18 Apr 2019 by Becci Velzian
Hej Stockholm Microsoft Ignite the Tour!
Quadrotech is looking forward to coming to meet you in Sweden for Microsoft Ignite the Tour on April 24-25, 2019.
One of the most popular Microsoft-related search terms on Google and Bing is: ‘How to enhance the security of Office 365’. Generally, the assumption is that this is a question of technology, and most companies will look for Office 365 security tools.
However, if you’re serious about improving the security of your IT infrastructure, the key thing to focus on is having strict policies and procedures in place, and ensuring they’re implemented rather than ignored.
Security best practices must be central to your company culture, or else you’ll be vulnerable to attack.
Take the Equifax data breach, for example; the multinational corporation had rigid policies in place, especially for those with access to sensitive data, but they were largely ignored by staff and management.
The expectation that drawing up a document guarantees security is worse than useless, as it shows a complete disregard for best practice – a bit like buying a bicycle helmet but neglecting to wear it.
Let’s consider how a casino operates.
At each level, the croupier, the cashier, and vault security can only access their section, so when a lucky customer wins the $1 million prize, the croupier goes to the cash desk, who makes a request to the vault security, who brings the winner through each stage to a secure area to collect their winnings.
At no point can the croupier or the clerk access the vault directly, and likewise at no point can the guard access the cash office or the main floor.
We should be taking the same precautions with our data.
Now imagine a worst-case scenario where the casino has $1M at each high-stakes table, and armed robbers walk in, cause a commotion, and walk out with millions before the police get there.
Why was it so easy?
Well, because the valuables were easily accessible; great for customer experience if you happen to be a lucky winner – collect your cash there and then – awful in terms of risk.
Putting this into perspective:
These guidelines should apply across the board, including senior management, who often have full access where it’s not necessary, possibly because it’s seen as a kind of status symbol.
The principle of least privilege (PoLP) means asking yourself this: Does a first-line service desk engineer need Global Administrator (GA) access to all your systems to carry out their day-to-day duties? Or better yet, does the CEO need to be a GA?
Chances are, probably not.
This level of access should only be given to a select few engineers who need it for their specific job role, and to have that level of access, companies would be well within their rights to request enhanced background checks against work history and criminal records.
Privilege creep happens when a staff member changes job role but retains all previous privileges.
Take a finance admin who requires access to payroll to do her job. She does it so well, she gets promoted to supervisor. No longer does she need access to payroll, because her team takes care of that – she’s simply there to manage them.
Often the privileges are kept, and this poses risk to the organization.
Senior management must give direction on this and it should come from a C-level position, so there’s no ambiguity or argument from staff who may think these privileges are a ‘nice to have’.
The technology exists within Office 365 to be very secure, but it is its usage, and the procedures surrounding it, that should be addressed from the top and not left with your IT helpdesk.
Management should take the security of information seriously at board level and have the principles trickle down to the rest of the organization as part of the overall security strategy.
A good way to think of this is in terms of the C-I-A triad: Confidentiality, Integrity, and Availability (not the men in black).
This is one of the core principles of information security, and, like our casino example, it sets out a way of thinking when we come to apply security to data. The closer you move towards one of the corners, the more you lose the others.
To illustrate this in practice, we could say that a Facebook account doesn’t require any level of integrity to be functional, but to be worthwhile it needs to be accessible to most people.
There is security technology in place but mostly Facebook’s purpose is to connect with other users and make that info available.
LinkedIn has a requirement for the info to be more up-to-date to function properly and needs to be highly accessible.
Now take medical records: these need to be kept up-to-date with any allergies or medication and they need to be accessible to authorized users like paramedics and your doctor.
Banking details have less of a need to be up-to-date than medical records but require the highest level of confidentiality with only a select few authorized users even able to see the information.
Businesses can use this as a guide to set standards on policy and training for staff:
| Role | Access required | Screening required | Ongoing checks |
|---|---|---|---|
| Global Admin | All systems | Criminal records, checkable work history, references and accreditations, skills | Quarterly assessments |
| Finance Admin | Finance & payroll | Criminal records, checkable work history, references and accreditations | Quarterly assessments |
| HR Admin | Personnel files | Criminal records, checkable work history, references | Quarterly assessments |
| Management | CRM Personnel | Criminal records, checkable work history, references | Annual assessments |
| All other staff | Non-critical | Criminal records, references | None |
Ongoing assessment of staff is key when they’re accessing a critical system or information, as is the need for training and maintaining that training.
It’s good practice to do this, as should the worst happen – be it a rogue employee or full-on breach by a threat actor – when the audit takes place, one simple question will be asked: “Did the company do everything reasonable to prevent this?”
Even if the company is relatively small with a turnover of $1M, is it reasonable to ask them to spend $1M on vetting, security training and external security monitoring for all staff when it only handles a small amount of personal customer data? Probably not.
But would it be reasonable to have vetting and screening in place for new starters and spend time training all employees on how to spot phishing attacks and have appropriate safeguards in place as part of best practice? Absolutely!
It’s a balance based on perceived impact in a breach, and should form part of any company’s risk posture.
In relation to segregation of roles and privileges, take a GA: they should not be using their GA account for general emailing. They should have two accounts, one with User access and one for admin functions.
The reason for this is that email addresses can be inferred by threat actors: if I look at John’s LinkedIn profile, I now know that he’s an admin at this company, so I can start to target that email address and that account.
Should I compromise his user account, there isn’t much I can get to if it’s set up correctly. I could start phishing internally using this, but if staff are trained properly not to give up information then this account can be locked down and the risk mitigated.
The admin account should be used for admin actions only. As an outsider, I would be hard pressed to guess his username, and as no emails are sent externally from this address, it is hard to target.
You could go even further and have the accounts attached to separate machines: the User account is on John’s laptop, the Admin account attached to a desktop machine. The reason for it not being a laptop is that a desktop is much harder to leave on a train or have stolen. This way the accounts and physical machines are separate based on their duties.
This could be monitored using Office 365 auditing software, as you would expect to see a high number of emails in and out of John’s user account and no admin actions taking place.
On the other side, the inverse is true; few to no external emails from the admin account, but a great many admin functions.
The above example should be applied to your IT Admin corporate policy, with wording along the lines of:
Global Admins must have two accounts (and machines) and only use the admin account for admin functions and no external emails are to be sent from the admin account. Failure to comply with this policy will come under our Computer security use policy for administrative users.
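The monitoring described above, as an added example that is not part of the original post or of any Quadrotech product: a small check over audit records that flags an admin account sending external mail, or a user account performing admin operations. The record fields, the `-adm` naming convention for admin accounts, the `contoso.example` domain and the operation names are assumptions chosen for illustration.

```python
from collections import defaultdict

INTERNAL_DOMAIN = "contoso.example"  # assumption: the tenant's own mail domain
ADMIN_SUFFIX = "-adm"                # assumption: admin accounts are named <user>-adm@...

# Operations only an administrator should run (illustrative set; a real audit log
# carries many more operation names than these).
ADMIN_OPERATIONS = {"Add member to role.", "Add user.", "Update user.", "Set-Mailbox"}
MAIL_OPERATIONS = {"Send", "SendAs"}

def is_admin_account(upn):
    """Recognise admin accounts by the naming convention assumed above."""
    return upn.split("@", 1)[0].endswith(ADMIN_SUFFIX)

def summarise(events):
    """Per account: external mails sent and admin operations performed."""
    stats = defaultdict(lambda: {"external_mail": 0, "admin_ops": 0})
    for ev in events:
        acct = ev["user"].lower()
        op = ev["operation"]
        if op in MAIL_OPERATIONS:
            # A send counts as external only when the recipient is outside our domain.
            if ev.get("recipient_domain", INTERNAL_DOMAIN).lower() != INTERNAL_DOMAIN:
                stats[acct]["external_mail"] += 1
        elif op in ADMIN_OPERATIONS:
            stats[acct]["admin_ops"] += 1
    return dict(stats)

def policy_violations(events):
    """Return (account, reason) pairs where activity contradicts the account's role."""
    findings = []
    for acct, s in summarise(events).items():
        if is_admin_account(acct) and s["external_mail"] > 0:
            findings.append((acct, f"admin account sent {s['external_mail']} external mail(s)"))
        if not is_admin_account(acct) and s["admin_ops"] > 0:
            findings.append((acct, f"user account ran {s['admin_ops']} admin operation(s)"))
    return findings

# Constructed sample records, loosely shaped like audit log entries.
SAMPLE_EVENTS = [
    {"user": "john@contoso.example", "operation": "Send", "recipient_domain": "partner.example"},
    {"user": "john@contoso.example", "operation": "Send", "recipient_domain": "contoso.example"},
    {"user": "john-adm@contoso.example", "operation": "Add member to role."},
    {"user": "john-adm@contoso.example", "operation": "Update user."},
    {"user": "john-adm@contoso.example", "operation": "Send", "recipient_domain": "gmail.example"},  # breach
    {"user": "sara@contoso.example", "operation": "Set-Mailbox"},                                  # breach
]

if __name__ == "__main__":
    for acct, reason in policy_violations(SAMPLE_EVENTS):
        print(f"{acct}: {reason}")
```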
If you really want to know how to enhance the security of Office 365, you should ask a Certified Information Systems Security Professional (CISSP) and hire them to your board of directors as Chief Information Security Officer (CISO).
However, they’re extremely rare and will cost you a small fortune, as there’s a global skills shortage in IT security. But they will sort the problem out, as they’re guaranteed to have a different mindset and skill set from other IT roles, taking a holistic view on the way information flows, is stored and is accessed across the organization.
Direction needs to come from the top; it’s no good leaving this to an IT department who will tackle the problem in a piecemeal fashion, fixing things breach-by-breach.
You may not have the budget for a CISSP CISO, but there’s no excuse for not enforcing firm IT policies and procedures.
If you’re keen to learn more about our Office 365 tools and how they can improve the security of your Office 365 infrastructure, sign up for our 14-day trial of Radar Reporting.
No credit card information is required; simply enter your GA credentials, connect your Office 365 tenant, and access over 100 customizable reports to shed light on user behavior. You’ll also receive automated alerts upon the detection of suspicious activity.