If your company uses the ever-reliable Microsoft 365, your services are probably running smoothly, your email is flowing and you are collaborating with others using OneDrive and SharePoint. You may also feel that your tenant is setup perfectly, since you’ve had minimal issues for years.
While you trust Microsoft to keep your environment safe, you may have been encouraged to schedule an internal review of your Microsoft 365 environment (using either the Center for Internet Security (CIS) benchmarks or with Microsoft’s Secure Score matrix). For those of you that are not familiar, Microsoft Secure Score reflects your tenant’s security posture and is based on an accumulated point system wherein each “Improvement Action” is worth several points. CIS Microsoft 365 Benchmarks also reflect your tenant’s security posture, but are based on a “pass/fail” Boolean system developed by business leaders and IT professionals across multiple industries.
Here’s an example of your security scores (which at first may seem much lower than expected):
CIS Microsoft 365 Benchmarks: 45.6%
Microsoft Secure Score: 20.0%
Why such poor scores? This is where it gets interesting. In my experience, there are typically three reasons that come into play:
- Retiring services and old protocols
- New security improvements
- New features
Allow me to review these categories using examples I’ve encountered over the years, and then I’ll provide some solutions to raise your security scores.
Low Score Reason One: Retiring services and old protocols
Retired services and old protocols can often become a security risk for companies because the new services & protocols are not automatically (or easily) put in place to replace the gaps the retired ones leave behind. As a best practice, your company should monitor the Microsoft 365 Message Center for messages with the retirement tag. These messages provide insight and guidance on how to mitigate associated risks.
For perspective, in CIS’ latest iteration (v1.3), Microsoft 365 is evaluated against 86 different benchmarks. Of those 86 benchmarks, 25 are directed at settings that were previously the default in your tenant. Additionally, Microsoft’s Secure Score has 5 “Improvement Actions” (worth 23 points) for default settings; as a result, you might have several retired settings, and you are now a “security concern”.
One example: in 2019, Microsoft announced it would retire Basic Authentication protocols in Microsoft 365. During the same year, CIS released their Microsoft 365 Benchmarks, which recommended adopting modern authentication to compensate for the retirement of Basic Authentication protocols. This is a perfect example of a default setting (Legacy Authentication) aging out its related service.
Low Score Reason Two: Security improvements
Security improvements address vulnerabilities in your services whether they are the product of retiring services or not. But most new security improvements are not turned on by default. They also often require updates to your existing settings or additional considerations related to how you manage your services.
A perfect example of this is MFA: it has been available for user authentication in Microsoft 365 since February 2014.
Low Score Reason Three: New features
There are currently 1,086 feature updates marked as “active” in the Microsoft 365 Roadmap. Of those updates, 629 launched in the 12 months alone. Typically, updates provide new tools and services that improve efficiency, security or governance. Note, however, that these features cannot be rolled out in a vacuum; instead, these updates should be individually considered to ensure they fit into your company’s IT roadmap, and that appropriate monitoring and governance practices are applied. With that said, Microsoft’s default behavior for most new features is to immediately enable them. I believe the objective is to promote use of these new features, but this can greatly impact your company’s data governance practices.
For example, if you setup your tenant more than two years ago, the Egnyte feature has likely been enabled since as a sharing storage location in Microsoft Teams, which means that your users have been able to share their data to unmanaged third-party storage locations without your knowledge.
While these new features can be very useful in certain environments, they should only be rolled out after proper due diligence has been conducted by experienced IT professionals.
How to improve your scores
The good news is that Microsoft Secure Score and CIS Benchmarks provide recommendations on how to improve your security standing, and they have identified methods for understanding the impact some features have in your tenant.
Both services clearly outline the security issues you should address, and provide high-level guidance on how to remediate them. In my experience, most remediation actions require additional planning to reduce impact on the end-user experience or to prevent a loss of feature functionality. This additional planning is well worth it to keep your Microsoft environment secure.
Here are some recommended next steps on reviewing your settings:
- For admins: check your tenants Microsoft Secure Score and review messages in your Microsoft 365 Message Center
- Complete a deep dive into current security standings with CIS Benchmarks for Microsoft 365
- Review Microsoft 365 posts on Twitter or check Microsoft 365 Roadmap to stay up to date on Microsoft 365 releases, features and the retirement of services, protocols and applications
An extra incentive to review your settings
Aside from security concerns, it’s also possible that you are paying for outdated infrastructure and/or Exchange Online. Many times, I see companies that have an SMTP Gateway service in place. This Gateway service is typically left-behind technology from when a company has migrated from on-premises Exchange to Office 365. I even see companies that have shifted from a hybrid environment to a full-cloud deployment with the Gateway. With the features provided by Exchange Online and Microsoft Defender for Office 365, some of the services provided by the SMTP Gateway are redundant, and often require turning off some of Exchange’s basic online protections. Ultimately, the company pays for outdated infrastructure that hinders an effective, secure cloud deployment.
Conclusion
There are many reasons to consistently review your Cloud Service settings. This doesn’t just apply to Microsoft 365 tenant settings. Consider your individual email settings: maybe you still have that auto-forward to your old work email address, or maybe you are still delegating your inbox to an operations assistant that has since transferred departments. When was the last time you checked?