This article is a repost of an article I wrote for SkySync. Read it here. I added a 6th tip as a little treat for you.
Begin original post
When it comes to cloud services, people seem to have different ideas about responsibilities than they had when hosting their systems on-premises. Because a cloud service is not hosted by the customer, some of the basic rules of security get forgotten. People seem to think that because Microsoft hosts Office 365, everything security-related should be done by Microsoft. Unfortunately, they couldn't be more wrong. Microsoft protects the platform: it keeps malicious people out of Microsoft's systems and keeps your data from being lost because of an outage or a problem on the infrastructure side. But if somebody knows your username and password combination, there is not a lot Microsoft can do about it; to the service, that login is you. During the on-premises era we were aware of this risk and most companies had security policies in place. With Office 365, data has become accessible from all over the world, and it is crucial to be aware of that and act on it by implementing additional security measures.
In this blog post I am going to show you how you can improve your security without breaking the bank. In most cases, if you have a full Office 365 license, the next 5 tips will be available for you to implement. If you only pay for a subset of the services, such as Exchange Online on its own, your options will be more limited.
Enable multi-factor authentication. Most people are just not good with usernames and passwords.
They reuse the same password for everything. If we force them to change it every 90 days, that triggers a behavior where passwords are written down on notes or post-its, defeating the purpose of a password. Within Office 365 it is possible to activate multi-factor authentication; it is included in your authentication service (Azure Active Directory). Users register their preferred second factor: the authenticator app, a phone call, or a text message. Prefer the app where you can. A phone call or text message is better than nothing, but a phone number can be ported or intercepted at the carrier, while a push notification or one-time code from the app cannot be taken that way. Since your authentication now requires both something you know (the username and password combination) and something you have (your phone), a stolen password on its own no longer gets an attacker in. At the same time, it lets your organization be a little more relaxed with its password policy, since the security of the platform no longer rests on the password alone. If you would like to know how to set up multi-factor authentication in your Office 365, check out this documentation.
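Turning MFA on is only half the job; you also want to know who has not registered a second factor, and who is relying on a text message only. The following audit script is an added example and not part of the original post. It uses the legacy MSOnline module (Install-Module MSOnline), assumes a global admin account, and the $enforce switch is my own guard so the script is read-only unless you flip it.

```powershell
# Added example (not from the original post): list users with no MFA method
# registered, flag users who only have a phone-based method, and optionally
# enforce per-user MFA for everyone who is not yet enforced. Uses the legacy
# MSOnline module; $enforce is my own read-only guard.
Import-Module MSOnline
Connect-MsolService

$enforce = $false

# Licensed, non-blocked accounts are the population that matters.
$users = Get-MsolUser -All | Where-Object { $_.IsLicensed -and -not $_.BlockCredential }

# StrongAuthenticationMethods is empty until the user registers a second factor;
# StrongAuthenticationRequirements is empty until per-user MFA is turned on.
$noMethod    = @($users | Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 })
$notEnforced = @($users | Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 })

"{0} of {1} active users have no MFA method registered" -f $noMethod.Count, $users.Count
$noMethod | Select-Object UserPrincipalName, DisplayName | Sort-Object UserPrincipalName | Format-Table -AutoSize

# Users whose only methods are SMS or voice: the authenticator app (MethodType
# PhoneAppOTP / PhoneAppNotification) is the stronger factor.
$phoneOnly = @($users | Where-Object {
    $_.StrongAuthenticationMethods.Count -gt 0 -and
    -not ($_.StrongAuthenticationMethods | Where-Object { $_.MethodType -like "PhoneApp*" })
})
"{0} users rely on a phone call or text message only" -f $phoneOnly.Count
$phoneOnly | Select-Object UserPrincipalName, DisplayName | Format-Table -AutoSize

if ($enforce) {
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = "*"
    $req.State = "Enabled"   # "Enabled" prompts the user to register at next sign-in
    foreach ($u in $notEnforced) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @($req)
    }
}
```

Run it read-only first and look at the two lists; the "no method" list is the one that tells you how exposed you really are, since an account with a reused password and nothing else registered is exactly the account the tip above is about.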
Email: Enable Client Rules Forwarding Block. When you use Office 365, you want to prevent your data from leaving the organization by mistake or accident. Most people will point to Data Loss Prevention (DLP) for this. However, DLP needs an additional license or an upgrade of your existing one. People have lots of email addresses, some personal, some professional. Sometimes we see people set up a client rule that forwards or redirects all their mail to a personal address so they have one centralized mailbox. Of course, this is not the way to use your professional mailbox: it moves company data outside the company and increases the chances of a data breach or leak. The same kind of rule is also one of the first things an attacker creates after getting into a mailbox, so that a copy of every message keeps flowing out even after the password is reset. The cheapest way to block it is a transport rule (mail flow rule) in Exchange Online:
IF the sender is located 'Inside the organization' AND the recipient is located 'Outside the organization' AND the message type is 'Auto-Forward', THEN reject the message with the explanation 'External Email Forwarding via Client Rules is not permitted'.
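The same rule created from Exchange Online PowerShell, followed by the audit you want alongside it. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module and an Exchange admin account, and the rule name is my choice. The rule rejects the forwarded messages but does not remove the forwarding that produced them, so the second half lists mailbox-level forwarding and forwarding inbox rules for you to clean up.

```powershell
# Added example (not from the original post): the transport rule described
# above, plus an audit of mailbox forwarding and forwarding inbox rules.
# Assumes ExchangeOnlineManagement is installed; $ruleName is my choice.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Internal sender + external recipient + Auto-Forward message type -> reject.
$ruleName = "Block client rules forwarding externally"
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope InOrganization `
        -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText "External Email Forwarding via Client Rules is not permitted" `
        -RejectMessageEnhancedStatusCode "5.7.1" `
        -Priority 0
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

# Forwarding configured on the mailbox itself (OWA settings or Set-Mailbox),
# which needs no inbox rule at all.
"Mailboxes with a forwarding address set:"
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# Inbox rules that forward or redirect: the trail a compromised account leaves.
"Inbox rules that forward or redirect:"
$mailboxes | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n = 'Mailbox'; e = { $_.MailboxOwnerId } }, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
} | Format-Table -AutoSize
```

Review the two lists with the mailbox owners before deleting anything; a forwarding rule the user never created is your cue to treat that account as compromised rather than as a policy violation.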
Mobile: Enable mobile device management services. We can't ignore it anymore: phones have become an extension of our workplace. And, to make it worse from a security perspective, a lot of company data is on that phone. Emails, contacts, files, all of it can be found on most of our phones. But do we trust end users to set up their phones as securely as possible? Do we feel the basic setup is enough? If you allow your end users to connect their mobile device, do you have a security policy in place? For desktops and laptops we tend to have a set of rules delivered through group policies or a similar process, but organizations tend to overlook the same need when it comes to mobile phones. Mobile Device Management (MDM) is natively available in Office 365. To set up MDM you can go through the documentation here. With MDM you can define any number of additional requirements, such as a device PIN and device encryption, and it gives you the ability to wipe a device remotely when needed. Why would you wipe a phone? Phones get stolen, lost or decommissioned all the time, and the last thing you want is your corporate data left on the phone, ready to be read by people who shouldn't be reading it.
Documents: Configure expiration time for external sharing links. In a world where collaboration is the new norm and where people try to make sure content is used as efficiently as possible, it shouldn't come as a surprise that more and more organizations use Office 365 to share externally with partners. There are many benefits to external sharing over email. You stay in control of the content: when a new version is delivered, the external party just needs to reopen the document. You control the permissions on it, and so on. However, when we share information we tend not to ask ourselves how long external links should stay active. Is this sharing a one-time thing or a long-term collaboration? Sharing with named accounts is one thing, but it becomes a security problem when we send out links where no sign-in is required: anyone who obtains the link, by forwarding, a leaked mailbox or a browser history, can open the content. Since these questions should be answered at the organizational level as well as the individual level, we want to make sure that at least an expiration time for anonymous links is defined at the admin level. Unfortunately, there is no user interface for this setting (yet). For now, you need to define it through PowerShell. You can use this script to set the expiration to 30 days.
# Requires the SharePoint Online Management Shell (Microsoft.Online.SharePoint.PowerShell)
Import-Module Microsoft.Online.SharePoint.PowerShell
$tenantName = "yourTenantName"
$expirationInDays = 30
Connect-SPOService -Url "https://$($tenantName)-admin.sharepoint.com"
Set-SPOTenant -RequireAnonymousLinksExpireInDays $expirationInDays
# Verify that the tenant-wide setting took effect
Get-SPOTenant | Select-Object RequireAnonymousLinksExpireInDays
This applies to anonymous links tenant-wide, including links created before you set it. People can still pick a shorter expiration when they create a link, but they cannot extend it beyond the number of days you set here, so at least every anonymous link now has a known end date. And if a site never needs anonymous links at all, turn them off for that site entirely rather than relying on expiration.
Sync only to domain joined computers. One of the most used features of SharePoint Online and OneDrive for Business is the sync functionality. It makes your content available offline, and most people like it because it reminds them of working with a file server. However, when you allow synchronization to computers that you do not manage, you can be in for some serious data loss or a breach. The security of home computers is in most cases not good enough to store corporate data. In Office 365 you can restrict synchronization to domain joined computers. People can still use Office 365 from other machines through the browser; they are just not allowed to sync the data to that computer. The setting is found under OneDrive Admin (https://admin.onedrive.com) > Sync, and it asks you for the GUIDs of the Active Directory domains whose members are allowed to sync.
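The same restriction set from PowerShell, which is handy because the admin center wants the domain GUIDs and people rarely have those at hand. This is an added example and not code from the original post. It assumes the SharePoint Online Management Shell and the ActiveDirectory RSAT module are installed, that you run it on a machine joined to the forest whose domains may sync, and that "yourTenantName" is replaced with your tenant.

```powershell
# Added example (not from the original post): restrict the OneDrive/SharePoint
# sync client to computers joined to your Active Directory domains, using
# PowerShell instead of admin.onedrive.com > Sync. Assumes the SPO Management
# Shell and the ActiveDirectory module; "yourTenantName" is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module ActiveDirectory

$tenantName = "yourTenantName"
Connect-SPOService -Url "https://$($tenantName)-admin.sharepoint.com"

# The restriction is keyed on AD domain GUIDs. Collect the GUID of every
# domain in the forest; a machine joined to any other domain, or to no
# domain, gets the sync client blocked. Microsoft's examples separate
# multiple GUIDs with semicolons.
$domainGuids = (Get-ADForest).Domains | ForEach-Object {
    (Get-ADDomain -Identity $_).ObjectGUID.Guid
}
$guidList = $domainGuids -join ";"
"Allowing sync for domain GUIDs: $guidList"

# -BlockMacSync is optional: Macs are never domain joined in the same way,
# so decide explicitly whether the (unmanaged) Mac client stays allowed.
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $guidList

# Verify: TenantRestrictionEnabled should be True and AllowedDomainList
# should contain the GUIDs above.
Get-SPOTenantSyncClientRestriction
```

Two caveats a practitioner runs into: the setting matches on-premises Active Directory domain GUIDs, so a device that is only Azure AD joined has no GUID to match and needs Conditional Access or Intune instead; and it only blocks the sync client, so browser access and the Office apps still work from unmanaged machines, which is exactly the behaviour the tip describes.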
These are all easy things you can do to make your Office 365 more secure. Keyword: YOU. Securing your Office 365 is not just Microsoft's responsibility. It should be a joint effort. Microsoft is responsible for the things you cannot control, like uptime and high availability. But your responsibility is just as important as Microsoft's.
As a little treat, I will throw in a 6th one. Customize your login page. This helps against phishing. A phishing attack leads the user to a fake login page that asks for a username and password, hoping the user will not notice the difference between the real page and the fake one. With Azure Active Directory you can change the Office 365 login page so it carries your logo, a tag line and some basic company information. Many phishing kits will not go to the trouble of copying your custom page, so if your end users see the plain, unbranded page where they expect yours, they have a clue that something is wrong. Treat this as a visual cue, not a control: a determined attacker can copy your branding, and a reverse-proxy phishing page that relays the real sign-in will show your real branding, so this tip complements multi-factor authentication rather than replacing it. Since AAD company branding is part of the Office 365 license, it is available to you for free. Read the documentation here.