<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Consultant</title>
	<atom:link href="https://www.riskinsight-wavestone.com/en/author/alexandre-mazars/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.riskinsight-wavestone.com/author/alexandre-mazars/</link>
	<description>The cybersecurity &#38; digital trust blog by Wavestone&#039;s consultants</description>
	<lastBuildDate>Wed, 21 Oct 2020 13:26:17 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/Blogs-2024_RI-39x39.png</url>
	<title>Consultant</title>
	<link>https://www.riskinsight-wavestone.com/author/alexandre-mazars/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>How to manage administration in Microsoft 365?</title>
		<link>https://www.riskinsight-wavestone.com/en/2020/10/how-to-manage-administration-in-microsoft-365/</link>
		
		<dc:creator><![CDATA[Alexandre Mazars]]></dc:creator>
		<pubDate>Mon, 19 Oct 2020 13:03:15 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[administrator]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[Azure AD]]></category>
		<category><![CDATA[IAM]]></category>
		<category><![CDATA[MFA]]></category>
		<category><![CDATA[Office 365]]></category>
		<category><![CDATA[PIM]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=14420</guid>

					<description><![CDATA[<p>Within any infrastructure or application, privileged accounts are particularly sensitive accounts. Securing them is a key issue. This is especially true for SaaS services, where the shared responsibility model requires an organization to protect its data and identities, and the...</p>
<p>This article, <a href="https://www.riskinsight-wavestone.com/en/2020/10/how-to-manage-administration-in-microsoft-365/">How to manage administration in Microsoft 365?</a>, first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p style="text-align: justify;">Within any infrastructure or application, privileged accounts are particularly sensitive accounts. Securing them is a key issue. This is especially true for SaaS services, where the shared responsibility model requires an organization to protect its data and identities, and the Microsoft 365 suite is no exception.</p>
<p style="text-align: justify;"><strong>In fact, if there&#8217;s one thing you need to protect, it&#8217;s your administrators!</strong></p>
<p style="text-align: justify;">Whether it concerns authentication methods, third-party application permissions granted via APIs (allowing a third-party application to synchronise data with an external storage service, for example) or changes to retention policies, a single administrative action can affect the data and security of the whole tenant. To make the point explicit: a Global Administrator can access all data and manage every setting of Office 365, Windows 10 and Azure AD, and, by elevating their own access, every Azure subscription attached to the tenant as well.</p>
<h1 style="text-align: justify;">What are the native functionalities in the Microsoft platform?</h1>
<h2 style="text-align: justify;">Which rights models within Microsoft 365?</h2>
<p style="text-align: justify;">To date, Microsoft 365 offers two main levels of rights. Combined, they allow administrative rights to be delegated in a way that fits different organisational models (small / medium / large, centralised / decentralised):</p>
<ul style="text-align: justify;">
<li>Azure AD roles: Administration of Azure AD and Microsoft 365 services;</li>
<li>RBAC roles: Administration of objects within services.</li>
</ul>
<h4 style="text-align: justify;">First level: using Azure AD roles to manage services</h4>
<p style="text-align: justify;">The person who opens the tenant automatically receives the Global Administrator role and can then appoint other administrators. Global Administrator rights should be used as little as possible, to limit the exposure of administration accounts: good practice is to keep this role to a maximum of 3-4 accounts, and for almost every action there is an equivalent service administration role (e.g. SharePoint Administrator, User Administrator, etc.) that should be used instead.</p>
<p style="text-align: justify;">These service administration roles are also known as <a href="https://docs.microsoft.com/en-en/microsoft-365/admin/add-users/azure-ad-roles-in-the-mac?view=o365-worldwide">Azure AD roles</a>. Each service can be viewed as an Azure AD application, and the administrator of a service is then the equivalent of that application's owner. At the time of writing, Microsoft offers 59 different roles, which provides a <strong>good level of segregation of rights</strong> in most cases.</p>
<p style="text-align: justify;">However, the built-in roles give access to the whole administration centre of a service, for the entire tenant, and in some cases also to the underlying data (for example SharePoint Administrator, Exchange Administrator and User Administrator).</p>
<p>&nbsp;</p>
<figure id="post-14425 media-14425" class="align-none"><img fetchpriority="high" decoding="async" class="aligncenter wp-image-14425 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/Image3.png" alt="" width="1750" height="1031" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/Image3.png 1750w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/Image3-324x191.png 324w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/Image3-66x39.png 66w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/Image3-120x70.png 120w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/Image3-768x452.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/Image3-1536x905.png 1536w" sizes="(max-width: 1750px) 100vw, 1750px" /></figure>
<p style="text-align: center;">Figure 1 – Example of sensitive rights</p>
<p style="text-align: justify;">In the case of <strong>advanced maturity</strong>, it is possible to go further in the segregation of rights by creating <strong>custom Azure AD roles</strong>. In concrete terms, this means deciding exactly which permissions the role carries (e.g. &#8220;microsoft.directory/applications/create&#8221; allows the holder to create applications in Azure Active Directory). Note that, at the time of writing, the permissions available to custom roles cover only a subset of the directory, mainly application management.</p>
<p style="text-align: justify;">The downside is that auditing the administration becomes more complicated, and that the evolution of the services must be monitored to ensure that the permissions remain consistent with the administrators' needs.</p>
<h4 style="text-align: justify;">Second level: Using the RBAC model to manage objects</h4>
<p style="text-align: justify;">Certain services such as Exchange Online, Intune, Security and Compliance Centres or Cloud App Security offer <a href="https://docs.microsoft.com/en-en/microsoft-365/security/office-365-security/permissions-microsoft-365-compliance-security?view=o365-worldwide">specific RBAC rights models</a>.</p>
<p style="text-align: justify;">As its name suggests, <em>Role Based Access Control</em> (RBAC) allows finer-grained permission management, with the ability to restrict a role to a defined perimeter (e.g. certain groups of users). For example, in Exchange Online it is possible to create &#8220;Helpdesk A&#8221; and &#8220;Helpdesk B&#8221; role groups, each bound to a management scope, to give support rights to two separate teams over perimeter A and perimeter B respectively.</p>
<h2 style="text-align: justify;">How to provision the accounts of administrators?</h2>
<p style="text-align: justify;">The first question is how to create an administrator&#8217;s identity. Two strategies are possible:</p>
<ul style="text-align: justify;">
<li>The creation of an account in the organisation&#8217;s identity repository, which will then be synchronised with Azure AD (ex: wavestone.com);</li>
<li>The creation of the account directly in Azure AD. This account will then be called &#8220;cloud-only&#8221; (example: wavestone.onmicrosoft.com).</li>
</ul>
<p style="text-align: justify;">Regardless of the administration role, it is recommended for a SaaS service such as Microsoft 365 that <strong>the account be located as close as possible to the administered resource</strong>. Here, this amounts to <strong>using cloud-only accounts</strong>. The objective is twofold: to protect against an unavailability of the organisation's identity repository, and against its compromise (an attacker who controls the on-premises directory must not be able to inherit the tenant's administrator accounts through synchronisation).</p>
<h2 style="text-align: justify;">How to assign permissions?</h2>
<p style="text-align: justify;">The second question is how to assign the right privileges to the administrative roles created.</p>
<h4 style="text-align: justify;">In the case of service administration</h4>
<p style="text-align: justify;">There are three ways to assign an Azure AD role (through a portal or the corresponding PowerShell cmdlet):</p>
<ul style="text-align: justify;">
<li>The <strong>Azure portal</strong> (portal.azure.com): this is <strong>the method</strong> to favour, as it assigns the rights as close as possible to the resources and supports PIM, which we discuss later in the article;</li>
<li>The <strong>Microsoft 365 portal</strong> (admin.microsoft.com): roles can also be assigned directly from the main administration portal. However, this method is not compatible with PIM;</li>
<li>The use of <strong>third-party IAM tools</strong>: these solutions now have connectors for Office 365 to provision identities and privileges. They offer less granularity, are not compatible with PIM and are a common source of errors. For example, the synchronisation is typically one-way, so an administration account deleted only in Azure AD reappears at the next run.</li>
</ul>
<p style="text-align: justify;">Note that it is also now possible to assign an Azure AD role to a (cloud-only) security group via a <a href="https://docs.microsoft.com/en-en/azure/active-directory/users-groups-roles/roles-groups-concept">preview feature</a>. This may simplify certain administrative models, for instance when the Unified Communications team needs both the SharePoint Administrator and Teams Administrator roles. Be careful with the management of such a group, however: anyone who can add members to it effectively holds the role, which is why Azure AD restricts membership management of role-assignable groups to Global Administrators, Privileged Role Administrators and the group's owners.</p>
<h4 style="text-align: justify;">In the case of the administration of objects</h4>
<p style="text-align: justify;">For RBAC roles, the definition of roles is done directly in the administration platform of the service concerned. It is then possible to assign the role in question manually or to a security group, in the portal or via an IAM solution.</p>
<p>&nbsp;</p>
<figure id="post-14423 media-14423" class="align-none"><img decoding="async" class="aligncenter wp-image-14423 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/Image2-1-e1603286671893.png" alt="" width="1492" height="948" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/Image2-1-e1603286671893.png 1492w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/Image2-1-e1603286671893-301x191.png 301w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/Image2-1-e1603286671893-61x39.png 61w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/Image2-1-e1603286671893-768x488.png 768w" sizes="(max-width: 1492px) 100vw, 1492px" /></figure>
<p style="text-align: center;">Figure 2 – Native functionalities of the solution</p>
<p>&nbsp;</p>
<h1 style="text-align: justify;">How to build and implement your administration model?</h1>
<h2 style="text-align: justify;">What strategy to define your rights model?</h2>
<p style="text-align: justify;">The construction of a delegation model must be based on the <strong>principle of least privilege</strong>. The core of the work is to make an inventory of the cases of Office 365 administration usage and to <strong>match your teams with the available rights</strong>.</p>
<p style="text-align: justify;">This can be an opportunity to rethink the organisation of teams dealing with the working environment. Two observations are quite significant:</p>
<ul style="text-align: justify;">
<li>Mobile devices and workstations are meant to be managed by unified endpoint management (UEM) solutions such as Intune, Workspace One or MobileIron, and therefore by the same team.</li>
<li>Security and compliance tools are increasingly integrated natively in Office 365. It is therefore necessary to break down the wall that existed between the workplace world and the security world, in order to create a team with the same ambition: to create and maintain a controlled and secure platform.</li>
</ul>
<p style="text-align: justify;">Office 365 has the particularity of bringing together a multitude of different services, such as file or information storage (SharePoint, OneDrive), communication tools (Exchange, Teams) but also security (Defender, Information Protection, etc.). It is therefore essential to group the services into categories and define a <strong>correspondence matrix</strong> between team and administration roles.</p>
<p style="text-align: justify;">Concretely, we advise you first to <strong>use the default Azure AD roles for service administration</strong>, <strong>and then to define more granular roles</strong> with RBAC and custom roles.</p>
<p style="text-align: justify;">It is also useful to <strong>identify the most sensitive roles</strong>, i.e. those giving access to data or to security settings (for example Global Administrator, Exchange Administrator, Security Administrator and Application Administrator, the last because it can add credentials to applications that already hold high-privilege API permissions), in order to adapt the protection of these roles accordingly.</p>
<h2 style="text-align: justify;">How to delegate administration rights on objects in a multi-entity context ?</h2>
<p style="text-align: justify;">Before talking about security in the strict sense of the word, there is another question. Although <strong>the configuration of services and security parameters can only be done centrally, local teams need to carry out support actions</strong>: creation or modification of an internal or guest account, resetting of authenticators, creation of a Microsoft 365 group or a distribution list, etc.</p>
<p style="text-align: justify;">The service administration roles, i.e. the Azure AD roles, <strong>do not offer privilege segregation by perimeter</strong>: an Exchange Online administrator can handle every mailbox in the tenant. Granting them to local teams is therefore not an option in complex organisations or in regulated contexts. Several strategies are available, depending on the maturity and complexity of the organisation.</p>
<p style="text-align: justify;">In the case of small structures, it is easiest to use the native functionalities:</p>
<ul style="text-align: justify;">
<li><strong>RBAC roles</strong>: RBAC Exchange and Intune roles generally provide the right level of granularity to manage objects in native portals;</li>
<li><strong>Administrative Units</strong>: Administrative Units, <a href="https://docs.microsoft.com/en-en/azure/active-directory/users-groups-roles/directory-administrative-units">finally in GA</a> since the end of September, are the equivalent of RBAC for Azure Active Directory. They take the form of containers of users and groups in which a scoped administrator (a subset of the Azure AD roles, such as User, Password or Helpdesk Administrator, can be assigned per unit) can create or modify objects, which makes sense for support activities.</li>
</ul>
<p style="text-align: justify;">In the case of larger structures, good practice is not to manage objects (users, mailboxes, groups, SharePoint sites, etc.) directly in native portals. What is needed is an <strong>interface that allows all these objects to be managed, while taking into account the business logic and the target administration model</strong>. Below are three examples of interfaces:</p>
<ul style="text-align: justify;">
<li><strong>In-house development of a &#8220;Custom Automation Engine&#8221;</strong>: this interface is decoupled from the IAM and, in practice, often ends up as a sizeable PowerShell / Graph API tool;</li>
<li><strong>Integration of a connector to the current IAM solution</strong> in order to present a complete management of the objects by disregarding their direct hosting;</li>
<li><strong>Investment in a SaaS Management Platform (SMP)</strong>: software publishers have specialised in the creation of management tools for Office 365, combining object administration, licence management and security and operational supervision functions. Among these solutions, which are still relatively unknown, are ManageEngine, CoreView and Quadrotech.</li>
</ul>
<p style="text-align: justify;">Please note: this interface, dedicated to support teams, will be distinct from an interface open to all users allowing them to centrally create guest users, SharePoint sites, Teams, etc. In concrete terms, this second interface could be integrated with ITSM tools, SMP or even be developed based on Power Apps and Graph API.</p>
<h1 style="text-align: justify;">How to protect access to these accounts ?</h1>
<h2 style="text-align: justify;">10 measures to secure administration accounts</h2>
<p style="text-align: justify;">Depending on the security licences (mainly the EMS bundle), Microsoft provides a number of controls to secure administration accounts.</p>
<p style="text-align: justify;">Most of these could also be obtained via third-party tools.</p>
<h3 style="text-align: justify;">Basic measures to secure the administration account</h3>
<ol>
<li style="text-align: justify;"><strong>A dedicated administrator account</strong></li>
</ol>
<p style="text-align: justify;">An administrator must have an account dedicated to administration, separate from their everyday productivity account. It should be cloud-only where possible (e.g. wavestone.onmicrosoft.com).</p>
<ol style="text-align: justify;" start="2">
<li><strong>Multi-Factor Authentication</strong></li>
</ol>
<p style="text-align: justify;">Multi-factor authentication is no longer an option today, and even less so for administrators.</p>
<p style="text-align: justify;">This measure is available for everyone, for all licences:</p>
<ul style="text-align: justify;">
<li>Via per-user MFA for Office 365 (the legacy per-user enforcement), which forces a challenge at every connection;</li>
<li>Via Security Defaults which forces an additional factor to be registered for all users and imposes the MFA for administrators at each login;</li>
</ul>
<p style="text-align: justify;">It is also essential to disable the <a href="https://docs.microsoft.com/en-en/azure/active-directory/conditional-access/block-legacy-authentication">legacy authentication protocols</a> that do not support MFA (basic authentication for IMAP, POP, SMTP, Exchange ActiveSync, older Office clients, etc.): left enabled, they allow the MFA requirement to be bypassed altogether.</p>
<p style="text-align: justify;">It also makes sense to limit the types of second factor that can be registered: there is little point in securing administration accounts if the second factor is the administrator's personal Gmail address.</p>
<h3 style="text-align: justify;">Highly recommended security measures</h3>
<ol style="text-align: justify;" start="3">
<li><strong>Unlicensed Office 365 account</strong></li>
</ol>
<p style="text-align: justify;">Without a licence, it will not be possible for an administrator to access the different services and data of the platform, or to have a mailbox.</p>
<p style="text-align: justify;">Please note that some services, such as Power Apps or Power BI, require a licence to access their administration portal. In practice, it can be useful to create a security group that assigns, through group-based licensing, only the licences administrators need.</p>
<ol style="text-align: justify;" start="4">
<li><strong>Conditional Access (with Azure AD P1)</strong></li>
</ol>
<p style="text-align: justify;"><a href="https://docs.microsoft.com/en-en/azure/active-directory/conditional-access/overview">Conditional access</a> allows you to evaluate the context when accessing an Office 365 service and to authorise access accordingly. For example, access can be blocked depending on the type of workstation used (whether managed by the company or not), the network on which the user is connected, the application in question or the user&#8217;s administrative role.</p>
<p style="text-align: justify;">In a Zero Trust logic, there should be no distinction between the internal and the external network, especially for administrators; the policy should instead be based on the state of the workstation and on the risk of the sign-in.</p>
<ol style="text-align: justify;" start="5">
<li><strong>Password Protection (with Azure AD P1)</strong></li>
</ol>
<p style="text-align: justify;"><a href="https://docs.microsoft.com/en-en/azure/active-directory/authentication/concept-password-ban-bad-on-premises">Azure AD Password Protection</a> adds controls on passwords: it bans common passwords and their variants, using a global list maintained by Microsoft and an additional list of terms maintained by the organisation.</p>
<p style="text-align: justify;">A good practice is to apply this protection to all Cloud-only administration accounts as a minimum.</p>
<ol style="text-align: justify;" start="6">
<li><strong>Azure AD Identity Protection (with Azure AD P2)</strong></li>
</ol>
<p style="text-align: justify;"><a href="https://docs.microsoft.com/en-en/azure/active-directory/identity-protection/overview-identity-protection">Azure AD Identity Protection</a> adds a notion of risk to the evaluation of user access and behaviour. Concretely, it is advisable to define the following policies:</p>
<ul style="text-align: justify;">
<li>Risky users: Force password change for an administrator likely to be compromised (with a Medium or High risk);</li>
<li>Risky sign-in: Forcing an MFA challenge during risky access (e.g. anonymous or unusual IP).</li>
</ul>
<ol style="text-align: justify;" start="7">
<li><strong>Azure AD Privileged Identity Management (with Azure AD P2): </strong></li>
</ol>
<p style="text-align: justify;"><a href="https://docs.microsoft.com/en-en/azure/active-directory/privileged-identity-management/">Azure AD Privileged Identity Management</a> is a service to control the assignment and use of administrative roles:</p>
<ul style="text-align: justify;">
<li>Allocate just-in-time rights by giving an eligible role instead of a permanent one;</li>
<li>Require approval from a designated approver before a role can be activated;</li>
<li>Set up an end date for an administrative role;</li>
<li>Force recertifications of administrators.</li>
</ul>
<p style="text-align: justify;">It will be relevant to distinguish the so-called sensitive roles from the others during implementation.</p>
<p style="text-align: justify;">Monitoring the eligible administrators has a further benefit: it shows how administration rights are really used, which makes it much easier to clean up the list of administrators.</p>
<p style="text-align: justify;">It should be noted that the PIM functionalities have recently been <a href="https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-features">extended to groups</a> (privileged access groups), which makes it possible to set up just-in-time access for more <a href="https://techcommunity.microsoft.com/t5/microsoft-security-and/using-azure-pim-for-the-aip-super-user-feature-management/ba-p/1587690">exotic cases such as RMS / AIP Super Users</a>.</p>
<h3 style="text-align: justify;">To go even further</h3>
<ol style="text-align: justify;" start="8">
<li><strong>Supervision of administrator actions to detect abnormal behaviour</strong></li>
</ol>
<p style="text-align: justify;">Once all these security measures are in place, all that remains is for you to implement supervision to detect non-compliance with the previous rules and abnormal behaviour.</p>
<p style="text-align: justify;">And for this, nothing better than to refer to <a href="https://www.riskinsight-wavestone.com/en/2020/04/logging-of-office-365-a-case-study-with-administrators/">our article</a> on the subject to understand the available logs.</p>
<ol style="text-align: justify;" start="9">
<li><strong>Setting up a Privileged Access Workstation</strong></li>
</ol>
<p style="text-align: justify;">Administration is by definition a critical action and must be carried out from within a trusted perimeter. Providing a <a href="https://docs.microsoft.com/en-en/windows-server/identity/securing-privileged-access/privileged-access-workstations">PAW, or privileged access workstation</a>, is how this objective is achieved.</p>
<p style="text-align: justify;">The configuration of such a workstation is straightforward (no local administration rights, restricted Internet browsing, blocked USB ports, pre-installed PowerShell modules, etc.). The harder part is to ensure that an Office 365 administrator can only connect from this workstation. There are several possibilities:</p>
<ul style="text-align: justify;">
<li>In a modern context, a simple answer is to rely on Microsoft tools: define an administration workstation profile in Intune and assign it to the administrators. With a conditional access rule, it is possible to require a compliant workstation when connecting.</li>
<li>In a more traditional model, it is possible to set up an <a href="https://docs.microsoft.com/en-en/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos">authentication silo</a> containing the administrators and their workstations. This gives a model similar to the tier model well known to AD teams.</li>
<li>Other approaches are also possible, even if more complex: association of a certificate and a reverse proxy or even a bastion.</li>
</ul>
<ol style="text-align: justify;" start="10">
<li><strong>Keep up to date with good practices and news </strong></li>
</ol>
<p style="text-align: justify;">It cannot be repeated often enough that Office 365 is a Cloud platform and is constantly evolving. Keeping up to date will continue to increase its level of security over time.</p>
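<p style="text-align: justify;">To turn measures 1, 3 and 7 and the Global Administrator limit into something that can be checked on a schedule, here is an added example (not code from the original article): a Python script that audits an export of role assignments together with the users behind them. The export is constructed inline; its field names are modelled on Microsoft Graph ("onPremisesSyncEnabled", "assignedLicenses", "isMfaRegistered" from the credential registration report), while the "assignmentType" key is an assumption standing in for the PIM eligibility and assignment schedules. The sensitive-role list is the one given earlier in the article.</p>

```python
"""Audit a directory-role export against the administration rules above.

Added example, not from the original article. The export is constructed and
simplified: one entry per role assignment, joined with the user it points to.
Field names follow Microsoft Graph where one exists; "assignmentType"
("permanent" or "eligible") is an assumption standing in for PIM schedules.
"""
from collections import Counter

MAX_GLOBAL_ADMINS = 4          # article: keep the role to 3-4 accounts
SENSITIVE_ROLES = {            # article: roles giving access to data or security settings
    "Global Administrator",
    "Exchange Administrator",
    "Security Administrator",
    "Application Administrator",
}


def _user(upn, synced=False, licences=(), mfa=True):
    """Build one constructed user object (Graph-like field names)."""
    return {"userPrincipalName": upn, "onPremisesSyncEnabled": synced,
            "assignedLicenses": list(licences), "isMfaRegistered": mfa}


# Constructed sample export.
ASSIGNMENTS = [
    {"role": "Global Administrator", "assignmentType": "eligible",
     "user": _user("adm-alice@contoso.onmicrosoft.com")},
    {"role": "Global Administrator", "assignmentType": "permanent",
     "user": _user("adm-bob@contoso.onmicrosoft.com")},
    {"role": "Exchange Administrator", "assignmentType": "permanent",
     "user": _user("carol@contoso.com", synced=True, licences=["ENTERPRISEPACK"])},
    {"role": "SharePoint Administrator", "assignmentType": "permanent",
     "user": _user("adm-dave@contoso.onmicrosoft.com", mfa=False)},
    {"role": "Global Administrator", "assignmentType": "eligible",
     "user": _user("adm-erin@contoso.onmicrosoft.com")},
    {"role": "Global Administrator", "assignmentType": "eligible",
     "user": _user("adm-frank@contoso.onmicrosoft.com")},
    {"role": "Global Administrator", "assignmentType": "eligible",
     "user": _user("adm-grace@contoso.onmicrosoft.com")},
]


def check_assignment(assignment):
    """Findings for one assignment, as (upn, role, code, message) tuples."""
    user, role = assignment["user"], assignment["role"]
    upn = user["userPrincipalName"]
    findings = []
    if user.get("onPremisesSyncEnabled"):          # measure 1: cloud-only admin accounts
        findings.append((upn, role, "not_cloud_only",
                         "synchronised from the on-premises directory; use a cloud-only account"))
    if user.get("assignedLicenses"):               # measure 3: unlicensed admin accounts
        findings.append((upn, role, "licensed",
                         "holds licences %s; remove them unless an admin portal needs one"
                         % ", ".join(user["assignedLicenses"])))
    if not user.get("isMfaRegistered"):            # measure 2: MFA registered
        findings.append((upn, role, "no_mfa", "no MFA method registered"))
    if role in SENSITIVE_ROLES and assignment["assignmentType"] != "eligible":
        findings.append((upn, role, "permanent_sensitive",   # measure 7: PIM on sensitive roles
                         "permanent assignment on a sensitive role; make it PIM-eligible"))
    return findings


def audit(assignments, max_global_admins=MAX_GLOBAL_ADMINS):
    """Per-assignment checks plus the tenant-wide Global Administrator count."""
    findings = [f for a in assignments for f in check_assignment(a)]
    # Eligible holders count too: each of them can become Global Administrator.
    global_admins = sorted({a["user"]["userPrincipalName"] for a in assignments
                            if a["role"] == "Global Administrator"})
    if len(global_admins) > max_global_admins:
        findings.append(("<tenant>", "Global Administrator", "too_many_global_admins",
                         "%d accounts hold or are eligible for Global Administrator (limit %d): %s"
                         % (len(global_admins), max_global_admins, ", ".join(global_admins))))
    return findings


def summary(findings):
    """Number of findings per code, useful to track the clean-up over time."""
    return Counter(code for _, _, code, _ in findings)


if __name__ == "__main__":
    for upn, role, code, message in audit(ASSIGNMENTS):
        print(f"{code:<24} {upn:<36} {role}: {message}")
```

<p style="text-align: justify;">On the sample export the script reports six findings: one permanent Global Administrator, a synchronised and licensed Exchange Administrator (three findings on one account), a SharePoint Administrator without MFA, and five Global Administrators in total, one above the limit. Run against a real export the same rules give a list to work through, and the per-code summary a figure to report on.</p>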
<figure id="post-14421 media-14421" class="align-none"><img decoding="async" class="aligncenter wp-image-14421 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/Image1-1.png" alt="" width="1875" height="785" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/Image1-1.png 1875w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/Image1-1-437x183.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/Image1-1-71x30.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/Image1-1-768x322.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/10/Image1-1-1536x643.png 1536w" sizes="(max-width: 1875px) 100vw, 1875px" /></figure>
<p style="text-align: center;">Figure 3 &#8211; The security of accounts, measures that can be counted on the fingers of one hand</p>
<h2 style="text-align: justify;">Focus on break-glass accounts</h2>
<p style="text-align: justify;">A good practice in the administration of the Microsoft platform is to set up administrator accounts that allow control of the platform to be regained in the event of an incident: the so-called break-glass accounts. They must give full control over the Office 365 tenant and are therefore assigned the Global Administrator role.</p>
<p style="text-align: justify;">These accounts must be secure; however, their specificity is that they are used during an incident. Thus, <strong>the security imposed on these accounts must remain compatible with the urgent nature of their use</strong>. They should therefore comply with the following recommendations:</p>
<ul style="text-align: justify;">
<li>Be cloud-only accounts;</li>
<li>Have no Azure AD MFA configured (or at least a third-party MFA that does not depend on the tenant), and be excluded from Conditional Access policies, so that a misconfiguration or an outage of the authentication service cannot lock them out;</li>
<li>Have their password stored in a physical safe that only named members of the security or Office 365 team can open;</li>
<li>Be covered by alerts on every sign-in and action, to verify that they are never used outside an incident procedure that requires breaking the glass.</li>
</ul>
<p style="text-align: justify;">It is also recommended not to use a specific naming convention for these accounts: they should not catch the eye of a potential attacker!</p>
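<p style="text-align: justify;">Two of the rules above can be verified from the Azure AD sign-in logs: the legacy-authentication check under measure 2 (which administrators still connect through protocols that cannot perform an MFA challenge) and the alerting on break-glass accounts used outside an incident. The following Python script is an added example, not code from the original article. Its records are constructed inline in the shape of Microsoft Graph auditLogs/signIns entries ("createdDateTime", "userPrincipalName", "clientAppUsed", "ipAddress", "status.errorCode"); the administrator and break-glass account lists and the incident window are assumptions that, in practice, come from the administration model and the incident process.</p>

```python
"""Review sign-in records for legacy authentication by administrators and for
break-glass account use outside a declared incident.

Added example, not from the original article. Records are constructed and
shaped like Microsoft Graph auditLogs/signIns entries; the account lists and
the incident window are assumptions.
"""
from datetime import datetime, timezone

# "Client app" values Azure AD reports for modern authentication. Anything else
# (IMAP4, POP3, SMTP, Exchange ActiveSync, "Other clients", ...) came through a
# legacy protocol that cannot perform an MFA challenge.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed lists. The break-glass UPN deliberately looks like an ordinary
# account (no recognisable naming convention); the list itself is kept out of band.
ADMIN_UPNS = {"adm-alice@contoso.onmicrosoft.com", "adm-bob@contoso.onmicrosoft.com"}
BREAK_GLASS_UPNS = {"pat.morgan@contoso.onmicrosoft.com"}
INCIDENT_WINDOWS = [("2020-10-20T22:00:00Z", "2020-10-21T02:00:00Z")]  # declared by the incident process


def _sign_in(when, upn, client_app, ip, error_code=0):
    """Build one constructed sign-in record (errorCode 0 means success)."""
    return {"createdDateTime": when, "userPrincipalName": upn, "clientAppUsed": client_app,
            "ipAddress": ip, "status": {"errorCode": error_code}}


SIGN_INS = [
    _sign_in("2020-10-19T08:00:00Z", "adm-alice@contoso.onmicrosoft.com", "Browser", "203.0.113.10"),
    _sign_in("2020-10-19T08:05:00Z", "adm-bob@contoso.onmicrosoft.com", "Other clients", "203.0.113.10"),
    _sign_in("2020-10-19T09:00:00Z", "pat.morgan@contoso.onmicrosoft.com", "Browser", "198.51.100.7"),
    _sign_in("2020-10-19T10:00:00Z", "jane.doe@contoso.com", "Exchange ActiveSync", "203.0.113.44"),
    _sign_in("2020-10-19T11:00:00Z", "pat.morgan@contoso.onmicrosoft.com", "Browser", "192.0.2.55",
             error_code=50126),  # 50126: invalid username or password
    _sign_in("2020-10-20T22:30:00Z", "pat.morgan@contoso.onmicrosoft.com", "Browser", "198.51.100.7"),
]


def parse_time(value):
    """ISO-8601 timestamp with a trailing Z -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def is_legacy(client_app):
    """Everything Azure AD does not label as modern auth is treated as legacy."""
    return client_app not in MODERN_CLIENT_APPS


def in_window(when, windows):
    return any(start <= when <= end for start, end in windows)


def analyse(records, admin_upns, break_glass_upns, incident_windows=()):
    """Return one alert dict per suspicious record."""
    windows = [(parse_time(a), parse_time(b)) for a, b in incident_windows]
    alerts = []
    for record in records:
        when = parse_time(record["createdDateTime"])
        upn = record["userPrincipalName"].lower()
        succeeded = record["status"]["errorCode"] == 0
        base = {"time": record["createdDateTime"], "upn": upn, "ip": record["ipAddress"]}
        if upn in break_glass_upns and not in_window(when, windows):
            # Any use, and even a failed attempt, outside a declared incident is an alert:
            # a failed attempt means someone knows the account exists.
            alerts.append({**base, "code": "break_glass_signin" if succeeded else "break_glass_failed"})
        if upn in admin_upns and succeeded and is_legacy(record["clientAppUsed"]):
            alerts.append({**base, "code": "legacy_auth", "client": record["clientAppUsed"]})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SIGN_INS, ADMIN_UPNS, BREAK_GLASS_UPNS, INCIDENT_WINDOWS):
        print(alert)
```

<p style="text-align: justify;">On the sample records the script raises three alerts: a legacy sign-in by an administrator, a successful break-glass sign-in the day before the declared incident, and a failed attempt on the same account from another address. The in-window sign-in is expected and stays silent; the ordinary user on Exchange ActiveSync is out of scope for this administrator-focused check, even though legacy authentication should be blocked tenant-wide.</p>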
<h1 style="text-align: justify;">Conclusion</h1>
<p style="text-align: justify;">Security on Office 365 is based on technical measures to protect administrator accounts, as well as the implementation of a target administration model, which includes clear governance and processes, tools to implement this delegation of rights, and mechanisms to maintain it over time.</p>
<p style="text-align: justify;">But whatever protection measures are implemented, security rests first and foremost with the administrators of the solution. <strong>Awareness raising and controls for administrators will be essential</strong>.</p>
<p style="text-align: justify;">Administrators must bear in mind that their accounts give access to extremely sensitive information and actions: they are therefore the preferred target of hackers!</p>
<p style="text-align: justify;">As O365 is constantly evolving, each new feature introduced by Microsoft may also bring with it its share of security problems that need to be studied and taken into account. Take the opportunity to update your documentation: O365 risk analysis, service configuration, delegation model&#8230;always <strong>without forgetting to allow your administrators to train</strong>!</p>
<p>This article, <a href="https://www.riskinsight-wavestone.com/en/2020/10/how-to-manage-administration-in-microsoft-365/">How to manage administration in Microsoft 365?</a>, first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Logging of Office 365: a Case Study with Administrators</title>
		<link>https://www.riskinsight-wavestone.com/en/2020/04/logging-of-office-365-a-case-study-with-administrators/</link>
		
		<dc:creator><![CDATA[Alexandre Mazars]]></dc:creator>
		<pubDate>Tue, 28 Apr 2020 09:27:54 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Office 365]]></category>
		<category><![CDATA[security architecture]]></category>
		<category><![CDATA[security surveillance]]></category>
		<category><![CDATA[SOC]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=12982</guid>

<description><![CDATA[<p>Migrations to Microsoft&#8217;s Digital Workplace platform, Office 365, are well advanced, if not already completed. It is now time to improve processes, but above all, to secure them. Several topics must be addressed when securing Office 365 including the need...</p>
<p>Cet article <a href="https://www.riskinsight-wavestone.com/en/2020/04/logging-of-office-365-a-case-study-with-administrators/">Logging of Office 365: a Case Study with Administrators</a> est apparu en premier sur <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p style="text-align: justify;">Migrations to Microsoft&#8217;s Digital Workplace platform, Office 365, are well advanced, if not already completed. It is now time to improve processes, but above all, to secure them.</p>
<p style="text-align: justify;">Several topics must be addressed when securing Office 365, including the need to be able to track actions in order to detect illicit behaviour or trace the cause of an incident.</p>
<p style="text-align: justify;">In France, however, many companies have difficulty consolidating logs and defining supervision use cases. Mastering logging must be at the heart of this approach.</p>
<h2>Supervision of administrative actions is a necessity</h2>
<p>For this deep dive into logging, let&#8217;s take the case of the platform administrators.</p>
<p>As with other SaaS solutions (Google Cloud Platform, Salesforce, etc.), <strong>the breach of data integrity or confidentiality following an error or malicious action by a company administrator is one of the major risks identified by our customers.</strong></p>
<p style="text-align: justify;">By definition, <strong>Office 365 administrators have high privileges</strong>:</p>
<ul style="text-align: justify;">
<li>Configuration of the various services &#8211; or workloads &#8211; and APIs;</li>
<li>Managing permissions on OneDrive and user mailboxes;</li>
<li>Management of the life cycle of collaboration spaces.</li>
</ul>
<p style="text-align: justify;">It is easy to imagine <strong>the disastrous consequences that could result from the malicious or uncontrolled use of these privileges</strong>. Indeed, settings such as SharePoint Online external sharing, API permissions or email configuration could become significant data leakage vectors.</p>
<p style="text-align: justify;"><strong>On-premise IT best-practices</strong> (lifecycle, least privilege principle, rights segmentation, strong authentication, just-in-time access, etc.) <strong>must also be applied in the Cloud</strong>. The Cloud must be mastered and controlled.</p>
<p style="text-align: justify;">However, the implementation of good practices, although necessary, is not enough. Indeed, they do not guarantee that administrators won&#8217;t carry out actions that compromise the level of security. One can therefore naturally <strong>wonder how it would be possible to audit the actions carried out and raise alerts if necessary</strong>.</p>
<p style="text-align: justify;">What are the means provided by Microsoft? How can we prevent a malicious person from covering their tracks (which would make an attack more difficult to detect and reconstruct)?</p>
<p style="text-align: justify;">To illustrate the different possibilities, we will follow the four examples below:</p>
<figure id="post-12987 media-12987" class="align-none"><img loading="lazy" decoding="async" class="aligncenter wp-image-12987 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/04/Image1-1.png" alt="" width="1757" height="469" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/04/Image1-1.png 1757w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/04/Image1-1-437x117.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/04/Image1-1-71x19.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/04/Image1-1-768x205.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/04/Image1-1-1536x410.png 1536w" sizes="auto, (max-width: 1757px) 100vw, 1757px" /></figure>
<p style="text-align: center;">Figure 1 &#8211; Examples of configuration changes that may affect security</p>
<h2>What logs are available?</h2>
<p>For historical and technical reasons, Office 365 inherently has several log sources: <strong>Unified Audit Logs</strong>, <strong>Exchange Logs</strong> and <strong>Azure Logs</strong>. These sources are complementary and must be analysed together in order to have an exhaustive view of the administrative actions performed.</p>
<h3>Unified Audit Logs: unified logging of the different services</h3>
<p style="text-align: justify;">The most commonly cited and used source of logs is the “<a href="https://docs.microsoft.com/fr-fr/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance">Unified Audit Logs</a>”. These logs <strong>centralise the traces of users and administrators for all the platform&#8217;s services</strong>: SharePoint Online, Azure AD, Exchange Online, Teams, Power Platform. <strong>Microsoft is progressively integrating the different sources and continues to add new logs</strong>.</p>
<p style="text-align: justify;"><em>To come back to our concrete examples, the interesting logs are:</em></p>
<ul style="text-align: justify;">
<li><em>SharePoint Online External Sharing Policy Change: SharingPolicyChanged</em></li>
<li><em>Assigning rights to a One Drive: SiteCollectionAdminAdded</em></li>
<li><em>Assigning rights to a mailbox: AddMailboxPermission</em></li>
<li><em>Changing an Administration Role: AddMembertoRole</em></li>
</ul>
<p style="text-align: justify;">These logs are accessible and exportable via the Compliance and Security Centers, the Office 365 Management and PowerShell APIs (via the <a href="https://docs.microsoft.com/fr-fr/powershell/module/exchange/policy-and-compliance-audit/search-unifiedauditlog?view=exchange-ps">Search-UnifiedAuditLog</a> cmdlet). Note that <strong>logging must be enabled</strong> via the Compliance Center or PowerShell to be able to log and search.</p>
<p style="text-align: justify;">It is possible to directly <strong>configure alerts related to the occurrence of certain logs</strong> in the Security and Compliance Centers.</p>
<h3>Exchange Logs: logging of the messaging infrastructure</h3>
<p>The second interesting source of logs is the &#8220;<a href="https://docs.microsoft.com/fr-fr/microsoft-365/compliance/enable-mailbox-auditing">Exchange Logs</a>&#8221;. These logs <strong>provide information about usage and administrative actions performed on the Exchange Online service as well as on personal or shared mailboxes</strong>. Two types of logs can be distinguished:</p>
<ul>
<li><strong>Administrator Audit Logs</strong>: Service or mailbox administration logs (e.g. changing a user&#8217;s permissions, changing the retention time of mailbox logs, etc.).</li>
<li><strong>Mailbox Audit Logs</strong>: Logs of the use of a mailbox by its owner, a delegated user or a service administrator (e.g. accessing the mailbox, sending an email on behalf of the owner, moving an item into a folder, permanent deletion, etc.).</li>
</ul>
<p><em>To come back to our concrete examples, the logs that will interest us here are: </em></p>
<ul>
<li><em>Assigning rights to a mailbox: AddMailboxPermission</em></li>
<li><em>Access to a folder or a mailbox: FolderBind (not enabled by default)</em></li>
<li><em>Access to a mail: MailItemAccessed (only for users with an E5 license)</em></li>
</ul>
<p><strong>To go further with Administrator Audit Logs</strong></p>
<p style="text-align: justify;">Administrator Audit Logs are generated for any Exchange administration action that can be linked to a PowerShell cmdlet whose verb is not Get, Search or Test. These logs are linked to the Unified Audit Logs and can be used in the Exchange Administration Center, the Security and Compliance Centers, and the Office 365 Management and PowerShell APIs.</p>
<p><strong>To go further with Mailbox Audit Logs </strong></p>
<p>Mailbox Audit Logs are the only category of logs to be configurable (perimeter and granularity). These logs allow tracing of the actions performed by an owner, a delegate (user with permissions) and an admin (access via eDiscovery tools).</p>
<p>Since January 2019, Mailbox Audit Logs have been enabled by default for all Office 365 tenants. To date, when logging is enabled by default, all mailboxes are audited (even if the &#8220;-AuditDisabled&#8221; parameter is set to &#8220;True&#8221;). The only way not to log the actions of a mailbox is to implement a bypass rule with &#8220;Set-MailboxAuditBypassAssociation&#8221;.</p>
<p>However, it should be noted that some actions are not audited by default, such as the access of a delegate or an admin to a user&#8217;s mailbox. It is therefore essential to analyse which logs need to be activated during the initial configuration of the service.</p>
<p>Depending on the license level and configuration, these logs can be linked to the Unified Logs and be used in the Exchange Administration Center, the Office 365 Management and PowerShell APIs or the Security and Compliance Centers.</p>
<h3>Azure Logs and Reports: Azure Active Directory Logging</h3>
<p style="text-align: justify;">The last, but not least important, source of logs is the “<a href="https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/plan-monitoring-and-reporting">Azure AD logs</a>”. These logs <strong>provide complete traces of the Office 365 identity brick and the associated administration actions</strong>. Several categories of logs and reports are available:</p>
<ul style="text-align: justify;">
<li><strong>Azure Audit Logs</strong>: Logs for the administration of the identity brick or the modification of its objects (e.g. assigning the &#8220;SharePoint Administrator&#8221; role, creating a user or security group, authorising an API, configuring guest users, etc.).</li>
<li><strong>Azure Sign-in Logs</strong>: Logs for connections to an Office 365 service (or to applications / APIs based on Azure AD) with information regarding the connection chain (e.g. protocol, IP address, device, etc.).</li>
<li><strong>Risky Sign-ins</strong>: Connection reports with indicators related to suspicious connections.</li>
</ul>
<p style="text-align: justify;">These logs and reports are accessible and exportable via the Azure portal, the Graph or Azure Management and PowerShell APIs. Some of the logs directly related to Office 365 are also found in the Unified Audit Logs.</p>
<p><em>To come back to our concrete examples, the interesting logs are:</em></p>
<ul>
<li><em>Modification of an administration role: AddMembertoRole</em></li>
</ul>
<figure id="post-12990 media-12990" class="align-none"><img loading="lazy" decoding="async" class="wp-image-13098 size-full aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/04/Image2-2.png" alt="" width="1563" height="727" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/04/Image2-2.png 1563w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/04/Image2-2-411x191.png 411w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/04/Image2-2-71x33.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/04/Image2-2-768x357.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/04/Image2-2-1536x714.png 1536w" sizes="auto, (max-width: 1563px) 100vw, 1563px" /></figure>
<p style="text-align: center;"><em>Figure 2 &#8211; Summary of Office 365 Logs Features</em></p>
<p style="text-align: justify;">In summary, the Unified Audit Logs provide a consolidated view of the different services of Office 365, but some information may be missing. It will be necessary to ensure that the required logs are present, and then to investigate further into the logs and reports of Exchange or Azure.</p>
<h2>What is the retention period for the various Office 365 logs?</h2>
<p style="text-align: justify;">Once the proper logs have been identified, the challenge of retention arises. How can you be sure that the logs are well preserved without being altered, for as long as is required by the company&#8217;s security policy and various regulations, such as the anti-terrorist law or the GDPR?</p>
<p style="text-align: justify;">By construction, and contrary to Exchange and SharePoint on-premise solutions, <strong>all the logs mentioned above are unalterable</strong> &#8211; that is to say, they cannot be modified or deleted by the company administrators. Furthermore, <strong>the retention periods defined by default cannot be modified</strong> (i.e. 90 days for Office 365 logs, and 7 or 30 days for Azure logs, depending on the licence level). <strong>There is one exception: an Exchange administrator has the ability to delete the logs </strong>of mailboxes by changing the associated retention time.</p>
<p style="text-align: justify;"><em>If we go back to our examples, we could imagine a malicious administrator giving themselves rights to access a mailbox, then reading the mails and erasing the access logs by setting a zero retention time. In this case, only the privilege elevation, recorded in the Administrator Audit Logs, would be retained.</em></p>
<p style="text-align: justify;"><strong>In order to comply with security or regulatory requirements</strong>, it may also be necessary to ensure that the logs of the various services<strong> are</strong> <strong>kept for more than 7, 30 or 90 days.</strong></p>
<h2>3 steps to implement relevant logging within Office 365</h2>
<ol>
<li style="text-align: justify;"><strong>Definition and activation of the necessary logs</strong>: Unified Audit Logs may not be sufficient (monitoring of the Office 365 and Azure AD APIs, logging of administrator access to mailboxes, etc.);</li>
<li style="text-align: justify;"><strong>Configuration of an automatic export of the identified logs</strong> to an external storage or an independent SIEM (via PowerShell or the Office 365 Management API);</li>
<li style="text-align: justify;"><strong>Monitoring the status of the tenant</strong>: implementing a dashboard of the tenant&#8217;s settings and configuring alerts related to a change in log configuration (via the Security or Compliance Center, the Office 365 Management or PowerShell APIs), such as disabling the Unified Audit Logs or a change in the retention of mailbox logs.</li>
</ol>
<figure id="post-12992 media-12992" class="align-none"><img loading="lazy" decoding="async" class="aligncenter wp-image-12992 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/04/Image3-1.png" alt="" width="1648" height="291" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2020/04/Image3-1.png 1648w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/04/Image3-1-437x77.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/04/Image3-1-71x13.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/04/Image3-1-768x136.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2020/04/Image3-1-1536x271.png 1536w" sizes="auto, (max-width: 1648px) 100vw, 1648px" /></figure>
<p style="text-align: center;">Figure 3 &#8211; Good Practices for Office 365 Logging</p>
<p style="text-align: justify;">After carrying out these three actions, the company will have the necessary information to audit the tenant&#8217;s use and administration actions. However, this does not yet address the larger need for supervision of administrators. It may be useful to set up alerts (via the Security or Compliance Center or specialised third-party tools).</p>
<ol style="text-align: justify;">
<li><strong>(To go further) Implementation of basic supervision</strong>: definition of general security detection scenarios, identification of the logs concerned, activation of the associated alert in the Security or Compliance Centers;</li>
<li><strong>(To go even further) Setting up advanced supervision</strong>: identification of scenarios related to a business context, implementation, definition of the associated governance, continuous improvement.</li>
</ol>
<p style="text-align: justify;">What tools should be used to analyze the logs? Which detection scenarios should be prioritised? What governance should be put in place to define, implement and monitor alerts? These are all questions that need to be addressed in the implementation of the collaboration platform supervision.</p>
<p style="text-align: justify;">It will also be necessary to take into account the regular changes made by Microsoft on these services, as well as on the structure of logs and APIs, especially since the preview and general availability functionalities coexist.</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2020/04/logging-of-office-365-a-case-study-with-administrators/">Logging of Office 365: a Case Study with Administrators</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>A secure Office 365, a rare gem?</title>
		<link>https://www.riskinsight-wavestone.com/en/2019/12/a-secure-office-365-a-rare-gem/</link>
		
		<dc:creator><![CDATA[Alexandre Mazars]]></dc:creator>
		<pubDate>Thu, 05 Dec 2019 11:04:14 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[IT transformation]]></category>
		<category><![CDATA[Office 365]]></category>
		<category><![CDATA[security architecture]]></category>
		<category><![CDATA[use cases]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=12226</guid>

					<description><![CDATA[<p>Since 2015, along with the digital transformation, we have seen the Digital and Modern Workplace topic taking a growing place. As a result, Microsoft Office 365 established itself as the leader on the French market (nearly 90% of the CAC...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2019/12/a-secure-office-365-a-rare-gem/">A secure Office 365, a rare gem?</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Since 2015, along with the digital transformation, we have seen the Digital and Modern Workplace topic taking a growing place. As a result, Microsoft Office 365 established itself as the leader on the French market (nearly 90% of the CAC 40). Four years later, following recent high profile cyberattacks, the security topic is finally coming to the forefront after having been neglected for too long, in favor of migrations and adoptions of services.</p>
<p>This reflection should cover the main risks of data leakage and access to data by administrators, Microsoft and third parties or applications.</p>
<h2>A new governance model imposed by Microsoft</h2>
<p>Office 365 is a SaaS communication and collaboration solution. As such, the platform is constantly evolving, unlike the historical &#8220;on-premise&#8221; solutions: new features or settings appear and are modified, while others disappear (e.g. the retirement of Skype for Business planned for July 31<sup>st</sup>, 2021, and the end of legacy authentication support for Exchange Online <a href="https://developer.microsoft.com/en-us/office/blogs/end-of-support-for-basic-authentication-access-to-exchange-online-apis-for-office-365-customers/">planned for 2020</a>). <strong>This continuous delivery pace is imposed by Microsoft, without control. Hence, a completely new governance model is required.</strong></p>
<p>Integrating changes can no longer be done in project mode. It must follow an established process. In this model, <strong>the workplace and security teams must work hand in hand</strong> and must be represented in all project and architecture committees, starting from the very beginning of the platform use case design. These teams will also have a <strong>common responsibility</strong> to ensure the platform&#8217;s efficiency and regulatory compliance.</p>
<p><strong>The security team sees its perimeter evolving: it no longer has control over security tools</strong> and can, or even must, play a <em><strong>business enabler</strong></em> role to support the migration to the cloud by proposing new uses (e.g. opening a controlled external file exchange service). An appropriate organization must be put in place. We could even consider having a Security Officer dedicated to the platform very close to the business, with the role of advising projects, ensuring the platform configuration and monitoring security alerts.</p>
<p>Another topic to be addressed is <strong>delegated administration</strong>. Even though it is not a rare situation, it is not acceptable to have nearly 20 Global Administrators for an O365 tenant. Indeed, a Global Admin has control over Office 365 services, but also Intune, Azure, AAD, etc. A delegated administration solution must be considered for user accounts and objects, through the implementation of an interface or a connector based on PowerShell or the Graph API. This process should allow the company to manage all objects while taking business logic into account. To define this new governance model, the following security pillars must be articulated:</p>
<ul>
<li>Identity management;</li>
<li>Mastery of services and uses;</li>
<li>Control of compliance with company policies.</li>
</ul>
<h2>Identity management at the core of the model</h2>
<p>In a solution <strong>designed to enable internal or external collaboration</strong>, with an ATAWAD use (Any Time, Any Where, Any Device), <strong>identity management</strong> (and therefore authentication) <strong>is the core of platform management.</strong> As with any project, the <strong>definition</strong> phase of who can access what, when and where is fundamental.</p>
<p>On Office 365, there are three types of users, each with different privilege levels: <strong>administrators, internal users and guests</strong> (external users invited to collaborate on a file or within an O365 Group or SharePoint site).</p>
<p>For each of these account types, implementing the defined security measures will be <strong>challenging</strong>. In addition to the unavoidable multi-factor authentication (highlighted by the data leak that affected Deloitte in 2017), there are also other essential issues, such as administrator access control (personalized or predefined roles, permanent or occasional access, etc.) and guest users lifecycle management (nothing being clearly defined by default). <strong>The cost of Azure AD Premium licenses or a third-party tool will be a major element of the discussion.</strong></p>
<p>Also note that <strong>Office 365 allows external applications to communicate with its APIs.</strong> The external application can then act on behalf of a user with that user&#8217;s own rights, or of an administrator with higher privileges. These applications can come from different application stores (such as AppSource or AAD) or be developed locally. The management of <strong>permissions granted to these applications</strong> must be given serious consideration by companies. Indeed, through APIs, it is very easy to imagine a massive data leak if a user is duped (e.g. by an application requesting unnecessary permissions, such as email access).</p>
<h2>An essential but neglected control of services and uses</h2>
<p>Once access to Office 365 is under control, the next topic is to <strong>manage its use</strong>. It is not uncommon to observe that some <strong>services, not prioritized during migration to the Cloud</strong> (Power BI, Teams, Flow, API access, etc.) <strong>are left accessible with their default configuration.</strong> The two reasons are generally a focus on adoption and a lack of time devoted to these non-priority services. In addition to setting up the service, it is also essential to define precise rules around uses <strong>to clarify who can do what and when</strong> (e.g. managing SharePoint authorizations, creating Groups). The best solution consists in implementing technical measures (general settings or configuration via PowerShell) congruent with the defined policy.</p>
<p>However, the lack of security of these services leaves the door open to potential <strong>data leaks</strong>: automatic transfer to the outside, exposure on the Internet or loss of control over the data. As written above, governance must take security into account when designing future uses. Services must be analyzed and tested on small populations. Indeed, <strong>it will always be easier to open a feature than to restrict an already widespread use.</strong> In that case, it will be necessary to carry out an impact analysis, to tinker with a workaround solution and to raise users’ awareness widely. However, these actions may require significant investment and could be avoided.</p>
<p>The management of the service should not end with user adoption. Security and Workplace teams will be responsible for <strong>following Office 365 evolution</strong> (Evergreen program, setting up a watch, monitoring Microsoft blogs, etc.) in order to assess new opportunities and threats.</p>
<h2>The control of the compliance with company policies</h2>
<p>The <strong>implementation of the company security policies</strong> is the last pillar and includes the implementation of security tools: information protection, anti-malware, supervision and alerting.</p>
<p>Concerning Office 365 security, we can differentiate 3 levels of maturity. The resources put in place will depend on the <strong>expertise available</strong> (resources being limited on the market) and the <strong>budget</strong> (depending in particular on the company&#8217;s Microsoft licensing strategy):</p>
<ul>
<li><strong>Level 1 &#8211; Control of identities, services and use of the Security and Compliance Center: </strong>the company implements native Security Center and Compliance Center security solutions (including Office DLP, Exchange Online Protection, eDiscovery) accessible with basic licenses;</li>
<li><strong>Level 2 &#8211; Development of &#8220;in-house tools&#8221;: </strong>the company creates a set of simple scripts or dashboards, using Graph API, Security Graph API and PowerShell, to implement controls and security measures adapted to its context (e.g. life cycle management of guest users);</li>
<li><strong>Level 3 &#8211; Use of advanced security tools: </strong>the company implements additional solutions to strengthen the level of security: tools to fight data leaks, analyze malware on emails, review rights, detect abnormal behavior or even harden the use of the platform according to the context.</li>
</ul>
<p>Mastering Office 365 services, their uses and native security features is essential, and must precede any consideration of adding an additional security tool, which would not cover existing vulnerabilities and would only add complexity.</p>
<figure id="post-12228 media-12228" class="align-center"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-12228" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2019/12/Image-2.png" alt="" width="1349" height="757" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2019/12/Image-2.png 1349w, https://www.riskinsight-wavestone.com/wp-content/uploads/2019/12/Image-2-340x191.png 340w, https://www.riskinsight-wavestone.com/wp-content/uploads/2019/12/Image-2-768x431.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2019/12/Image-2-69x39.png 69w" sizes="auto, (max-width: 1349px) 100vw, 1349px" /></figure>
<p style="text-align: center;"><em>Sample of controls included in the Wavestone Office 365 Audit Methodology</em></p>
<h2>Conclusion</h2>
<p>Office 365 is an interesting case of opening business applications on the Internet through the Cloud. This evolution requires adapting the company historical security model, towards the <a href="https://www.wavestone.com/app/uploads/2017/07/generation-cybersecurity-model.pdf">airport model</a> following the Cloud adoption.</p>
<p>However, Office 365 security must not omit the security of the on-premise bricks necessary for the platform&#8217;s operation, as is generally the case for authentication, which is carried out by ADFS.</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2019/12/a-secure-office-365-a-rare-gem/">A secure Office 365, a rare gem?</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How to build an effective digital strategy?</title>
		<link>https://www.riskinsight-wavestone.com/en/2012/10/comment-construire-une-strategie-digitale-efficace-2/</link>
		
		<dc:creator><![CDATA[Alexandre Mazars]]></dc:creator>
		<pubDate>Tue, 02 Oct 2012 09:18:04 +0000</pubDate>
				<category><![CDATA[Métiers - Marketing et relation client]]></category>
		<category><![CDATA[Métiers - Stratégie & projets IT]]></category>
		<category><![CDATA[fidélisation]]></category>
		<category><![CDATA[Marketing]]></category>
		<category><![CDATA[réseaux sociaux]]></category>
		<category><![CDATA[stratégie digitale]]></category>
		<guid isPermaLink="false">http://www.solucominsight.fr/?p=2356</guid>

					<description><![CDATA[<p>Since large companies have understood the value of pursuing a digital strategy (social networks, blogs, websites, etc.), this approach is increasingly integrated into them. However, it is necessary to know its fundamentals in order to have a coherent and effective strategy....</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2012/10/comment-construire-une-strategie-digitale-efficace-2/">How to build an effective digital strategy?</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Les grandes entreprises ayant compris l’intérêt de mener une stratégie digitale (réseaux sociaux, blogs, sites,…), ce dispositif y est donc de plus en plus intégré. Cependant, il est nécessaire d’en connaître les fondamentaux afin d’avoir une stratégie cohérente et efficace.</p>
<div>
<h2>Un client digitalisé est avant tout un client… fidélisé !</h2>
</div>
<p>Ce sont les chiffres qui le disent : selon une récente étude InsightNow portant sur le système bancaire, les entreprises les plus investies sur la sphère digitale sont également celles qui fidélisent le plus leur base client.</p>
<p align="left">Mais ces résultats ne sont pas à proprement parler surprenants. L’intérêt des canaux digitaux pour l’entreprise dans la communication, la relation client, et même la co-construction d’offre s’est imposé comme une évidence ces dernières années.</p>
<p>Cela est plutôt révélateur de la nécessité de construire une stratégie digitale cohérente. L’objectif est de répondre à la question « Quelle est la valeur ajoutée du digital dans ma stratégie marketing ? »</p>
<p>Ainsi, plus cette stratégie sera en phase avec la stratégie marketing globale, plus elle sera efficace. En ce sens, il est toujours utile de rappeler qu’il est difficile de penser le digital complétement à part de la stratégie globale.</p>
<p>D’ailleurs les exemples de réussite de stratégie digitale complétement intégrée ne manquent pas : <a href="http://twitter.com/b_and_you" target="_blank">B&amp;You</a>, <a href="http://twitter.com/Sosh_fr" target="_blank">Sosh</a>, <a href="http://twitter.com/iDTGV" target="_blank">iDTGV</a>, …<strong>                       </strong><strong><br />
</strong></p>
<div>
<h2>Stop aux expérimentations</h2>
</div>
<p>In reality, very few large organisations do not speak on digital channels. A Twitter feed, a Facebook page, an interactive FAQ, a blog… Often many of the building blocks are already in place on the customer side.</p>
<p>Unfortunately, all of this is sometimes put online before the foundations of a digital strategy have even been laid. Internally, these communications may be the result of experiments, sometimes by very different entities within the company (communications, marketing, customer relations, the IT department, etc.). From the customer's perspective these differences are of course invisible, and it is then incomprehensible that the message is not unified.</p>
<p>The risks to image and customer loyalty are real. A message handled differently on a Twitter feed and on the telephone channel can generate very bad publicity, or even cause the customer to leave. Moreover, without objectives, these initiatives can turn out to be costly and deliver no value.</p>
<h2>Courage! Let's move from the test to an effective setup!</h2>
<p>Put simply, many companies today are moving from the stage of "we have to be on Facebook!" to "what do I do with the visibility I have gained on Facebook?".</p>
<p>But how should the problem be approached?</p>
<p>It is first necessary to take a precise inventory of how customers see all of these setups, in order to rationalise communications and reposition what already exists so that it serves the overall strategy.</p>
<p>A few generic good-practice rules make it possible to turn these trials into a success:</p>
<ul>
<li>Centralise the management of digital channels;</li>
<li>Reposition the setups so that they serve one or more of the goals of the overall marketing strategy;</li>
<li>Put in place real indicators with targets, as for physical channels;</li>
<li>Measure the actual contribution of each channel to the company (sales, commercial leads, image, etc.).</li>
</ul>
<p>Finally, bear in mind that a digital setup is specific to each industry and each company. There is therefore no point in trying to copy a competitor's strategy!</p>
<p>Time will almost certainly show that the most innovative companies, having addressed these digital challenges before their competitors, will have gained a real competitive lead.</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2012/10/comment-construire-une-strategie-digitale-efficace-2/">How to build an effective digital strategy?</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
