Encryption for Microsoft 365 Cloud Security<\/a><\/h2>\nMicrosoft 365 for Legal Compliance<\/a><\/h2>\nA New Strategy for Identity Control<\/a><\/h2>\nSecurity Policies in Microsoft 365<\/a><\/h2>\nPhysical Architecture: Security Features<\/a><\/h2>\nBusiness Continuity and Disaster Recovery in Microsoft 365<\/a><\/h2>\nAdditional Business Continuity Tips<\/a><\/h2>\nOperational Support Structure for Digital Asset Protection<\/a><\/h2>\nDigital Asset Protection in Microsoft 365: Final Thoughts<\/a><\/h2>\n
\n<\/a>Why Digital Asset Protection Is Important<\/h2>\nWhile working as a consultant at a global manufacturer in the 1990s, I first heard the phrase, \u201cSecurity is everybody\u2019s business.\u201d This company had, and likely still has, a robust security training program with videos, classes and more.<\/p>\n
I admit that I scoffed at this effort until I first flew somewhere for business. Across the aisle and one row up, a well-dressed man extracted a laptop and shared his company\u2019s financial information with all of us behind him. Then, I understood.<\/p>\n
We\u2019ve come a long way since then, yet I still get questioned today about why I use complex passwords and two-factor authentication for everything. My answer: Some service passwords in Azure require 12 characters, and I will always recommend multifactor authentication.<\/p>\n
With everything in the cloud, security is now more important than ever especially when it comes to protecting your two biggest assets: identity and information.<\/strong><\/p>\nThis blog will focus on both identity and information \u2013 from the tools available to how they work together to achieve a holistic and security-centric approach to your cloud investment in Microsoft 365<\/a> and Azure. I\u2019ll specifically dive into seven areas to keep in mind to thoroughly protect your digital assets.<\/p>\nWhile the focus won\u2019t be on the technical procedures for implementing these tools, rest assured that I\u2019ll direct you to the technical references everywhere possible.<\/p>\n
<\/a>1. Encryption for Microsoft 365 Cloud Security<\/h2>\nVigen\u00e8re. Playfair. Enigma. Sha. MD5. RSA. AES. Perhaps you have heard of these ciphers, especially the later ones like RSA and AES. Today, RSA and AES are the safest, but with every advance in computing power comes the need to update this cipher technology. With the rapidly approaching era of available DNA and Quantum computing, we\u2019ll soon be able to easily decode the final Enigma and Zodiac ciphertexts that have remained uncracked for years.<\/p>\n
RSA is the cipher used for today\u2019s public key cryptography implementation and is the public key infrastructure<\/a> widely in use. To securely facilitate the transfer of information, a message sender uses a known public key to encode a message, and the recipient uses a private key, known only to them, to decode the message.<\/strong> Handshakes and agreements between sender and receiver ensure the quality of the encoding or decoding.<\/p>\nYou can use these encryption technologies to protect assets in your Microsoft 365 platform and Azure. Here\u2019s how:<\/p>\n
![\"Data](\"https:\/\/centricconsulting.com\/wp-content\/uploads\/2024\/08\/Asset-Protection-Blog-Graphics-01-1024x378.png\")
<\/a><\/p>\nYour Data at Rest (Infrastructure)<\/h3>\n
When it is not being sent, received or used, your organization\u2019s data lives on a server in a datacenter<\/a>.<\/p>\nYour data is replicated for security and high availability, but while it is at rest in any Microsoft facility, it resides on a storage mechanism encrypted using Bitlocker<\/a>.<\/p>\nBe sure to gather information in the links above to reference the location of your organization\u2019s data.<\/strong> This is extremely important for topics like the General Data Protection Regulation (GDPR) in the EU and High Availability, which describes a system\u2019s ability to continue operating even when some components of that system fail.<\/p>\nYour Data in Transit (Information)<\/h3>\n
Your data in transit is the most customer-involved decision-making piece of the Microsoft 365 encryption solution. That is why we work so hard to provide updated guidance and support throughout the life of your Microsoft 365 investment.<\/p>\n
Dozens upon dozens of endpoints are available from any device and any location in the world, providing information entrance and exit paths to and from the various services Microsoft 365 and Azure offer.<\/p>\n
Protecting the information flowing through these points is critical, especially since users are historically unreliable when it comes to classifying and encrypting messages and files on their own.<\/strong><\/p>\nAt the application layer (OSI 7)<\/a>, Microsoft provides Transport Layer Security and Secure Sockets Layer (TLS\/SSL) (currently version 1.2) encryption, the successor to SSL and a means of negotiating a handshake between sender and receiver to generate agreed-upon keys to encrypt data being sent \u2013 this is also known as symmetric cryptography.<\/p>\n![\"OSI](\"https:\/\/centricconsulting.com\/wp-content\/uploads\/2024\/08\/Asset-Protection-Blog-Graphics-02.png\")
<\/a>Original image: https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/network\/windows-network-architecture-and-the-osi-model<\/p><\/div>\n
The sender and recipient must agree on the encryption method based on what is available to them and what is in common between them. As a result, this does not always guarantee the highest level of security, but it does guarantee the highest level of security in common between both parties.<\/p>\n
Here are some of the customer tasks involved with data-encryption information security:<\/p>\n
\n- Avoid accidental and malicious data deletion by configuring:<\/strong>\n
\n- Data Loss Prevention (DLP)<\/a> and Labels in Microsoft Purview \u2013 This is not encryption-related, but important nonetheless.<\/li>\n<\/ul>\n<\/li>\n
- Avoid accidental and malicious data exfiltration using:<\/strong>\n
\n- Azure Rights Management Service (RMS)<\/a> \u2013 Applies protection and encryption to messages and data.<\/li>\n
- Information Rights Management (IRM)<\/a> \u2013 Applies protection and classification to messages and SharePoint libraries.<\/li>\n
- Microsoft Purview Information Protection (IP)<\/a> \u2013 Applies classification, encryption, and permissions for use through policies for data and messages.<\/li>\n
- Exchange Online Protection (EOP)<\/a> along with other Exchange settings \u2013 Strengthens your basic messaging stance with rules and malware policies, to name a few.<\/li>\n<\/ul>\n<\/li>\n
- Avoid accidental and malicious data contamination using:<\/strong>\n
\n- Microsoft Defender for Office 365<\/a> \u2013 Send messages through an isolated channel to a detonation chamber to thoroughly test any message links and attachments, and remove them where necessary. Also, it is not specifically encryption-related, but it is important nonetheless.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Your Data in Use (Identity)<\/h3>\n
When you and your colleagues collaborate on a document using Microsoft Teams<\/a>, the source document resides in SharePoint by default. Whether it is OneNote, OneDrive, or a SharePoint document repository opened in Teams, Office Online, or a client, you can encrypt all communications between the client and the data source using Azure VPN Gateway.<\/p>\nIf you have configured and deployed the information encryption options previously mentioned, these will also be in use during the collaborative transport of data.<\/strong><\/p>\nIf, or when, you receive an encrypted email, your identity is verified, and permissions for the message and its attachments are maintained using IP in concert with Azure RMS. This information is only visible with a protected viewer (client or browser) and is otherwise encrypted at all times.<\/p>\n
Users can set the encryption, or it can be done automatically using various criteria set in the IP control panel. My colleague Veenus Maximiuk does a much more thorough job of explaining this in her blogs<\/a>, so I\u2019ll leave the details to her.<\/p>\nYour organization\u2019s discussions around each encryption technology mentioned above will depend on what features of Enterprise Mobility + Security (EMS) you\u2019re going to deploy and what hybrid design elements are in place. The solution will not be single-sized and will differ, sometimes drastically, between organizations.<\/p>\n
One major factor to consider while determining which features are best for your digital asset protection needs is the legal regulations that impact your organization.<\/p>\n
<\/a>2. Microsoft 365 for Legal Compliance<\/h2>\nThe tools you need for security and legal compliance<\/a>, transparency<\/a>, and reporting<\/a> are in the Microsoft Purview compliance portal and various other Microsoft sites specific to these topics. This compliance portal is the hub for legal work and protects your data using specific user roles for different operations in the center.<\/p>\nMicrosoft maintains a high level of transparency, trust and certifications surrounding the services it offers in the cloud, and you can locate any information your legal department requires using the above links.<\/p>\n
Digital asset protection plays a major role in both security and compliance. There was no shortage of security incidents in 2023<\/a>, and all of them had legal implications in some measure.<\/strong><\/p>\nFor example, I was fortunate enough to be able to provide guidance and technical assistance in an incident involving a Microsoft 365 user in a foreign country who was involved in a legal investigation.<\/p>\n
The legal team requested that an email be held, which is as simple as a checkbox and a duration option. However, they were unaware that there were also options for locating and holding data in place in other locations, such as Groups, Teams, SharePoint, and OneDrive.<\/p>\n
For this particular incident, we used an eDiscovery case to perform all the required holds, content searches, and exports. An eDiscovery case allows us to create a case, assign users, search for content, select locations where we want to search, retain that data, report on it, and finally export it for transport.<\/p>\n
I only encountered a few issues at the time, and the main one was the time frame. I didn\u2019t know anything about the case \u2013 and I like to keep it that way \u2013 but we had 72 hours to make usable data available to the legal team in the other country.<\/p>\n
With about 150Gb in the mailbox, it was slow \u2013 Microsoft has made improvements to increase the speed of operations, and it is much faster now \u2013 and had to be split into multiple files.<\/p>\n
One thing we know for sure when trying to find what you need: Narrow down those searches using filters and locations to get exactly what you\u2019re looking for for your case!<\/strong> You will save time, reduce throughput issues like timeouts, create more space, and probably some more time.<\/p>\nSecurity and Compliance Center Capabilities<\/h3>\n
So, what do you need, and what are your capabilities in the Microsoft Purview compliance portal?<\/p>\n
First, you\u2019ll need a Microsoft 365 Enterprise E3 license or a la carte P2 licenses for Exchange and SharePoint to retain user data. Also, if you need enhanced security and management, you\u2019ll need an EMS license to use Microsoft Purview IP, as well as advanced features of MFA, and more.<\/p>\n
Next, use the following tools as needed within your organization:<\/p>\n
\n- Classification labels and DLP policies<\/strong> \u2013 To retain, detect or delete particular information for a period of time. The GDPR Dashboard brings these tools together quite nicely as well.<\/li>\n
- Content Search<\/strong> \u2013 To find the information you need, based on the criteria you have, in the locations you select, and for the individual who creates and uses it.<\/li>\n
- Audit Log<\/strong> \u2013 To search for and locate any administrative activities for an individual or by a particular administrator.<\/li>\n
- eDiscovery<\/strong> \u2013 Serves as a complete management tool for legal cases, including searching, holding, exporting, and reporting on user data. I\u2019ve also used the eDiscovery tool in the past to retain departed employees\u2019 information for a required period of time.<\/li>\n<\/ul>\n
There are plenty of tools available for this and, with the use of archive mailboxes and other strategies, plenty of storage available for these operations.<\/p>\n
It is important to remember that once you put a user\u2019s data location on hold, that data and any data generated by the user from that point forward will be retained. I have yet to see any organization deplete their tenant space entirely, much less with eDiscovery as the reason (and I\u2019ve seen some really large operations using a lot of space).<\/p>\n
But in order to do anything with a specific user\u2019s data location or other information, you need to make sure your company has a strategy for identity control<\/a>.<\/strong><\/p>\n<\/a>3. A New Strategy for Identity Control<\/h2>\nPrior to transforming your business to meet today\u2019s needs, you probably created an account for your user in your company\u2019s directory.<\/p>\n
You likely provided that account with permissions to folders and applications on your network \u2013 perhaps individually or in groups. And, you fully understand where your users will be logging in, from what devices, and at what times.<\/p>\n
But with today\u2019s business anywhere mentality, you can no longer protect your digital assets and users\u2019 identities using the old methodologies for on-premises networks. And if your company isn\u2019t ready or cannot be completely in the cloud, then you\u2019ll need a hybrid strategy.<\/p>\n
Steps to Identity Control in a Hybrid Environment<\/h3>\n
Enter Azure role-based access control (RBAC)<\/a>, Microsoft Entra Privileged Identity Management (PIM)<\/a>, Microsoft Entra ID Protection<\/a>, and the Microsoft Graph Security API based on machine learning and AI<\/a>.<\/p>\nWhen you make a move to a hybrid cloud scenario you will need these. You will also want Microsoft Intune for device management, which is the other side of the identity control scenario.<\/p>\n
The hybrid strategy will remain until all your existing software solutions \u2013 HR, payroll, receivables, and more \u2013 are also in the cloud, and you\u2019re prepared to decommission your entire local infrastructure.<\/p>\n
This is also the case whether you\u2019re using Microsoft Entra ID or another third-party directory, single sign-on, or multifactor authorization provider.<\/p>\n
![\"steps](\"https:\/\/centricconsulting.com\/wp-content\/uploads\/2024\/08\/Asset-Protection-Blog-Graphics-03-1024x298.png\")
<\/a><\/p>\n1. Determine your cloud identity model<\/a>.<\/h4>\nIf you already have infrastructure available for identity management, check to see if you can federate that with Microsoft 365 and Azure. It\u2019s a simple process, even if you need to synchronize a .local domain. In this case, you will manage your accounts on-premises, including password policies, authentication management, and resource requests.<\/p>\n
2. Define roles, resources and strategies.<\/h4>\n
Determine what applications will be available in the cloud, what roles you\u2019ll use to assign users access to resources, and most importantly, clearly define a group strategy. There are consequences to different types of group creation in Microsoft Entra ID that you should be aware of prior to a migration.<\/p>\n
Keep in mind that these decisions don\u2019t take place in a vacuum, and you will need to carefully consider this as a sub-project of your overall cloud migration project.<\/p>\n
3. Review additional options.<\/h4>\n
Take a look at the additional options available to you in the Microsoft Entra ID Premium subscriptions, most importantly ID Protection<\/a> and Privileged Identity Management<\/a>:<\/p>\n\n- ID Protection<\/strong> \u2013 risk-based logging and alerts to determine potentially harmful sign-ins, sign-ins from impossible locations, and automated remediation.<\/li>\n
- Privileged Identity Management<\/strong> \u2013 assign just-in-time (JIT) access to provide a user with elevated access during a specified time window and just-enough-access (JEA) to provide least privileged access to resources.<\/li>\n<\/ul>\n
4. Establish conditional access policies.<\/h4>\n
In the Entra ID P1 subscription, you\u2019ll find the opportunity to create conditional access<\/a> policies. If you don\u2019t already have a second-factor authentication provider and policy in place, I recommend exploring the use of conditional access policies to enforce MFA and for a variety of other reasons, especially with the use of mobile devices and your Windows 11 infrastructure.<\/p>\nOnce you\u2019ve established who will have access to what, you need to make sure you have security policies in place so that each person knows how to treat your company\u2019s data and keep your organization safe.<\/strong><\/p>\n<\/a>4. Security Policies in Microsoft 365<\/h2>\nLet\u2019s first make a distinction between the types of policies you have to work with when establishing digital asset protection.<\/p>\n
First, there are policies in Microsoft 365 and Azure such as passwords, DLP, labels, Threat management, data governance<\/a>, and mobile device management. These are the policies you can create in your Microsoft 365 and Azure tenants, and they consist of settings that were likely decided upon in your security requirements meetings. These should be part of your baseline platform documentation already.<\/strong><\/p>\nThere are, however, other policies that you\u2019ll need, and they\u2019re vital to your organization\u2019s operations. These are documented policies that cannot change without your governance board or boards\u2019 approval.<\/p>\n
Identity Policy<\/h3>\n
This type of policy covers items that protect your users, their personal information, and access to your systems.<\/p>\n
\n- Passwords<\/strong> \u2013 It\u2019s likely your company manages your password policies on-premises and not in the cloud, but make sure these are documented and updated. NIST\u2019s guidelines<\/a> can help.<\/li>\n
- Multifactor Authentication<\/strong><\/a> \u2013 Due to NIST\u2019s guidelines, you will want to enforce this for all admins and all mobile or off-network logins.<\/li>\n
- Data Loss Prevention<\/strong> \u2013 Automatically label documents and emails containing social security numbers or credit cards, and prevent them from being shared outside the organization.<\/li>\n
- Mobile Devices<\/strong> \u2013 Use some type of device management to govern what devices can connect to your tenant, what apps they can use, and what users can do with those apps.<\/li>\n
- Administration and Support<\/strong> \u2013 Use roles to determine who will administer what portions of your tenant and when they will have access.<\/li>\n
- Onboarding and Offboarding<\/strong> \u2013 Be sure to document your process and make concessions for data handling when users leave, especially in a hybrid environment.<\/li>\n<\/ul>\n
Information Policy<\/h3>\n
This type of policy governs the ingress and egress of your company\u2019s data.<\/p>\n
\n- External Sharing<\/strong> \u2013 Document who can share, what they can share, where they can share from, and how to monitor sharing.<\/li>\n
- Classification and Encryption<\/strong> \u2013 Use IP to allow users to classify, automatically classify, and encrypt information in your tenant.<\/li>\n
- Retention<\/strong> \u2013 Manage the lifecycle of your data and determine when or if it can be deleted so you retain critical data.<\/li>\n<\/ul>\n
Governance Policy<\/h3>\n
This type of policy will help you maintain control over the permissions your users have to use your systems.<\/p>\n
\n- Exchange<\/strong> \u2013 Document what services your company allows, who can use them, and how to effectively monitor and adjust as needed.<\/li>\n
- Teams<\/strong> \u2013 Decide on a Group and Team creation strategy, as well as retention plans, external application use, and external sharing.<\/li>\n
- SharePoint<\/strong> \u2013 Determine strategies for storage management and usage, site creation and lifecycle management, and sharing.<\/li>\n
- OneDrive for Business<\/strong> \u2013 Decide on quotas and sharing strategy.<\/li>\n
- Viva Engage<\/strong> \u2013 Determine how you want to use Yammer, and how sharing and group creation will take place.<\/li>\n
- Power Automate, Power Apps, Power BI, Dynamics, Planner, Sway, Forms, and more<\/strong> \u2013 These are apps that don\u2019t have the traditional Microsoft 365 Admin Center. But don\u2019t let down your guard. They still have access, usage, and sharing policies that you need to govern.<\/li>\n
- Microsoft 365 Groups<\/strong> \u2013 You\u2019ll need a naming strategy and retention policy, ownership and membership policy, and an external sharing plan. Remember that these are the underlying organizational units for Teams, Planner, Power BI, and more.<\/li>\n<\/ul>\n
In many cases, you\u2019ll find that your existing policies will work fine and will only need to be tweaked a little. Many of these applications and processes, however, won\u2019t have well-defined policies in place, and you will need to document and manage them.<\/strong><\/p>\nTo manage and maintain all of this, however, you need to understand how your own physical servers and Microsoft\u2019s physical architecture work together to protect your company\u2019s data.<\/p>\n
<\/a>5. Physical Architecture: Security Features<\/h2>\nMicrosoft\u2019s physical architecture uses the same principles most organizations use to secure a data center. Because of the nature of Microsoft data centers and the information kept in them, securing the physical infrastructure is as paramount as data availability.<\/p>\n
Some of the physical protection features in use by Microsoft\u2019s data centers are:<\/p>\n
\n- High-security perimeter fences.<\/li>\n
- 24\/7\/365 surveillance.<\/li>\n
- Vehicle checkpoints.<\/li>\n
- World-class access procedures to facilities.\n
\n- Multi-factor, biometric entry points.<\/li>\n
- Full body metal detection.<\/li>\n<\/ul>\n<\/li>\n
- On-site hard drive destruction (shredding).<\/li>\n
- State-of-the-art fire suppression.<\/li>\n
- Secure access to physical components.<\/li>\n
- Geo-located and geo-replicated data.<\/li>\n<\/ul>\n
You are likely using many of the security features and principles listed above where they make sense in your own organizations. That\u2019s good.<\/p>\n
The question is, how will you architect your network for the change? That depends on your final goal.<\/strong><\/p>\n\n- Will you peacefully coexist?<\/li>\n
- Are you going to extend your directory to the cloud?<\/li>\n
- Do you want an isolated tunnel between your location and Office 365?<\/li>\n<\/ul>\n
Option 1: Keep Your Infrastructure<\/h3>\n
This one is really simple. You keep your infrastructure in place and allow the URLs and IP addresses required for Microsoft 365 through your firewall(s).<\/p>\n
This uses your current ISP and the public internet in the same way your users access it today. Traffic is encrypted and flows through a secure channel. Microsoft 365 and Dynamics 365 are designed for this type of access.<\/p>\n
Option 2: Use Express Route<\/h3>\n
In certain situations, we recommend ExpressRoute. You still keep your infrastructure in place, but this is a private connection between your infrastructure and Microsoft\u2019s data center through an ExpressRoute carrier, widely available in the U.S.<\/p>\n
This type of connection offers higher security, reliability and speed with lower latencies than internet connections.<\/strong> Pairing these connections with other regions requires an add-on but ensures your routing remains optimal for performance.<\/p>\nOption 3: Implement a Site-to-Site VPN<\/h3>\n
If you\u2019re planning to use an Azure infrastructure workload like a virtual network or you plan to extend or replace your Entra ID entirely, then you have a few options.<\/p>\n
You can use the ExpressRoute<\/a> solution as we discussed in Option 2, or you can connect your on-premises routers to an Azure Gateway using a site-to-site VPN<\/a>. The gateway can then provide customized access to resources with user-defined routing.<\/p>\nOption 4: Opt for a Third-Party<\/h3>\n
If you\u2019re in between a site-to-site VPN and ExpressRoute, there are plenty of third-party network appliances in the Azure marketplace that can provide faster than site-to-site VPN with secure routing between your routers and an Azure Gateway. These devices sit between options 2 and 3 above. Barracuda and Cisco are popular device providers you can check out.<\/p>\n
This is in no way a comprehensive look at the infrastructure configurations possible.<\/strong> Rather, it\u2019s a broad overview to help you start planning.<\/p>\nThere are plenty of considerations based on workload, size and directory structure that can either add complexity or simplify the above approaches.<\/p>\n
![\"Steps](\"https:\/\/centricconsulting.com\/wp-content\/uploads\/2024\/08\/Asset-Protection-Blog-Graphics-05-1024x378.png\")
