Microsoft 365 Business: Comprehensive security against advanced cyberthreats

Microsoft 365 Business can help you consolidate some of the point solutions across productivity and security that create risk and complexity for any small business.

Here is a comparison between various third party tools/services and Microsoft 365 Business suite of products:

Third party security tools cost
  • Cloud identity management — Jumpcloud
  • Azure Information Protection for Information Rights Management
  • Barracuda Essentials for email anti virus and DLP
  • Airwatch Express for the endpoint management system for SMB.
Microsoft 365 Business cost

As a trusted Microsoft partner, we can help you subscribe and set up all the advanced security features of Microsoft 365 Business: contact us today!

Business continuity strategy

To enable a proper business continuity strategy, you need to have all the various parts that form a well designed game plan for when things go wrong.

In the cloud-enabled model of application and data availability and resiliency, costs—across the board—are lower for a holistic backup, disaster recovery, and archive plan.

  • High availability: When your applications have a catastrophic failure, run a second instance. Ensuring high availability (99.999% uptime) while the most expensive resiliency plan, is significantly more affordable in the cloud. With hyper-scale cloud, like Microsoft Azure, a spike in demand or traffic isn’t something to worry about. Now the scale you need is a few clicks away. With Azure, you’re able to scale up or down based on demand, in just a few minutes. Cloud also gets rid of the need for multiple or offsite datacenters. Workloads running in Azure are powered by always up Azure global datacenters. Azure is also pay-as-you-go, so you’ll only be charged for what you need. With cloud, high availability is available to everyone. Make sure that you’re always up and avoid the negative impact on your productivity, brand, and profits.
Business continuity strategy
High availability
  • Disaster recovery: When your applications have a catastrophic failure, run them in Azure or a secondary datacenter. Like high availability efforts, traditional disaster recovery (DR) is very expensive. Similarly, a cloud-based model for DR is significantly less expensive and more efficient than the traditional approach. No one can predict the future and even an hour of downtime can spell disaster for a business. Azure democratizes DR efforts and makes them a reality for every business. With Azure, businesses can rid themselves of the cost and overhead associated with the necessary redundant and offsite datacenters that come with traditional DR plans. No more servers to maintain, and no more taking assigning mundane service tasks to your IT talent. Azure’s global datacenters make it easy to house apps and data where it makes the most business sense to you, keeping mission-critical workloads stored in remote and secured. With Azure, you’re always prepared for when disaster strikes, able to get back to business in minutes, not hours or days.
Business continuity strategy
Disaster recovery
  • Backup: When your data is corrupted, deleted or lost, you can restore it. Backups are best thought of like a snapshot. They are a moment in your business’s life that is captured for the sake of continuity. In the event that all of your company’s data is lost, you can simply revert to a backup of the previous day, week, month, etc. depending on how often you back up information. With Azure backup, you can further lower the costs associated with already inexpensive backup. Azure backup is extremely affordable, so even small businesses with fixed IT budgets can afford it. It grants users anytime, anywhere access to their data from neatly any device. Backup data is housed safely offsite, in the event of a natural or human disaster.
Business continuity strategy
Backup

Our Managed Azure Services can help with all of them!

Google Cloud Platform CIS security controls

This security configuration benchmark covers foundational elements of Google Cloud Platform. The security controls detailed here are important security considerations when designing your infrastructure on Google Cloud Platform. Most of the security controls provided with this release of the benchmark (1.0.0) covers security considerations only at individual Project level and not at the organization level.

