Have you retired your on-premises servers, storage, and business applications in favor of cloud-based alternatives? Are you considering a move to cloud? Or do you run a hybrid environment, utilizing some company-owned IT equipment combined with some level of cloud adoption?
Many small and medium-sized businesses no longer rely on what was considered traditional, required IT infrastructure just a decade ago. Server rooms filled with gear — and the periodic capital expenses needed to refresh that gear — are a thing of the past, and cloud technologies like Microsoft 365 and Microsoft Azure are now considered essential building blocks of modern IT environments.
But what about security?
- Are you taking precautions to ensure that your critical business data, email, and applications are secured from threats, both internal and external?
- Are you protecting yourself from phishing attacks on your users?
- How about protecting your organization from access by non-authorized parties?
Every cloud-based organization should consider implementing basic technology safeguards to maintain a secure posture in Microsoft's ecosystem.
The shared responsibility model
Before digging deeper, it's essential to understand the concept of "shared responsibility" in Microsoft's cloud. The Shared Responsibility Model means that while Microsoft is responsible for securing the physical servers and networking underpinning their cloud operations, you (the customer) are responsible for securing your own users, data, and applications within their cloud. You are in control, and you can make access to your users, email, data, and applications as easy or as restricted as you like. The onus is on you. Consider these essential steps:
Start with the basics: passwords, MFA, and end-user training
Have you tried to obtain or renew a cyber liability insurance policy recently? There are some security precautions considered so basic that you can't even be insured without implementing them, and all businesses need to be doing at least these basics no matter what their IT environments look like. Whether you have server rooms full of gear, cloud operations, a remote workforce, or even if you are a small mom-and-pop shop, these are essential:
- Complex passwords. You're familiar with the idea: passwords of a certain length, with rules around uppercase/lowercase letters, numbers, special characters, and other limitations. If you are only using Microsoft's Azure Active Directory for user accounts, then you are covered — this is enforced by default.
- Multi-Factor Authentication (MFA). If you can access your cloud-based email with nothing more than a password, then you have work to do. MFA is a tried-and-true technology that has been around for many years, ensuring that a user cannot access their email, cloud applications, or other remote environments without entering both a password AND having a second form of authentication like a smartphone with a token.
- End-user security training. Training your users to identify phishing emails and teaching them to avoid installing viruses or malware is critical. Lately, almost every breach you see in the news is caused by a phishing attack of some kind — it's much easier to "hack" a user than to break into a secure network environment. Regular training and testing (sending simulated phishing emails, for example, to test the vulnerability of your user base) can be the difference between operating normally and spending weeks cleaning up from a ransomware attack on your business.
Know your Microsoft Secure Score
Did you know Microsoft has a recommendation tool built into 365 to help you secure your environment? The Microsoft 365 Defender toolkit is located at and is a hub for securing and monitoring your 365 environment. After accessing the site, click to expand the "Microsoft Secure Score" panel to see how you stack up against other organizations like yours and what recommendations Microsoft has to help increase your score and make you more secure.
Your Secure Score and recommendations are updated regularly and may change as Microsoft's and the industry's best practices are refined and expanded. Not only will Microsoft give you an easy checklist of security practices to follow, but they also provide additional information and instructions to actually implement the changes. Some recommendations are simple, and some will require a more involved project by your IT department or an outside technology provider.
Establish your conditional access policies
Once you have the basics covered, it's time to take the next step. Microsoft's Conditional Access Policies allow you to control access to your cloud-based resources based on specific conditions such as user location (block connections from Russia, for example), device health (require certain Windows updates), and general risk level based on other factors of your choosing. More examples of what you can do:
- Require an MFA prompt for any user attempting to access resources from outside your company's network, while allowing machines in the office to connect without that precaution.
- Block access to sensitive data and applications from devices that do not meet your organization’s security standards, like outdated or unpatched devices or those without antivirus software.
- Limit access to certain applications or data based on the user’s risk level, location, operating system, behavior, or other factors.
A user's risk level is an indicator ("low", "medium", "high") that Microsoft assigns based on the probability that the user's account has been compromised. You can then use this information to further restrict access.
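As an added example (not from the original article), here is how the first policy listed above, an MFA requirement for every sign-in that does not come from a trusted named location, can be created with the Microsoft Graph PowerShell SDK. The break-glass group id is a placeholder, the office network is assumed to already be marked as a trusted location, and the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example: Conditional Access policy requiring MFA for every sign-in
# that does not originate from a trusted named location.
# Assumes the Microsoft.Graph PowerShell SDK is installed and that the office
# network has already been defined as a trusted named location in Entra ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object id of the group holding your emergency-access accounts.
# Excluding break-glass accounts keeps a misconfigured policy from locking you out.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA001 - Require MFA outside trusted locations"
    # Report-only: evaluated and logged, but not enforced, so the sign-in
    # logs show who would have been affected before anyone is blocked.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # built-in: all trusted named locations
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # grant access only after MFA is satisfied
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# After reviewing the report-only results, switch the policy to enforcement:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <policy id> -BodyParameter @{ state = "enabled" }
```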
Understand Privileged Identity Management (PIM)
One feature many security-conscious organizations overlook is the PIM capability Microsoft provides with some of their advanced licenses. Privileged Identity Management enables you to manage, control, and monitor access to resources in your Microsoft cloud environment in order to minimize the number of people with access to your secure information and resources. Sprawling administrative rights are a real problem in many environments, and PIM is the tool to control it.
Have you needed to give access temporarily to a contractor, vendor, or short-term employee? Or to a user who needs administrative access to a tool occasionally, but shouldn't have access all the time? Often, privileged access is granted in order to get a job done, but then that access is never revoked. If a user is compromised, the attacker has full access to everything the user does, including administrative rights and privileges.
In security terms, PIM is a way to implement the principle of "least privilege" — making sure users have the rights they need to do their jobs, and ONLY those rights. What can PIM do in your organization?
- Assign temporary (expiring), just-in-time administrative access to users when needed, reducing the number of users with permanent access.
- Ask users to explain their request for role elevation so you can understand why they are requesting particular roles/rights.
- Require approval to activate privileged roles, with a built-in workflow and approvals that are logged and can be audited.
- Send notifications for suspicious activities so you can take immediate action when a potential security threat is detected.
- Conduct access reviews to ensure users still need their assigned roles and revoke unnecessary privileges, helping to maintain least privilege access.
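As an added example (not from the original article), the following Microsoft Graph PowerShell SDK snippet makes a contractor eligible for the Exchange Administrator role for 30 days instead of assigning it permanently, which is the just-in-time, expiring access described in the first bullet above. The contractor's user id and the ticket reference are placeholders, and the tenant is assumed to hold a Microsoft Entra ID P2 license, which PIM requires.

```powershell
# Added example: PIM eligibility (not an active assignment) for a contractor.
# The user must activate the role each time they need it, and the eligibility
# expires on its own after 30 days, so nothing has to be remembered and revoked.
# Assumes the Microsoft.Graph PowerShell SDK and a Microsoft Entra ID P2 license.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory", "RoleManagement.Read.Directory"

# Placeholder: object id of the contractor's user account.
$contractorId = "00000000-0000-0000-0000-000000000000"

# Resolve the role by display name rather than hard-coding its template id.
$role = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Exchange Administrator'"

$request = @{
    action           = "adminAssign"          # create an eligibility, not a standing assignment
    justification    = "Mailbox migration project, ticket PLACEHOLDER"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                    # tenant-wide scope
    principalId      = $contractorId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{
            type     = "afterDuration"
            duration = "P30D"                 # ISO 8601 duration: eligibility lapses after 30 days
        }
    }
}

New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request

# Every later activation is recorded in the audit log; current eligibilities can be listed with:
# Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$contractorId'"
```

Activation duration, approval requirements and justification prompts are configured per role in the PIM role settings, not on the eligibility itself.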
Next steps
These are only the first steps on your cloud security journey, and they only scratch the surface of what Microsoft can do to secure your organization's IT environment. It is critical to monitor not only Microsoft's Secure Score recommendations going forward, but also industry best practices and new Microsoft 365 and Azure security features and functionality as they are introduced. Security tools and recommendations are constantly changing, and it is critical to stay informed on both new technologies and new threats.
If you are concerned about your own security posture, consider having a risk assessment performed by 熊猫视频's security professionals to get an idea where your organization stands and where you can improve. 熊猫视频 Technology 熊猫视频 can assist in implementing all of the tools and technology described above and more — we have the expertise to guide you on the path to a more secure IT environment. With the right tools and advice, you can significantly improve your organization's security posture.