<\/a><\/h3>\n<\/a>6. Business Continuity and Disaster Recovery in Microsoft 365<\/h2>\nOnce you\u2019re fully set up in your hybrid or cloud environment, you need to implement a few additional policies and procedures, the most important of which is a business continuity and disaster recovery plan.<\/p>\n
But what is your organization ultimately responsible for versus Microsoft\u2019s role as your provider? You have plenty of options to make sure your data is protected in a worst-case scenario.<\/strong><\/p>\nMicrosoft\u2019s Responsibilities<\/h3>\n![\"Checklist](\"https:\/\/centricconsulting.com\/wp-content\/uploads\/2024\/08\/Asset-Protection-Blog-Graphics-04.png\")
<\/a><\/h3>\nMicrosoft remains committed to transparency<\/a> when it comes to service health monitoring and outage notifications and updates. They have also implemented a system of geo-redundancy that makes it extremely unlikely for a complete Microsoft service outage to happen across all data centers and all services.<\/p>\nThe company ensures that customer data is available whenever it is needed through the following features:<\/p>\n
\n- Data storage and redundancy:<\/strong> Customer data is stored in a redundant environment with robust data protection capabilities to enable availability, business continuity, and rapid recovery. Multiple levels of data redundancy are implemented, ranging from redundant disks to guard against local disk failure to continuous, full data replication to a geographically diverse data center.<\/li>\n
- Data monitoring:<\/strong> Microsoft 365 services maintain high levels of performance by:\n
\n- Monitoring databases:<\/strong>\n
\n- Blocked processes.<\/li>\n
- Packet loss.<\/li>\n
- Queued processes.<\/li>\n
- Query latency.<\/li>\n<\/ul>\n<\/li>\n
- Completing preventative maintenance:<\/strong> Preventative maintenance includes database consistency checks, periodic data compression, and error log reviews.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Administration Responsibilities<\/h3>\n
It\u2019s up to us as the customer, however, to ensure we are aware of the level of service<\/a> we can expect and monitor the availability of our own tenants. Here are some basics for Microsoft 365:<\/p>\nExchange:<\/h4>\n\n- By default, the recoverable item store is set to keep deleted items for only 14 days.<\/li>\n
- You can increase this 14-day value, but it can only be set to a maximum of 30 days.<\/li>\n
- All Microsoft 365 licensing plans have a soft limit of 20GB of recoverable items storage per user, at which point users will receive a warning, and a hard limit of 30GB, at which point the system will delete the oldest emails first. However, individuals can configure their mailboxes with different quotas.<\/li>\n
- The litigation hold version of the recoverable items store has no size or version limits.<\/li>\n<\/ul>\n
SharePoint and OneDrive:<\/h4>\n\n- Deleted items remain in the Recycle Bin for 93 days unless the recycle bin storage exceeds its quota.<\/li>\n
- SharePoint Online data is backed up every 12 hours.<\/li>\n
- Backups are kept for an additional 14 days.<\/li>\n
- One-hour recovery point objective (RPO): Microsoft maintains a copy of your SharePoint Online data, ensuring it is less than or equal to one hour old.<\/li>\n
- Six-hour recovery time objective (RTO): If a disaster knocks out or disrupts a hosting data center, Microsoft tries to ensure that organizations can resume service within six hours after the disruption.<\/li>\n<\/ul>\n
Users have a tremendous amount of control over the deletion and restoration of their own personal documents.<\/strong> Administrators have at least 30 days to retrieve data from their tenant as data is first soft deleted.<\/p>\nDid a user account get deleted accidentally? No problem: Recreate it, synchronize it, and access the data. Of course, the two-stage recycle bin in SharePoint has been around for a while now, so no problem there, either.<\/p>\n
OneDrive users have a point-in-time restore utility built-in, so be sure users are aware of the feature.<\/p>\n
Data Retention in Office 365<\/h3>\n
Don\u2019t forget about retention policies<\/a> for data across Microsoft 365. These policies can ensure you remain legally compliant with any industry regulations you might have. Managing these policies typically requires two actions:<\/strong><\/p>\n\n- Retaining content so it can\u2019t be permanently deleted before the end of the retention period.<\/li>\n
- Deleting content permanently at the end of the retention period.<\/li>\n<\/ul>\n
With a retention policy, you can:<\/strong><\/p>\n\n- Decide proactively whether to retain content, delete content, or both \u2013 retain and then delete the content.<\/li>\n
- Apply a single policy to the entire organization or only specific locations or users.<\/li>\n
- Apply a policy to all content or just content meeting certain conditions, such as content containing specific keywords or specific types of sensitive information.<\/li>\n<\/ul>\n
<\/a>Additional Business Continuity Tips<\/h3>\nBeyond maintaining business continuity on your own using Microsoft 365’s procedures, there are a couple of other things you can do to keep your data safe:<\/p>\n
Use Outside Help<\/h4>\n
If you\u2019re interested in defining and managing what you keep, where you keep it, and how often you gather it, you also have a few options:<\/p>\n
\n- See if a hybrid or scripted solution would work.<\/li>\n
- Use a third-party SaaS solution to fill this gap.<\/li>\n<\/ul>\n
Explore Azure Cloud Security Options:<\/h4>\n
There are a few additional options from Azure Cloud<\/a> security to help you maintain your data integrity:<\/p>\n\n- Failover your on-premises environment to Azure if you can\u2019t move it all yet.<\/li>\n
- Use Azure\u2019s site recovery.<\/li>\n
- Use an Azure partner for disaster recovery.<\/li>\n<\/ul>\n
You won\u2019t find 20-plus-year-old strategies anymore for a continuity and disaster recovery scenario. Today, it\u2019s more convenient, cost-effective, and simpler to find continuity and disaster recovery as a service.<\/strong><\/p>\nBeyond disaster recovery, there are a few other operations you need to have in place to support digital asset protection in Microsoft 365.<\/p>\n
<\/a>7. Operational Support Structure for Digital Asset Protection<\/h2>\nIf you\u2019re a large enough organization, you are likely transitioning teams from their on-premises duties to new cloud responsibilities<\/a>. We typically recommend your support team is .2 percent of the organization’s supported community, so two support people for every 1,000 users.<\/strong><\/p>\nWhen we work with clients to plan, rollout or remediate Microsoft 365<\/a>, we look at the entire IT structure, the number of users, what workloads are being rolled out, and how current support structures can be modified for the cloud.<\/p>\nYour first-level help desk will be key in taking some of the repetitive tasks away from your admins, and an updated knowledge base will provide a reference to help them.<\/p>\n
If you are the help desk and the global admin, keep a knowledge base for yourself in a SharePoint list for easy reference.<\/p>\n
Service Availability Monitoring<\/h3>\n
It\u2019s up to us to ensure we are aware of the level of service we can expect and that we monitor the availability of our own tenants.<\/p>\n
If a service falls below the SLA documented by Microsoft, you will need proof of that outage. Keep an eye on the service health dashboard in the admin center.<\/p>\n
You can find service incidents in your Microsoft 365 Admin Portal, and those come in two varieties:<\/strong><\/p>\n\n- Planned maintenance events:<\/strong> Planned maintenance is regular service updates from Microsoft done to infrastructure and software applications. Notifications about planned maintenance events let customers know about service work that might affect their service from Microsoft. Customers are notified no later than five days before all planned maintenance through the message center in the admin portal. Microsoft typically plans maintenance for times when service usage is at its lowest based on regional time zones.<\/li>\n
- Unplanned downtime:<\/strong> Unplanned service incidents happen when one of the services in the Microsoft 365 suite is unexpectedly down or unavailable.<\/li>\n<\/ul>\n
Monitor the message center at least weekly, if not more often, for updated change notifications, any actions required, and expected outages. Microsoft Defender<\/a> has default alert policies configured to send admins email messages in a variety of circumstances, such as:<\/strong><\/p>\n\n- A mail flow rule has been created.<\/li>\n
- Malware is detected.<\/li>\n
- An unusual volume of email has been detected.<\/li>\n
- Unusual external user activities have been detected.<\/li>\n
- And more.<\/li>\n<\/ul>\n
The Secure Score dashboard<\/a> is a good place to start for a visual look at anomalies and for tips on what to update next. Beyond Secure Score, you can also use the following to monitor service availability:<\/p>\n\n- Microsoft 365 Admin App.<\/li>\n
- Add-in for Microsoft 365 for System Center.<\/li>\n
- The service communication API.<\/li>\n
- Third-party provider of monitoring solutions.<\/li>\n<\/ul>\n
Enhancing Monitoring and Supportability<\/h3>\n
If you are interested in enhancing out-of-the-box security monitoring, check out Microsoft Defender for Cloud Apps. This gives you further insight into activity, app use, alerts, and log reviews, among other tasks. It allows you to create policies, from templates or from scratch, that give you deeper insight into shadow IT, allowing you to better control where you store sensitive information.<\/strong><\/p>\nAnother security enhancement is Microsoft Entra ID Protection. Entra ID Protection is a collection of algorithms that determine if a user sign-in is risky or not. If you\u2019re already using conditional access, you can set up the tool to deny access if Azure determines the sign-in to be of a risky nature. This will take some testing, but you can at least determine if the sign-ins are coming from unknown IP ranges (those not associated with a country) or if the sign-ins involve impossible travel (for example, you can\u2019t sign in from an IP address in London and five minutes later sign in from a different IP address in New York).<\/p>\n
These monitoring and operations tasks usually take a few months to settle into your organization’s work pace, so be attentive and flexible early on.<\/strong> You should quickly find repetitive tasks that you can manage and automate more effectively using PowerShell<\/a> or other third-party add-ins.<\/p>\nAlmost anything you can do with the UI, you can customize and do it through PowerShell. If the built-in reports don\u2019t offer the data to meet the needs of a specific report request, the information is usually available from the output of a script. You must be a global admin to use PowerShell with Microsoft 365.<\/p>\n
<\/a>Digital Asset Protection in Microsoft 365: Final Thoughts<\/h2>\n
A New Strategy for Identity Control<\/a><\/h2>\nSecurity Policies in Microsoft 365<\/a><\/h2>\nPhysical Architecture: Security Features<\/a><\/h2>\nBusiness Continuity and Disaster Recovery in Microsoft 365<\/a><\/h2>\nAdditional Business Continuity Tips<\/a><\/h2>\nOperational Support Structure for Digital Asset Protection<\/a><\/h2>\nDigital Asset Protection in Microsoft 365: Final Thoughts<\/a><\/h2>\n
\n<\/a>Why Digital Asset Protection Is Important<\/h2>\nWhile working as a consultant at a global manufacturer in the 1990s, I first heard the phrase, \u201cSecurity is everybody\u2019s business.\u201d This company had, and likely still has, a robust security training program with videos, classes and more.<\/p>\n
I admit that I scoffed at this effort until I first flew somewhere for business. Across the aisle and one row up, a well-dressed man extracted a laptop and shared his company\u2019s financial information with all of us behind him. Then, I understood.<\/p>\n
We\u2019ve come a long way since then, yet I still get questioned today about why I use complex passwords and two-factor authentication for everything. My answer: Some service passwords in Azure require 12 characters, and I will always recommend multifactor authentication.<\/p>\n
With everything in the cloud, security is now more important than ever especially when it comes to protecting your two biggest assets: identity and information.<\/strong><\/p>\nThis blog will focus on both identity and information \u2013 from the tools available to how they work together to achieve a holistic and security-centric approach to your cloud investment in Microsoft 365<\/a> and Azure. I\u2019ll specifically dive into seven areas to keep in mind to thoroughly protect your digital assets.<\/p>\nWhile the focus won\u2019t be on the technical procedures for implementing these tools, rest assured that I\u2019ll direct you to the technical references everywhere possible.<\/p>\n
<\/a>1. Encryption for Microsoft 365 Cloud Security<\/h2>\nVigen\u00e8re. Playfair. Enigma. Sha. MD5. RSA. AES. Perhaps you have heard of these ciphers, especially the later ones like RSA and AES. Today, RSA and AES are the safest, but with every advance in computing power comes the need to update this cipher technology. With the rapidly approaching era of available DNA and Quantum computing, we\u2019ll soon be able to easily decode the final Enigma and Zodiac ciphertexts that have remained uncracked for years.<\/p>\n
RSA is the cipher used for today\u2019s public key cryptography implementation and is the public key infrastructure<\/a> widely in use. To securely facilitate the transfer of information, a message sender uses a known public key to encode a message, and the recipient uses a private key, known only to them, to decode the message.<\/strong> Handshakes and agreements between sender and receiver ensure the quality of the encoding or decoding.<\/p>\nYou can use these encryption technologies to protect assets in your Microsoft 365 platform and Azure. Here\u2019s how:<\/p>\n
<\/a><\/p>\nYour Data at Rest (Infrastructure)<\/h3>\n
When it is not being sent, received or used, your organization\u2019s data lives on a server in a datacenter<\/a>.<\/p>\nYour data is replicated for security and high availability, but while it is at rest in any Microsoft facility, it resides on a storage mechanism encrypted using Bitlocker<\/a>.<\/p>\nBe sure to gather information in the links above to reference the location of your organization\u2019s data.<\/strong> This is extremely important for topics like the General Data Protection Regulation (GDPR) in the EU and High Availability, which describes a system\u2019s ability to continue operating even when some components of that system fail.<\/p>\nYour Data in Transit (Information)<\/h3>\n
Your data in transit is the most customer-involved decision-making piece of the Microsoft 365 encryption solution. That is why we work so hard to provide updated guidance and support throughout the life of your Microsoft 365 investment.<\/p>\n
Dozens upon dozens of endpoints are available from any device and any location in the world, providing information entrance and exit paths to and from the various services Microsoft 365 and Azure offer.<\/p>\n
Protecting the information flowing through these points is critical, especially since users are historically unreliable when it comes to classifying and encrypting messages and files on their own.<\/strong><\/p>\nAt the application layer (OSI 7)<\/a>, Microsoft provides Transport Layer Security and Secure Sockets Layer (TLS\/SSL) (currently version 1.2) encryption, the successor to SSL and a means of negotiating a handshake between sender and receiver to generate agreed-upon keys to encrypt data being sent \u2013 this is also known as symmetric cryptography.<\/p>\n<\/a>Original image: https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/network\/windows-network-architecture-and-the-osi-model<\/p><\/div>\n
The sender and recipient must agree on the encryption method based on what is available to them and what is in common between them. As a result, this does not always guarantee the highest level of security, but it does guarantee the highest level of security in common between both parties.<\/p>\n
Here are some of the customer tasks involved with data-encryption information security:<\/p>\n
\n- Avoid accidental and malicious data deletion by configuring:<\/strong>\n
\n- Data Loss Prevention (DLP)<\/a> and Labels in Microsoft Purview \u2013 This is not encryption-related, but important nonetheless.<\/li>\n<\/ul>\n<\/li>\n
- Avoid accidental and malicious data exfiltration using:<\/strong>\n
\n- Azure Rights Management Service (RMS)<\/a> \u2013 Applies protection and encryption to messages and data.<\/li>\n
- Information Rights Management (IRM)<\/a> \u2013 Applies protection and classification to messages and SharePoint libraries.<\/li>\n
- Microsoft Purview Information Protection (IP)<\/a> \u2013 Applies classification, encryption, and permissions for use through policies for data and messages.<\/li>\n
- Exchange Online Protection (EOP)<\/a> along with other Exchange settings \u2013 Strengthens your basic messaging stance with rules and malware policies, to name a few.<\/li>\n<\/ul>\n<\/li>\n
- Avoid accidental and malicious data contamination using:<\/strong>\n
\n- Microsoft Defender for Office 365<\/a> \u2013 Send messages through an isolated channel to a detonation chamber to thoroughly test any message links and attachments, and remove them where necessary. Also, it is not specifically encryption-related, but it is important nonetheless.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Your Data in Use (Identity)<\/h3>\n
When you and your colleagues collaborate on a document using Microsoft Teams<\/a>, the source document resides in SharePoint by default. Whether it is OneNote, OneDrive, or a SharePoint document repository opened in Teams, Office Online, or a client, you can encrypt all communications between the client and the data source using Azure VPN Gateway.<\/p>\nIf you have configured and deployed the information encryption options previously mentioned, these will also be in use during the collaborative transport of data.<\/strong><\/p>\nIf, or when, you receive an encrypted email, your identity is verified, and permissions for the message and its attachments are maintained using IP in concert with Azure RMS. This information is only visible with a protected viewer (client or browser) and is otherwise encrypted at all times.<\/p>\n
Users can set the encryption, or it can be done automatically using various criteria set in the IP control panel. My colleague Veenus Maximiuk does a much more thorough job of explaining this in her blogs<\/a>, so I\u2019ll leave the details to her.<\/p>\nYour organization\u2019s discussions around each encryption technology mentioned above will depend on what features of Enterprise Mobility + Security (EMS) you\u2019re going to deploy and what hybrid design elements are in place. The solution will not be single-sized and will differ, sometimes drastically, between organizations.<\/p>\n
One major factor to consider while determining which features are best for your digital asset protection needs is the legal regulations that impact your organization.<\/p>\n
<\/a>2. Microsoft 365 for Legal Compliance<\/h2>\nThe tools you need for security and legal compliance<\/a>, transparency<\/a>, and reporting<\/a> are in the Microsoft Purview compliance portal and various other Microsoft sites specific to these topics. This compliance portal is the hub for legal work and protects your data using specific user roles for different operations in the center.<\/p>\nMicrosoft maintains a high level of transparency, trust and certifications surrounding the services it offers in the cloud, and you can locate any information your legal department requires using the above links.<\/p>\n
Digital asset protection plays a major role in both security and compliance. There was no shortage of security incidents in 2023<\/a>, and all of them had legal implications in some measure.<\/strong><\/p>\nFor example, I was fortunate enough to be able to provide guidance and technical assistance in an incident involving a Microsoft 365 user in a foreign country who was involved in a legal investigation.<\/p>\n
The legal team requested that an email be held, which is as simple as a checkbox and a duration option. However, they were unaware that there were also options for locating and holding data in place in other locations, such as Groups, Teams, SharePoint, and OneDrive.<\/p>\n
For this particular incident, we used an eDiscovery case to perform all the required holds, content searches, and exports. An eDiscovery case allows us to create a case, assign users, search for content, select locations where we want to search, retain that data, report on it, and finally export it for transport.<\/p>\n
I only encountered a few issues at the time, and the main one was the time frame. I didn\u2019t know anything about the case \u2013 and I like to keep it that way \u2013 but we had 72 hours to make usable data available to the legal team in the other country.<\/p>\n
With about 150Gb in the mailbox, it was slow \u2013 Microsoft has made improvements to increase the speed of operations, and it is much faster now \u2013 and had to be split into multiple files.<\/p>\n
One thing we know for sure when trying to find what you need: Narrow down those searches using filters and locations to get exactly what you\u2019re looking for for your case!<\/strong> You will save time, reduce throughput issues like timeouts, create more space, and probably some more time.<\/p>\nSecurity and Compliance Center Capabilities<\/h3>\n
So, what do you need, and what are your capabilities in the Microsoft Purview compliance portal?<\/p>\n
First, you\u2019ll need a Microsoft 365 Enterprise E3 license or a la carte P2 licenses for Exchange and SharePoint to retain user data. Also, if you need enhanced security and management, you\u2019ll need an EMS license to use Microsoft Purview IP, as well as advanced features of MFA, and more.<\/p>\n
Next, use the following tools as needed within your organization:<\/p>\n
\n- Classification labels and DLP policies<\/strong> \u2013 To retain, detect or delete particular information for a period of time. The GDPR Dashboard brings these tools together quite nicely as well.<\/li>\n
- Content Search<\/strong> \u2013 To find the information you need, based on the criteria you have, in the locations you select, and for the individual who creates and uses it.<\/li>\n
- Audit Log<\/strong> \u2013 To search for and locate any administrative activities for an individual or by a particular administrator.<\/li>\n
- eDiscovery<\/strong> \u2013 Serves as a complete management tool for legal cases, including searching, holding, exporting, and reporting on user data. I\u2019ve also used the eDiscovery tool in the past to retain departed employees\u2019 information for a required period of time.<\/li>\n<\/ul>\n
There are plenty of tools available for this and, with the use of archive mailboxes and other strategies, plenty of storage available for these operations.<\/p>\n
It is important to remember that once you put a user\u2019s data location on hold, that data and any data generated by the user from that point forward will be retained. I have yet to see any organization deplete their tenant space entirely, much less with eDiscovery as the reason (and I\u2019ve seen some really large operations using a lot of space).<\/p>\n
But in order to do anything with a specific user\u2019s data location or other information, you need to make sure your company has a strategy for identity control<\/a>.<\/strong><\/p>\n<\/a>3. A New Strategy for Identity Control<\/h2>\nPrior to transforming your business to meet today\u2019s needs, you probably created an account for your user in your company\u2019s directory.<\/p>\n
You likely provided that account with permissions to folders and applications on your network \u2013 perhaps individually or in groups. And, you fully understand where your users will be logging in, from what devices, and at what times.<\/p>\n
But with today\u2019s business anywhere mentality, you can no longer protect your digital assets and users\u2019 identities using the old methodologies for on-premises networks. And if your company isn\u2019t ready or cannot be completely in the cloud, then you\u2019ll need a hybrid strategy.<\/p>\n
Steps to Identity Control in a Hybrid Environment<\/h3>\n
Enter Azure role-based access control (RBAC)<\/a>, Microsoft Entra Privileged Identity Management (PIM)<\/a>, Microsoft Entra ID Protection<\/a>, and the Microsoft Graph Security API based on machine learning and AI<\/a>.<\/p>\nWhen you make a move to a hybrid cloud scenario you will need these. You will also want Microsoft Intune for device management, which is the other side of the identity control scenario.<\/p>\n
The hybrid strategy will remain until all your existing software solutions \u2013 HR, payroll, receivables, and more \u2013 are also in the cloud, and you\u2019re prepared to decommission your entire local infrastructure.<\/p>\n
This is also the case whether you\u2019re using Microsoft Entra ID or another third-party directory, single sign-on, or multifactor authorization provider.<\/p>\n