1 Identity and Access Management
1.1 Ensure that corporate login credentials are used instead of Gmail accounts  
1.2 Ensure that multi-factor authentication is enabled for all non-service accounts  
1.3 Ensure that there are only GCP-managed service account keys for each service account  
1.4 Ensure that ServiceAccount has no Admin privileges. 
1.5 Ensure that IAM users are not assigned Service Account User role at project level  
1.6 Ensure user-managed/external keys for service accounts are rotated every 90 days or less  
1.7 Ensure that Separation of duties is enforced while assigning service account related roles to users  
1.8 Ensure Encryption keys are rotated within a period of 365 days  
1.9 Ensure that Separation of duties is enforced while assigning KMS related roles to users  
1.10 Ensure API keys are not created for a project 
1.11 Ensure API keys are restricted to use by only specified Hosts and Apps 
1.12 Ensure API keys are restricted to only APIs that application needs access 
1.13 Ensure API keys are rotated every 90 days  
2 Logging and Monitoring 
2.1 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project  
2.2 Ensure that sinks are configured for all Log entries 
2.3 Ensure that object versioning is enabled on log-buckets  
2.4 Ensure log metric filter and alerts exists for Project Ownership assignments/changes  
2.5 Ensure log metric filter and alerts exists for Audit Configuration Changes  
2.6 Ensure log metric filter and alerts exists for Custom Role changes  
2.7 Ensure log metric filter and alerts exists for VPC Network Firewall rule changes  
2.8 Ensure log metric filter and alerts exists for VPC network route changes 
2.9 Ensure log metric filter and alerts exists for VPC network changes  
2.10 Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes  
2.11 Ensure log metric filter and alerts exists for SQL instance configuration changes  
3 Networking 
3.1 Ensure the default network does not exist in a project  
3.2 Ensure legacy networks does not exists for a project  . 96
3.3 Ensure that DNSSEC is enabled for Cloud DNS  
3.4 Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC  
3.5 Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC 
3.6 Ensure that SSH access is restricted from the internet 
3.7 Ensure that RDP access is restricted from the internet 
3.8 Ensure Private Google Access is enabled for all subnetwork in VPC Network 
3.9 Ensure VPC Flow logs is enabled for every subnet in VPC Network  
4 Virtual Machines 
4.1 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs 
4.2 Ensure “Block Project-wide SSH keys” enabled for VM instances 
4.3 Ensure oslogin is enabled for a Project  
4.4 Ensure ‘Enable connecting to serial ports’ is not enabled for VM Instance 
4.5 Ensure that IP forwarding is not enabled on Instances  
4.6 Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)  
5 Storage
5.1 Ensure that Cloud Storage bucket is not anonymously or publicly accessible 
5.2 Ensure that there are no publicly accessible objects in storage buckets  
5.3 Ensure that logging is enabled for Cloud storage buckets  
6 Cloud SQL Database Services 
6.1 Ensure that Cloud SQL database instance requires all incoming connections to use SSL 
6.2 Ensure that Cloud SQL database Instances are not open to the world  
6.3 Ensure that MySql database instance does not allow anyone to connect with administrative privileges. 
6.4 Ensure that MySQL Database Instance does not allows root login from any Host 
7 Kubernetes Engine 
7.1 Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters 
7.2 Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters 
7.3 Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters  
7.4 Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters  
7.5 Ensure Kubernetes Clusters are configured with Labels 
7.6 Ensure Kubernetes web UI / Dashboard is disabled 
7.7 Ensure `Automatic node repair` is enabled for Kubernetes Clusters  
7.8 Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes 
7.9 Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image 
7.10 Ensure Basic Authentication is disabled on Kubernetes Engine Clusters 
7.11 Ensure Network policy is enabled on Kubernetes Engine Clusters  
7.12 Ensure Kubernetes Cluster is created with Client Certificate enabled  
7.13 Ensure Kubernetes Cluster is created with Alias IP ranges enabled 
7.14 Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters 
7.15 Ensure Kubernetes Cluster is created with Private cluster enabled 
7.16 Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets 
7.17 Ensure default Service account is not used for Project access in Kubernetes Clusters  
7.18 Ensure Kubernetes Clusters created with limited service account Access scopes for Project access 

Our managed Google Cloud Platform security services can enable your environment to be fully compliant with this security standard.

NSG and forced tunneling

Azure Network Security- Network Security Groups (NSG) and Forced Tunneling

Network Security Groups (NSG) :

  • Enables network segmentation & DMZ scenarios
  • Access Control Lists & Network traffic rules as security group
  • Security groups associated with Virtual machines, Network Interfaces, or virtual machine subnets (not GW subnet)
  • Rules define a 5-tuple
  • Rules are separated into Inbound and Outbound rules
  • Rules applied in order of priority
  • Network traffic rules updated independent of Virtual machines
  • Controlled access to and from Internet

Network Security Group Models : At the subnet level and at the VM level.

  • Subnet Level NSGs: An NSG rule is applied to a subnet is logically more like a firewall rule that is applied at the switch and affects inbound and outbound traffic on every port in the switch. Any VM connected to the switch port would be affected by the NSG rule applied to the subnet.
  • VM/NIC Level NSGs: Apply NSGs at the VM or NIC of a virtual machine.  This allows greater flexibility in how traffic is filtered.

Forced Tunneling

  • “Force” or redirect customer Internet-bound traffic to an on premises site via default route
  • VPN – done per subnet
  • ExpressRoute – at BGP level
  • Can override with more specific routes via UDR
NSG and forced tunneling
NSG and forced tunneling
Subnet Connected Defense in Depth

Network Security for Azure environments

Network security typically falls into three areas:

  • Secure/manage traffic flow between applications, their tiers, between different environments, and other services
  • Secure/manage traffic flow between users and the application
  • Secure/manage traffic flow between the applications and the Internet

Azure Network security is about building a defense in depth approach.

