Get proactive about security with the Secure Configuration Framework for Microsoft Office 365
The framework helps organisations secure their Microsoft Office 365 environments to reduce business risk.
Written by Eric Chapin, Senior Security Architect at Ekco
Earlier this month, Ireland’s National Cyber Security Centre (NCSC) launched the Secure Configuration Framework for Microsoft Office 365, which Ekco authored in collaboration with Microsoft and the NCSC. These guidelines help organisations meet cyber security baseline standards and secure their Microsoft Office 365 environments to reduce business risk. It’s relevant for both small companies that may not have access to dedicated cyber security expertise, as well as larger companies that use in-house talent or managed service providers.
Know where you’re going, define how to get there
Most companies today use Microsoft 365 Cloud in their day-to-day operations and operate at one of four control levels – Foundational, Standard, Advanced, or Optimised. The Secure Configuration Framework for Microsoft Office 365 can be used wherever you are in your Microsoft Office 365 journey. It’s a great security benchmarking tool to assess your company against and set the basis for improvements you want to make.
Deciding on what security controls you’d like to implement should start from the very top of your organisation. It’s critical to understand from a business leadership perspective what your company’s risk appetite is. An organisation that wants to safeguard 80% of its data is going to have a very different set of security standards to one that has minimal personally identifiable information (PII) it needs to protect. If technical teams know what your risk appetite is going in, it helps them strategise and build out the details, such as how you want employees to open SharePoint Online, for example. In addition, it accelerates your adoption as teams have a clear and common direction when making design decisions. It’s also important to set a cloud strategy that includes security guidance, as borderless environments like Microsoft Office 365 can require very different controls from traditional on-premises systems. The framework can be a useful tool in getting C-level leadership buy-in on why you would take certain measures to meet their definition of a secure organisation.
In addition to the Secure Configuration Framework for Microsoft Office 365, Microsoft also has a good bank of documentation on how to drive your platforms and adopt things faster, including accelerators that Microsoft has put out such as the Microsoft Cyber Security Reference Architecture, CISO Workshop, and Zero Trust Rapid Modernisation Plan. These are not only useful in helping map your Microsoft 365 journey to certain controls or objectives, but they are also great resources to pull out images and language to support presentations to stakeholders. This reduces the amount of time spent creating presentations or artefacts to justify security initiatives.
Once you’ve defined your cloud security strategy in relation to your company’s risk appetite, you know what objectives you want to achieve and are able to draw that line in the sand around the Secure Configuration Framework for Microsoft Office 365. Ensure this strategy is well documented, and all your IT business teams know the strategy so that they are empowered to make quick decisions about finer details that can help your business move onto the control level it wants to attain.
Do you need to level up?
Once you have outlined your cloud security strategy, a good place to start is ensuring you are using your existing Microsoft licensing level to its fullest. You may already have access to the features you need to improve your security, but perhaps haven’t been able to prioritise keeping up with changes to your Microsoft tech stack.
Investing time in working through the framework document and activating certain features will enhance your organisation’s security on various levels and is far more efficient in the long term. You will essentially be creating one secure front door that your whole estate can sit behind, and every app you subsequently bring into Azure Active Directory authentication or a cloud app gateway will be subject to the controls you set up for that front door. You’ll therefore save time by not having to close hundreds of different doors to your data, and you’ll reduce the likelihood of being left vulnerable by forgotten, unlocked doors.
Documenting your cloud security strategy will also make it evident whether you need to move to a higher tier of Microsoft licensing. There may be tools you need to implement your security strategy that your current licensing tier doesn’t give you access to. The Secure Configuration Framework for Microsoft Office 365 clearly sets out the licensing level required to attain each tier of security. It’s an excellent way to communicate to your company’s leadership what tools you need to invest in to achieve the organisation’s security goals.
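A practical first step for the two points above (using what you already pay for, and confirming that one “front door” actually covers your estate) is to inventory the tenant. The following PowerShell script is an added example written for this article, not code from the framework, Ekco or Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed and that you sign in with an account holding read-only directory and policy permissions; the function names are illustrative.

```powershell
# Added example: inventory licensed service plans and tenant-wide Conditional
# Access policies with the Microsoft Graph PowerShell SDK. Not part of the
# Secure Configuration Framework; assumes the Microsoft.Graph modules are installed.

function Connect-TenantReadOnly {
    # Read-only scopes are enough to list subscribed SKUs and Conditional Access policies.
    Connect-MgGraph -Scopes 'Organization.Read.All', 'Policy.Read.All' -NoWelcome
}

function Get-LicensedServicePlans {
    # One row per service plan that is actually provisioned under a purchased SKU,
    # so you can see which security features you already have before buying more.
    Get-MgSubscribedSku | ForEach-Object {
        $sku = $_
        $sku.ServicePlans |
            Where-Object { $_.ProvisioningStatus -eq 'Success' } |
            ForEach-Object {
                [pscustomobject]@{
                    Sku          = $sku.SkuPartNumber
                    ServicePlan  = $_.ServicePlanName
                    EnabledUnits = $sku.PrepaidUnits.Enabled
                    Consumed     = $sku.ConsumedUnits
                }
            }
    }
}

function Get-FrontDoorPolicies {
    # Enabled Conditional Access policies scoped to all users and all cloud apps:
    # these are the controls every newly onboarded app inherits automatically.
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object {
            $_.State -eq 'enabled' -and
            $_.Conditions.Applications.IncludeApplications -contains 'All' -and
            $_.Conditions.Users.IncludeUsers -contains 'All'
        } |
        Select-Object DisplayName,
            @{ n = 'Grant';         e = { $_.GrantControls.BuiltInControls -join ',' } },
            @{ n = 'ExcludedUsers'; e = { @($_.Conditions.Users.ExcludeUsers).Count } }
}

Connect-TenantReadOnly

# What is already licensed and switched on in this tenant?
Get-LicensedServicePlans | Sort-Object Sku, ServicePlan | Format-Table -AutoSize

# Is there at least one enforced policy acting as the single front door?
$frontDoor = Get-FrontDoorPolicies
if (-not $frontDoor) {
    Write-Warning 'No enabled Conditional Access policy covers all users and all cloud apps.'
} else {
    $frontDoor | Format-Table -AutoSize
}
```

The first table tells you which features your current tier already includes; the second shows whether the controls you intend as the single entry point are enforced (state “enabled” rather than report-only) and how many accounts are excluded from them, which is where forgotten, unlocked doors tend to appear.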
Keeping up with changes
Lastly, it’s important that your strategy includes a schedule for regular reviews of your Microsoft environment, as new features are always being added, updated or even deprecated. Your organisation’s security requirements may also shift. The most successful organisations are those that sign up for proactive updates from the Microsoft Roadmap and schedule “evergreen” projects in their yearly IT programme to provide space for continuous improvement or other changes in Microsoft technology that may not fit into a business-facing initiative. It’s advisable to conduct these reviews at least twice a year, and we at Ekco, in collaboration with Microsoft and the NCSC, will be publishing regular updates to the Secure Configuration Framework for Microsoft Office 365. The first update is scheduled for later this year.