<\/a><\/p>\n1. Determine your cloud identity model<\/a>.<\/h4>\nIf you already have infrastructure available for identity management, check to see if you can federate that with Microsoft 365 and Azure. It\u2019s a simple process, even if you need to synchronize a .local domain. In this case, you will manage your accounts on-premises, including password policies, authentication management, and resource requests.<\/p>\n
2. Define roles, resources and strategies.<\/h4>\n
Determine what applications will be available in the cloud, what roles you\u2019ll use to assign users access to resources, and most importantly, clearly define a group strategy. There are consequences to different types of group creation in Microsoft Entra ID that you should be aware of prior to a migration.<\/p>\n
Keep in mind that these decisions don\u2019t take place in a vacuum, and you will need to carefully consider this as a sub-project of your overall cloud migration project.<\/p>\n
3. Review additional options.<\/h4>\n
Take a look at the additional options available to you in the Microsoft Entra ID Premium subscriptions, most importantly ID Protection<\/a> and Privileged Identity Management<\/a>:<\/p>\n\n- ID Protection<\/strong> \u2013 risk-based logging and alerts to determine potentially harmful sign-ins, sign-ins from impossible locations, and automated remediation.<\/li>\n
- Privileged Identity Management<\/strong> \u2013 assign just-in-time (JIT) access to provide a user with elevated access during a specified time window and just-enough-access (JEA) to provide least privileged access to resources.<\/li>\n<\/ul>\n
4. Establish conditional access policies.<\/h4>\n
In the Entra ID P1 subscription, you\u2019ll find the opportunity to create conditional access<\/a> policies. If you don\u2019t already have a second-factor authentication provider and policy in place, I recommend exploring the use of conditional access policies to enforce MFA and for a variety of other reasons, especially with the use of mobile devices and your Windows 11 infrastructure.<\/p>\nOnce you\u2019ve established who will have access to what, you need to make sure you have security policies in place so that each person knows how to treat your company\u2019s data and keep your organization safe.<\/strong><\/p>\n<\/a>4. Security Policies in Microsoft 365<\/h2>\nLet\u2019s first make a distinction between the types of policies you have to work with when establishing digital asset protection.<\/p>\n
First, there are policies in Microsoft 365 and Azure such as passwords, DLP, labels, Threat management, data governance<\/a>, and mobile device management. These are the policies you can create in your Microsoft 365 and Azure tenants, and they consist of settings that were likely decided upon in your security requirements meetings. These should be part of your baseline platform documentation already.<\/strong><\/p>\nThere are, however, other policies that you\u2019ll need, and they\u2019re vital to your organization\u2019s operations. These are documented policies that cannot change without your governance board or boards\u2019 approval.<\/p>\n
Identity Policy<\/h3>\n
This type of policy covers items that protect your users, their personal information, and access to your systems.<\/p>\n
\n- Passwords<\/strong> \u2013 It\u2019s likely your company manages your password policies on-premises and not in the cloud, but make sure these are documented and updated. NIST\u2019s guidelines<\/a> can help.<\/li>\n
- Multifactor Authentication<\/strong><\/a> \u2013 Due to NIST\u2019s guidelines, you will want to enforce this for all admins and all mobile or off-network logins.<\/li>\n
- Data Loss Prevention<\/strong> \u2013 Automatically label documents and emails containing social security numbers or credit cards, and prevent them from being shared outside the organization.<\/li>\n
- Mobile Devices<\/strong> \u2013 Use some type of device management to govern what devices can connect to your tenant, what apps they can use, and what users can do with those apps.<\/li>\n
- Administration and Support<\/strong> \u2013 Use roles to determine who will administer what portions of your tenant and when they will have access.<\/li>\n
- Onboarding and Offboarding<\/strong> \u2013 Be sure to document your process and make concessions for data handling when users leave, especially in a hybrid environment.<\/li>\n<\/ul>\n
Information Policy<\/h3>\n
This type of policy governs the ingress and egress of your company\u2019s data.<\/p>\n
\n- External Sharing<\/strong> \u2013 Document who can share, what they can share, where they can share from, and how to monitor sharing.<\/li>\n
- Classification and Encryption<\/strong> \u2013 Use IP to allow users to classify, automatically classify, and encrypt information in your tenant.<\/li>\n
- Retention<\/strong> \u2013 Manage the lifecycle of your data and determine when or if it can be deleted so you retain critical data.<\/li>\n<\/ul>\n
Governance Policy<\/h3>\n
This type of policy will help you maintain control over the permissions your users have to use your systems.<\/p>\n
\n- Exchange<\/strong> \u2013 Document what services your company allows, who can use them, and how to effectively monitor and adjust as needed.<\/li>\n
- Teams<\/strong> \u2013 Decide on a Group and Team creation strategy, as well as retention plans, external application use, and external sharing.<\/li>\n
- SharePoint<\/strong> \u2013 Determine strategies for storage management and usage, site creation and lifecycle management, and sharing.<\/li>\n
- OneDrive for Business<\/strong> \u2013 Decide on quotas and sharing strategy.<\/li>\n
- Viva Engage<\/strong> \u2013 Determine how you want to use Yammer, and how sharing and group creation will take place.<\/li>\n
- Power Automate, Power Apps, Power BI, Dynamics, Planner, Sway, Forms, and more<\/strong> \u2013 These are apps that don\u2019t have the traditional Microsoft 365 Admin Center. But don\u2019t let down your guard. They still have access, usage, and sharing policies that you need to govern.<\/li>\n
- Microsoft 365 Groups<\/strong> \u2013 You\u2019ll need a naming strategy and retention policy, ownership and membership policy, and an external sharing plan. Remember that these are the underlying organizational units for Teams, Planner, Power BI, and more.<\/li>\n<\/ul>\n
In many cases, you\u2019ll find that your existing policies will work fine and will only need to be tweaked a little. Many of these applications and processes, however, won\u2019t have well-defined policies in place, and you will need to document and manage them.<\/strong><\/p>\nTo manage and maintain all of this, however, you need to understand how your own physical servers and Microsoft\u2019s physical architecture work together to protect your company\u2019s data.<\/p>\n
<\/a>5. Physical Architecture: Security Features<\/h2>\nMicrosoft\u2019s physical architecture uses the same principles most organizations use to secure a data center. Because of the nature of Microsoft data centers and the information kept in them, securing the physical infrastructure is as paramount as data availability.<\/p>\n
Some of the physical protection features in use by Microsoft\u2019s data centers are:<\/p>\n
\n- High-security perimeter fences.<\/li>\n
- 24\/7\/365 surveillance.<\/li>\n
- Vehicle checkpoints.<\/li>\n
- World-class access procedures to facilities.\n
\n- Multi-factor, biometric entry points.<\/li>\n
- Full body metal detection.<\/li>\n<\/ul>\n<\/li>\n
- On-site hard drive destruction (shredding).<\/li>\n
- State-of-the-art fire suppression.<\/li>\n
- Secure access to physical components.<\/li>\n
- Geo-located and geo-replicated data.<\/li>\n<\/ul>\n
You are likely using many of the security features and principles listed above where they make sense in your own organizations. That\u2019s good.<\/p>\n
The question is, how will you architect your network for the change? That depends on your final goal.<\/strong><\/p>\n\n- Will you peacefully coexist?<\/li>\n
- Are you going to extend your directory to the cloud?<\/li>\n
- Do you want an isolated tunnel between your location and Office 365?<\/li>\n<\/ul>\n
Option 1: Keep Your Infrastructure<\/h3>\n
This one is really simple. You keep your infrastructure in place and allow the URLs and IP addresses required for Microsoft 365 through your firewall(s).<\/p>\n
This uses your current ISP and the public internet in the same way your users access it today. Traffic is encrypted and flows through a secure channel. Microsoft 365 and Dynamics 365 are designed for this type of access.<\/p>\n
Option 2: Use Express Route<\/h3>\n
In certain situations, we recommend ExpressRoute. You still keep your infrastructure in place, but this is a private connection between your infrastructure and Microsoft\u2019s data center through an ExpressRoute carrier, widely available in the U.S.<\/p>\n
This type of connection offers higher security, reliability and speed with lower latencies than internet connections.<\/strong> Pairing these connections with other regions requires an add-on but ensures your routing remains optimal for performance.<\/p>\nOption 3: Implement a Site-to-Site VPN<\/h3>\n
If you\u2019re planning to use an Azure infrastructure workload like a virtual network or you plan to extend or replace your Entra ID entirely, then you have a few options.<\/p>\n
You can use the ExpressRoute<\/a> solution as we discussed in Option 2, or you can connect your on-premises routers to an Azure Gateway using a site-to-site VPN<\/a>. The gateway can then provide customized access to resources with user-defined routing.<\/p>\nOption 4: Opt for a Third-Party<\/h3>\n
If you\u2019re in between a site-to-site VPN and ExpressRoute, there are plenty of third-party network appliances in the Azure marketplace that can provide faster than site-to-site VPN with secure routing between your routers and an Azure Gateway. These devices sit between options 2 and 3 above. Barracuda and Cisco are popular device providers you can check out.<\/p>\n
This is in no way a comprehensive look at the infrastructure configurations possible.<\/strong> Rather, it\u2019s a broad overview to help you start planning.<\/p>\nThere are plenty of considerations based on workload, size and directory structure that can either add complexity or simplify the above approaches.<\/p>\n
<\/a><\/h3>\n<\/a>6. Business Continuity and Disaster Recovery in Microsoft 365<\/h2>\nOnce you\u2019re fully set up in your hybrid or cloud environment, you need to implement a few additional policies and procedures, the most important of which is a business continuity and disaster recovery plan.<\/p>\n
But what is your organization ultimately responsible for versus Microsoft\u2019s role as your provider? You have plenty of options to make sure your data is protected in a worst-case scenario.<\/strong><\/p>\nMicrosoft\u2019s Responsibilities<\/h3>\n<\/a><\/h3>\nMicrosoft remains committed to transparency<\/a> when it comes to service health monitoring and outage notifications and updates. They have also implemented a system of geo-redundancy that makes it extremely unlikely for a complete Microsoft service outage to happen across all data centers and all services.<\/p>\nThe company ensures that customer data is available whenever it is needed through the following features:<\/p>\n
\n- Data storage and redundancy:<\/strong> Customer data is stored in a redundant environment with robust data protection capabilities to enable availability, business continuity, and rapid recovery. Multiple levels of data redundancy are implemented, ranging from redundant disks to guard against local disk failure to continuous, full data replication to a geographically diverse data center.<\/li>\n
- Data monitoring:<\/strong> Microsoft 365 services maintain high levels of performance by:\n
\n- Monitoring databases:<\/strong>\n
\n- Blocked processes.<\/li>\n
- Packet loss.<\/li>\n
- Queued processes.<\/li>\n
- Query latency.<\/li>\n<\/ul>\n<\/li>\n
- Completing preventative maintenance:<\/strong> Preventative maintenance includes database consistency checks, periodic data compression, and error log reviews.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Administration Responsibilities<\/h3>\n
It\u2019s up to us as the customer, however, to ensure we are aware of the level of service<\/a> we can expect and monitor the availability of our own tenants. Here are some basics for Microsoft 365:<\/p>\nExchange:<\/h4>\n\n- By default, the recoverable item store is set to keep deleted items for only 14 days.<\/li>\n
- You can increase this 14-day value, but it can only be set to a maximum of 30 days.<\/li>\n
- All Microsoft 365 licensing plans have a soft limit of 20GB of recoverable items storage per user, at which point users will receive a warning, and a hard limit of 30GB, at which point the system will delete the oldest emails first. However, individuals can configure their mailboxes with different quotas.<\/li>\n
- The litigation hold version of the recoverable items store has no size or version limits.<\/li>\n<\/ul>\n
SharePoint and OneDrive:<\/h4>\n\n- Deleted items remain in the Recycle Bin for 93 days unless the recycle bin storage exceeds its quota.<\/li>\n
- SharePoint Online data is backed up every 12 hours.<\/li>\n
- Backups are kept for an additional 14 days.<\/li>\n
- One-hour recovery point objective (RPO): Microsoft maintains a copy of your SharePoint Online data, ensuring it is less than or equal to one hour old.<\/li>\n
- Six-hour recovery time objective (RTO): If a disaster knocks out or disrupts a hosting data center, Microsoft tries to ensure that organizations can resume service within six hours after the disruption.<\/li>\n<\/ul>\n
Users have a tremendous amount of control over the deletion and restoration of their own personal documents.<\/strong> Administrators have at least 30 days to retrieve data from their tenant as data is first soft deleted.<\/p>\nDid a user account get deleted accidentally? No problem: Recreate it, synchronize it, and access the data. Of course, the two-stage recycle bin in SharePoint has been around for a while now, so no problem there, either.<\/p>\n
OneDrive users have a point-in-time restore utility built-in, so be sure users are aware of the feature.<\/p>\n
Data Retention in Office 365<\/h3>\n
Don\u2019t forget about retention policies<\/a> for data across Microsoft 365. These policies can ensure you remain legally compliant with any industry regulations you might have. Managing these policies typically requires two actions:<\/strong><\/p>\n\n- Retaining content so it can\u2019t be permanently deleted before the end of the retention period.<\/li>\n
- Deleting content permanently at the end of the retention period.<\/li>\n<\/ul>\n
With a retention policy, you can:<\/strong><\/p>\n\n- Decide proactively whether to retain content, delete content, or both \u2013 retain and then delete the content.<\/li>\n
- Apply a single policy to the entire organization or only specific locations or users.<\/li>\n
- Apply a policy to all content or just content meeting certain conditions, such as content containing specific keywords or specific types of sensitive information.<\/li>\n<\/ul>\n
<\/a>Additional Business Continuity Tips<\/h3>\nBeyond maintaining business continuity on your own using Microsoft 365’s procedures, there are a couple of other things you can do to keep your data safe:<\/p>\n
Use Outside Help<\/h4>\n
If you\u2019re interested in defining and managing what you keep, where you keep it, and how often you gather it, you also have a few options:<\/p>\n
\n- See if a hybrid or scripted solution would work.<\/li>\n
- Use a third-party SaaS solution to fill this gap.<\/li>\n<\/ul>\n
Explore Azure Cloud Security Options:<\/h4>\n
There are a few additional options from Azure Cloud<\/a> security to help you maintain your data integrity:<\/p>\n\n- Failover your on-premises environment to Azure if you can\u2019t move it all yet.<\/li>\n
- Use Azure\u2019s site recovery.<\/li>\n
- Use an Azure partner for disaster recovery.<\/li>\n<\/ul>\n
You won\u2019t find 20-plus-year-old strategies anymore for a continuity and disaster recovery scenario. Today, it\u2019s more convenient, cost-effective, and simpler to find continuity and disaster recovery as a service.<\/strong><\/p>\nBeyond disaster recovery, there are a few other operations you need to have in place to support digital asset protection in Microsoft 365.<\/p>\n
<\/a>7. Operational Support Structure for Digital Asset Protection<\/h2>\nIf you\u2019re a large enough organization, you are likely transitioning teams from their on-premises duties to new cloud responsibilities<\/a>. We typically recommend your support team is .2 percent of the organization’s supported community, so two support people for every 1,000 users.<\/strong><\/p>\nWhen we work with clients to plan, rollout or remediate Microsoft 365<\/a>, we look at the entire IT structure, the number of users, what workloads are being rolled out, and how current support structures can be modified for the cloud.<\/p>\nYour first-level help desk will be key in taking some of the repetitive tasks away from your admins, and an updated knowledge base will provide a reference to help them.<\/p>\n
If you are the help desk and the global admin, keep a knowledge base for yourself in a SharePoint list for easy reference.<\/p>\n
Service Availability Monitoring<\/h3>\n
It\u2019s up to us to ensure we are aware of the level of service we can expect and that we monitor the availability of our own tenants.<\/p>\n
If a service falls below the SLA documented by Microsoft, you will need proof of that outage. Keep an eye on the service health dashboard in the admin center.<\/p>\n
You can find service incidents in your Microsoft 365 Admin Portal, and those come in two varieties:<\/strong><\/p>\n\n- Planned maintenance events:<\/strong> Planned maintenance is regular service updates from Microsoft done to infrastructure and software applications. Notifications about planned maintenance events let customers know about service work that might affect their service from Microsoft. Customers are notified no later than five days before all planned maintenance through the message center in the admin portal. Microsoft typically plans maintenance for times when service usage is at its lowest based on regional time zones.<\/li>\n
- Unplanned downtime:<\/strong> Unplanned service incidents happen when one of the services in the Microsoft 365 suite is unexpectedly down or unavailable.<\/li>\n<\/ul>\n
Monitor the message center at least weekly, if not more often, for updated change notifications, any actions required, and expected outages. Microsoft Defender<\/a> has default alert policies configured to send admins email messages in a variety of circumstances, such as:<\/strong><\/p>\n\n- A mail flow rule has been created.<\/li>\n
- Malware is detected.<\/li>\n
- An unusual volume of email has been detected.<\/li>\n
- Unusual external user activities have been detected.<\/li>\n
- And more.<\/li>\n<\/ul>\n
The Secure Score dashboard<\/a> is a good place to start for a visual look at anomalies and for tips on what to update next. Beyond Secure Score, you can also use the following to monitor service availability:<\/p>\n\n- Microsoft 365 Admin App.<\/li>\n
- Add-in for Microsoft 365 for System Center.<\/li>\n
- The service communication API.<\/li>\n
- Third-party provider of monitoring solutions.<\/li>\n<\/ul>\n
Enhancing Monitoring and Supportability<\/h3>\n
If you are interested in enhancing out-of-the-box security monitoring, check out Microsoft Defender for Cloud Apps. This gives you further insight into activity, app use, alerts, and log reviews, among other tasks. It allows you to create policies, from templates or from scratch, that give you deeper insight into shadow IT, allowing you to better control where you store sensitive information.<\/strong><\/p>\nAnother security enhancement is Microsoft Entra ID Protection. Entra ID Protection is a collection of algorithms that determine if a user sign-in is risky or not. If you\u2019re already using conditional access, you can set up the tool to deny access if Azure determines the sign-in to be of a risky nature. This will take some testing, but you can at least determine if the sign-ins are coming from unknown IP ranges (those not associated with a country) or if the sign-ins involve impossible travel (for example, you can\u2019t sign in from an IP address in London and five minutes later sign in from a different IP address in New York).<\/p>\n
These monitoring and operations tasks usually take a few months to settle into your organization’s work pace, so be attentive and flexible early on.<\/strong> You should quickly find repetitive tasks that you can manage and automate more effectively using PowerShell<\/a> or other third-party add-ins.<\/p>\nAlmost anything you can do with the UI, you can customize and do it through PowerShell. If the built-in reports don\u2019t offer the data to meet the needs of a specific report request, the information is usually available from the output of a script. You must be a global admin to use PowerShell with Microsoft 365.<\/p>\n
<\/a>Digital Asset Protection in Microsoft 365: Final Thoughts<\/h2>\n
Physical Architecture: Security Features<\/a><\/h2>\nBusiness Continuity and Disaster Recovery in Microsoft 365<\/a><\/h2>\nAdditional Business Continuity Tips<\/a><\/h2>\nOperational Support Structure for Digital Asset Protection<\/a><\/h2>\nDigital Asset Protection in Microsoft 365: Final Thoughts<\/a><\/h2>\n
\n<\/a>Why Digital Asset Protection Is Important<\/h2>\nWhile working as a consultant at a global manufacturer in the 1990s, I first heard the phrase, \u201cSecurity is everybody\u2019s business.\u201d This company had, and likely still has, a robust security training program with videos, classes and more.<\/p>\n
I admit that I scoffed at this effort until I first flew somewhere for business. Across the aisle and one row up, a well-dressed man extracted a laptop and shared his company\u2019s financial information with all of us behind him. Then, I understood.<\/p>\n
We\u2019ve come a long way since then, yet I still get questioned today about why I use complex passwords and two-factor authentication for everything. My answer: Some service passwords in Azure require 12 characters, and I will always recommend multifactor authentication.<\/p>\n
With everything in the cloud, security is now more important than ever especially when it comes to protecting your two biggest assets: identity and information.<\/strong><\/p>\nThis blog will focus on both identity and information \u2013 from the tools available to how they work together to achieve a holistic and security-centric approach to your cloud investment in Microsoft 365<\/a> and Azure. I\u2019ll specifically dive into seven areas to keep in mind to thoroughly protect your digital assets.<\/p>\nWhile the focus won\u2019t be on the technical procedures for implementing these tools, rest assured that I\u2019ll direct you to the technical references everywhere possible.<\/p>\n
<\/a>1. Encryption for Microsoft 365 Cloud Security<\/h2>\nVigen\u00e8re. Playfair. Enigma. Sha. MD5. RSA. AES. Perhaps you have heard of these ciphers, especially the later ones like RSA and AES. Today, RSA and AES are the safest, but with every advance in computing power comes the need to update this cipher technology. With the rapidly approaching era of available DNA and Quantum computing, we\u2019ll soon be able to easily decode the final Enigma and Zodiac ciphertexts that have remained uncracked for years.<\/p>\n
RSA is the cipher used for today\u2019s public key cryptography implementation and is the public key infrastructure<\/a> widely in use. To securely facilitate the transfer of information, a message sender uses a known public key to encode a message, and the recipient uses a private key, known only to them, to decode the message.<\/strong> Handshakes and agreements between sender and receiver ensure the quality of the encoding or decoding.<\/p>\nYou can use these encryption technologies to protect assets in your Microsoft 365 platform and Azure. Here\u2019s how:<\/p>\n
<\/a><\/p>\nYour Data at Rest (Infrastructure)<\/h3>\n
When it is not being sent, received or used, your organization\u2019s data lives on a server in a datacenter<\/a>.<\/p>\nYour data is replicated for security and high availability, but while it is at rest in any Microsoft facility, it resides on a storage mechanism encrypted using Bitlocker<\/a>.<\/p>\nBe sure to gather information in the links above to reference the location of your organization\u2019s data.<\/strong> This is extremely important for topics like the General Data Protection Regulation (GDPR) in the EU and High Availability, which describes a system\u2019s ability to continue operating even when some components of that system fail.<\/p>\nYour Data in Transit (Information)<\/h3>\n
Your data in transit is the most customer-involved decision-making piece of the Microsoft 365 encryption solution. That is why we work so hard to provide updated guidance and support throughout the life of your Microsoft 365 investment.<\/p>\n
Dozens upon dozens of endpoints are available from any device and any location in the world, providing information entrance and exit paths to and from the various services Microsoft 365 and Azure offer.<\/p>\n
