Statistics suggest that over 3 million companies are using Microsoft 365 as their office productivity tool. This is almost 30% of the market share. Such a reliance on a vast platform like Microsoft 365 requires appropriate security measures. These can range from conditional access policies, strong access controls, authentication mechanisms, and monitoring capabilities to complete backup and disaster recovery solutions in place.

Microsoft 365 can be used for many purposes, including Microsoft Teams for meetings and calls, Outlook for enterprise-level email, OneDrive for storage, and SharePoint sites for team and project management. With so many different tools, your security posture is important.

Since these tools have a direct impact on your collaboration, productivity, and communication, it is important to keep this data accessible and resilient. Because data stored in Microsoft 365 can be mission-critical, these environments are an attractive target for attackers, and security gaps must be identified and addressed as quickly as possible. Moreover, your data should be secured in adherence to regulatory compliance requirements.

The risks concerning your Microsoft 365 data 

Your Microsoft 365 data should be protected against a range of risks and vulnerabilities. In 2020, Microsoft accidentally exposed 250 million Microsoft customers’ records. These spanned 14 years and were not even password-protected. This data was accessible to anyone with access to a browser, and records included customer service and support logs that encompassed talks between Microsoft support agents and customers from across the globe.

Thus, the potential security threats your company should look out for include:

  • accidental deletions due to human error, as well as intentional deletions
  • unauthorized access 
  • ransomware and malware
  • platform outages 
  • phishing and credential theft 
  • limited recovery options 
  • failing to comply with regulations 

Microsoft’s Shared Responsibility Model

Like any cloud provider, Microsoft follows the shared responsibility model, which clearly separates the provider’s and the customer’s roles in data protection. Microsoft ensures the security and availability of the underlying infrastructure, but customers remain fully responsible for their account data in Microsoft 365. That means protecting it, maintaining control, and ensuring uninterrupted access is ultimately on you.

To strengthen your security posture, you should focus on access controls, comprehensive and secure backups with reliable recovery, full data retention, data-level protection, and compliance with relevant regulatory frameworks.

Are native security features of Microsoft 365 enough?

Microsoft 365 ships with some security defaults, such as email filtering for phishing and malware, MFA, and the ability to integrate tools across the wider MS365 ecosystem. Even so, its native features still leave security gaps.

The native Microsoft 365 backup features can sustain basic restore operations, but they are not designed for day-to-day work or for more critical scenarios. Coverage includes SharePoint sites, OneDrive accounts, and Exchange mailboxes, but item-level restore is only available for Exchange Online (mail, contacts, calendar, and task items); otherwise, backup granularity comes down to whole OneDrive accounts, SharePoint sites, and Exchange user accounts. This leaves serious gaps in retention, granularity, and the overall security, integrity, and recoverability of your data.

Let’s take a closer look at the features and possibilities provided by Microsoft in terms of native backup and restore to verify their usefulness:

  • Retention is limited to 1 year for OneDrive, SharePoint, and Exchange Online
  • Recovery points: OneDrive and SharePoint every 10 minutes for the past 14 days, then weekly snapshots for up to 1 year; Exchange every 10 minutes for up to a year
  • Backup granularity: whole accounts for OneDrive, sites for SharePoint, mailboxes for Exchange
  • Users can restore entire accounts/sites/mailboxes to the same or a new location; file/item-level restores are limited and mostly labeled as “coming soon”
  • Restore speed is up to 1–3 TB/hour across around 1,000 objects

Source: Microsoft documentation

Data breaches

As you may know, data breaches are a risk in DevOps – even for huge platforms such as Microsoft 365. The attacks range from the compromise of thousands of accounts and the use of fake OAuth apps to phishing and ransomware. Take a look at some real-world cases to get insight into Microsoft 365 data breaches.

First, let’s take a look at how attackers exploited Microsoft 365 with non-interactive sign-ins, which gave them more time to infiltrate systems before any alarms were raised. Reports state that attackers used a 130K-device botnet to password-spray Microsoft 365, and the activity was seen across multiple tenants. The risks include account takeover and even MFA evasion. Make sure to always review non-interactive sign-in logs!
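As an added example (not code from the original article), here is how a defender could review exported non-interactive sign-in records for the spray pattern described above: one source address failing against many distinct users, a few attempts each, followed by a success. The record shape follows the Microsoft Graph signIn resource; the records, IP addresses, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Entra ID non-interactive sign-in records, in the shape of
# the Microsoft Graph signIn resource (values made up). errorCode 50126 means
# "invalid username or password"; 0 means success.
def _rec(ts, upn, ip, code, interactive=False):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "isInteractive": interactive, "status": {"errorCode": code}}

SAMPLE_SIGNINS = [  # one IP tries five users once each, then succeeds for erin
    _rec("2024-03-01T08:00:05Z", "alice@example.com", "203.0.113.7", 50126),
    _rec("2024-03-01T08:01:10Z", "bob@example.com", "203.0.113.7", 50126),
    _rec("2024-03-01T08:02:20Z", "carol@example.com", "203.0.113.7", 50126),
    _rec("2024-03-01T08:03:30Z", "dave@example.com", "203.0.113.7", 50126),
    _rec("2024-03-01T08:04:40Z", "erin@example.com", "203.0.113.7", 50126),
    _rec("2024-03-01T08:07:00Z", "erin@example.com", "203.0.113.7", 0),
    # a single user failing repeatedly is not a spray (more like a stale cached password)
    _rec("2024-03-01T08:00:00Z", "bob@example.com", "198.51.100.9", 50126),
    _rec("2024-03-01T08:00:30Z", "bob@example.com", "198.51.100.9", 50126),
    _rec("2024-03-01T08:02:00Z", "alice@example.com", "192.0.2.10", 0, interactive=True),
]

def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect_password_spray(signins, window=timedelta(minutes=15), min_users=5, max_per_user=2):
    """Flag source IPs whose failed non-interactive sign-ins hit many distinct users,
    few attempts each, inside one time window; the thresholds are assumptions."""
    failures, successes = defaultdict(list), defaultdict(list)
    for rec in signins:
        if rec["isInteractive"]:
            continue  # interactive sign-ins are reviewed separately
        bucket = failures if rec["status"]["errorCode"] != 0 else successes
        bucket[rec["ipAddress"]].append(rec)
    findings = {}
    for ip, recs in failures.items():
        recs.sort(key=_ts)
        per_user = defaultdict(int)
        for r in recs:
            per_user[r["userPrincipalName"]] += 1
        if (len(per_user) < min_users or _ts(recs[-1]) - _ts(recs[0]) > window
                or max(per_user.values()) > max_per_user):
            continue
        # a success from the spraying IP for a sprayed user is the takeover signal
        hits = sorted({s["userPrincipalName"] for s in successes.get(ip, [])
                       if _ts(s) >= _ts(recs[0]) and s["userPrincipalName"] in per_user})
        findings[ip] = {"distinct_users": len(per_user), "failures": len(recs),
                        "compromised_candidates": hits}
    return findings
```

Accounts listed under compromised_candidates are the ones to reset and review first, together with any MFA registrations or consent grants made from them after the success.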

Next up, we have a case of attackers impersonating real companies like Adobe or DocuSign and using fake Microsoft OAuth apps, then leveraging Tycoon/ODx phishing kits to steal M365 credentials or MFA codes and take over accounts. A person could get an email from a compromised account, be sent to a consent page, and then, even if they deny the consent, have their credentials stolen. What organizations should do includes enforcing admin consent, monitoring all OAuth grants, blocking legacy authentication mechanisms, and training users and employees to recognize phishing attacks.
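Added example, not code from the article: a review of OAuth consent grants for the warning signs described above (user consent where admin consent should be enforced, an unverified publisher, a brand name that does not match the publisher, and high-risk scopes). The grant records are constructed and simplified from the Graph servicePrincipal and oAuth2PermissionGrant resources, and the brand and scope lists are assumptions.

```python
# High-risk delegated scopes a consent reviewer should always look at (a
# practitioner's starting list, assumed for this example, not a Microsoft list).
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                    "Files.ReadWrite.All", "Sites.ReadWrite.All", "offline_access"}
# Brands the article mentions being impersonated; an app using one of these names
# should come from a verified publisher whose domain matches (assumed mapping).
BRAND_DOMAINS = {"adobe": "adobe.com", "docusign": "docusign.com"}

# Constructed grants: each record combines the servicePrincipal (displayName,
# verifiedPublisher simplified to a domain or None) with its oAuth2PermissionGrant
# (consentType: "Principal" = a single user consented, "AllPrincipals" = admin consent).
SAMPLE_GRANTS = [
    {"appId": "app-1", "displayName": "Adobe Acrobat Cloud", "verifiedPublisher": None,
     "consentType": "Principal", "scope": "openid profile Mail.Read offline_access"},
    {"appId": "app-2", "displayName": "DocuSign eSignature", "verifiedPublisher": "docusign.com",
     "consentType": "AllPrincipals", "scope": "openid profile User.Read"},
    {"appId": "app-3", "displayName": "Expense Helper", "verifiedPublisher": "partner.example",
     "consentType": "AllPrincipals", "scope": "Files.ReadWrite.All"},
    {"appId": "app-4", "displayName": "Room Booking", "verifiedPublisher": "contoso.example",
     "consentType": "AllPrincipals", "scope": "User.Read Calendars.Read"},
]

def review_grant(grant):
    """Return the list of reasons this consent grant deserves an admin's attention."""
    reasons = []
    if grant["consentType"] == "Principal":
        reasons.append("user consent (admin consent workflow not enforced)")
    publisher = grant["verifiedPublisher"]
    if publisher is None:
        reasons.append("publisher not verified")
    name = grant["displayName"].lower()
    for brand, domain in BRAND_DOMAINS.items():
        if brand in name and publisher != domain:
            reasons.append(f"name impersonates {brand} but publisher is {publisher!r}")
    risky = sorted(HIGH_RISK_SCOPES & set(grant["scope"].split()))
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    return reasons

def review_all(grants):
    """Map appId -> reasons for every grant that has at least one finding."""
    return {g["appId"]: r for g in grants if (r := review_grant(g))}
```

Grants flagged for user consent or brand impersonation are candidates for immediate revocation; a verified app with high-risk scopes still needs a documented business justification.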

Microsoft 365 security best practices

To fully secure your Microsoft 365 data, you should adhere to industry best practices. While Microsoft does simplify office tasks, the security of such an ecosystem should not be overlooked. Limiting permissions and ensuring strong authentication help to prevent data breaches, and introducing complete backup along with effective recovery keeps you safe from ransomware, outages, and human errors like accidental deletions. Do not forget to carry out regular risk assessments.

Key things to carry out continuously include regular risk assessments, analysis of security threats, and reviews of the relevant security settings. Even internal users should not gain access to unnecessary assets, as this creates potential threats like data breaches and can put the organization’s security at risk. Pay close attention to which protection settings ensure continuity of your business operations and keep all of the Microsoft Office apps secure.

Access controls 

Securing access to your Microsoft 365 data is the first step in preventing threat actors from breaching it. Here, we will get into things like the principle of least privilege and conditional access policies. In terms of access controls, it is important to pay attention to: 

  • role-based access control (RBAC): assign each user only the role they require to complete their job, so no user gets access to data outside of their requirements,
  • principle of least privilege: set each user’s permissions to the minimum they require, so no unnecessary access is granted,
  • limit the number of admins according to your needs,
  • introduce granular access control,
  • review and revoke unnecessary user access: revoke admin privileges where they are not needed, and remove permissions from old, unused, or compromised accounts.

Proper authentication 

When addressing risks related to Microsoft 365 authentication, enable multi-factor authentication (MFA), which requires users to prove their identity with more than one factor before they can access their account.

Make sure that all users have multi-factor authentication enabled, not just the privileged accounts. Also, using a combination of those methods (email, phone calls, text messages) makes it even harder for an attacker to access your data.

Manage user accounts and permissions

Take advantage of Azure Active Directory – a cloud-based identity and access management service by Microsoft. This helps to centralize user authentication and authorization, and, as a result, simplifies controlling access to your Microsoft 365 ecosystem and your corporate data. Make sure to use the aforementioned multi-factor authentication, implement strong and secure password policies, and review access privileges regularly.

Use SSO securely

Single sign-on or SSO allows users to get access to different apps or services with the same credentials. When leveraging SSO, guarantee that your identity provider is secure, such as Azure Active Directory. Moreover, conditional access policies let you grant access permissions based on specific conditions like the user’s device or their location. Now, as with most things, conditional access policies require regular reviews to ensure security.

Protect your Microsoft 365 emails 

To guarantee your emails are protected, you can make use of Microsoft Defender, which offers Advanced Threat Protection (ATP). This functionality covers things like Safe Links, Safe Attachments, and anti-phishing mechanisms to prevent your data from being compromised by cyber threats.

Another built-in feature by Microsoft is Exchange Online Protection (EOP). This is automatically turned on for all MS365 users and helps to protect your corporate data from malware or spam. There are also Data Loss Prevention (DLP) policies to help prevent any sensitive information from being shared through emails. Such sensitive data can be automatically detected and then protected from being sent to the outside world. So, make sure to utilize Microsoft Defender, Exchange Online Protection, and Data Loss Prevention.

Network security 

The security of the network on which your Microsoft 365 ecosystem and company data are hosted is crucial. Make sure to keep it secure with firewalls, antivirus software, VPNs, and DDoS protection. Also, remember to implement the aforementioned Microsoft Defender.

Third-party integrations 

Before adding any extensions and integrating any third-party tools to your Microsoft 365 ecosystem, make sure to verify the compatibility of systems and whether your backups will cover it. Carefully analyze each third-party tool or extension that you intend to use, as these can bring in security gaps that can be easily overlooked. Make sure to check out reviews, who it was created by, and if it is compliant with industry standards such as SOC 2 Type II.

Logs and audits 

With vast environments like Microsoft 365, there are different tools and services to keep track of. Now, given the complexity of MS365, you will need comprehensive monitoring capabilities to have clear insight into the processes across your organization.

Make sure to track processes through logging actions and introducing regular audit logs. These audit logs not only help you monitor your Microsoft 365 data but also allow you to locate potential vulnerabilities and address them. To take security further, you should host regular security awareness training for your employees.

Secure your metadata 

While the general security of your basic Microsoft 365 data is key, we need to dive deeper. Namely, the associated metadata. Make sure that your security practices encompass all relevant and sensitive data from your DevOps stack and that your backup strategies provide support for relevant metadata.

On top of that, ensure that your environment undergoes regular and thorough checks and scans to further facilitate DevSecOps. This way, no secrets are stored within the ecosystems, all processes are tracked, and your operations remain transparent, secure, and organized.

Backup and recovery for Microsoft 365 data 

As we have mentioned, the native backup and DR capabilities of Microsoft 365 are not sufficient for things like outages, ransomware, or accidental deletions of critical data. Therefore, choosing a third-party backup solution that matches your needs is crucial, as it is your safety net.

Moreover, as outlined by the shared responsibility model and compliance requirements, it is actually your duty to implement complete backups of your Microsoft 365 data. Make sure that your backup vendor covers the following:

  • flexible storage options, including Azure Blob and any S3-compatible storage instances like Wasabi or Backblaze, along with local and NAS storage for hybrid and on-prem organizations (make sure you can use your own and that the provider allows you to use theirs),
  • full data coverage of all relevant Microsoft 365 tools and services, ranging from OneDrive and Outlook to Teams and SharePoint,
  • backup automation with the possibility of scheduling backup processes,
  • unlimited retention, which is great for compliance, archiving, and point-in-time restores,
  • the 3-2-1 backup rule (3 copies of data, on 2 different storage instances, with one of them stored off-site),
  • effective replication,
  • compliance with industry regulations such as ISO 27001 or SOC 2 Type II,
  • ransomware-proof solutions,
  • in-flight and at-rest data encryption with the ability to use your own encryption key pair,
  • flexible and effective restore and recovery capabilities, including point-in-time restore, granular restore, full data recovery, and cross-over recovery.

As you know, your backup is only as strong as the restore capabilities it brings. Therefore, it is important to thoroughly consider which solution you opt for.

Microsoft 365 data protection with GitProtect

Since Microsoft 365 houses different kinds of data, from SharePoint and OneDrive to Microsoft Teams and Outlook, you are responsible for how you secure that data. While there are some native, built-in capabilities provided by Microsoft, they are not enough.

Even with strong access controls and multi-factor authentication, your data is still at risk of getting hit with ransomware, being lost due to platform outages, or accidental deletions. Implementing and configuring data loss prevention mechanisms is key. Now, under the shared responsibility model, it is your duty to protect your data, devices, and accounts while ensuring availability and recoverability.

GitProtect fills the gaps left by Microsoft’s built-in features and improves your security posture. You get security features like full data coverage, unlimited retention, advanced encryption, and immutable backups, along with flexible restore capabilities. This way, you get a complete safety net in the form of secure backups and reliable disaster recovery strategies. These are the global industry standards. So, this is a step towards compliance with industry regulations that can further improve threat protection, business continuity, and customer and stakeholder satisfaction.
