Microsoft 365 Business Premium: Features

Securing each & every layer of productivity seamlessly!

Identity Security

  • AAD Features like MFA
  • Self Service Password Reset
  • Conditional Access

Device Security

  • Microsoft Defender AV
  • Full Centralized Management of Mobile and Laptops with Intune
  • Remote wipe of data of lost & stolen devices
  • BitLocker Encryption
  • Enforce strong PIN requirements along with Wi-Fi and VPN profiles

Application Security

  • Restrict copy/paste/save corp data to personal apps
  • Accessing sensitive apps securely (Windows Virtual Desktop)

Email Security

  • Advanced Threat Protection for protection against malware and zero day attacks
  • Data Loss Prevention to monitor sensitive data from being transmitted
  • Email restrictions like “Do Not Forward” or “Encrypt Email”

Document Security

  • Azure Information Protection protects, classifies Documents for secure sharing
  • Revoke access to Documents
  • Track Sensitive documents

Microsoft 365 Business will help you to compete more efficiently, sell more services and retain customers because it brings all of the technology that small business need at a single per-user/per-month price point.

Microsoft 365 Business brings together the security and innovation of Windows 10 with the power and familiarity of Office 365 and streamlined management and maintenance capabilities built specifically for small and mid-sized businesses. Microsoft 365 Business is designed to help keep company data secure while ensuring employees are their most productive, in the office or on the go.

With productivity apps such as Word and Excel, cloud storage, email and calendaring, and an exceptional chat-based workspace to bring teams together, your customers will be able to achieve more as they create and collaborate with people inside and outside their company in ways that they never dreamed possible.

Microsoft 365 Business standardizes your customer’s devices on Windows 10, the most secure Windows ever. Building upon this strong foundation, Microsoft 365 Business adds cloud-based management and servicing, which helps ensure that customer devices are properly configured to take advantage of the security innovations in Windows 10 and significantly reduces the business’s risk profile.

Microsoft 365 Business also includes mobile application data and device management, even on personal devices. With this functionality, when an employee leaves the organization, or loses their device, for example, you are going to be able to protect your customers’ company data, while reassuring the employee that her pictures and text messages remain private on her personal device.

Since Microsoft 365 Business is cloud-delivered and enabled, you can count on automatic updates to keep your customers’ apps and devices current with the latest and greatest security protection and features from Microsoft. Your customers will get to host their data on the same cloud that hosts data from over 85% of Fortune 500 companies.

This is all made more efficient for you through the Admin Console. The Admin Console not only simplifies things on your end, but gives you self-service tools that can lower delivery costs and increase consulting and managed services margins. This frees up time on your end to invest in new capabilities that expand your business into new market areas.

Microsoft 365 Business Premium: Checklist for securing remote work

Because Small and Medium Businesses have different security needs and attitudes, the checklist includes suggested recommendations for two common scenarios.

  • The normal scenario is designed for a typical business that wants to enable secure remote work and balance ease of use with security.
  • The high risk scenario is more appropriate for a business that wants to maximize security protections and has higher concern for risk (for example, to adhere to regulatory requirements such as HIPAA or GLBA). This business is also willing to put more effort into maintaining security and control of the work from home environment.

Both sets of defaults are intended to provide a starting point for a serious discussion around the security and compliance options available, rather than prescriptive guidance. One of the first and most important things that IT leaders and business leaders can do is talk through the possibilities.

| Setting | Recommended settings – normal scenario | Recommended settings – high risk scenario |
|---|---|---|
| Set up tenant | | |
| Decide between hybrid & cloud-only identity | Hybrid, Azure AD Connect | Hybrid, Azure AD Connect |
| Azure AD Connect – sign-in method | Password Hash Sync | Password Hash Sync |
| Azure AD Connect – single sign-on | Enabled | Enabled |
| Azure AD Connect – on-premises attribute for Azure AD username | userPrincipalName | userPrincipalName |
| Azure AD Connect – password writeback | Enabled | Enabled |
| Decide on email migration strategy | Hybrid Agent | Hybrid Agent |
| Configure DNS domains | Situational | Situational |
| Configure identity protection | | |
| Plan for administrative access | Required | Required |
| Configure dedicated admin accounts | Recommended | Recommended |
| Multi-factor authentication (MFA) for admins | Security defaults | Required, Conditional Access |
| Multi-factor authentication (MFA) for users | Security defaults | Required, Conditional Access |
| Self-service password reset (SSPR) | Enabled – All | Enabled – All |
| Combined security information registration | Enabled – All | Enabled – All |
| Configure email protection | | |
| Enable Common Attachment Types filter | Recommended | Required |
| Enable transport rule for attachments with Office macro extension | Warn | Block |
| Enable transport rule to block auto-forwarded email | Recommended | Required |
| Enable Sender Policy Framework (SPF) to help prevent spoofing | Required | Required |
| Enable DomainKeys Identified Mail (DKIM) to help prevent spoofing | Optional | Signed, all domains |
| Enable DMARC policy to validate email | Enabled, p=quarantine | Enabled, p=reject |
| Enable Office 365 ATP policies | Recommended policies | Required, with spear phish |
| Configure information governance | | |
| Set up Data Loss Prevention (DLP) | Recommended, using default policy | Enabled for sensitive data types (GLBA, HIPAA, etc.) |
| Enable email encryption | Office 365 Message Encryption | Sensitivity Labels |
| Enable retention policies | None | Enabled |
| Enable sensitivity labels | Optional | Enabled, default or custom labels |
| Configure Teams security | | |
| Teams governance (to allow users to create Teams on their own) | Defaults | Restrict groups settings |
| Guest access (to allow external users to fully participate in teams & channels) | Enabled | Enabled |
| External chat (to allow external users to initiate chat) | Allowed, default policy | Restricted |
| 3rd party cloud storage | Defaults | Off |
| Meeting policy and settings | Defaults | Block anonymous |
| Messaging policy | Defaults | Defaults |
| OneDrive for Business sharing | Anyone | Require login |
| Migrate files to Teams & OneDrive for Business (to enable recovery) | Required | Required |
| Manage devices | | |
| Onboard existing Active Directory joined PCs | Hybrid Azure AD Join | Hybrid Azure AD Join |
| Provision new/refreshed company PCs | Azure AD join, Autopilot recommended | Azure AD join, Autopilot recommended |
| Configure app protection policies for company owned PCs | Enabled, encrypt data only | Encrypt + block relocation |
| Block/Allow access from employee owned mobile devices | Allowed, default app protection policy | Block client app access, block web downloads |
| Block/Allow access from employee owned PCs | Block client app access, block web downloads | Block client app access, block web downloads |
| Enable device configuration profiles | Basic config profile | Endpoint security profiles |
| Enable device compliance policies | Optional | Enforced, Conditional Access |
| Secure remote access | | |
| Access to on-premises data & apps (existing VPN) | Split-tunnel VPN | Split-tunnel VPN |
| Access to 3rd party cloud apps | Azure AD Single sign-on (SSO) | Azure AD Single sign-on (SSO) |
| Access to on-prem web apps | Azure AD App Proxy | Azure AD App Proxy |
| Access to desktop apps | Windows Virtual Desktop (WVD) | Windows Virtual Desktop (WVD) |

Enable your business to run from anywhere, with peace of mind.

GCP Security best practice: Access to networks and network services

This Google Cloud Platform security best practice is part of the Identity and Access Management security domain.

Personnel, contractors and 3rd party personnel shall only be provided with access to the network and network services that they have been specifically authorized to use.

Cloud IAM lets you control who can access your projects. You can grant and scope permissions to specific GCP resources in your projects. Cloud IAM roles can be granted to a specific Google user account, service account, or group, or to everyone in a domain. You can also set Cloud IAM roles at the organizational level, folder level, or project level to allow projects and resources to inherit the Cloud IAM permissions.

Data and asset owners shall review users’ (personnel, contractors and 3rd party personnel) access rights at regular intervals. Review cycles shall be scheduled monthly, quarterly or yearly, depending on use and criticality.

Forseti IAM Explain can help with auditing IAM permissions, and custom tools can perform audits through the IAM APIs. You can further enforce domain restricted sharing using the domain restricted sharing organization policy.
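As an added example (not code from the page, from Forseti or from Google), the script below performs the kind of periodic access-rights review described above over a Cloud IAM policy in the JSON form that `gcloud projects get-iam-policy PROJECT --format=json` returns: it flags members outside the allowed domains (the condition the domain restricted sharing org policy, `constraints/iam.allowedPolicyMemberDomains`, enforces at grant time), public principals, and basic roles. The policy, project id and allowed domains are constructed for the example.

```python
# Added example, not the page's or Google's code: offline review of a Cloud IAM
# policy in the JSON shape that gcloud emits. Findings mirror what the domain
# restricted sharing org policy (constraints/iam.allowedPolicyMemberDomains)
# would block, plus public principals and basic (owner/editor/viewer) roles.
import json

# Constructed sample policy; only the "bindings" list matters for the review.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "user:bob@contractor.example.net"]},
    {"role": "roles/viewer",
     "members": ["allAuthenticatedUsers", "group:devs@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:ci@my-proj.iam.gserviceaccount.com",
                 "allUsers"]}
  ]
}
""")

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def member_domain(member):
    """Domain of a user:/group:/serviceAccount: member, or None for others."""
    kind, _, ident = member.partition(":")
    if kind in ("user", "group", "serviceAccount") and "@" in ident:
        return ident.rsplit("@", 1)[1]
    return None


def review_policy(policy, allowed_domains):
    """Return (role, member, reason) findings for an access-rights review."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((role, member, "public principal"))
                continue  # no domain to check; a basic-role note would be noise
            domain = member_domain(member)
            if domain is not None and domain not in allowed_domains:
                findings.append((role, member, "outside allowed domains"))
            if role in BASIC_ROLES:
                findings.append((role, member, "basic role granted"))
    return findings


if __name__ == "__main__":
    allowed = {"example.com", "my-proj.iam.gserviceaccount.com"}
    for role, member, reason in review_policy(SAMPLE_POLICY, allowed):
        print(f"{reason:24} {role:30} {member}")
```

Feeding it the real policy of each project on the review schedule (monthly, quarterly or yearly) gives the data owner a concrete list to approve or revoke.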

GCP Security best practice: Security and BC/DR

This Google Cloud Platform security best practice is part of the Business Continuity & Disaster Recovery security domain.

The local and remote site recovery of the security infrastructure and functionality is a required component of business continuity and disaster recovery planning and documentation.

If the customer’s production environment is on-premises or with another cloud provider, Google Cloud Platform can be useful as a target for backups and archives. Using Carrier Interconnect, Direct Peering and/or Compute Engine VPN, you can adapt the disaster recovery strategies to your own situation.

Means of standardization across virtual infrastructure for systems, supported OS types and patch levels logically segregated by tiers shall be implemented. An exception review process will be instituted to justify and allow any non-standard virtual deployments.

A Business Impact Analysis shall be developed to address cloud components and operations and their overall criticality and recovery requirements in maintaining business function.

An audit of all third-party hosted systems shall be conducted to ensure that those assets are included in the CMDB.

GCP Security best practice: Network Security Management

This Google Cloud Platform security best practice is part of the Network & Infrastructure Security security domain.

The capability shall configure its IT systems to:

  • monitor and control communications at the external boundary and at key internal boundaries within the system;
  • have a limited number of access points, to allow for more comprehensive monitoring of inbound and outbound communications and network traffic; and
  • connect to external networks or IT systems only through managed interfaces consisting of boundary protection devices.

The capability shall implement a dedicated and isolated computing environment for sensitive systems. For shared networks, especially those extending across Client’s boundaries, the capability of users to connect to the network shall be restricted, in line with the Client’s access control policy and requirements of the business applications.

Applying the right firewall rules to the right VMs in an environment is a way to provide least-privilege network access.

Service accounts and network tags cannot be mixed in any firewall rule definition. This restriction affects ingress firewall rules in the following way: if you use a service account for the source filter or the target, then neither the target nor the source filter can be a network tag.

GCP uses a connection tracking table to support stateful firewall filtering. The maximum number of connections in the table depends on the instance type.

Firewall rules are applied to the VPC network on which your GCE instances reside. They apply to both inbound (ingress) and outbound (egress) traffic, and can also be applied between instances in your network. Firewall rules can be set to allow or deny traffic based on protocol, ports and IP addresses. Recommended practice:

  • Keep your firewall rules in line with the principle of least privilege. To let traffic through, create firewall rules that explicitly allow only the traffic your applications need in order to communicate.
  • Assign the Compute Security Admin role to your security or networking team so that they can configure and modify the firewall rules on your network.
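As an added example (not code from the page or from Google), the script below audits firewall rule definitions offline, in the JSON shape that `gcloud compute firewall-rules list --format=json` returns, for the two points made above: a rule must not mix service accounts with network tags, and ingress allow rules should be scoped to least privilege (no any-source ranges, no all-port allows, and an explicit target). The rules, project name and service accounts are constructed for the example.

```python
# Added example, not the page's or Google's code: offline audit of VPC firewall
# rule definitions as exported by gcloud. check_rule() applies the page's
# service-account/network-tag restriction and a few least-privilege checks;
# the sample rules below are constructed and would not all be accepted by GCP.
import json

SAMPLE_RULES = json.loads("""
[
  {"name": "allow-ssh-anywhere", "direction": "INGRESS",
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "web-from-lb", "direction": "INGRESS",
   "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"], "sourceTags": ["lb"],
   "targetServiceAccounts": ["web@my-proj.iam.gserviceaccount.com"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
  {"name": "db-from-web", "direction": "INGRESS",
   "sourceServiceAccounts": ["web@my-proj.iam.gserviceaccount.com"],
   "targetServiceAccounts": ["db@my-proj.iam.gserviceaccount.com"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
  {"name": "all-internal", "direction": "INGRESS",
   "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]}
]
""")


def uses(rule, *keys):
    return any(rule.get(k) for k in keys)


def check_rule(rule):
    """Return the list of problems found in one rule (empty when clean)."""
    problems = []
    # Service accounts and network tags are mutually exclusive within a rule.
    if uses(rule, "sourceServiceAccounts", "targetServiceAccounts") and uses(rule, "sourceTags", "targetTags"):
        problems.append("mixes service accounts and network tags")
    if rule.get("direction") != "INGRESS" or "allowed" not in rule:
        return problems  # least-privilege checks below target ingress allows
    if "0.0.0.0/0" in rule.get("sourceRanges", []):
        problems.append("allows ingress from any IPv4 source")
    for entry in rule["allowed"]:
        proto = entry.get("IPProtocol")
        if proto == "all" or (proto in ("tcp", "udp") and not entry.get("ports")):
            problems.append(f"allows every port for protocol {proto}")
    if not uses(rule, "targetTags", "targetServiceAccounts"):
        problems.append("no target: applies to every instance in the network")
    return problems


def audit(rules):
    """Map rule name -> problems, for rules with at least one problem."""
    checked = ((r["name"], check_rule(r)) for r in rules)
    return {name: probs for name, probs in checked if probs}


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_RULES).items():
        print(name, "->", "; ".join(problems))
```

Only `db-from-web`, which scopes both source and target by service account and a single port, passes clean; the other three are exactly the rules a least-privilege review would send back.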

GCP Security best practice: Incident Reporting

This Google Cloud Platform security best practice is part of the Incident Response Management security domain.

Incident-related data shall be collected and incident metrics shall be reported.

All incidents shall be analysed for root cause, to generate recommendations for improvement for consideration by the Client.

Procedures shall exist to track and document information system security incidents and related solutions in accordance with incident management work instructions.

Customer-initiated incident response includes a Gold or Platinum contract that entitles the customer to 24/7 support with an under-an-hour SLA and phone support. If customer staff are in multiple time zones, it is beneficial to give details about when each should be contacted.
Customers should monitor the relevant email address (the project owner email address) regularly so that they know as soon as their project is warned.

GCP Security best practice: Scalable Architecture for Logging and Monitoring

This Google Cloud Platform security best practice is part of the Logging and Monitoring security domain.

The solution shall support scaling of the ingest, index, and search layer based on data ingest and usage profiles. The scalability model shall be refined enough to add capacity in hours.

1 – GCP has native search/filter capabilities in Stackdriver, per project. Stackdriver Logging is a fully managed service in GCP that can ingest application and system log data from VMs and analyze log data in real time. Customers can collect data via Stackdriver agents that scale as needed:

  • Admin console logs – admin console audit logs, user audit logs, separate API and UI logs
  • GCP console audit logs – Admin Activity logs (always enabled); Data Access logs (disabled by default)
  • VMs running the Stackdriver agent – common third-party applications, system software
  • Network logs – VPC Flow Logs, Cloud CDN logs

2 – You can export to BigQuery for additional analysis.

3 – Or export to Pub/Sub and use connectors that integrate with Elasticsearch.

GCP Security best practice: Integration with Risk Management

This Google Cloud Platform security best practice is part of the Vulnerability and Threat Management security domain.

Vulnerabilities shall be analyzed for their impact on identified risks. Technical vulnerabilities shall be aligned with, and inform, the risks in the risk register and the effectiveness of controls. The customer is to integrate this with their risk management solution.

Regularly scheduled penetration testing of its perimeter and public-facing environment shall be conducted.

Customers who plan to evaluate the security of their GCP infrastructure with penetration testing are not required to contact Google to begin testing.
Customers must abide by the Cloud Platform Acceptable Use Policy and the Terms of Service and ensure that tests only affect their own projects (and not other customers’ applications). If a vulnerability is found, customers can report it via the Vulnerability Reward Program.

GCP Security best practice: Data Protection and Monitoring Handling Procedures

This Google Cloud Platform security best practice is part of the Data Protection security domain.

Procedures for labeling, handling, and protecting the confidentiality and integrity of personal information, test data, production data, and data involved in online transactions to prevent contract dispute and compromise of data shall be established. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.

Areas where potential information leakage can occur shall be identified, and appropriate controls to mitigate it shall be implemented.

Customers can use the Cloud DLP API to better understand and manage sensitive data. It provides fast, scalable classification and redaction for sensitive data elements such as credit card numbers, names, social security numbers, US and selected international identifier numbers, phone numbers, and GCP credentials. VPC Service Controls and organization policies can be used too.

GCP Security best practice: Data Ownership & Inventory

This Google Cloud Platform security best practice is part of the Data Protection security domain.

Appropriate ownership of data shall be assigned, and procedures established to classify, monitor, and update data in accordance with its classification policies. Policies and procedures shall be in place to inventory, document, and maintain data flows, to ascertain any regulatory or statutory impact and to address any other business risks associated with the data.

This is a customer responsibility. The Cloud Data Loss Prevention (DLP) API can help scan PII (credit card numbers, names, social security numbers, US and selected international identifier numbers, phone numbers, and GCP credentials) data and classify sensitive data within text content.