Sponsored

What a transformation we’ve seen at Microsoft in the past five or so years. The king of corporate software has become a major cloud provider with Office 365. According to the most recent estimates, one in five corporate employees now use Office 365, making it one of the most widely used cloud services across the globe.
Its success suggests that the initial concerns corporations once had about cloud security as a whole have largely vanished, at least when it comes to cloud-based email and productivity, and that there is widespread acceptance that the technology offers a reliable way to deliver services.
A recent report from the US government’s Cybersecurity and Infrastructure Security Agency (CISA), however, highlights that there are still concerns over some aspects of cloud, and that not everything is as secure as it should be. Office 365, aka O365, got a name check in the report. “Organizations and their third-party partners need to be aware of the risks involved in transitioning to O365 and other cloud services,” said the agency.
Many employees are just not ready to repel attacks – they’re careless about opening attachments, they don’t use strong passwords, and they don’t install regular software updates – all of which provide a way in for cyber criminals. Staff are even targeted by fraudsters who track users’ interests and communicate with them accordingly to socially engineer workers into opening booby-trapped files or inadvertently transferring funds to criminals.
Once Office 365 accounts are compromised, criminals have access to important corporate information. This can be a goldmine for determined attackers, who will also try any harvested login credentials against other systems, knowing that many people reuse the same passwords over and over.
That makes it important to monitor your Office 365 estate and the devices and the users accessing it, to identify signs of attack, and then put in place relevant protection based on that information.
Microsoft provides tools to manage policies in Office 365, though these can be limited. It is not easy to orchestrate, automate, and manage the policies and procedures needed to secure a corporate Office 365 estate that has lots of users, devices, applications, and points of integration. Indeed, the nature of Office 365 has led to some uncertainty over what the service includes and what the customer must still do for themselves.
Paul Robichaux, chief technology officer of Office 365 migration and management software vendor Quadrotech, says: “People think just because they are buying an entire service from the giant that is Microsoft – a service which can be extensive in what it offers and does – that it includes everything needed to manage it effectively. This simply isn’t true.”
There are a number of policies you can implement and manage to audit and secure user activity. One is multi-factor authentication (MFA), though CISA warns that MFA is often not enabled by default. Azure Active Directory global administrators have the highest level of access in an Office 365 environment, and yet MFA is not automatically enabled for these powerful accounts, leaving a security weakness in the system. A default conditional access policy is available to require MFA for admins, but a global administrator must explicitly enable it.
"When it comes to multi-factor authentication, Microsoft actually make it a pretty simple process, with options for various uses," says Robichaux. "Of course, you don’t have to use it – but if you actively choose not to, you’re opening yourself up to a huge number of risks."
On the subject of granting access privileges, you need to determine which global administrator accounts are actually required, how exactly they are protected, and whether you could use role-based access control, assigning narrower administrative roles so that people don’t need to be global admins at all. In short: consider whether the people who hold all-reaching admin accounts actually need them, and reduce access to reduce risk. Fewer privileges held by users means fewer privileges for intruders to commandeer.
This is not an issue exclusive to cloud deployment: you’ll often find on-premises Active Directory installations with dozens of domain administrator accounts. There are very few cases where an Active Directory with dozens of domain admins is actually what’s needed. Take it back to basics: do all of those people need that level of access? "They’ve got a huge amount of control," adds Robichaux.
Businesses should also be cognizant of the social engineering involved in email attacks, and encourage their staff to use password managers or change passwords regularly. Companies should also set clear guidelines on how phishing attempts should be reported: employees should know what to look for, and where to report any attacks. When it comes to Office 365, cyber-criminals attack in two phases. First comes a phishing email to gain access to a corporate account. Then, from the compromised inbox, comes an email masquerading as a message from that employee, asking for money to be diverted to an account owned by the crooks, for a fake invoice to be paid, for personal account details, or for some other action that leads to a financial loss.
Despite CISA’s warning about security holes, the agency is mindful that Microsoft has met many of the challenges head on. It does, however, encourage organisations to ensure that MFA is turned on by default, to employ unified audit logging and mailbox auditing, and to ensure Azure AD password synchronization is configured correctly.
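To make the audit-logging advice concrete, here is an added example (not code from the article, CISA or Quadrotech) using the Exchange Online PowerShell module. It checks that unified audit log ingestion and tenant-wide mailbox auditing are switched on, repairs user mailboxes whose auditing is off or whose retention is short, and then uses the log for the monitoring the article calls for by listing the rarest user/IP sign-in pairs of the past week. It assumes the ExchangeOnlineManagement module is installed and the caller holds an Exchange Online admin role; the 180-day retention, the audited actions and the seven-day window are this example's own choices, not values from the page.

```powershell
# Added example, not from the article, CISA or Quadrotech.
# Assumes: ExchangeOnlineManagement module installed; caller is an Exchange Online admin.
Connect-ExchangeOnline

# 1. Unified audit log ingestion. Without it, Search-UnifiedAuditLog has nothing to search.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is OFF; enabling it."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Tenant-wide mailbox auditing. AuditDisabled = $true silently overrides per-mailbox settings.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled at the tenant level; re-enabling it."
    Set-OrganizationConfig -AuditDisabled $false
}

# 3. Per-mailbox settings: auditing on, 180-day retention (this example's choice), and the
#    owner/delegate actions that matter for a compromised inbox used to send fraudulent mail.
$minDays = 180
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($mbx in $mailboxes) {
    $retentionDays = ([TimeSpan]$mbx.AuditLogAgeLimit).TotalDays
    if (-not $mbx.AuditEnabled -or $retentionDays -lt $minDays) {
        Write-Host "Fixing audit settings on $($mbx.UserPrincipalName)"
        Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true -AuditLogAgeLimit "180.00:00:00" `
            -AuditOwner @{Add = "MailboxLogin"} `
            -AuditDelegate @{Add = "SendAs", "SendOnBehalf"}
    }
}

# 4. Use the log: successful sign-ins over the last 7 days, grouped by user and source IP, rarest
#    first, so a one-off login from an address the user never used before stands out.
#    AuditData is a JSON string; parse it rather than pattern-matching on it.
$since  = (Get-Date).AddDays(-7)
$events = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
              -Operations UserLoggedIn -ResultSize 5000
$events |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.ResultStatus -in 'Success', 'Succeeded' } |
    Group-Object UserId, ClientIP |
    Sort-Object Count |
    Select-Object -First 20 Count, Name |
    Format-Table -AutoSize
```

Search-UnifiedAuditLog caps a single call at 5,000 records, so a large tenant needs the `-SessionCommand ReturnLargeSet` paging loop or an export to a SIEM; the point of step 4 is the shape of the query, which is the same either way.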
On the subject of password synchronization, the agency noted: "It is possible to create an AD [Active Directory] identity that matches an administrator in Azure AD and create an account on-premises with the same username. One of the authentication options for Azure AD is 'Password Sync.' If this option is enabled, the password from on-premises overwrites the password in Azure AD. In this particular situation, if the on-premises AD identity is compromised, then an attacker could move laterally to the cloud when the sync occurs."
The agency also noted: "Microsoft has disabled the capability to match certain administrator accounts as of October 2018. However, organizations may have performed administrator account matching prior to Microsoft disabling this function, thereby synching identities that may have been compromised prior to migration.
"Additionally, regular user accounts are not protected by this capability being disabled."
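The two checks the article asks for, which global administrators exist and whether each has MFA, and whether any of them are synced from on-premises AD and so exposed to the password-sync lateral movement CISA describes, fit in one script. The following is an added example (not code from the article, CISA or Quadrotech) using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph modules are installed and that the caller holds a role allowed to read other users' authentication methods (for example Global Reader or Authentication Administrator); the list of methods treated as a real second factor and the warning threshold on the number of global admins are this example's own choices.

```powershell
# Added example, not from the article, CISA or Quadrotech.
# Assumes: Microsoft.Graph PowerShell SDK installed; caller can consent to the scopes below
# and holds a role permitted to read other users' authentication methods.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All", "UserAuthenticationMethod.Read.All"

# Methods this example counts as a second factor. Password, email (SSPR) and Temporary Access
# Pass deliberately are not on the list.
$strong = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod'
)

# Global Administrator is a built-in role; Get-MgDirectoryRole lists it once it has been activated,
# which is the case in any tenant that has ever had a global admin.
$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$report = foreach ($m in $members) {
    # Groups and service principals can also hold the role; only users have authentication methods.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $u = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled
    $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
                 ForEach-Object { $_.AdditionalProperties['@odata.type'] }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Enabled           = $u.AccountEnabled
        HasSecondFactor   = [bool]($types | Where-Object { $_ -in $strong })
        # True means the account and its password originate on-premises: an attacker who owns
        # the on-prem identity gets this cloud admin for free at the next sync.
        SyncedFromOnPrem  = [bool]$u.OnPremisesSyncEnabled
    }
}

$report | Format-Table -AutoSize

# Findings, mapped to the article's advice.
$count  = @($report).Count
$noMfa  = $report | Where-Object { -not $_.HasSecondFactor }
$synced = $report | Where-Object { $_.SyncedFromOnPrem }

if ($count -gt 4) {   # threshold is this example's choice; Microsoft's own guidance is fewer than five
    Write-Warning "$count Global Administrators. Does each one need the role, or would a narrower admin role do?"
}
if ($noMfa) {
    Write-Warning "Global admins with no second factor registered: $($noMfa.UserPrincipalName -join ', ')"
}
if ($synced) {
    Write-Warning "Global admins synced from on-premises AD (use cloud-only accounts for this role): $($synced.UserPrincipalName -join ', ')"
}
```

A registered second factor is not the same as MFA being enforced; pair this report with a conditional access policy that requires MFA for directory roles, otherwise an account can have an Authenticator app registered and still sign in with a password alone.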
It’s foolhardy to think cyber criminals can be defeated. Every technology brings a new attack vector, every change opens up a new challenge, and employees are always going to be a weak point. When it comes to Office 365, such are the stakes, and so numerous the points of weakness that protection can only come from deploying effective security policies. The foundation of such policies has to be monitoring – observing users' activities – using the right tools.
Sponsored by Quadrotech