Protecting the information flowing through these points is critical, especially since users are historically unreliable when it comes to classifying and encrypting messages and files on their own.<\/strong><\/p>\nAt the application layer (OSI 7)<\/a>, Microsoft provides Transport Layer Security and Secure Sockets Layer (TLS\/SSL) (currently version 1.2) encryption, the successor to SSL and a means of negotiating a handshake between sender and receiver to generate agreed-upon keys to encrypt data being sent \u2013 this is also known as symmetric cryptography.<\/p>\n<\/a>Original image: https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/network\/windows-network-architecture-and-the-osi-model<\/p><\/div>\n
The sender and recipient must agree on the encryption method based on what is available to them and what is in common between them. As a result, this does not always guarantee the highest level of security, but it does guarantee the highest level of security in common between both parties.<\/p>\n
Here are some of the customer tasks involved with data-encryption information security:<\/p>\n
\n- Avoid accidental and malicious data deletion by configuring:<\/strong>\n
\n- Data Loss Prevention (DLP)<\/a> and Labels in Microsoft Purview \u2013 This is not encryption-related, but important nonetheless.<\/li>\n<\/ul>\n<\/li>\n
- Avoid accidental and malicious data exfiltration using:<\/strong>\n
\n- Azure Rights Management Service (RMS)<\/a> \u2013 Applies protection and encryption to messages and data.<\/li>\n
- Information Rights Management (IRM)<\/a> \u2013 Applies protection and classification to messages and SharePoint libraries.<\/li>\n
- Microsoft Purview Information Protection (IP)<\/a> \u2013 Applies classification, encryption, and permissions for use through policies for data and messages.<\/li>\n
- Exchange Online Protection (EOP)<\/a> along with other Exchange settings \u2013 Strengthens your basic messaging stance with rules and malware policies, to name a few.<\/li>\n<\/ul>\n<\/li>\n
- Avoid accidental and malicious data contamination using:<\/strong>\n
\n- Microsoft Defender for Office 365<\/a> \u2013 Send messages through an isolated channel to a detonation chamber to thoroughly test any message links and attachments, and remove them where necessary. Also, it is not specifically encryption-related, but it is important nonetheless.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Your Data in Use (Identity)<\/h3>\n
When you and your colleagues collaborate on a document using Microsoft Teams<\/a>, the source document resides in SharePoint by default. Whether it is OneNote, OneDrive, or a SharePoint document repository opened in Teams, Office Online, or a client, you can encrypt all communications between the client and the data source using Azure VPN Gateway.<\/p>\nIf you have configured and deployed the information encryption options previously mentioned, these will also be in use during the collaborative transport of data.<\/strong><\/p>\nIf, or when, you receive an encrypted email, your identity is verified, and permissions for the message and its attachments are maintained using IP in concert with Azure RMS. This information is only visible with a protected viewer (client or browser) and is otherwise encrypted at all times.<\/p>\n
Users can set the encryption, or it can be done automatically using various criteria set in the IP control panel. My colleague Veenus Maximiuk does a much more thorough job of explaining this in her blogs<\/a>, so I\u2019ll leave the details to her.<\/p>\nYour organization\u2019s discussions around each encryption technology mentioned above will depend on what features of Enterprise Mobility + Security (EMS) you\u2019re going to deploy and what hybrid design elements are in place. The solution will not be single-sized and will differ, sometimes drastically, between organizations.<\/p>\n
One major factor to consider while determining which features are best for your digital asset protection needs is the legal regulations that impact your organization.<\/p>\n
<\/a>2. Microsoft 365 for Legal Compliance<\/h2>\nThe tools you need for security and legal compliance<\/a>, transparency<\/a>, and reporting<\/a> are in the Microsoft Purview compliance portal and various other Microsoft sites specific to these topics. This compliance portal is the hub for legal work and protects your data using specific user roles for different operations in the center.<\/p>\nMicrosoft maintains a high level of transparency, trust and certifications surrounding the services it offers in the cloud, and you can locate any information your legal department requires using the above links.<\/p>\n
Digital asset protection plays a major role in both security and compliance. There was no shortage of security incidents in 2023<\/a>, and all of them had legal implications in some measure.<\/strong><\/p>\nFor example, I was fortunate enough to be able to provide guidance and technical assistance in an incident involving a Microsoft 365 user in a foreign country who was involved in a legal investigation.<\/p>\n
The legal team requested that an email be held, which is as simple as a checkbox and a duration option. However, they were unaware that there were also options for locating and holding data in place in other locations, such as Groups, Teams, SharePoint, and OneDrive.<\/p>\n
For this particular incident, we used an eDiscovery case to perform all the required holds, content searches, and exports. An eDiscovery case allows us to create a case, assign users, search for content, select locations where we want to search, retain that data, report on it, and finally export it for transport.<\/p>\n
I only encountered a few issues at the time, and the main one was the time frame. I didn\u2019t know anything about the case \u2013 and I like to keep it that way \u2013 but we had 72 hours to make usable data available to the legal team in the other country.<\/p>\n
With about 150Gb in the mailbox, it was slow \u2013 Microsoft has made improvements to increase the speed of operations, and it is much faster now \u2013 and had to be split into multiple files.<\/p>\n
One thing we know for sure when trying to find what you need: Narrow down those searches using filters and locations to get exactly what you\u2019re looking for for your case!<\/strong> You will save time, reduce throughput issues like timeouts, create more space, and probably some more time.<\/p>\nSecurity and Compliance Center Capabilities<\/h3>\n
So, what do you need, and what are your capabilities in the Microsoft Purview compliance portal?<\/p>\n
First, you\u2019ll need a Microsoft 365 Enterprise E3 license or a la carte P2 licenses for Exchange and SharePoint to retain user data. Also, if you need enhanced security and management, you\u2019ll need an EMS license to use Microsoft Purview IP, as well as advanced features of MFA, and more.<\/p>\n
Next, use the following tools as needed within your organization:<\/p>\n
\n- Classification labels and DLP policies<\/strong> \u2013 To retain, detect or delete particular information for a period of time. The GDPR Dashboard brings these tools together quite nicely as well.<\/li>\n
- Content Search<\/strong> \u2013 To find the information you need, based on the criteria you have, in the locations you select, and for the individual who creates and uses it.<\/li>\n
- Audit Log<\/strong> \u2013 To search for and locate any administrative activities for an individual or by a particular administrator.<\/li>\n
- eDiscovery<\/strong> \u2013 Serves as a complete management tool for legal cases, including searching, holding, exporting, and reporting on user data. I\u2019ve also used the eDiscovery tool in the past to retain departed employees\u2019 information for a required period of time.<\/li>\n<\/ul>\n
There are plenty of tools available for this and, with the use of archive mailboxes and other strategies, plenty of storage available for these operations.<\/p>\n
It is important to remember that once you put a user\u2019s data location on hold, that data and any data generated by the user from that point forward will be retained. I have yet to see any organization deplete their tenant space entirely, much less with eDiscovery as the reason (and I\u2019ve seen some really large operations using a lot of space).<\/p>\n
But in order to do anything with a specific user\u2019s data location or other information, you need to make sure your company has a strategy for identity control<\/a>.<\/strong><\/p>\n<\/a>3. A New Strategy for Identity Control<\/h2>\nPrior to transforming your business to meet today\u2019s needs, you probably created an account for your user in your company\u2019s directory.<\/p>\n
You likely provided that account with permissions to folders and applications on your network \u2013 perhaps individually or in groups. And, you fully understand where your users will be logging in, from what devices, and at what times.<\/p>\n
But with today\u2019s business anywhere mentality, you can no longer protect your digital assets and users\u2019 identities using the old methodologies for on-premises networks. And if your company isn\u2019t ready or cannot be completely in the cloud, then you\u2019ll need a hybrid strategy.<\/p>\n
Steps to Identity Control in a Hybrid Environment<\/h3>\n
Enter Azure role-based access control (RBAC)<\/a>, Microsoft Entra Privileged Identity Management (PIM)<\/a>, Microsoft Entra ID Protection<\/a>, and the Microsoft Graph Security API based on machine learning and AI<\/a>.<\/p>\nWhen you make a move to a hybrid cloud scenario you will need these. You will also want Microsoft Intune for device management, which is the other side of the identity control scenario.<\/p>\n
The hybrid strategy will remain until all your existing software solutions \u2013 HR, payroll, receivables, and more \u2013 are also in the cloud, and you\u2019re prepared to decommission your entire local infrastructure.<\/p>\n
This is also the case whether you\u2019re using Microsoft Entra ID or another third-party directory, single sign-on, or multifactor authorization provider.<\/p>\n
<\/a><\/p>\n1. Determine your cloud identity model<\/a>.<\/h4>\nIf you already have infrastructure available for identity management, check to see if you can federate that with Microsoft 365 and Azure. It\u2019s a simple process, even if you need to synchronize a .local domain. In this case, you will manage your accounts on-premises, including password policies, authentication management, and resource requests.<\/p>\n
2. Define roles, resources and strategies.<\/h4>\n
Determine what applications will be available in the cloud, what roles you\u2019ll use to assign users access to resources, and most importantly, clearly define a group strategy. There are consequences to different types of group creation in Microsoft Entra ID that you should be aware of prior to a migration.<\/p>\n
Keep in mind that these decisions don\u2019t take place in a vacuum, and you will need to carefully consider this as a sub-project of your overall cloud migration project.<\/p>\n
3. Review additional options.<\/h4>\n
Take a look at the additional options available to you in the Microsoft Entra ID Premium subscriptions, most importantly ID Protection<\/a> and Privileged Identity Management<\/a>:<\/p>\n\n- ID Protection<\/strong> \u2013 risk-based logging and alerts to determine potentially harmful sign-ins, sign-ins from impossible locations, and automated remediation.<\/li>\n
- Privileged Identity Management<\/strong> \u2013 assign just-in-time (JIT) access to provide a user with elevated access during a specified time window and just-enough-access (JEA) to provide least privileged access to resources.<\/li>\n<\/ul>\n
4. Establish conditional access policies.<\/h4>\n
In the Entra ID P1 subscription, you\u2019ll find the opportunity to create conditional access<\/a> policies. If you don\u2019t already have a second-factor authentication provider and policy in place, I recommend exploring the use of conditional access policies to enforce MFA and for a variety of other reasons, especially with the use of mobile devices and your Windows 11 infrastructure.<\/p>\nOnce you\u2019ve established who will have access to what, you need to make sure you have security policies in place so that each person knows how to treat your company\u2019s data and keep your organization safe.<\/strong><\/p>\n<\/a>4. Security Policies in Microsoft 365<\/h2>\nLet\u2019s first make a distinction between the types of policies you have to work with when establishing digital asset protection.<\/p>\n
First, there are policies in Microsoft 365 and Azure such as passwords, DLP, labels, Threat management, data governance<\/a>, and mobile device management. These are the policies you can create in your Microsoft 365 and Azure tenants, and they consist of settings that were likely decided upon in your security requirements meetings. These should be part of your baseline platform documentation already.<\/strong><\/p>\nThere are, however, other policies that you\u2019ll need, and they\u2019re vital to your organization\u2019s operations. These are documented policies that cannot change without your governance board or boards\u2019 approval.<\/p>\n
Identity Policy<\/h3>\n
This type of policy covers items that protect your users, their personal information, and access to your systems.<\/p>\n
\n- Passwords<\/strong> \u2013 It\u2019s likely your company manages your password policies on-premises and not in the cloud, but make sure these are documented and updated. NIST\u2019s guidelines<\/a> can help.<\/li>\n
- Multifactor Authentication<\/strong><\/a> \u2013 Due to NIST\u2019s guidelines, you will want to enforce this for all admins and all mobile or off-network logins.<\/li>\n
- Data Loss Prevention<\/strong> \u2013 Automatically label documents and emails containing social security numbers or credit cards, and prevent them from being shared outside the organization.<\/li>\n
- Mobile Devices<\/strong> \u2013 Use some type of device management to govern what devices can connect to your tenant, what apps they can use, and what users can do with those apps.<\/li>\n
- Administration and Support<\/strong> \u2013 Use roles to determine who will administer what portions of your tenant and when they will have access.<\/li>\n
- Onboarding and Offboarding<\/strong> \u2013 Be sure to document your process and make concessions for data handling when users leave, especially in a hybrid environment.<\/li>\n<\/ul>\n
Information Policy<\/h3>\n
This type of policy governs the ingress and egress of your company\u2019s data.<\/p>\n
\n- External Sharing<\/strong> \u2013 Document who can share, what they can share, where they can share from, and how to monitor sharing.<\/li>\n
- Classification and Encryption<\/strong> \u2013 Use IP to allow users to classify, automatically classify, and encrypt information in your tenant.<\/li>\n
- Retention<\/strong> \u2013 Manage the lifecycle of your data and determine when or if it can be deleted so you retain critical data.<\/li>\n<\/ul>\n
Governance Policy<\/h3>\n
This type of policy will help you maintain control over the permissions your users have to use your systems.<\/p>\n
\n- Exchange<\/strong> \u2013 Document what services your company allows, who can use them, and how to effectively monitor and adjust as needed.<\/li>\n
- Teams<\/strong> \u2013 Decide on a Group and Team creation strategy, as well as retention plans, external application use, and external sharing.<\/li>\n
- SharePoint<\/strong> \u2013 Determine strategies for storage management and usage, site creation and lifecycle management, and sharing.<\/li>\n
- OneDrive for Business<\/strong> \u2013 Decide on quotas and sharing strategy.<\/li>\n
- Viva Engage<\/strong> \u2013 Determine how you want to use Yammer, and how sharing and group creation will take place.<\/li>\n
- Power Automate, Power Apps, Power BI, Dynamics, Planner, Sway, Forms, and more<\/strong> \u2013 These are apps that don\u2019t have the traditional Microsoft 365 Admin Center. But don\u2019t let down your guard. They still have access, usage, and sharing policies that you need to govern.<\/li>\n
- Microsoft 365 Groups<\/strong> \u2013 You\u2019ll need a naming strategy and retention policy, ownership and membership policy, and an external sharing plan. Remember that these are the underlying organizational units for Teams, Planner, Power BI, and more.<\/li>\n<\/ul>\n
In many cases, you\u2019ll find that your existing policies will work fine and will only need to be tweaked a little. Many of these applications and processes, however, won\u2019t have well-defined policies in place, and you will need to document and manage them.<\/strong><\/p>\nTo manage and maintain all of this, however, you need to understand how your own physical servers and Microsoft\u2019s physical architecture work together to protect your company\u2019s data.<\/p>\n
<\/a>5. Physical Architecture: Security Features<\/h2>\nMicrosoft\u2019s physical architecture uses the same principles most organizations use to secure a data center. Because of the nature of Microsoft data centers and the information kept in them, securing the physical infrastructure is as paramount as data availability.<\/p>\n
Some of the physical protection features in use by Microsoft\u2019s data centers are:<\/p>\n
\n- High-security perimeter fences.<\/li>\n
- 24\/7\/365 surveillance.<\/li>\n
- Vehicle checkpoints.<\/li>\n
- World-class access procedures to facilities.\n
\n- Multi-factor, biometric entry points.<\/li>\n
- Full body metal detection.<\/li>\n<\/ul>\n<\/li>\n
- On-site hard drive destruction (shredding).<\/li>\n
- State-of-the-art fire suppression.<\/li>\n
- Secure access to physical components.<\/li>\n
- Geo-located and geo-replicated data.<\/li>\n<\/ul>\n
You are likely using many of the security features and principles listed above where they make sense in your own organizations. That\u2019s good.<\/p>\n
The question is, how will you architect your network for the change? That depends on your final goal.<\/strong><\/p>\n\n- Will you peacefully coexist?<\/li>\n
- Are you going to extend your directory to the cloud?<\/li>\n
- Do you want an isolated tunnel between your location and Office 365?<\/li>\n<\/ul>\n
Option 1: Keep Your Infrastructure<\/h3>\n
This one is really simple. You keep your infrastructure in place and allow the URLs and IP addresses required for Microsoft 365 through your firewall(s).<\/p>\n
This uses your current ISP and the public internet in the same way your users access it today. Traffic is encrypted and flows through a secure channel. Microsoft 365 and Dynamics 365 are designed for this type of access.<\/p>\n
Option 2: Use Express Route<\/h3>\n
In certain situations, we recommend ExpressRoute. You still keep your infrastructure in place, but this is a private connection between your infrastructure and Microsoft\u2019s data center through an ExpressRoute carrier, widely available in the U.S.<\/p>\n
This type of connection offers higher security, reliability and speed with lower latencies than internet connections.<\/strong> Pairing these connections with other regions requires an add-on but ensures your routing remains optimal for performance.<\/p>\nOption 3: Implement a Site-to-Site VPN<\/h3>\n
If you\u2019re planning to use an Azure infrastructure workload like a virtual network or you plan to extend or replace your Entra ID entirely, then you have a few options.<\/p>\n
You can use the ExpressRoute<\/a> solution as we discussed in Option 2, or you can connect your on-premises routers to an Azure Gateway using a site-to-site VPN<\/a>. The gateway can then provide customized access to resources with user-defined routing.<\/p>\nOption 4: Opt for a Third-Party<\/h3>\n
If you\u2019re in between a site-to-site VPN and ExpressRoute, there are plenty of third-party network appliances in the Azure marketplace that can provide faster than site-to-site VPN with secure routing between your routers and an Azure Gateway. These devices sit between options 2 and 3 above. Barracuda and Cisco are popular device providers you can check out.<\/p>\n
This is in no way a comprehensive look at the infrastructure configurations possible.<\/strong> Rather, it\u2019s a broad overview to help you start planning.<\/p>\nThere are plenty of considerations based on workload, size and directory structure that can either add complexity or simplify the above approaches.<\/p>\n
<\/a><\/h3>\n<\/a>6. Business Continuity and Disaster Recovery in Microsoft 365<\/h2>\nOnce you\u2019re fully set up in your hybrid or cloud environment, you need to implement a few additional policies and procedures, the most important of which is a business continuity and disaster recovery plan.<\/p>\n
But what is your organization ultimately responsible for versus Microsoft\u2019s role as your provider? You have plenty of options to make sure your data is protected in a worst-case scenario.<\/strong><\/p>\nMicrosoft\u2019s Responsibilities<\/h3>\n<\/a><\/h3>\nMicrosoft remains committed to transparency<\/a> when it comes to service health monitoring and outage notifications and updates. They have also implemented a system of geo-redundancy that makes it extremely unlikely for a complete Microsoft service outage to happen across all data centers and all services.<\/p>\nThe company ensures that customer data is available whenever it is needed through the following features:<\/p>\n
\n- Data storage and redundancy:<\/strong> Customer data is stored in a redundant environment with robust data protection capabilities to enable availability, business continuity, and rapid recovery. Multiple levels of data redundancy are implemented, ranging from redundant disks to guard against local disk failure to continuous, full data replication to a geographically diverse data center.<\/li>\n
- Data monitoring:<\/strong> Microsoft 365 services maintain high levels of performance by:\n
\n- Monitoring databases:<\/strong>\n
\n- Blocked processes.<\/li>\n
- Packet loss.<\/li>\n
- Queued processes.<\/li>\n
- Query latency.<\/li>\n<\/ul>\n<\/li>\n
- Completing preventative maintenance:<\/strong> Preventative maintenance includes database consistency checks, periodic data compression, and error log reviews.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Administration Responsibilities<\/h3>\n
It\u2019s up to us as the customer, however, to ensure we are aware of the level of service<\/a> we can expect and monitor the availability of our own tenants. Here are some basics for Microsoft 365:<\/p>\nExchange:<\/h4>\n\n- By default, the recoverable item store is set to keep deleted items for only 14 days.<\/li>\n
- You can increase this 14-day value, but it can only be set to a maximum of 30 days.<\/li>\n
- All Microsoft 365 licensing plans have a soft limit of 20GB of recoverable items storage per user, at which point users will receive a warning, and a hard limit of 30GB, at which point the system will delete the oldest emails first. However, individuals can configure their mailboxes with different quotas.<\/li>\n
- The litigation hold version of the recoverable items store has no size or version limits.<\/li>\n<\/ul>\n
SharePoint and OneDrive:<\/h4>\n\n- Deleted items remain in the Recycle Bin for 93 days unless the recycle bin storage exceeds its quota.<\/li>\n
- SharePoint Online data is backed up every 12 hours.<\/li>\n
- Backups are kept for an additional 14 days.<\/li>\n
- One-hour recovery point objective (RPO): Microsoft maintains a copy of your SharePoint Online data, ensuring it is less than or equal to one hour old.<\/li>\n
- Six-hour recovery time objective (RTO): If a disaster knocks out or disrupts a hosting data center, Microsoft tries to ensure that organizations can resume service within six hours after the disruption.<\/li>\n<\/ul>\n
Users have a tremendous amount of control over the deletion and restoration of their own personal documents.<\/strong> Administrators have at least 30 days to retrieve data from their tenant as data is first soft deleted.<\/p>\nDid a user account get deleted accidentally? No problem: Recreate it, synchronize it, and access the data. Of course, the two-stage recycle bin in SharePoint has been around for a while now, so no problem there, either.<\/p>\n
OneDrive users have a point-in-time restore utility built-in, so be sure users are aware of the feature.<\/p>\n
Data Retention in Office 365<\/h3>\n
Don\u2019t forget about retention policies<\/a> for data across Microsoft 365. These policies can ensure you remain legally compliant with any industry regulations you might have. Managing these policies typically requires two actions:<\/strong><\/p>\n\n- Retaining content so it can\u2019t be permanently deleted before the end of the retention period.<\/li>\n
- Deleting content permanently at the end of the retention period.<\/li>\n<\/ul>\n
With a retention policy, you can:<\/strong><\/p>\n\n- Decide proactively whether to retain content, delete content, or both \u2013 retain and then delete the content.<\/li>\n
- Apply a single policy to the entire organization or only specific locations or users.<\/li>\n
- Apply a policy to all content or just content meeting certain conditions, such as content containing specific keywords or specific types of sensitive information.<\/li>\n<\/ul>\n
<\/a>Additional Business Continuity Tips<\/h3>\nBeyond maintaining business continuity on your own using Microsoft 365’s procedures, there are a couple of other things you can do to keep your data safe:<\/p>\n
