In a recent survey of IT managers and directors in enterprises with more than 1,000 employees, 39.5% of respondents said that service providers take full responsibility for protecting applications and data in the public cloud. Another 33.8% said that customers are fully responsible for public cloud security.
Just 26.7% of respondents gave the correct answer — that the cloud operates under a shared responsibility model in which the service provider secures the infrastructure and the customer protects the applications and data.
Microsoft Office 365 is no exception to this rule. The infrastructure supporting the Office 365 platform is highly secure, but customers must take steps to protect sensitive information and high-value corporate assets. Organizations need an effective strategy for controlling access to data and preventing data leaks while empowering users to take full advantage of the rich collaboration features of Office 365.
The first step is to recognize that not all of the data stored in Office 365 needs the same level of protection. Organizations should evaluate their Office 365 data and classify it based upon sensitivity. Three levels are usually sufficient for establishing data protection policies:
- Level 1 standards apply to most data, which generally will require only the default level of protection afforded by Office 365. Data is encrypted at rest and in transit and can only be accessed by authenticated users. Some organizations will need higher levels of protection, such as multi-factor authentication, to meet their minimum standard.
- Level 2 standards apply to sensitive data. Organizations may use Office 365 Data Loss Prevention (DLP) or Azure Information Protection to enforce policies related to the identification, monitoring and protection of sensitive information. For example, rules can be set that restrict access to or sharing of sensitive content.
- Level 3 standards are designed to protect an organization’s most valuable information assets. This might require the Advanced Data Governance features of Office 365 and more stringent access controls and credentials management using Azure AD Identity Protection.
Once the policies are established, organizations should identify and classify Level 2 and Level 3 assets and more precisely define the technologies and processes that will be used to automatically apply the appropriate security controls. Organizations should also establish minimum security standards for user authentication and the devices accessing Office 365.
The Office 365 Secure Score can help organizations determine if they have the right security settings and practices to protect their data. Any organization that has a subscription to Office 365 Enterprise, Microsoft 365 Business or Office 365 Business Premium can take advantage of this feature by visiting https://securescore.office.com or using the Secure Score widget in the Security & Compliance Center. (Only administrators can access Secure Score.)
Secure Score compares an organization’s Office 365 settings and activities to minimum standards and assigns points for configuring security features or performing certain tasks. The score is automatically updated every day, allowing administrators to see the impact their actions have on their organization’s Secure Score.
More importantly, Secure Score gives administrators recommendations on steps they can take to improve their organization’s score. The recommendations include details on the cost to implement, the impact on users and the types of threats the action will protect against.
Of course, there’s no substitute for a detailed assessment by Microsoft experts. That’s why AdaptivEdge has developed a two-day, three-step approach that exceeds the Gold Standard set by Microsoft. And now we’re offering this engagement free to qualifying organizations.
Written and composed by Principal, Steve Soper