Migrating e-mail and productivity apps to the cloud is a no-brainer. Continuous updates, access from anywhere, no need to manage the supporting servers and associated hardware: the benefits are clear. As with any IT outsourcing, however, careful planning around security measures is essential. And with your O365 environment exposed to the public internet, security best practices matter even more, because every account is reachable by anyone who can guess or phish its password.
While securing Office 365 is an ongoing effort, there are several top priorities that should be first to be addressed after your migration.
Multi-factor authentication is one of the best ways to add security to user identity and access methods. It is most crucial for administrator accounts, and depending on when your tenant was created it may not be enabled by default. Your Azure Active Directory Global Administrators must have MFA turned on, so that a password alone is never enough to reach an account that holds the keys to your entire environment. Prefer an authenticator app or a hardware security key over text message or phone call: SMS and voice codes can be intercepted or SIM-swapped, and they are the easiest second factor for a phishing page to relay in real time.
If you connect your on-premises Active Directory to the cloud via Azure AD Connect, you can enable password hash synchronization. A hash of each synced user's on-premises password is then copied to Azure AD, so the same password opens both environments. Any successful attack on-prem (phishing, other social engineering, or a dumped password hash) could then be used to access your cloud environment as that user, and if that user is also a cloud administrator the attacker owns the tenant. Keep your Global Administrator accounts cloud-only, created directly in Azure AD rather than synchronized from on-prem, perform administration within the Azure portal with those accounts, and decommission your on-prem AD if possible.
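The two paragraphs above (MFA for Global Administrators, and not running the cloud on accounts that an on-prem compromise also unlocks) can be checked together. The following script is an added example, not code from the original article; it assumes the Microsoft Graph PowerShell SDK is installed and that the three scopes requested are sufficient to read role membership, user attributes and registered authentication methods in your tenant. The Global Administrator role is located by display name, and SMS and voice are deliberately counted as weak methods.

```powershell
# Added example: audit Global Administrator accounts for missing/weak MFA and for
# accounts synchronized from on-premises AD. Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","UserAuthenticationMethod.Read.All"

# Method types treated as strong: phishing-resistant or app-based. (Assumption: these
# are the ones your policy accepts; adjust to taste.)
$strongMethods = @(
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod"
)
# SMS/voice and e-mail OTP are counted as weak on purpose.
$weakMethods = @(
    "#microsoft.graph.phoneAuthenticationMethod",
    "#microsoft.graph.emailAuthenticationMethod"
)

# Directory roles only appear once activated; Global Administrator is always present.
$role = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq 'Global Administrator' }
if (-not $role) { throw "Global Administrator role not found in this tenant" }

$report = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
    # Members can also be groups or service principals; only users register auth methods.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $user  = Get-MgUser -UserId $member.Id -Property Id,UserPrincipalName,OnPremisesSyncEnabled
    $types = Get-MgUserAuthenticationMethod -UserId $user.Id |
             ForEach-Object { $_.AdditionalProperties['@odata.type'] }

    $hasStrong = [bool]($types | Where-Object { $_ -in $strongMethods })
    $hasWeak   = [bool]($types | Where-Object { $_ -in $weakMethods })

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        StrongMfa         = $hasStrong
        WeakMfaOnly       = (-not $hasStrong) -and $hasWeak     # SMS/voice/e-mail only
        NoMfa             = (-not $hasStrong) -and (-not $hasWeak)
        SyncedFromOnPrem  = [bool]$user.OnPremisesSyncEnabled   # on-prem password unlocks this admin
    }
}

# Anything listed here is a finding: fix MFA first, then move the role to a cloud-only account.
$report | Where-Object { -not $_.StrongMfa -or $_.SyncedFromOnPrem } | Format-Table -AutoSize
```

Run it from an account that can read the directory. A registered method is not the same as an enforced one: the script tells you who *can* satisfy MFA, so pair it with a Conditional Access policy (or Security Defaults) that actually requires it for the administrator roles.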
Be sure to enable unified audit logging within the Security & Compliance Center and also enable mailbox auditing for all users. Unified audit logging is the organization-wide switch that makes audit search return anything at all; mailbox auditing creates the trail that documents user, delegate and admin activity within mailboxes, helping you keep tabs on IP addresses, host name, and the client used to access the mailbox. Since late 2018 Microsoft has been turning mailbox auditing on by default, but it is worth checking your settings, because an organization-level "audit disabled" flag silently overrides every per-mailbox setting.
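The checks and the enablement steps above, as an added example using Exchange Online PowerShell (the ExchangeOnlineManagement module); this is not code from the original article. The 180-day retention, the extra owner actions and the one-day search window are assumptions chosen for illustration.

```powershell
# Added example: verify and enable unified audit logging and mailbox auditing,
# then spot-check who accessed mailboxes from where. Assumes ExchangeOnlineManagement.
Connect-ExchangeOnline

# 1. Unified audit log ingestion: without this, Search-UnifiedAuditLog returns nothing.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. The org-level flag overrides per-mailbox settings; $true here means nothing is logged
#    no matter what each mailbox says, so clear it first.
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

# 3. Enable auditing explicitly on every user mailbox and extend what owner actions are
#    recorded (the default owner set is narrower than the delegate/admin sets).
#    Assumption: 180-day retention is acceptable for your investigations.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180.00:00:00 `
        -AuditOwner @{Add="MailboxLogin","SoftDelete","HardDelete","MoveToDeletedItems","Update","UpdateInboxRules"}

# 4. Spot-check the last 24 hours: user, operation, client IP and client string per record.
#    New inbox rules (UpdateInboxRules) from an unfamiliar IP are a classic sign of a
#    compromised mailbox being set up to hide replies.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
        -RecordType ExchangeItem -ResultSize 500 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ClientIPAddress, ClientInfoString |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize
```

Newly created mailboxes inherit the default-on behaviour, but the owner action list does not inherit the additions made above, so run step 3 on a schedule or fold it into your provisioning process.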
Within the Exchange Admin Center, you can create Mail Flow Rules (transport rules) that warn users against potential phishing attempts and also copy the offending email to your security team. You should consider the anti-phishing protection that is part of Office 365 Advanced Threat Protection. But you can also DIY some shielding with rules that flag incoming messages from outside the organization whose sender display name matches one of your employees (display-name spoofing), messages containing URLs that link to suspicious file-storage sites, or messages whose body contains a clickable image and little else. You can also block specific keywords that are common in spam or phishing campaigns, as well as dangerous file extensions.
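The rules described above, written as an added example in Exchange Online PowerShell rather than clicked through the Exchange Admin Center; this is not code from the original article. The employee names, the security mailbox address, the keyword list and the extension list are constructed placeholders for illustration.

```powershell
# Added example: transport rules for display-name spoofing, external tagging,
# dangerous attachments and lure phrases. Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# Rule 1: mail from outside the organization whose From header carries an employee's
# display name. Header matching uses regular expressions, so escape the names.
# Constructed placeholder list; in practice build it from Get-User / Get-Mailbox.
$employeeNames = @("Jane Doe", "John Smith")
$patterns = $employeeNames | ForEach-Object { [regex]::Escape($_) }

New-TransportRule -Name "Warn: external sender using employee display name" `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader "From" -HeaderMatchesPatterns $patterns `
    -PrependSubject "[SUSPECTED SPOOF] " `
    -GenerateIncidentReport "secops@example.com" `   # placeholder security team mailbox
    -IncidentReportContent Sender,Recipients,Subject,AttachOriginalMail `
    -Mode Enforce

# Rule 2: a visible banner on every external message so users stop trusting look-alikes.
New-TransportRule -Name "Tag external mail" `
    -FromScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Prepend -ApplyHtmlDisclaimerFallbackAction Wrap `
    -ApplyHtmlDisclaimerText "<p style='color:#9F6000;background:#FEEFB3'>CAUTION: This message came from outside the organization. Do not open attachments or links unless you expected them.</p>"

# Rule 3: reject attachment types that are executable or commonly used as droppers.
New-TransportRule -Name "Block executable attachments" `
    -AttachmentExtensionMatchesWords "exe","scr","js","jse","vbs","hta","iso","lnk","cmd","bat" `
    -RejectMessageReasonText "Attachment type not permitted by policy" `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Rule 4: raise the spam confidence level for external mail with classic lure phrases,
# so it lands in Junk rather than being hard-rejected (fewer false positives).
New-TransportRule -Name "SCL bump: credential lure phrases" `
    -FromScope NotInOrganization `
    -SubjectOrBodyContainsWords "verify your account","password will expire","your mailbox is full","urgent wire transfer" `
    -SetSCL 7
```

Two caveats worth stating up front. Rule 1 fires on any external sender who legitimately shares a name with an employee, so start it in `-Mode Audit` and review the incident reports before enforcing. Rule 3 only sees the declared extension, not the content, so it is a speed bump rather than a control; pair it with attachment scanning that inspects file type.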
If you upload and host sensitive information within your O365 environment – think about what all is in your SharePoint documents – then Azure Rights Management (the protection technology behind Azure Information Protection) is one way to encrypt and control those documents. The encryption travels with the file, so only authorized users can open it wherever it ends up, and you can set usage rights that expire, revoking access or editing capabilities after a specified time frame. You can still share and collaborate on files outside your organization, but with Rights Management you have more control over how they are shared and how far they can spread.
Office 365 and Azure offer a wide range of information security controls, auditing capabilities, and options to help you keep tabs on your cloud resources and company data. While priorities will shift for each individual organization, the above steps are some of the easiest and most important to take when configuring O365.