Use Outside Help<\/h4>\n
If you\u2019re interested in defining and managing what you keep, where you keep it, and how often you gather it, you also have a few options:<\/p>\n
\n- See if a hybrid or scripted solution would work.<\/li>\n
- Use a third-party SaaS solution to fill this gap.<\/li>\n<\/ul>\n
Explore Azure Cloud Security Options:<\/h4>\n
There are a few additional options from Azure Cloud<\/a> security to help you maintain your data integrity:<\/p>\n\n- Failover your on-premises environment to Azure if you can\u2019t move it all yet.<\/li>\n
- Use Azure\u2019s site recovery.<\/li>\n
- Use an Azure partner for disaster recovery.<\/li>\n<\/ul>\n
You won\u2019t find 20-plus-year-old strategies anymore for a continuity and disaster recovery scenario. Today, it\u2019s more convenient, cost-effective, and simpler to find continuity and disaster recovery as a service.<\/strong><\/p>\nBeyond disaster recovery, there are a few other operations you need to have in place to support digital asset protection in Microsoft 365.<\/p>\n
<\/a>7. Operational Support Structure for Digital Asset Protection<\/h2>\nIf you\u2019re a large enough organization, you are likely transitioning teams from their on-premises duties to new cloud responsibilities<\/a>. We typically recommend your support team is .2 percent of the organization’s supported community, so two support people for every 1,000 users.<\/strong><\/p>\nWhen we work with clients to plan, rollout or remediate Microsoft 365<\/a>, we look at the entire IT structure, the number of users, what workloads are being rolled out, and how current support structures can be modified for the cloud.<\/p>\nYour first-level help desk will be key in taking some of the repetitive tasks away from your admins, and an updated knowledge base will provide a reference to help them.<\/p>\n
If you are the help desk and the global admin, keep a knowledge base for yourself in a SharePoint list for easy reference.<\/p>\n
Service Availability Monitoring<\/h3>\n
It\u2019s up to us to ensure we are aware of the level of service we can expect and that we monitor the availability of our own tenants.<\/p>\n
If a service falls below the SLA documented by Microsoft, you will need proof of that outage. Keep an eye on the service health dashboard in the admin center.<\/p>\n
You can find service incidents in your Microsoft 365 Admin Portal, and those come in two varieties:<\/strong><\/p>\n\n- Planned maintenance events:<\/strong> Planned maintenance is regular service updates from Microsoft done to infrastructure and software applications. Notifications about planned maintenance events let customers know about service work that might affect their service from Microsoft. Customers are notified no later than five days before all planned maintenance through the message center in the admin portal. Microsoft typically plans maintenance for times when service usage is at its lowest based on regional time zones.<\/li>\n
- Unplanned downtime:<\/strong> Unplanned service incidents happen when one of the services in the Microsoft 365 suite is unexpectedly down or unavailable.<\/li>\n<\/ul>\n
Monitor the message center at least weekly, if not more often, for updated change notifications, any actions required, and expected outages. Microsoft Defender<\/a> has default alert policies configured to send admins email messages in a variety of circumstances, such as:<\/strong><\/p>\n\n- A mail flow rule has been created.<\/li>\n
- Malware is detected.<\/li>\n
- An unusual volume of email has been detected.<\/li>\n
- Unusual external user activities have been detected.<\/li>\n
- And more.<\/li>\n<\/ul>\n
The Secure Score dashboard<\/a> is a good place to start for a visual look at anomalies and for tips on what to update next. Beyond Secure Score, you can also use the following to monitor service availability:<\/p>\n\n- Microsoft 365 Admin App.<\/li>\n
- Add-in for Microsoft 365 for System Center.<\/li>\n
- The service communication API.<\/li>\n
- Third-party provider of monitoring solutions.<\/li>\n<\/ul>\n
Enhancing Monitoring and Supportability<\/h3>\n
If you are interested in enhancing out-of-the-box security monitoring, check out Microsoft Defender for Cloud Apps. This gives you further insight into activity, app use, alerts, and log reviews, among other tasks. It allows you to create policies, from templates or from scratch, that give you deeper insight into shadow IT, allowing you to better control where you store sensitive information.<\/strong><\/p>\nAnother security enhancement is Microsoft Entra ID Protection. Entra ID Protection is a collection of algorithms that determine if a user sign-in is risky or not. If you\u2019re already using conditional access, you can set up the tool to deny access if Azure determines the sign-in to be of a risky nature. This will take some testing, but you can at least determine if the sign-ins are coming from unknown IP ranges (those not associated with a country) or if the sign-ins involve impossible travel (for example, you can\u2019t sign in from an IP address in London and five minutes later sign in from a different IP address in New York).<\/p>\n
These monitoring and operations tasks usually take a few months to settle into your organization’s work pace, so be attentive and flexible early on.<\/strong> You should quickly find repetitive tasks that you can manage and automate more effectively using PowerShell<\/a> or other third-party add-ins.<\/p>\nAlmost anything you can do with the UI, you can customize and do it through PowerShell. If the built-in reports don\u2019t offer the data to meet the needs of a specific report request, the information is usually available from the output of a script. You must be a global admin to use PowerShell with Microsoft 365.<\/p>\n
<\/a>Digital Asset Protection in Microsoft 365: Final Thoughts<\/h2>\n
Additional Business Continuity Tips<\/a><\/h2>\nOperational Support Structure for Digital Asset Protection<\/a><\/h2>\nDigital Asset Protection in Microsoft 365: Final Thoughts<\/a><\/h2>\n
\n<\/a>Why Digital Asset Protection Is Important<\/h2>\nWhile working as a consultant at a global manufacturer in the 1990s, I first heard the phrase, \u201cSecurity is everybody\u2019s business.\u201d This company had, and likely still has, a robust security training program with videos, classes and more.<\/p>\n
I admit that I scoffed at this effort until I first flew somewhere for business. Across the aisle and one row up, a well-dressed man extracted a laptop and shared his company\u2019s financial information with all of us behind him. Then, I understood.<\/p>\n
We\u2019ve come a long way since then, yet I still get questioned today about why I use complex passwords and two-factor authentication for everything. My answer: Some service passwords in Azure require 12 characters, and I will always recommend multifactor authentication.<\/p>\n
With everything in the cloud, security is now more important than ever especially when it comes to protecting your two biggest assets: identity and information.<\/strong><\/p>\nThis blog will focus on both identity and information \u2013 from the tools available to how they work together to achieve a holistic and security-centric approach to your cloud investment in Microsoft 365<\/a> and Azure. I\u2019ll specifically dive into seven areas to keep in mind to thoroughly protect your digital assets.<\/p>\nWhile the focus won\u2019t be on the technical procedures for implementing these tools, rest assured that I\u2019ll direct you to the technical references everywhere possible.<\/p>\n
<\/a>1. Encryption for Microsoft 365 Cloud Security<\/h2>\nVigen\u00e8re. Playfair. Enigma. Sha. MD5. RSA. AES. Perhaps you have heard of these ciphers, especially the later ones like RSA and AES. Today, RSA and AES are the safest, but with every advance in computing power comes the need to update this cipher technology. With the rapidly approaching era of available DNA and Quantum computing, we\u2019ll soon be able to easily decode the final Enigma and Zodiac ciphertexts that have remained uncracked for years.<\/p>\n
RSA is the cipher used for today\u2019s public key cryptography implementation and is the public key infrastructure<\/a> widely in use. To securely facilitate the transfer of information, a message sender uses a known public key to encode a message, and the recipient uses a private key, known only to them, to decode the message.<\/strong> Handshakes and agreements between sender and receiver ensure the quality of the encoding or decoding.<\/p>\nYou can use these encryption technologies to protect assets in your Microsoft 365 platform and Azure. Here\u2019s how:<\/p>\n
<\/a><\/p>\nYour Data at Rest (Infrastructure)<\/h3>\n
When it is not being sent, received or used, your organization\u2019s data lives on a server in a datacenter<\/a>.<\/p>\nYour data is replicated for security and high availability, but while it is at rest in any Microsoft facility, it resides on a storage mechanism encrypted using Bitlocker<\/a>.<\/p>\nBe sure to gather information in the links above to reference the location of your organization\u2019s data.<\/strong> This is extremely important for topics like the General Data Protection Regulation (GDPR) in the EU and High Availability, which describes a system\u2019s ability to continue operating even when some components of that system fail.<\/p>\nYour Data in Transit (Information)<\/h3>\n
Your data in transit is the most customer-involved decision-making piece of the Microsoft 365 encryption solution. That is why we work so hard to provide updated guidance and support throughout the life of your Microsoft 365 investment.<\/p>\n
Dozens upon dozens of endpoints are available from any device and any location in the world, providing information entrance and exit paths to and from the various services Microsoft 365 and Azure offer.<\/p>\n
Protecting the information flowing through these points is critical, especially since users are historically unreliable when it comes to classifying and encrypting messages and files on their own.<\/strong><\/p>\nAt the application layer (OSI 7)<\/a>, Microsoft provides Transport Layer Security and Secure Sockets Layer (TLS\/SSL) (currently version 1.2) encryption, the successor to SSL and a means of negotiating a handshake between sender and receiver to generate agreed-upon keys to encrypt data being sent \u2013 this is also known as symmetric cryptography.<\/p>\n<\/a>Original image: https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/network\/windows-network-architecture-and-the-osi-model<\/p><\/div>\n
The sender and recipient must agree on the encryption method based on what is available to them and what is in common between them. As a result, this does not always guarantee the highest level of security, but it does guarantee the highest level of security in common between both parties.<\/p>\n
Here are some of the customer tasks involved with data-encryption information security:<\/p>\n
\n- Avoid accidental and malicious data deletion by configuring:<\/strong>\n
\n- Data Loss Prevention (DLP)<\/a> and Labels in Microsoft Purview \u2013 This is not encryption-related, but important nonetheless.<\/li>\n<\/ul>\n<\/li>\n
- Avoid accidental and malicious data exfiltration using:<\/strong>\n
\n- Azure Rights Management Service (RMS)<\/a> \u2013 Applies protection and encryption to messages and data.<\/li>\n
- Information Rights Management (IRM)<\/a> \u2013 Applies protection and classification to messages and SharePoint libraries.<\/li>\n
- Microsoft Purview Information Protection (IP)<\/a> \u2013 Applies classification, encryption, and permissions for use through policies for data and messages.<\/li>\n
- Exchange Online Protection (EOP)<\/a> along with other Exchange settings \u2013 Strengthens your basic messaging stance with rules and malware policies, to name a few.<\/li>\n<\/ul>\n<\/li>\n
- Avoid accidental and malicious data contamination using:<\/strong>\n
\n- Microsoft Defender for Office 365<\/a> \u2013 Send messages through an isolated channel to a detonation chamber to thoroughly test any message links and attachments, and remove them where necessary. Also, it is not specifically encryption-related, but it is important nonetheless.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Your Data in Use (Identity)<\/h3>\n
When you and your colleagues collaborate on a document using Microsoft Teams<\/a>, the source document resides in SharePoint by default. Whether it is OneNote, OneDrive, or a SharePoint document repository opened in Teams, Office Online, or a client, you can encrypt all communications between the client and the data source using Azure VPN Gateway.<\/p>\nIf you have configured and deployed the information encryption options previously mentioned, these will also be in use during the collaborative transport of data.<\/strong><\/p>\nIf, or when, you receive an encrypted email, your identity is verified, and permissions for the message and its attachments are maintained using IP in concert with Azure RMS. This information is only visible with a protected viewer (client or browser) and is otherwise encrypted at all times.<\/p>\n
Users can set the encryption, or it can be done automatically using various criteria set in the IP control panel. My colleague Veenus Maximiuk does a much more thorough job of explaining this in her blogs<\/a>, so I\u2019ll leave the details to her.<\/p>\nYour organization\u2019s discussions around each encryption technology mentioned above will depend on what features of Enterprise Mobility + Security (EMS) you\u2019re going to deploy and what hybrid design elements are in place. The solution will not be single-sized and will differ, sometimes drastically, between organizations.<\/p>\n
One major factor to consider while determining which features are best for your digital asset protection needs is the legal regulations that impact your organization.<\/p>\n
<\/a>2. Microsoft 365 for Legal Compliance<\/h2>\nThe tools you need for security and legal compliance<\/a>, transparency<\/a>, and reporting<\/a> are in the Microsoft Purview compliance portal and various other Microsoft sites specific to these topics. This compliance portal is the hub for legal work and protects your data using specific user roles for different operations in the center.<\/p>\nMicrosoft maintains a high level of transparency, trust and certifications surrounding the services it offers in the cloud, and you can locate any information your legal department requires using the above links.<\/p>\n
Digital asset protection plays a major role in both security and compliance. There was no shortage of security incidents in 2023<\/a>, and all of them had legal implications in some measure.<\/strong><\/p>\nFor example, I was fortunate enough to be able to provide guidance and technical assistance in an incident involving a Microsoft 365 user in a foreign country who was involved in a legal investigation.<\/p>\n
The legal team requested that an email be held, which is as simple as a checkbox and a duration option. However, they were unaware that there were also options for locating and holding data in place in other locations, such as Groups, Teams, SharePoint, and OneDrive.<\/p>\n
For this particular incident, we used an eDiscovery case to perform all the required holds, content searches, and exports. An eDiscovery case allows us to create a case, assign users, search for content, select locations where we want to search, retain that data, report on it, and finally export it for transport.<\/p>\n
I only encountered a few issues at the time, and the main one was the time frame. I didn\u2019t know anything about the case \u2013 and I like to keep it that way \u2013 but we had 72 hours to make usable data available to the legal team in the other country.<\/p>\n
With about 150Gb in the mailbox, it was slow \u2013 Microsoft has made improvements to increase the speed of operations, and it is much faster now \u2013 and had to be split into multiple files.<\/p>\n
One thing we know for sure when trying to find what you need: Narrow down those searches using filters and locations to get exactly what you\u2019re looking for for your case!<\/strong> You will save time, reduce throughput issues like timeouts, create more space, and probably some more time.<\/p>\nSecurity and Compliance Center Capabilities<\/h3>\n
So, what do you need, and what are your capabilities in the Microsoft Purview compliance portal?<\/p>\n
First, you\u2019ll need a Microsoft 365 Enterprise E3 license or a la carte P2 licenses for Exchange and SharePoint to retain user data. Also, if you need enhanced security and management, you\u2019ll need an EMS license to use Microsoft Purview IP, as well as advanced features of MFA, and more.<\/p>\n
Next, use the following tools as needed within your organization:<\/p>\n
\n- Classification labels and DLP policies<\/strong> \u2013 To retain, detect or delete particular information for a period of time. The GDPR Dashboard brings these tools together quite nicely as well.<\/li>\n
- Content Search<\/strong> \u2013 To find the information you need, based on the criteria you have, in the locations you select, and for the individual who creates and uses it.<\/li>\n
- Audit Log<\/strong> \u2013 To search for and locate any administrative activities for an individual or by a particular administrator.<\/li>\n
- eDiscovery<\/strong> \u2013 Serves as a complete management tool for legal cases, including searching, holding, exporting, and reporting on user data. I\u2019ve also used the eDiscovery tool in the past to retain departed employees\u2019 information for a required period of time.<\/li>\n<\/ul>\n
There are plenty of tools available for this and, with the use of archive mailboxes and other strategies, plenty of storage available for these operations.<\/p>\n
It is important to remember that once you put a user\u2019s data location on hold, that data and any data generated by the user from that point forward will be retained. I have yet to see any organization deplete their tenant space entirely, much less with eDiscovery as the reason (and I\u2019ve seen some really large operations using a lot of space).<\/p>\n
But in order to do anything with a specific user\u2019s data location or other information, you need to make sure your company has a strategy for identity control<\/a>.<\/strong><\/p>\n<\/a>3. A New Strategy for Identity Control<\/h2>\nPrior to transforming your business to meet today\u2019s needs, you probably created an account for your user in your company\u2019s directory.<\/p>\n
You likely provided that account with permissions to folders and applications on your network \u2013 perhaps individually or in groups. And, you fully understand where your users will be logging in, from what devices, and at what times.<\/p>\n
But with today\u2019s business anywhere mentality, you can no longer protect your digital assets and users\u2019 identities using the old methodologies for on-premises networks. And if your company isn\u2019t ready or cannot be completely in the cloud, then you\u2019ll need a hybrid strategy.<\/p>\n
Steps to Identity Control in a Hybrid Environment<\/h3>\n
Enter Azure role-based access control (RBAC)<\/a>, Microsoft Entra Privileged Identity Management (PIM)<\/a>, Microsoft Entra ID Protection<\/a>, and the Microsoft Graph Security API based on machine learning and AI<\/a>.<\/p>\nWhen you make a move to a hybrid cloud scenario you will need these. You will also want Microsoft Intune for device management, which is the other side of the identity control scenario.<\/p>\n
The hybrid strategy will remain until all your existing software solutions \u2013 HR, payroll, receivables, and more \u2013 are also in the cloud, and you\u2019re prepared to decommission your entire local infrastructure.<\/p>\n
This is also the case whether you\u2019re using Microsoft Entra ID or another third-party directory, single sign-on, or multifactor authorization provider.<\/p>\n
<\/a><\/p>\n1. Determine your cloud identity model<\/a>.<\/h4>\nIf you already have infrastructure available for identity management, check to see if you can federate that with Microsoft 365 and Azure. It\u2019s a simple process, even if you need to synchronize a .local domain. In this case, you will manage your accounts on-premises, including password policies, authentication management, and resource requests.<\/p>\n
2. Define roles, resources and strategies.<\/h4>\n
Determine what applications will be available in the cloud, what roles you\u2019ll use to assign users access to resources, and most importantly, clearly define a group strategy. There are consequences to different types of group creation in Microsoft Entra ID that you should be aware of prior to a migration.<\/p>\n
Keep in mind that these decisions don\u2019t take place in a vacuum, and you will need to carefully consider this as a sub-project of your overall cloud migration project.<\/p>\n
3. Review additional options.<\/h4>\n
Take a look at the additional options available to you in the Microsoft Entra ID Premium subscriptions, most importantly ID Protection<\/a> and Privileged Identity Management<\/a>:<\/p>\n\n- ID Protection<\/strong> \u2013 risk-based logging and alerts to determine potentially harmful sign-ins, sign-ins from impossible locations, and automated remediation.<\/li>\n
- Privileged Identity Management<\/strong> \u2013 assign just-in-time (JIT) access to provide a user with elevated access during a specified time window and just-enough-access (JEA) to provide least privileged access to resources.<\/li>\n<\/ul>\n
4. Establish conditional access policies.<\/h4>\n
In the Entra ID P1 subscription, you\u2019ll find the opportunity to create conditional access<\/a> policies. If you don\u2019t already have a second-factor authentication provider and policy in place, I recommend exploring the use of conditional access policies to enforce MFA and for a variety of other reasons, especially with the use of mobile devices and your Windows 11 infrastructure.<\/p>\nOnce you\u2019ve established who will have access to what, you need to make sure you have security policies in place so that each person knows how to treat your company\u2019s data and keep your organization safe.<\/strong><\/p>\n<\/a>4. Security Policies in Microsoft 365<\/h2>\nLet\u2019s first make a distinction between the types of policies you have to work with when establishing digital asset protection.<\/p>\n
First, there are policies in Microsoft 365 and Azure such as passwords, DLP, labels, Threat management, data governance<\/a>, and mobile device management. These are the policies you can create in your Microsoft 365 and Azure tenants, and they consist of settings that were likely decided upon in your security requirements meetings. These should be part of your baseline platform documentation already.<\/strong><\/p>\nThere are, however, other policies that you\u2019ll need, and they\u2019re vital to your organization\u2019s operations. These are documented policies that cannot change without your governance board or boards\u2019 approval.<\/p>\n
Identity Policy<\/h3>\n
This type of policy covers items that protect your users, their personal information, and access to your systems.<\/p>\n
\n- Passwords<\/strong> \u2013 It\u2019s likely your company manages your password policies on-premises and not in the cloud, but make sure these are documented and updated. NIST\u2019s guidelines<\/a> can help.<\/li>\n
- Multifactor Authentication<\/strong><\/a> \u2013 Due to NIST\u2019s guidelines, you will want to enforce this for all admins and all mobile or off-network logins.<\/li>\n
- Data Loss Prevention<\/strong> \u2013 Automatically label documents and emails containing social security numbers or credit cards, and prevent them from being shared outside the organization.<\/li>\n
- Mobile Devices<\/strong> \u2013 Use some type of device management to govern what devices can connect to your tenant, what apps they can use, and what users can do with those apps.<\/li>\n
- Administration and Support<\/strong> \u2013 Use roles to determine who will administer what portions of your tenant and when they will have access.<\/li>\n
- Onboarding and Offboarding<\/strong> \u2013 Be sure to document your process and make concessions for data handling when users leave, especially in a hybrid environment.<\/li>\n<\/ul>\n
Information Policy<\/h3>\n
This type of policy governs the ingress and egress of your company\u2019s data.<\/p>\n
\n- External Sharing<\/strong> \u2013 Document who can share, what they can share, where they can share from, and how to monitor sharing.<\/li>\n
- Classification and Encryption<\/strong> \u2013 Use IP to allow users to classify, automatically classify, and encrypt information in your tenant.<\/li>\n
- Retention<\/strong> \u2013 Manage the lifecycle of your data and determine when or if it can be deleted so you retain critical data.<\/li>\n<\/ul>\n
Governance Policy<\/h3>\n
This type of policy will help you maintain control over the permissions your users have to use your systems.<\/p>\n
\n- Exchange<\/strong> \u2013 Document what services your company allows, who can use them, and how to effectively monitor and adjust as needed.<\/li>\n
- Teams<\/strong> \u2013 Decide on a Group and Team creation strategy, as well as retention plans, external application use, and external sharing.<\/li>\n
