As a managed cloud security company we are often asked why “my environment” is not secure by default, as delivered by Microsoft. The question is even more pressing for Microsoft/Office 365: the majority of small and medium businesses that use Office 365 do not have a dedicated security department that is well versed in cloud security. To answer it, let’s look at the following example.
Here is what the Secure Score looks like with all of the default settings as provided by Microsoft (your own results may vary, as you may have different options or features enabled in your own subscription). This sample subscription is on the Office 365 E3 plan.
Let’s take this example one step further: we audited the same subscription against the CIS Microsoft 365 Foundations Benchmark version 1.2.0. To keep it practical, we used only the E3 Level 1 profile from that benchmark. Items in this profile apply to customer deployments of Microsoft 365 with an E3 license and are intended to:
- be practical and prudent
- provide a clear security benefit; and
- not inhibit the utility of the technology beyond acceptable means.
What we discovered was a bit sobering:
- In total, 44 of the 52 controls audited received a “Fail” mark
- Only 8 controls received a “Pass” mark
- Account / Authentication section: 7 Failed, 4 Passed
- Application Permissions section: 2 Failed, 0 Passed
- Data Management section: 4 Failed, 0 Passed
- Email Security / Exchange Online section: 9 Failed, 2 Passed
- Auditing section: 10 Failed, 2 Passed
- Storage section: 3 Failed, 0 Passed
- Mobile Device Management section: 9 Failed, 0 Passed
By now you have probably formed a well-informed opinion about the quality of the default security settings in Microsoft/Office 365.
I don’t think anyone can answer our initial question definitively (perhaps someone at Microsoft can), but we can show unequivocally that, even without an in-depth review of the business requirements around the security of data in the cloud, there is plenty of room to improve the security of ANY Microsoft/Office 365 environment.
I would strongly advise every business using Office 365 to perform an in-depth review of its security settings to make sure its business data is secure in the cloud. Remember that even on a Software-as-a-Service platform such as Microsoft/Office 365, security is a shared responsibility: Microsoft secures the underlying service, but configuring the tenant and protecting the data in it falls on YOU, not on Microsoft. You are given a multitude of security controls that can be enabled and configured, but in the end you need to analyze them and make sure they meet your particular business requirements.