Businesses are increasingly relying on cloud-based applications like Microsoft 365 to stay productive and competitive. However, managing the security of these applications can be a daunting task, especially for small businesses with limited IT and Security resources.
In this short post, we will discuss some of the key security challenges facing small businesses that use Microsoft 365.
The Challenge of Managing Multiple Admin Portals
One of the biggest challenges facing businesses that use Microsoft 365 is the sheer number of admin portals that they need to manage. There are over 20 main admin portals, ranging from Azure AD to Yammer, with 200+ sub portals. This makes it virtually impossible to manually keep track of which settings need to be configured and where they are located.
Even for the most technical IT admins, it can be difficult to get a clear view of all of the security settings that need to be configured in a Microsoft 365 environment. Take a look at http://msportals.io/ where the site lists all the cloud portals that Microsoft offers:
To make matters worse, there are also nearly 200 settings groups within this collection of portals. This means that there are potentially thousands of settings that need to be configured in order to properly secure a Microsoft 365 environment.
The Difficulty of Implementing Security Recommendations
Microsoft provides a long list of security recommendations for Microsoft 365 environments. The Microsoft Security Score is an attempt to benchmark where customers are in terms of these security recommendation, however, they can be difficult to implement, especially for small businesses with limited IT resources.
The recommendations are often scattered across multiple portals and settings groups and despite some of the deep-linking that the Security Score tool offers, you soon get lost in the incoherent settings screens you encounter and lose track of where you are as you refer to multiple help screen to decipher the impact of what the changes will entail.
What makes matters worse is that the recommendations can apply to services that the business does not even have access to based on their existing subscription capabilities!
Auto-Enforced Security Defaults
Knowing how much of a mess this is, Microsoft announced last year that it will start rolling out the auto-enforcement of certain security defaults for Microsoft 365 environments. This is a very positive step in terms of improving security, but it also comes with some challenges that we know IT administrators and Managed Service Providers will cringe at!
The auto-enforced security defaults can disrupt certain functionality in some environments. In fact, when this was turned on for a local small business I know, they were caught off guard as their shared email account began enforcing MFA and all but one of their employees lost access to email - I didn’t have too much sympathy from a security perspective, but they had no idea what had gone wrong and caused them no end of headaches as they needed to figure out how to resolve this.
The Need for a Security Partner
Given the challenges discussed above, it is clear that businesses need help in managing the security of their Microsoft 365 environments (and a myriad of other SaaS platforms and Apps). A security partner can help with a variety of tasks, including:
Advising the most suitable security recommendations that align with their customer's needs and risk profile
Implementing security recommendations without the client needing to be an expert
Monitoring for security threats 24/7 to ensure their client's environments remain secure
Responding to security incidents should an adversary or insider incident occur
At Overe, we understand the need for this and believe that the first step is to raise awareness of the potential issues that businesses may face. One way we intend to do this is with a free tool, that will give businesses an easy to understand way to see their security posture as it relates to Microsoft 365, we hope that this goes some way to close some of the gaps that will inevitably be present when dealing with 🍝 Microsoft 365's Settings Spaghetti 🍝
We are currently building the Overe security platform and this tool is one of the first services to be released, so be sure to sign up to our service so we can let you know when it's ready!