- SharePoint<\/strong> \u2013 Determine strategies for storage management and usage, site creation and lifecycle management, and sharing.<\/li>\n
- OneDrive for Business<\/strong> \u2013 Decide on quotas and sharing strategy.<\/li>\n
- Viva Engage<\/strong> \u2013 Determine how you want to use Yammer, and how sharing and group creation will take place.<\/li>\n
- Power Automate, Power Apps, Power BI, Dynamics, Planner, Sway, Forms, and more<\/strong> \u2013 These are apps that don\u2019t have the traditional Microsoft 365 Admin Center. But don\u2019t let down your guard. They still have access, usage, and sharing policies that you need to govern.<\/li>\n
- Microsoft 365 Groups<\/strong> \u2013 You\u2019ll need a naming strategy and retention policy, ownership and membership policy, and an external sharing plan. Remember that these are the underlying organizational units for Teams, Planner, Power BI, and more.<\/li>\n<\/ul>\n
In many cases, you\u2019ll find that your existing policies will work fine and will only need to be tweaked a little. Many of these applications and processes, however, won\u2019t have well-defined policies in place, and you will need to document and manage them.<\/strong><\/p>\nTo manage and maintain all of this, however, you need to understand how your own physical servers and Microsoft\u2019s physical architecture work together to protect your company\u2019s data.<\/p>\n
<\/a>5. Physical Architecture: Security Features<\/h2>\nMicrosoft\u2019s physical architecture uses the same principles most organizations use to secure a data center. Because of the nature of Microsoft data centers and the information kept in them, securing the physical infrastructure is as paramount as data availability.<\/p>\n
Some of the physical protection features in use by Microsoft\u2019s data centers are:<\/p>\n
\n- High-security perimeter fences.<\/li>\n
- 24\/7\/365 surveillance.<\/li>\n
- Vehicle checkpoints.<\/li>\n
- World-class access procedures to facilities.\n
\n- Multi-factor, biometric entry points.<\/li>\n
- Full body metal detection.<\/li>\n<\/ul>\n<\/li>\n
- On-site hard drive destruction (shredding).<\/li>\n
- State-of-the-art fire suppression.<\/li>\n
- Secure access to physical components.<\/li>\n
- Geo-located and geo-replicated data.<\/li>\n<\/ul>\n
You are likely using many of the security features and principles listed above where they make sense in your own organizations. That\u2019s good.<\/p>\n
The question is, how will you architect your network for the change? That depends on your final goal.<\/strong><\/p>\n\n- Will you peacefully coexist?<\/li>\n
- Are you going to extend your directory to the cloud?<\/li>\n
- Do you want an isolated tunnel between your location and Office 365?<\/li>\n<\/ul>\n
Option 1: Keep Your Infrastructure<\/h3>\n
This one is really simple. You keep your infrastructure in place and allow the URLs and IP addresses required for Microsoft 365 through your firewall(s).<\/p>\n
This uses your current ISP and the public internet in the same way your users access it today. Traffic is encrypted and flows through a secure channel. Microsoft 365 and Dynamics 365 are designed for this type of access.<\/p>\n
Option 2: Use Express Route<\/h3>\n
In certain situations, we recommend ExpressRoute. You still keep your infrastructure in place, but this is a private connection between your infrastructure and Microsoft\u2019s data center through an ExpressRoute carrier, widely available in the U.S.<\/p>\n
This type of connection offers higher security, reliability and speed with lower latencies than internet connections.<\/strong> Pairing these connections with other regions requires an add-on but ensures your routing remains optimal for performance.<\/p>\nOption 3: Implement a Site-to-Site VPN<\/h3>\n
If you\u2019re planning to use an Azure infrastructure workload like a virtual network or you plan to extend or replace your Entra ID entirely, then you have a few options.<\/p>\n
You can use the ExpressRoute<\/a> solution as we discussed in Option 2, or you can connect your on-premises routers to an Azure Gateway using a site-to-site VPN<\/a>. The gateway can then provide customized access to resources with user-defined routing.<\/p>\nOption 4: Opt for a Third-Party<\/h3>\n
If you\u2019re in between a site-to-site VPN and ExpressRoute, there are plenty of third-party network appliances in the Azure marketplace that can provide faster than site-to-site VPN with secure routing between your routers and an Azure Gateway. These devices sit between options 2 and 3 above. Barracuda and Cisco are popular device providers you can check out.<\/p>\n
This is in no way a comprehensive look at the infrastructure configurations possible.<\/strong> Rather, it\u2019s a broad overview to help you start planning.<\/p>\nThere are plenty of considerations based on workload, size and directory structure that can either add complexity or simplify the above approaches.<\/p>\n
<\/a><\/h3>\n<\/a>6. Business Continuity and Disaster Recovery in Microsoft 365<\/h2>\nOnce you\u2019re fully set up in your hybrid or cloud environment, you need to implement a few additional policies and procedures, the most important of which is a business continuity and disaster recovery plan.<\/p>\n
But what is your organization ultimately responsible for versus Microsoft\u2019s role as your provider? You have plenty of options to make sure your data is protected in a worst-case scenario.<\/strong><\/p>\nMicrosoft\u2019s Responsibilities<\/h3>\n<\/a><\/h3>\nMicrosoft remains committed to transparency<\/a> when it comes to service health monitoring and outage notifications and updates. They have also implemented a system of geo-redundancy that makes it extremely unlikely for a complete Microsoft service outage to happen across all data centers and all services.<\/p>\nThe company ensures that customer data is available whenever it is needed through the following features:<\/p>\n
\n- Data storage and redundancy:<\/strong> Customer data is stored in a redundant environment with robust data protection capabilities to enable availability, business continuity, and rapid recovery. Multiple levels of data redundancy are implemented, ranging from redundant disks to guard against local disk failure to continuous, full data replication to a geographically diverse data center.<\/li>\n
- Data monitoring:<\/strong> Microsoft 365 services maintain high levels of performance by:\n
\n- Monitoring databases:<\/strong>\n
\n- Blocked processes.<\/li>\n
- Packet loss.<\/li>\n
- Queued processes.<\/li>\n
- Query latency.<\/li>\n<\/ul>\n<\/li>\n
- Completing preventative maintenance:<\/strong> Preventative maintenance includes database consistency checks, periodic data compression, and error log reviews.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Administration Responsibilities<\/h3>\n
It\u2019s up to us as the customer, however, to ensure we are aware of the level of service<\/a> we can expect and monitor the availability of our own tenants. Here are some basics for Microsoft 365:<\/p>\nExchange:<\/h4>\n\n- By default, the recoverable item store is set to keep deleted items for only 14 days.<\/li>\n
- You can increase this 14-day value, but it can only be set to a maximum of 30 days.<\/li>\n
- All Microsoft 365 licensing plans have a soft limit of 20GB of recoverable items storage per user, at which point users will receive a warning, and a hard limit of 30GB, at which point the system will delete the oldest emails first. However, individuals can configure their mailboxes with different quotas.<\/li>\n
- The litigation hold version of the recoverable items store has no size or version limits.<\/li>\n<\/ul>\n
SharePoint and OneDrive:<\/h4>\n\n- Deleted items remain in the Recycle Bin for 93 days unless the recycle bin storage exceeds its quota.<\/li>\n
- SharePoint Online data is backed up every 12 hours.<\/li>\n
- Backups are kept for an additional 14 days.<\/li>\n
- One-hour recovery point objective (RPO): Microsoft maintains a copy of your SharePoint Online data, ensuring it is less than or equal to one hour old.<\/li>\n
- Six-hour recovery time objective (RTO): If a disaster knocks out or disrupts a hosting data center, Microsoft tries to ensure that organizations can resume service within six hours after the disruption.<\/li>\n<\/ul>\n
Users have a tremendous amount of control over the deletion and restoration of their own personal documents.<\/strong> Administrators have at least 30 days to retrieve data from their tenant as data is first soft deleted.<\/p>\nDid a user account get deleted accidentally? No problem: Recreate it, synchronize it, and access the data. Of course, the two-stage recycle bin in SharePoint has been around for a while now, so no problem there, either.<\/p>\n
OneDrive users have a point-in-time restore utility built-in, so be sure users are aware of the feature.<\/p>\n
Data Retention in Office 365<\/h3>\n
Don\u2019t forget about retention policies<\/a> for data across Microsoft 365. These policies can ensure you remain legally compliant with any industry regulations you might have. Managing these policies typically requires two actions:<\/strong><\/p>\n\n- Retaining content so it can\u2019t be permanently deleted before the end of the retention period.<\/li>\n
- Deleting content permanently at the end of the retention period.<\/li>\n<\/ul>\n
With a retention policy, you can:<\/strong><\/p>\n\n- Decide proactively whether to retain content, delete content, or both \u2013 retain and then delete the content.<\/li>\n
- Apply a single policy to the entire organization or only specific locations or users.<\/li>\n
- Apply a policy to all content or just content meeting certain conditions, such as content containing specific keywords or specific types of sensitive information.<\/li>\n<\/ul>\n
<\/a>Additional Business Continuity Tips<\/h3>\nBeyond maintaining business continuity on your own using Microsoft 365’s procedures, there are a couple of other things you can do to keep your data safe:<\/p>\n
Use Outside Help<\/h4>\n
If you\u2019re interested in defining and managing what you keep, where you keep it, and how often you gather it, you also have a few options:<\/p>\n
\n- See if a hybrid or scripted solution would work.<\/li>\n
- Use a third-party SaaS solution to fill this gap.<\/li>\n<\/ul>\n
Explore Azure Cloud Security Options:<\/h4>\n
There are a few additional options from Azure Cloud<\/a> security to help you maintain your data integrity:<\/p>\n\n- Failover your on-premises environment to Azure if you can\u2019t move it all yet.<\/li>\n
- Use Azure\u2019s site recovery.<\/li>\n
- Use an Azure partner for disaster recovery.<\/li>\n<\/ul>\n
You won\u2019t find 20-plus-year-old strategies anymore for a continuity and disaster recovery scenario. Today, it\u2019s more convenient, cost-effective, and simpler to find continuity and disaster recovery as a service.<\/strong><\/p>\nBeyond disaster recovery, there are a few other operations you need to have in place to support digital asset protection in Microsoft 365.<\/p>\n
<\/a>7. Operational Support Structure for Digital Asset Protection<\/h2>\nIf you\u2019re a large enough organization, you are likely transitioning teams from their on-premises duties to new cloud responsibilities<\/a>. We typically recommend your support team is .2 percent of the organization’s supported community, so two support people for every 1,000 users.<\/strong><\/p>\nWhen we work with clients to plan, rollout or remediate Microsoft 365<\/a>, we look at the entire IT structure, the number of users, what workloads are being rolled out, and how current support structures can be modified for the cloud.<\/p>\nYour first-level help desk will be key in taking some of the repetitive tasks away from your admins, and an updated knowledge base will provide a reference to help them.<\/p>\n
If you are the help desk and the global admin, keep a knowledge base for yourself in a SharePoint list for easy reference.<\/p>\n
Service Availability Monitoring<\/h3>\n
It\u2019s up to us to ensure we are aware of the level of service we can expect and that we monitor the availability of our own tenants.<\/p>\n
If a service falls below the SLA documented by Microsoft, you will need proof of that outage. Keep an eye on the service health dashboard in the admin center.<\/p>\n
You can find service incidents in your Microsoft 365 Admin Portal, and those come in two varieties:<\/strong><\/p>\n\n- Planned maintenance events:<\/strong> Planned maintenance is regular service updates from Microsoft done to infrastructure and software applications. Notifications about planned maintenance events let customers know about service work that might affect their service from Microsoft. Customers are notified no later than five days before all planned maintenance through the message center in the admin portal. Microsoft typically plans maintenance for times when service usage is at its lowest based on regional time zones.<\/li>\n
- Unplanned downtime:<\/strong> Unplanned service incidents happen when one of the services in the Microsoft 365 suite is unexpectedly down or unavailable.<\/li>\n<\/ul>\n
Monitor the message center at least weekly, if not more often, for updated change notifications, any actions required, and expected outages. Microsoft Defender<\/a> has default alert policies configured to send admins email messages in a variety of circumstances, such as:<\/strong><\/p>\n\n- A mail flow rule has been created.<\/li>\n
- Malware is detected.<\/li>\n
- An unusual volume of email has been detected.<\/li>\n
- Unusual external user activities have been detected.<\/li>\n
- And more.<\/li>\n<\/ul>\n
The Secure Score dashboard<\/a> is a good place to start for a visual look at anomalies and for tips on what to update next. Beyond Secure Score, you can also use the following to monitor service availability:<\/p>\n\n- Microsoft 365 Admin App.<\/li>\n
- Add-in for Microsoft 365 for System Center.<\/li>\n
- The service communication API.<\/li>\n
- Third-party provider of monitoring solutions.<\/li>\n<\/ul>\n
Enhancing Monitoring and Supportability<\/h3>\n
If you are interested in enhancing out-of-the-box security monitoring, check out Microsoft Defender for Cloud Apps. This gives you further insight into activity, app use, alerts, and log reviews, among other tasks. It allows you to create policies, from templates or from scratch, that give you deeper insight into shadow IT, allowing you to better control where you store sensitive information.<\/strong><\/p>\nAnother security enhancement is Microsoft Entra ID Protection. Entra ID Protection is a collection of algorithms that determine if a user sign-in is risky or not. If you\u2019re already using conditional access, you can set up the tool to deny access if Azure determines the sign-in to be of a risky nature. This will take some testing, but you can at least determine if the sign-ins are coming from unknown IP ranges (those not associated with a country) or if the sign-ins involve impossible travel (for example, you can\u2019t sign in from an IP address in London and five minutes later sign in from a different IP address in New York).<\/p>\n
These monitoring and operations tasks usually take a few months to settle into your organization’s work pace, so be attentive and flexible early on.<\/strong> You should quickly find repetitive tasks that you can manage and automate more effectively using PowerShell<\/a> or other third-party add-ins.<\/p>\nAlmost anything you can do with the UI, you can customize and do it through PowerShell. If the built-in reports don\u2019t offer the data to meet the needs of a specific report request, the information is usually available from the output of a script. You must be a global admin to use PowerShell with Microsoft 365.<\/p>\n
<\/a>Digital Asset Protection in Microsoft 365: Final Thoughts<\/h2>\n
Digital Asset Protection in Microsoft 365: Final Thoughts<\/a><\/h2>\n
\n<\/a>Why Digital Asset Protection Is Important<\/h2>\nWhile working as a consultant at a global manufacturer in the 1990s, I first heard the phrase, \u201cSecurity is everybody\u2019s business.\u201d This company had, and likely still has, a robust security training program with videos, classes and more.<\/p>\n
I admit that I scoffed at this effort until I first flew somewhere for business. Across the aisle and one row up, a well-dressed man extracted a laptop and shared his company\u2019s financial information with all of us behind him. Then, I understood.<\/p>\n
We\u2019ve come a long way since then, yet I still get questioned today about why I use complex passwords and two-factor authentication for everything. My answer: Some service passwords in Azure require 12 characters, and I will always recommend multifactor authentication.<\/p>\n
With everything in the cloud, security is now more important than ever especially when it comes to protecting your two biggest assets: identity and information.<\/strong><\/p>\nThis blog will focus on both identity and information \u2013 from the tools available to how they work together to achieve a holistic and security-centric approach to your cloud investment in Microsoft 365<\/a> and Azure. I\u2019ll specifically dive into seven areas to keep in mind to thoroughly protect your digital assets.<\/p>\nWhile the focus won\u2019t be on the technical procedures for implementing these tools, rest assured that I\u2019ll direct you to the technical references everywhere possible.<\/p>\n
<\/a>1. Encryption for Microsoft 365 Cloud Security<\/h2>\nVigen\u00e8re. Playfair. Enigma. Sha. MD5. RSA. AES. Perhaps you have heard of these ciphers, especially the later ones like RSA and AES. Today, RSA and AES are the safest, but with every advance in computing power comes the need to update this cipher technology. With the rapidly approaching era of available DNA and Quantum computing, we\u2019ll soon be able to easily decode the final Enigma and Zodiac ciphertexts that have remained uncracked for years.<\/p>\n
RSA is the cipher used for today\u2019s public key cryptography implementation and is the public key infrastructure<\/a> widely in use. To securely facilitate the transfer of information, a message sender uses a known public key to encode a message, and the recipient uses a private key, known only to them, to decode the message.<\/strong> Handshakes and agreements between sender and receiver ensure the quality of the encoding or decoding.<\/p>\nYou can use these encryption technologies to protect assets in your Microsoft 365 platform and Azure. Here\u2019s how:<\/p>\n
<\/a><\/p>\nYour Data at Rest (Infrastructure)<\/h3>\n
When it is not being sent, received or used, your organization\u2019s data lives on a server in a datacenter<\/a>.<\/p>\nYour data is replicated for security and high availability, but while it is at rest in any Microsoft facility, it resides on a storage mechanism encrypted using Bitlocker<\/a>.<\/p>\nBe sure to gather information in the links above to reference the location of your organization\u2019s data.<\/strong> This is extremely important for topics like the General Data Protection Regulation (GDPR) in the EU and High Availability, which describes a system\u2019s ability to continue operating even when some components of that system fail.<\/p>\nYour Data in Transit (Information)<\/h3>\n
Your data in transit is the most customer-involved decision-making piece of the Microsoft 365 encryption solution. That is why we work so hard to provide updated guidance and support throughout the life of your Microsoft 365 investment.<\/p>\n
Dozens upon dozens of endpoints are available from any device and any location in the world, providing information entrance and exit paths to and from the various services Microsoft 365 and Azure offer.<\/p>\n
Protecting the information flowing through these points is critical, especially since users are historically unreliable when it comes to classifying and encrypting messages and files on their own.<\/strong><\/p>\nAt the application layer (OSI 7)<\/a>, Microsoft provides Transport Layer Security and Secure Sockets Layer (TLS\/SSL) (currently version 1.2) encryption, the successor to SSL and a means of negotiating a handshake between sender and receiver to generate agreed-upon keys to encrypt data being sent \u2013 this is also known as symmetric cryptography.<\/p>\n<\/a>Original image: https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/network\/windows-network-architecture-and-the-osi-model<\/p><\/div>\n
The sender and recipient must agree on the encryption method based on what is available to them and what is in common between them. As a result, this does not always guarantee the highest level of security, but it does guarantee the highest level of security in common between both parties.<\/p>\n
Here are some of the customer tasks involved with data-encryption information security:<\/p>\n
\n- Avoid accidental and malicious data deletion by configuring:<\/strong>\n
\n- Data Loss Prevention (DLP)<\/a> and Labels in Microsoft Purview \u2013 This is not encryption-related, but important nonetheless.<\/li>\n<\/ul>\n<\/li>\n
- Avoid accidental and malicious data exfiltration using:<\/strong>\n
\n- Azure Rights Management Service (RMS)<\/a> \u2013 Applies protection and encryption to messages and data.<\/li>\n
- Information Rights Management (IRM)<\/a> \u2013 Applies protection and classification to messages and SharePoint libraries.<\/li>\n
- Microsoft Purview Information Protection (IP)<\/a> \u2013 Applies classification, encryption, and permissions for use through policies for data and messages.<\/li>\n
- Exchange Online Protection (EOP)<\/a> along with other Exchange settings \u2013 Strengthens your basic messaging stance with rules and malware policies, to name a few.<\/li>\n<\/ul>\n<\/li>\n
- Avoid accidental and malicious data contamination using:<\/strong>\n
\n- Microsoft Defender for Office 365<\/a> \u2013 Send messages through an isolated channel to a detonation chamber to thoroughly test any message links and attachments, and remove them where necessary. Also, it is not specifically encryption-related, but it is important nonetheless.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Your Data in Use (Identity)<\/h3>\n
When you and your colleagues collaborate on a document using Microsoft Teams<\/a>, the source document resides in SharePoint by default. Whether it is OneNote, OneDrive, or a SharePoint document repository opened in Teams, Office Online, or a client, you can encrypt all communications between the client and the data source using Azure VPN Gateway.<\/p>\nIf you have configured and deployed the information encryption options previously mentioned, these will also be in use during the collaborative transport of data.<\/strong><\/p>\nIf, or when, you receive an encrypted email, your identity is verified, and permissions for the message and its attachments are maintained using IP in concert with Azure RMS. This information is only visible with a protected viewer (client or browser) and is otherwise encrypted at all times.<\/p>\n
Users can set the encryption, or it can be done automatically using various criteria set in the IP control panel. My colleague Veenus Maximiuk does a much more thorough job of explaining this in her blogs<\/a>, so I\u2019ll leave the details to her.<\/p>\nYour organization\u2019s discussions around each encryption technology mentioned above will depend on what features of Enterprise Mobility + Security (EMS) you\u2019re going to deploy and what hybrid design elements are in place. The solution will not be single-sized and will differ, sometimes drastically, between organizations.<\/p>\n
One major factor to consider while determining which features are best for your digital asset protection needs is the legal regulations that impact your organization.<\/p>\n
<\/a>2. Microsoft 365 for Legal Compliance<\/h2>\nThe tools you need for security and legal compliance<\/a>, transparency<\/a>, and reporting<\/a> are in the Microsoft Purview compliance portal and various other Microsoft sites specific to these topics. This compliance portal is the hub for legal work and protects your data using specific user roles for different operations in the center.<\/p>\nMicrosoft maintains a high level of transparency, trust and certifications surrounding the services it offers in the cloud, and you can locate any information your legal department requires using the above links.<\/p>\n
Digital asset protection plays a major role in both security and compliance. There was no shortage of security incidents in 2023<\/a>, and all of them had legal implications in some measure.<\/strong><\/p>\nFor example, I was fortunate enough to be able to provide guidance and technical assistance in an incident involving a Microsoft 365 user in a foreign country who was involved in a legal investigation.<\/p>\n
The legal team requested that an email be held, which is as simple as a checkbox and a duration option. However, they were unaware that there were also options for locating and holding data in place in other locations, such as Groups, Teams, SharePoint, and OneDrive.<\/p>\n
For this particular incident, we used an eDiscovery case to perform all the required holds, content searches, and exports. An eDiscovery case allows us to create a case, assign users, search for content, select locations where we want to search, retain that data, report on it, and finally export it for transport.<\/p>\n