The usual type of services that need to be protected from the network perspective, can be categorized into those types:

  • IaaS services connected to subnets
  • PaaS services connected to subnets
  • Public facing PaaS services with security lockdown
  • Public facing PaaS services with TLS access restrictions
PaaS Services with TLS
PaaS Services with TLS
PaaS Services with Lockdown DiD
PaaS Services with Lockdown DiD
Subnet Connected Defense in Depth
Subnet Connected Defense in Depth

Improve your Azure enhanced Secure Score

The enhanced Azure Secure Score is attack surface focused and brings three benefits:

  • Security Controls – Security recommendations are grouped into logical sets that better reflect your vulnerable attack surfaces.
  • Overall score better reflects the overall posture – Your score will only improve when you remediate all of the recommendations for a single resource within a control. That means that your score only improves when the security of a resource improves.
  • Security status of individual attack surfaces is more visible – By showing the score per Security Control, the Secure Score page becomes the place where you can get a granular view of how well your organization is securing each individual attack surface.
Azure enhanced Secure Score
Azure enhanced Secure Score

In order to remediate most of the security controls and improve your Azure Security score, you could very easily use our Managed Azure Services: by enabling compliance with the CIS standard, for example, it is guaranteed that your Azure Security score will increase dramatically.

You must remember as well that our managed security services can Disable/Customize the security policies as they apply to your particular environment, so when the Secure Score is calculated you wont get penalized for the security controls that don’t apply to your particular requirements.

Azure Security Center and Azure Policies – perfect companions

In the past, cybersecurity and privacy were often low on the list of priorities for nonprofits. But, as cyberthreats have increased so have the risks of ignoring those threats. Breaches, compromised data, and cyberattacks can put vulnerable beneficiaries at risk, disrupt nonprofit operations and
services, expose your organization to liability, and tarnish the reputation you have so painstakingly built.

To combat those threats, small businesses need to:

  • Identify, assess, and mitigate security risks.
  • Stay up-to-date with security best practices and the overall  threat landscape.
  • Correctly respond to compliance obligations in a timely fashion.

Azure Security Center and Azure Policies are tools that can help protect your data and cloud infrastructure while maintaining a high level of productivity.

Many small businesses don’t have the resources or the in-house skills to perform those tasks, but you can use the extensive technical skills of NovaQuantum to secure your Azure environment today!

Our skilled team of professionals have extensive security and compliance expertise that can help organizations like yours determine your level of risk, keep your security current, and meet compliance requirements. A great way to begin is with an assessment of your current technology and your level of security measured against a well know security standard like CIS. We’ll also let you know about new options available with the latest Microsoft technologies. Contact us Today!

Azure Security Center and Azure Policies are tools that can help protect your data and cloud infrastructure while maintaining a high level of productivity
your trusted security partner

Your trusted security partner to drive ongoing security posture improvement

  • We help organizations assess their security posture by providing them with wide visibility of their Azure environment
  • We provides security administrators with the guidance, controls and processes to drive improvement by focusing the high value/low risk security controls. We can automate the remediation of those controls, if required.
  • We enable security teams to benchmark progress and demonstrate progress to leadership by having regular reports
Your trusted security partner
Your trusted security partner
Azure Security Model

Azure security posture assessments and improvements

Cyber hygiene is hard to maintain due to :

  • users
  • processes
  • tools
  • technology
  • depth of security controls
  • breadth of tools
  • 1000s of security controls
  • ~100 security apps and tools

Here is what manual Security Posture Management looks like in a typical modern business that uses online Microsoft services:

Manual Security Posture Management
Manual Security Posture Management

…and here is what the Azure Security Model looks like for any business that makes use of the Azure and Office 365 platforms.

Azure security posture-Azure Security Model
Azure Security Model

As you can see, the security aspect of ANY Azure environment are very complicated: NovaQuantum, providing managed Azure Security services, is your trusted security partner to drive ongoing posture improvement and help YOU navigate all those complex security details!

Windows and SQL 2008 are end of life- act NOW!

Windows Server 2008 and SQL Server 2008 have reached end of support

Without security updates and bulletins released by Microsoft, your businesses could be exposed to security attacks or compliance risks.

July 9, 2019 : End of extended support for SQL Server 2008/2008 R2

January 14, 2020 : End of extended support for Windows Server 2008