy way of performing a business action.
Sometimes this means that due to your organization not providing the tools they need;
end users will start utilizing non-sanctioned applications to get their work done. Using
Cloud App Security policies, alerts and controls will ensure that no 3rd party application
is the reason for a data or security breach.
Summary
The nature of work continues to evolve, as does the technology that powers it. Since the
industrial revolution, starting with the invention of the steam engine and the rise of industrial
manufacturing, successive waves of technological innovation have provided new capabilities,
tools, and power to make work more efficient and productive. These have always been times of
great disruption as old ways of operating became obsolete and new models of work emerged.
Businesses today need productivity services that help users get more done from virtually
anywhere while maintaining security in the face of ever-evolving threats. Office 365 supports
both needs at once with a highly secure, cloud-based productivity platform. Information
regarding Office 365 security, privacy, compliance, transparency, and service continuity can be
found in the Office 365 Trust Center and the Service Trust Portal. The Office 365 platform
incorporates security at every level, from application development to physical datacenters to
end-user access. Today, fewer and fewer organizations can maintain an equivalent level of
security on-premises at a reasonable cost.
Importantly, Office 365 applications include both built-in security features that simplify the
process of protecting data and the flexibility for administrators to configure, manage, and
integrate security in ways that make sense for their unique business needs. When businesses
choose Office 365, they get a partner that truly understands business security needs and is
trusted by companies of all sizes across nearly every industry and geography.