I only encountered a few issues at the time, and the main one was the time frame. I didn\u2019t know anything about the case \u2013 and I like to keep it that way \u2013 but we had 72 hours to make usable data available to the legal team in the other country.<\/p>\n
With about 150Gb in the mailbox, it was slow \u2013 Microsoft has made improvements to increase the speed of operations, and it is much faster now \u2013 and had to be split into multiple files.<\/p>\n
One thing we know for sure when trying to find what you need: Narrow down those searches using filters and locations to get exactly what you\u2019re looking for for your case!<\/strong> You will save time, reduce throughput issues like timeouts, create more space, and probably some more time.<\/p>\nSecurity and Compliance Center Capabilities<\/h3>\n
So, what do you need, and what are your capabilities in the Microsoft Purview compliance portal?<\/p>\n
First, you\u2019ll need a Microsoft 365 Enterprise E3 license or a la carte P2 licenses for Exchange and SharePoint to retain user data. Also, if you need enhanced security and management, you\u2019ll need an EMS license to use Microsoft Purview IP, as well as advanced features of MFA, and more.<\/p>\n
Next, use the following tools as needed within your organization:<\/p>\n
\n- Classification labels and DLP policies<\/strong> \u2013 To retain, detect or delete particular information for a period of time. The GDPR Dashboard brings these tools together quite nicely as well.<\/li>\n
- Content Search<\/strong> \u2013 To find the information you need, based on the criteria you have, in the locations you select, and for the individual who creates and uses it.<\/li>\n
- Audit Log<\/strong> \u2013 To search for and locate any administrative activities for an individual or by a particular administrator.<\/li>\n
- eDiscovery<\/strong> \u2013 Serves as a complete management tool for legal cases, including searching, holding, exporting, and reporting on user data. I\u2019ve also used the eDiscovery tool in the past to retain departed employees\u2019 information for a required period of time.<\/li>\n<\/ul>\n
There are plenty of tools available for this and, with the use of archive mailboxes and other strategies, plenty of storage available for these operations.<\/p>\n
It is important to remember that once you put a user\u2019s data location on hold, that data and any data generated by the user from that point forward will be retained. I have yet to see any organization deplete their tenant space entirely, much less with eDiscovery as the reason (and I\u2019ve seen some really large operations using a lot of space).<\/p>\n
But in order to do anything with a specific user\u2019s data location or other information, you need to make sure your company has a strategy for identity control<\/a>.<\/strong><\/p>\n<\/a>3. A New Strategy for Identity Control<\/h2>\nPrior to transforming your business to meet today\u2019s needs, you probably created an account for your user in your company\u2019s directory.<\/p>\n
You likely provided that account with permissions to folders and applications on your network \u2013 perhaps individually or in groups. And, you fully understand where your users will be logging in, from what devices, and at what times.<\/p>\n
But with today\u2019s business anywhere mentality, you can no longer protect your digital assets and users\u2019 identities using the old methodologies for on-premises networks. And if your company isn\u2019t ready or cannot be completely in the cloud, then you\u2019ll need a hybrid strategy.<\/p>\n
Steps to Identity Control in a Hybrid Environment<\/h3>\n
Enter Azure role-based access control (RBAC)<\/a>, Microsoft Entra Privileged Identity Management (PIM)<\/a>, Microsoft Entra ID Protection<\/a>, and the Microsoft Graph Security API based on machine learning and AI<\/a>.<\/p>\nWhen you make a move to a hybrid cloud scenario you will need these. You will also want Microsoft Intune for device management, which is the other side of the identity control scenario.<\/p>\n
The hybrid strategy will remain until all your existing software solutions \u2013 HR, payroll, receivables, and more \u2013 are also in the cloud, and you\u2019re prepared to decommission your entire local infrastructure.<\/p>\n
This is also the case whether you\u2019re using Microsoft Entra ID or another third-party directory, single sign-on, or multifactor authorization provider.<\/p>\n
<\/a><\/p>\n1. Determine your cloud identity model<\/a>.<\/h4>\nIf you already have infrastructure available for identity management, check to see if you can federate that with Microsoft 365 and Azure. It\u2019s a simple process, even if you need to synchronize a .local domain. In this case, you will manage your accounts on-premises, including password policies, authentication management, and resource requests.<\/p>\n
2. Define roles, resources and strategies.<\/h4>\n
Determine what applications will be available in the cloud, what roles you\u2019ll use to assign users access to resources, and most importantly, clearly define a group strategy. There are consequences to different types of group creation in Microsoft Entra ID that you should be aware of prior to a migration.<\/p>\n
Keep in mind that these decisions don\u2019t take place in a vacuum, and you will need to carefully consider this as a sub-project of your overall cloud migration project.<\/p>\n
3. Review additional options.<\/h4>\n
Take a look at the additional options available to you in the Microsoft Entra ID Premium subscriptions, most importantly ID Protection<\/a> and Privileged Identity Management<\/a>:<\/p>\n\n- ID Protection<\/strong> \u2013 risk-based logging and alerts to determine potentially harmful sign-ins, sign-ins from impossible locations, and automated remediation.<\/li>\n
- Privileged Identity Management<\/strong> \u2013 assign just-in-time (JIT) access to provide a user with elevated access during a specified time window and just-enough-access (JEA) to provide least privileged access to resources.<\/li>\n<\/ul>\n
4. Establish conditional access policies.<\/h4>\n
In the Entra ID P1 subscription, you\u2019ll find the opportunity to create conditional access<\/a> policies. If you don\u2019t already have a second-factor authentication provider and policy in place, I recommend exploring the use of conditional access policies to enforce MFA and for a variety of other reasons, especially with the use of mobile devices and your Windows 11 infrastructure.<\/p>\nOnce you\u2019ve established who will have access to what, you need to make sure you have security policies in place so that each person knows how to treat your company\u2019s data and keep your organization safe.<\/strong><\/p>\n<\/a>4. Security Policies in Microsoft 365<\/h2>\nLet\u2019s first make a distinction between the types of policies you have to work with when establishing digital asset protection.<\/p>\n
First, there are policies in Microsoft 365 and Azure such as passwords, DLP, labels, Threat management, data governance<\/a>, and mobile device management. These are the policies you can create in your Microsoft 365 and Azure tenants, and they consist of settings that were likely decided upon in your security requirements meetings. These should be part of your baseline platform documentation already.<\/strong><\/p>\nThere are, however, other policies that you\u2019ll need, and they\u2019re vital to your organization\u2019s operations. These are documented policies that cannot change without your governance board or boards\u2019 approval.<\/p>\n
Identity Policy<\/h3>\n
This type of policy covers items that protect your users, their personal information, and access to your systems.<\/p>\n
\n- Passwords<\/strong> \u2013 It\u2019s likely your company manages your password policies on-premises and not in the cloud, but make sure these are documented and updated. NIST\u2019s guidelines<\/a> can help.<\/li>\n
- Multifactor Authentication<\/strong><\/a> \u2013 Due to NIST\u2019s guidelines, you will want to enforce this for all admins and all mobile or off-network logins.<\/li>\n
- Data Loss Prevention<\/strong> \u2013 Automatically label documents and emails containing social security numbers or credit cards, and prevent them from being shared outside the organization.<\/li>\n
- Mobile Devices<\/strong> \u2013 Use some type of device management to govern what devices can connect to your tenant, what apps they can use, and what users can do with those apps.<\/li>\n
- Administration and Support<\/strong> \u2013 Use roles to determine who will administer what portions of your tenant and when they will have access.<\/li>\n
- Onboarding and Offboarding<\/strong> \u2013 Be sure to document your process and make concessions for data handling when users leave, especially in a hybrid environment.<\/li>\n<\/ul>\n
Information Policy<\/h3>\n
This type of policy governs the ingress and egress of your company\u2019s data.<\/p>\n
\n- External Sharing<\/strong> \u2013 Document who can share, what they can share, where they can share from, and how to monitor sharing.<\/li>\n
- Classification and Encryption<\/strong> \u2013 Use IP to allow users to classify, automatically classify, and encrypt information in your tenant.<\/li>\n
- Retention<\/strong> \u2013 Manage the lifecycle of your data and determine when or if it can be deleted so you retain critical data.<\/li>\n<\/ul>\n
Governance Policy<\/h3>\n
This type of policy will help you maintain control over the permissions your users have to use your systems.<\/p>\n
\n- Exchange<\/strong> \u2013 Document what services your company allows, who can use them, and how to effectively monitor and adjust as needed.<\/li>\n
- Teams<\/strong> \u2013 Decide on a Group and Team creation strategy, as well as retention plans, external application use, and external sharing.<\/li>\n
- SharePoint<\/strong> \u2013 Determine strategies for storage management and usage, site creation and lifecycle management, and sharing.<\/li>\n
- OneDrive for Business<\/strong> \u2013 Decide on quotas and sharing strategy.<\/li>\n
- Viva Engage<\/strong> \u2013 Determine how you want to use Yammer, and how sharing and group creation will take place.<\/li>\n
- Power Automate, Power Apps, Power BI, Dynamics, Planner, Sway, Forms, and more<\/strong> \u2013 These are apps that don\u2019t have the traditional Microsoft 365 Admin Center. But don\u2019t let down your guard. They still have access, usage, and sharing policies that you need to govern.<\/li>\n
- Microsoft 365 Groups<\/strong> \u2013 You\u2019ll need a naming strategy and retention policy, ownership and membership policy, and an external sharing plan. Remember that these are the underlying organizational units for Teams, Planner, Power BI, and more.<\/li>\n<\/ul>\n
In many cases, you\u2019ll find that your existing policies will work fine and will only need to be tweaked a little. Many of these applications and processes, however, won\u2019t have well-defined policies in place, and you will need to document and manage them.<\/strong><\/p>\nTo manage and maintain all of this, however, you need to understand how your own physical servers and Microsoft\u2019s physical architecture work together to protect your company\u2019s data.<\/p>\n
<\/a>5. Physical Architecture: Security Features<\/h2>\nMicrosoft\u2019s physical architecture uses the same principles most organizations use to secure a data center. Because of the nature of Microsoft data centers and the information kept in them, securing the physical infrastructure is as paramount as data availability.<\/p>\n
Some of the physical protection features in use by Microsoft\u2019s data centers are:<\/p>\n
\n- High-security perimeter fences.<\/li>\n
- 24\/7\/365 surveillance.<\/li>\n
- Vehicle checkpoints.<\/li>\n
- World-class access procedures to facilities.\n
\n- Multi-factor, biometric entry points.<\/li>\n
- Full body metal detection.<\/li>\n<\/ul>\n<\/li>\n
- On-site hard drive destruction (shredding).<\/li>\n
- State-of-the-art fire suppression.<\/li>\n
- Secure access to physical components.<\/li>\n
- Geo-located and geo-replicated data.<\/li>\n<\/ul>\n
You are likely using many of the security features and principles listed above where they make sense in your own organizations. That\u2019s good.<\/p>\n
The question is, how will you architect your network for the change? That depends on your final goal.<\/strong><\/p>\n\n- Will you peacefully coexist?<\/li>\n
- Are you going to extend your directory to the cloud?<\/li>\n
- Do you want an isolated tunnel between your location and Office 365?<\/li>\n<\/ul>\n
Option 1: Keep Your Infrastructure<\/h3>\n
This one is really simple. You keep your infrastructure in place and allow the URLs and IP addresses required for Microsoft 365 through your firewall(s).<\/p>\n
This uses your current ISP and the public internet in the same way your users access it today. Traffic is encrypted and flows through a secure channel. Microsoft 365 and Dynamics 365 are designed for this type of access.<\/p>\n
Option 2: Use Express Route<\/h3>\n
In certain situations, we recommend ExpressRoute. You still keep your infrastructure in place, but this is a private connection between your infrastructure and Microsoft\u2019s data center through an ExpressRoute carrier, widely available in the U.S.<\/p>\n
This type of connection offers higher security, reliability and speed with lower latencies than internet connections.<\/strong> Pairing these connections with other regions requires an add-on but ensures your routing remains optimal for performance.<\/p>\nOption 3: Implement a Site-to-Site VPN<\/h3>\n
If you\u2019re planning to use an Azure infrastructure workload like a virtual network or you plan to extend or replace your Entra ID entirely, then you have a few options.<\/p>\n
You can use the ExpressRoute<\/a> solution as we discussed in Option 2, or you can connect your on-premises routers to an Azure Gateway using a site-to-site VPN<\/a>. The gateway can then provide customized access to resources with user-defined routing.<\/p>\nOption 4: Opt for a Third-Party<\/h3>\n
If you\u2019re in between a site-to-site VPN and ExpressRoute, there are plenty of third-party network appliances in the Azure marketplace that can provide faster than site-to-site VPN with secure routing between your routers and an Azure Gateway. These devices sit between options 2 and 3 above. Barracuda and Cisco are popular device providers you can check out.<\/p>\n
This is in no way a comprehensive look at the infrastructure configurations possible.<\/strong> Rather, it\u2019s a broad overview to help you start planning.<\/p>\nThere are plenty of considerations based on workload, size and directory structure that can either add complexity or simplify the above approaches.<\/p>\n
<\/a><\/h3>\n<\/a>6. Business Continuity and Disaster Recovery in Microsoft 365<\/h2>\nOnce you\u2019re fully set up in your hybrid or cloud environment, you need to implement a few additional policies and procedures, the most important of which is a business continuity and disaster recovery plan.<\/p>\n
But what is your organization ultimately responsible for versus Microsoft\u2019s role as your provider? You have plenty of options to make sure your data is protected in a worst-case scenario.<\/strong><\/p>\nMicrosoft\u2019s Responsibilities<\/h3>\n<\/a><\/h3>\nMicrosoft remains committed to transparency<\/a> when it comes to service health monitoring and outage notifications and updates. They have also implemented a system of geo-redundancy that makes it extremely unlikely for a complete Microsoft service outage to happen across all data centers and all services.<\/p>\nThe company ensures that customer data is available whenever it is needed through the following features:<\/p>\n
\n- Data storage and redundancy:<\/strong> Customer data is stored in a redundant environment with robust data protection capabilities to enable availability, business continuity, and rapid recovery. Multiple levels of data redundancy are implemented, ranging from redundant disks to guard against local disk failure to continuous, full data replication to a geographically diverse data center.<\/li>\n
- Data monitoring:<\/strong> Microsoft 365 services maintain high levels of performance by:\n
\n- Monitoring databases:<\/strong>\n
\n- Blocked processes.<\/li>\n
- Packet loss.<\/li>\n
- Queued processes.<\/li>\n
- Query latency.<\/li>\n<\/ul>\n<\/li>\n
- Completing preventative maintenance:<\/strong> Preventative maintenance includes database consistency checks, periodic data compression, and error log reviews.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Administration Responsibilities<\/h3>\n
It\u2019s up to us as the customer, however, to ensure we are aware of the level of service<\/a> we can expect and monitor the availability of our own tenants. Here are some basics for Microsoft 365:<\/p>\nExchange:<\/h4>\n\n- By default, the recoverable item store is set to keep deleted items for only 14 days.<\/li>\n
- You can increase this 14-day value, but it can only be set to a maximum of 30 days.<\/li>\n
- All Microsoft 365 licensing plans have a soft limit of 20GB of recoverable items storage per user, at which point users will receive a warning, and a hard limit of 30GB, at which point the system will delete the oldest emails first. However, individuals can configure their mailboxes with different quotas.<\/li>\n
- The litigation hold version of the recoverable items store has no size or version limits.<\/li>\n<\/ul>\n
SharePoint and OneDrive:<\/h4>\n\n- Deleted items remain in the Recycle Bin for 93 days unless the recycle bin storage exceeds its quota.<\/li>\n
- SharePoint Online data is backed up every 12 hours.<\/li>\n
- Backups are kept for an additional 14 days.<\/li>\n
- One-hour recovery point objective (RPO): Microsoft maintains a copy of your SharePoint Online data, ensuring it is less than or equal to one hour old.<\/li>\n
- Six-hour recovery time objective (RTO): If a disaster knocks out or disrupts a hosting data center, Microsoft tries to ensure that organizations can resume service within six hours after the disruption.<\/li>\n<\/ul>\n
Users have a tremendous amount of control over the deletion and restoration of their own personal documents.<\/strong> Administrators have at least 30 days to retrieve data from their tenant as data is first soft deleted.<\/p>\nDid a user account get deleted accidentally? No problem: Recreate it, synchronize it, and access the data. Of course, the two-stage recycle bin in SharePoint has been around for a while now, so no problem there, either.<\/p>\n
OneDrive users have a point-in-time restore utility built-in, so be sure users are aware of the feature.<\/p>\n
Data Retention in Office 365<\/h3>\n
Don\u2019t forget about retention policies<\/a> for data across Microsoft 365. These policies can ensure you remain legally compliant with any industry regulations you might have. Managing these policies typically requires two actions:<\/strong><\/p>\n\n- Retaining content so it can\u2019t be permanently deleted before the end of the retention period.<\/li>\n
- Deleting content permanently at the end of the retention period.<\/li>\n<\/ul>\n
With a retention policy, you can:<\/strong><\/p>\n\n- Decide proactively whether to retain content, delete content, or both \u2013 retain and then delete the content.<\/li>\n
- Apply a single policy to the entire organization or only specific locations or users.<\/li>\n
- Apply a policy to all content or just content meeting certain conditions, such as content containing specific keywords or specific types of sensitive information.<\/li>\n<\/ul>\n
<\/a>Additional Business Continuity Tips<\/h3>\nBeyond maintaining business continuity on your own using Microsoft 365’s procedures, there are a couple of other things you can do to keep your data safe:<\/p>\n
Use Outside Help<\/h4>\n
If you\u2019re interested in defining and managing what you keep, where you keep it, and how often you gather it, you also have a few options:<\/p>\n
\n- See if a hybrid or scripted solution would work.<\/li>\n
- Use a third-party SaaS solution to fill this gap.<\/li>\n<\/ul>\n
Explore Azure Cloud Security Options:<\/h4>\n
There are a few additional options from Azure Cloud<\/a> security to help you maintain your data integrity:<\/p>\n\n- Failover your on-premises environment to Azure if you can\u2019t move it all yet.<\/li>\n
- Use Azure\u2019s site recovery.<\/li>\n
- Use an Azure partner for disaster recovery.<\/li>\n<\/ul>\n
You won\u2019t find 20-plus-year-old strategies anymore for a continuity and disaster recovery scenario. Today, it\u2019s more convenient, cost-effective, and simpler to find continuity and disaster recovery as a service.<\/strong><\/p>\nBeyond disaster recovery, there are a few other operations you need to have in place to support digital asset protection in Microsoft 365.<\/p>\n
<\/a>7. Operational Support Structure for Digital Asset Protection<\/h2>\nIf you\u2019re a large enough organization, you are likely transitioning teams from their on-premises duties to new cloud responsibilities<\/a>. We typically recommend your support team is .2 percent of the organization’s supported community, so two support people for every 1,000 users.<\/strong><\/p>\nWhen we work with clients to plan, rollout or remediate Microsoft 365<\/a>, we look at the entire IT structure, the number of users, what workloads are being rolled out, and how current support structures can be modified for the cloud.<\/p>\nYour first-level help desk will be key in taking some of the repetitive tasks away from your admins, and an updated knowledge base will provide a reference to help them.<\/p>\n
If you are the help desk and the global admin, keep a knowledge base for yourself in a SharePoint list for easy reference.<\/p>\n
Service Availability Monitoring<\/h3>\n
It\u2019s up to us to ensure we are aware of the level of service we can expect and that we monitor the availability of our own tenants.<\/p>\n
If a service falls below the SLA documented by Microsoft, you will need proof of that outage. Keep an eye on the service health dashboard in the admin center.<\/p>\n
You can find service incidents in your Microsoft 365 Admin Portal, and those come in two varieties:<\/strong><\/p>\n\n- Planned maintenance events:<\/strong> Planned maintenance is regular service updates from Microsoft done to infrastructure and software applications. Notifications about planned maintenance events let customers know about service work that might affect their service from Microsoft. Customers are notified no later than five days before all planned maintenance through the message center in the admin portal. Microsoft typically plans maintenance for times when service usage is at its lowest based on regional time zones.<\/li>\n
- Unplanned downtime:<\/strong> Unplanned service incidents happen when one of the services in the Microsoft 365 suite is unexpectedly down or unavailable.<\/li>\n<\/ul>\n
Monitor the message center at least weekly, if not more often, for updated change notifications, any actions required, and expected outages. Microsoft Defender<\/a> has default alert policies configured to send admins email messages in a variety of circumstances, such as:<\/strong><\/p>\n\n- A mail flow rule has been created.<\/li>\n
- Malware is detected.<\/li>\n
- An unusual volume of email has been detected.<\/li>\n
- Unusual external user activities have been detected.<\/li>\n
- And more.<\/li>\n<\/ul>\n
The Secure Score dashboard<\/a> is a good place to start for a visual look at anomalies and for tips on what to update next. Beyond Secure Score, you can also use the following to monitor service availability:<\/p>\n\n- Microsoft 365 Admin App.<\/li>\n
- Add-in for Microsoft 365 for System Center.<\/li>\n
- The service communication API.<\/li>\n
- Third-party provider of monitoring solutions.<\/li>\n<\/ul>\n
Enhancing Monitoring and Supportability<\/h3>\n
If you are interested in enhancing out-of-the-box security monitoring, check out Microsoft Defender for Cloud Apps. This gives you further insight into activity, app use, alerts, and log reviews, among other tasks. It allows you to create policies, from templates or from scratch, that give you deeper insight into shadow IT, allowing you to better control where you store sensitive information.<\/strong><\/p>\nAnother security enhancement is Microsoft Entra ID Protection. Entra ID Protection is a collection of algorithms that determine if a user sign-in is risky or not. If you\u2019re already using conditional access, you can set up the tool to deny access if Azure determines the sign-in to be of a risky nature. This will take some testing, but you can at least determine if the sign-ins are coming from unknown IP ranges (those not associated with a country) or if the sign-ins involve impossible travel (for example, you can\u2019t sign in from an IP address in London and five minutes later sign in from a different IP address in New York).<\/p>\n
These monitoring and operations tasks usually take a few months to settle into your organization’s work pace, so be attentive and flexible early on.<\/strong> You should quickly find repetitive tasks that you can manage and automate more effectively using PowerShell<\/a> or other third-party add-ins.<\/p>\nAlmost anything you can do with the UI, you can customize and do it through PowerShell. If the built-in reports don\u2019t offer the data to meet the needs of a specific report request, the information is usually available from the output of a script. You must be a global admin to use PowerShell with Microsoft 365.<\/p>\n
<\/a>Digital Asset Protection in Microsoft 365: Final Thoughts<\/h2>\n
While working as a consultant at a global manufacturer in the 1990s, I first heard the phrase, \u201cSecurity is everybody\u2019s business.\u201d This company had, and likely still has, a robust security training program with videos, classes and more.<\/p>\n
I admit that I scoffed at this effort until I first flew somewhere for business. Across the aisle and one row up, a well-dressed man extracted a laptop and shared his company\u2019s financial information with all of us behind him. Then, I understood.<\/p>\n
We\u2019ve come a long way since then, yet I still get questioned today about why I use complex passwords and two-factor authentication for everything. My answer: Some service passwords in Azure require 12 characters, and I will always recommend multifactor authentication.<\/p>\n
With everything in the cloud, security is now more important than ever especially when it comes to protecting your two biggest assets: identity and information.<\/strong><\/p>\n This blog will focus on both identity and information \u2013 from the tools available to how they work together to achieve a holistic and security-centric approach to your cloud investment in Microsoft 365<\/a> and Azure. I\u2019ll specifically dive into seven areas to keep in mind to thoroughly protect your digital assets.<\/p>\n While the focus won\u2019t be on the technical procedures for implementing these tools, rest assured that I\u2019ll direct you to the technical references everywhere possible.<\/p>\n Vigen\u00e8re. Playfair. Enigma. Sha. MD5. RSA. AES. Perhaps you have heard of these ciphers, especially the later ones like RSA and AES. Today, RSA and AES are the safest, but with every advance in computing power comes the need to update this cipher technology. With the rapidly approaching era of available DNA and Quantum computing, we\u2019ll soon be able to easily decode the final Enigma and Zodiac ciphertexts that have remained uncracked for years.<\/p>\n RSA is the cipher used for today\u2019s public key cryptography implementation and is the public key infrastructure<\/a> widely in use. To securely facilitate the transfer of information, a message sender uses a known public key to encode a message, and the recipient uses a private key, known only to them, to decode the message.<\/strong> Handshakes and agreements between sender and receiver ensure the quality of the encoding or decoding.<\/p>\n You can use these encryption technologies to protect assets in your Microsoft 365 platform and Azure. Here\u2019s how:<\/p>\n When it is not being sent, received or used, your organization\u2019s data lives on a server in a datacenter<\/a>.<\/p>\n Your data is replicated for security and high availability, but while it is at rest in any Microsoft facility, it resides on a storage mechanism encrypted using Bitlocker<\/a>.<\/p>\n Be sure to gather information in the links above to reference the location of your organization\u2019s data.<\/strong> This is extremely important for topics like the General Data Protection Regulation (GDPR) in the EU and High Availability, which describes a system\u2019s ability to continue operating even when some components of that system fail.<\/p>\n Your data in transit is the most customer-involved decision-making piece of the Microsoft 365 encryption solution. That is why we work so hard to provide updated guidance and support throughout the life of your Microsoft 365 investment.<\/p>\n Dozens upon dozens of endpoints are available from any device and any location in the world, providing information entrance and exit paths to and from the various services Microsoft 365 and Azure offer.<\/p>\n Protecting the information flowing through these points is critical, especially since users are historically unreliable when it comes to classifying and encrypting messages and files on their own.<\/strong><\/p>\n At the application layer (OSI 7)<\/a>, Microsoft provides Transport Layer Security and Secure Sockets Layer (TLS\/SSL) (currently version 1.2) encryption, the successor to SSL and a means of negotiating a handshake between sender and receiver to generate agreed-upon keys to encrypt data being sent \u2013 this is also known as symmetric cryptography.<\/p>\n Original image: https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/network\/windows-network-architecture-and-the-osi-model<\/p><\/div>\n The sender and recipient must agree on the encryption method based on what is available to them and what is in common between them. As a result, this does not always guarantee the highest level of security, but it does guarantee the highest level of security in common between both parties.<\/p>\n Here are some of the customer tasks involved with data-encryption information security:<\/p>\n When you and your colleagues collaborate on a document using Microsoft Teams<\/a>, the source document resides in SharePoint by default. Whether it is OneNote, OneDrive, or a SharePoint document repository opened in Teams, Office Online, or a client, you can encrypt all communications between the client and the data source using Azure VPN Gateway.<\/p>\n If you have configured and deployed the information encryption options previously mentioned, these will also be in use during the collaborative transport of data.<\/strong><\/p>\n If, or when, you receive an encrypted email, your identity is verified, and permissions for the message and its attachments are maintained using IP in concert with Azure RMS. This information is only visible with a protected viewer (client or browser) and is otherwise encrypted at all times.<\/p>\n Users can set the encryption, or it can be done automatically using various criteria set in the IP control panel. My colleague Veenus Maximiuk does a much more thorough job of explaining this in her blogs<\/a>, so I\u2019ll leave the details to her.<\/p>\n Your organization\u2019s discussions around each encryption technology mentioned above will depend on what features of Enterprise Mobility + Security (EMS) you\u2019re going to deploy and what hybrid design elements are in place. The solution will not be single-sized and will differ, sometimes drastically, between organizations.<\/p>\n One major factor to consider while determining which features are best for your digital asset protection needs is the legal regulations that impact your organization.<\/p>\n The tools you need for security and legal compliance<\/a>, transparency<\/a>, and reporting<\/a> are in the Microsoft Purview compliance portal and various other Microsoft sites specific to these topics. This compliance portal is the hub for legal work and protects your data using specific user roles for different operations in the center.<\/p>\n Microsoft maintains a high level of transparency, trust and certifications surrounding the services it offers in the cloud, and you can locate any information your legal department requires using the above links.<\/p>\n Digital asset protection plays a major role in both security and compliance. There was no shortage of security incidents in 2023<\/a>, and all of them had legal implications in some measure.<\/strong><\/p>\n For example, I was fortunate enough to be able to provide guidance and technical assistance in an incident involving a Microsoft 365 user in a foreign country who was involved in a legal investigation.<\/p>\n The legal team requested that an email be held, which is as simple as a checkbox and a duration option. However, they were unaware that there were also options for locating and holding data in place in other locations, such as Groups, Teams, SharePoint, and OneDrive.<\/p>\n For this particular incident, we used an eDiscovery case to perform all the required holds, content searches, and exports. An eDiscovery case allows us to create a case, assign users, search for content, select locations where we want to search, retain that data, report on it, and finally export it for transport.<\/p>\n I only encountered a few issues at the time, and the main one was the time frame. I didn\u2019t know anything about the case \u2013 and I like to keep it that way \u2013 but we had 72 hours to make usable data available to the legal team in the other country.<\/p>\n With about 150Gb in the mailbox, it was slow \u2013 Microsoft has made improvements to increase the speed of operations, and it is much faster now \u2013 and had to be split into multiple files.<\/p>\n One thing we know for sure when trying to find what you need: Narrow down those searches using filters and locations to get exactly what you\u2019re looking for for your case!<\/strong> You will save time, reduce throughput issues like timeouts, create more space, and probably some more time.<\/p>\n So, what do you need, and what are your capabilities in the Microsoft Purview compliance portal?<\/p>\n First, you\u2019ll need a Microsoft 365 Enterprise E3 license or a la carte P2 licenses for Exchange and SharePoint to retain user data. Also, if you need enhanced security and management, you\u2019ll need an EMS license to use Microsoft Purview IP, as well as advanced features of MFA, and more.<\/p>\n Next, use the following tools as needed within your organization:<\/p>\n There are plenty of tools available for this and, with the use of archive mailboxes and other strategies, plenty of storage available for these operations.<\/p>\n It is important to remember that once you put a user\u2019s data location on hold, that data and any data generated by the user from that point forward will be retained. I have yet to see any organization deplete their tenant space entirely, much less with eDiscovery as the reason (and I\u2019ve seen some really large operations using a lot of space).<\/p>\n But in order to do anything with a specific user\u2019s data location or other information, you need to make sure your company has a strategy for identity control<\/a>.<\/strong><\/p>\n Prior to transforming your business to meet today\u2019s needs, you probably created an account for your user in your company\u2019s directory.<\/p>\n You likely provided that account with permissions to folders and applications on your network \u2013 perhaps individually or in groups. And, you fully understand where your users will be logging in, from what devices, and at what times.<\/p>\n But with today\u2019s business anywhere mentality, you can no longer protect your digital assets and users\u2019 identities using the old methodologies for on-premises networks. And if your company isn\u2019t ready or cannot be completely in the cloud, then you\u2019ll need a hybrid strategy.<\/p>\n Enter Azure role-based access control (RBAC)<\/a>, Microsoft Entra Privileged Identity Management (PIM)<\/a>, Microsoft Entra ID Protection<\/a>, and the Microsoft Graph Security API based on machine learning and AI<\/a>.<\/p>\n When you make a move to a hybrid cloud scenario you will need these. You will also want Microsoft Intune for device management, which is the other side of the identity control scenario.<\/p>\n The hybrid strategy will remain until all your existing software solutions \u2013 HR, payroll, receivables, and more \u2013 are also in the cloud, and you\u2019re prepared to decommission your entire local infrastructure.<\/p>\n This is also the case whether you\u2019re using Microsoft Entra ID or another third-party directory, single sign-on, or multifactor authorization provider.<\/p>\n If you already have infrastructure available for identity management, check to see if you can federate that with Microsoft 365 and Azure. It\u2019s a simple process, even if you need to synchronize a .local domain. In this case, you will manage your accounts on-premises, including password policies, authentication management, and resource requests.<\/p>\n Determine what applications will be available in the cloud, what roles you\u2019ll use to assign users access to resources, and most importantly, clearly define a group strategy. There are consequences to different types of group creation in Microsoft Entra ID that you should be aware of prior to a migration.<\/p>\n Keep in mind that these decisions don\u2019t take place in a vacuum, and you will need to carefully consider this as a sub-project of your overall cloud migration project.<\/p>\n Take a look at the additional options available to you in the Microsoft Entra ID Premium subscriptions, most importantly ID Protection<\/a> and Privileged Identity Management<\/a>:<\/p>\n In the Entra ID P1 subscription, you\u2019ll find the opportunity to create conditional access<\/a> policies. If you don\u2019t already have a second-factor authentication provider and policy in place, I recommend exploring the use of conditional access policies to enforce MFA and for a variety of other reasons, especially with the use of mobile devices and your Windows 11 infrastructure.<\/p>\n Once you\u2019ve established who will have access to what, you need to make sure you have security policies in place so that each person knows how to treat your company\u2019s data and keep your organization safe.<\/strong><\/p>\n Let\u2019s first make a distinction between the types of policies you have to work with when establishing digital asset protection.<\/p>\n First, there are policies in Microsoft 365 and Azure such as passwords, DLP, labels, Threat management, data governance<\/a>, and mobile device management. These are the policies you can create in your Microsoft 365 and Azure tenants, and they consist of settings that were likely decided upon in your security requirements meetings. These should be part of your baseline platform documentation already.<\/strong><\/p>\n There are, however, other policies that you\u2019ll need, and they\u2019re vital to your organization\u2019s operations. These are documented policies that cannot change without your governance board or boards\u2019 approval.<\/p>\n This type of policy covers items that protect your users, their personal information, and access to your systems.<\/p>\n This type of policy governs the ingress and egress of your company\u2019s data.<\/p>\n This type of policy will help you maintain control over the permissions your users have to use your systems.<\/p>\n In many cases, you\u2019ll find that your existing policies will work fine and will only need to be tweaked a little. Many of these applications and processes, however, won\u2019t have well-defined policies in place, and you will need to document and manage them.<\/strong><\/p>\n To manage and maintain all of this, however, you need to understand how your own physical servers and Microsoft\u2019s physical architecture work together to protect your company\u2019s data.<\/p>\n Microsoft\u2019s physical architecture uses the same principles most organizations use to secure a data center. Because of the nature of Microsoft data centers and the information kept in them, securing the physical infrastructure is as paramount as data availability.<\/p>\n Some of the physical protection features in use by Microsoft\u2019s data centers are:<\/p>\n You are likely using many of the security features and principles listed above where they make sense in your own organizations. That\u2019s good.<\/p>\n The question is, how will you architect your network for the change? That depends on your final goal.<\/strong><\/p>\n This one is really simple. You keep your infrastructure in place and allow the URLs and IP addresses required for Microsoft 365 through your firewall(s).<\/p>\n This uses your current ISP and the public internet in the same way your users access it today. Traffic is encrypted and flows through a secure channel. Microsoft 365 and Dynamics 365 are designed for this type of access.<\/p>\n In certain situations, we recommend ExpressRoute. You still keep your infrastructure in place, but this is a private connection between your infrastructure and Microsoft\u2019s data center through an ExpressRoute carrier, widely available in the U.S.<\/p>\n This type of connection offers higher security, reliability and speed with lower latencies than internet connections.<\/strong> Pairing these connections with other regions requires an add-on but ensures your routing remains optimal for performance.<\/p>\n If you\u2019re planning to use an Azure infrastructure workload like a virtual network or you plan to extend or replace your Entra ID entirely, then you have a few options.<\/p>\n You can use the ExpressRoute<\/a> solution as we discussed in Option 2, or you can connect your on-premises routers to an Azure Gateway using a site-to-site VPN<\/a>. The gateway can then provide customized access to resources with user-defined routing.<\/p>\n If you\u2019re in between a site-to-site VPN and ExpressRoute, there are plenty of third-party network appliances in the Azure marketplace that can provide faster than site-to-site VPN with secure routing between your routers and an Azure Gateway. These devices sit between options 2 and 3 above. Barracuda and Cisco are popular device providers you can check out.<\/p>\n This is in no way a comprehensive look at the infrastructure configurations possible.<\/strong> Rather, it\u2019s a broad overview to help you start planning.<\/p>\n There are plenty of considerations based on workload, size and directory structure that can either add complexity or simplify the above approaches.<\/p>\n Once you\u2019re fully set up in your hybrid or cloud environment, you need to implement a few additional policies and procedures, the most important of which is a business continuity and disaster recovery plan.<\/p>\n But what is your organization ultimately responsible for versus Microsoft\u2019s role as your provider? You have plenty of options to make sure your data is protected in a worst-case scenario.<\/strong><\/p>\n Microsoft remains committed to transparency<\/a> when it comes to service health monitoring and outage notifications and updates. They have also implemented a system of geo-redundancy that makes it extremely unlikely for a complete Microsoft service outage to happen across all data centers and all services.<\/p>\n The company ensures that customer data is available whenever it is needed through the following features:<\/p>\n It\u2019s up to us as the customer, however, to ensure we are aware of the level of service<\/a> we can expect and monitor the availability of our own tenants. Here are some basics for Microsoft 365:<\/p>\n Users have a tremendous amount of control over the deletion and restoration of their own personal documents.<\/strong> Administrators have at least 30 days to retrieve data from their tenant as data is first soft deleted.<\/p>\n Did a user account get deleted accidentally? No problem: Recreate it, synchronize it, and access the data. Of course, the two-stage recycle bin in SharePoint has been around for a while now, so no problem there, either.<\/p>\n OneDrive users have a point-in-time restore utility built-in, so be sure users are aware of the feature.<\/p>\n Don\u2019t forget about retention policies<\/a> for data across Microsoft 365. These policies can ensure you remain legally compliant with any industry regulations you might have. Managing these policies typically requires two actions:<\/strong><\/p>\n With a retention policy, you can:<\/strong><\/p>\n Beyond maintaining business continuity on your own using Microsoft 365’s procedures, there are a couple of other things you can do to keep your data safe:<\/p>\n If you\u2019re interested in defining and managing what you keep, where you keep it, and how often you gather it, you also have a few options:<\/p>\n There are a few additional options from Azure Cloud<\/a> security to help you maintain your data integrity:<\/p>\n You won\u2019t find 20-plus-year-old strategies anymore for a continuity and disaster recovery scenario. Today, it\u2019s more convenient, cost-effective, and simpler to find continuity and disaster recovery as a service.<\/strong><\/p>\n Beyond disaster recovery, there are a few other operations you need to have in place to support digital asset protection in Microsoft 365.<\/p>\n If you\u2019re a large enough organization, you are likely transitioning teams from their on-premises duties to new cloud responsibilities<\/a>. We typically recommend your support team is .2 percent of the organization’s supported community, so two support people for every 1,000 users.<\/strong><\/p>\n When we work with clients to plan, rollout or remediate Microsoft 365<\/a>, we look at the entire IT structure, the number of users, what workloads are being rolled out, and how current support structures can be modified for the cloud.<\/p>\n Your first-level help desk will be key in taking some of the repetitive tasks away from your admins, and an updated knowledge base will provide a reference to help them.<\/p>\n If you are the help desk and the global admin, keep a knowledge base for yourself in a SharePoint list for easy reference.<\/p>\n It\u2019s up to us to ensure we are aware of the level of service we can expect and that we monitor the availability of our own tenants.<\/p>\n If a service falls below the SLA documented by Microsoft, you will need proof of that outage. Keep an eye on the service health dashboard in the admin center.<\/p>\n You can find service incidents in your Microsoft 365 Admin Portal, and those come in two varieties:<\/strong><\/p>\n Monitor the message center at least weekly, if not more often, for updated change notifications, any actions required, and expected outages. Microsoft Defender<\/a> has default alert policies configured to send admins email messages in a variety of circumstances, such as:<\/strong><\/p>\n The Secure Score dashboard<\/a> is a good place to start for a visual look at anomalies and for tips on what to update next. Beyond Secure Score, you can also use the following to monitor service availability:<\/p>\n If you are interested in enhancing out-of-the-box security monitoring, check out Microsoft Defender for Cloud Apps. This gives you further insight into activity, app use, alerts, and log reviews, among other tasks. It allows you to create policies, from templates or from scratch, that give you deeper insight into shadow IT, allowing you to better control where you store sensitive information.<\/strong><\/p>\n Another security enhancement is Microsoft Entra ID Protection. Entra ID Protection is a collection of algorithms that determine if a user sign-in is risky or not. If you\u2019re already using conditional access, you can set up the tool to deny access if Azure determines the sign-in to be of a risky nature. This will take some testing, but you can at least determine if the sign-ins are coming from unknown IP ranges (those not associated with a country) or if the sign-ins involve impossible travel (for example, you can\u2019t sign in from an IP address in London and five minutes later sign in from a different IP address in New York).<\/p>\n These monitoring and operations tasks usually take a few months to settle into your organization’s work pace, so be attentive and flexible early on.<\/strong> You should quickly find repetitive tasks that you can manage and automate more effectively using PowerShell<\/a> or other third-party add-ins.<\/p>\n Almost anything you can do with the UI, you can customize and do it through PowerShell. If the built-in reports don\u2019t offer the data to meet the needs of a specific report request, the information is usually available from the output of a script. You must be a global admin to use PowerShell with Microsoft 365.<\/p>\n<\/a>1. Encryption for Microsoft 365 Cloud Security<\/h2>\n
<\/a><\/p>\nYour Data at Rest (Infrastructure)<\/h3>\n
Your Data in Transit (Information)<\/h3>\n
<\/a>\n
\n
\n
\n
Your Data in Use (Identity)<\/h3>\n
<\/a>2. Microsoft 365 for Legal Compliance<\/h2>\n
Security and Compliance Center Capabilities<\/h3>\n
\n
<\/a>3. A New Strategy for Identity Control<\/h2>\n
Steps to Identity Control in a Hybrid Environment<\/h3>\n
<\/a><\/p>\n1. Determine your cloud identity model<\/a>.<\/h4>\n
2. Define roles, resources and strategies.<\/h4>\n
3. Review additional options.<\/h4>\n
\n
4. Establish conditional access policies.<\/h4>\n
<\/a>4. Security Policies in Microsoft 365<\/h2>\n
Identity Policy<\/h3>\n
\n
Information Policy<\/h3>\n
\n
Governance Policy<\/h3>\n
\n
<\/a>5. Physical Architecture: Security Features<\/h2>\n
\n
\n
\n
Option 1: Keep Your Infrastructure<\/h3>\n
Option 2: Use Express Route<\/h3>\n
Option 3: Implement a Site-to-Site VPN<\/h3>\n
Option 4: Opt for a Third-Party<\/h3>\n
<\/a><\/h3>\n<\/a>6. Business Continuity and Disaster Recovery in Microsoft 365<\/h2>\n
Microsoft\u2019s Responsibilities<\/h3>\n
<\/a><\/h3>\n\n
\n
\n
Administration Responsibilities<\/h3>\n
Exchange:<\/h4>\n
\n
SharePoint and OneDrive:<\/h4>\n
\n
Data Retention in Office 365<\/h3>\n
\n
\n
<\/a>Additional Business Continuity Tips<\/h3>\n
Use Outside Help<\/h4>\n
\n
Explore Azure Cloud Security Options:<\/h4>\n
\n
<\/a>7. Operational Support Structure for Digital Asset Protection<\/h2>\n
Service Availability Monitoring<\/h3>\n
\n
\n
\n
Enhancing Monitoring and Supportability<\/h3>\n
<\/a>Digital Asset Protection in Microsoft 365: Final Thoughts<\/h2>\n