“We’ve seen two years’ worth of digital transformation in two months”. – Satya Nadella at Ignite 2020.
I think this quote encompasses much of what we’ve seen worldwide in IT recently. Businesses everywhere have scrambled to adapt, most obviously to having staff working from home, whether it’s a teacher trying to deliver a class over Teams or Zoom or call center representatives answering calls from home with flaky access to systems. But there have been many other changes, such as figuring out how to run a factory in a Covid-safe way, running virtual meetings efficiently and ultimately ensuring that all these changes don’t open up the business to compromise.
In this article we’ll look at how Office and Microsoft 365 have helped, which (underutilized) tools can be implemented for a better user experience, and the importance of backup.
A strong foundation
Businesses that were already on the “digital transformation” journey to Microsoft 365 were in a much better place when the world turned upside down. Take a traditional business that may have resisted migrating workloads to the cloud, citing security, regulatory requirements or just “we’ve always done it this way, let’s not change it”. Sending everyone home to work, perhaps bringing work desktops or laptops with them, to unprepared home “offices” brings the major challenge of accessing company applications and data, which are all still in the corporate data center. Unless a secure reverse proxy is in place, the only way in is the corporate VPN. That VPN was likely designed for a small proportion of the overall workforce, such as travelling staff and executives, and probably not sized to cope with everyone using it every day for access to everything.
One of my clients has a Citrix infrastructure that maybe half of the workforce (about 400 staff) would access via LAN connections in the office before the pandemic. All of a sudden, most staff were trying to use it via home broadband connections, which resulted in a terrible user experience. Their Exchange 2013, file server and Line of Business (LOB) application infrastructure were all designed to be accessed from the office, with few remote access capabilities. They are now well into their migration to Office 365 and have started dabbling with Azure IaaS VMs.
Contrast this with a business that had already shifted to Office 365 and wasn’t relying on on-premises SharePoint and Exchange infrastructure. Add the forethought of having moved LOB applications to SaaS services (where possible) and having shifted identity and access to Azure Active Directory, and the prospect of having everyone work from home is not such a daunting one – it’s mainly a shift in where the connection comes from.
Microsoft Endpoint Manager Portal
Say that your business has moved most of its infrastructure to the cloud, it seems to be working pretty OK at the moment and you finally have some time to take a breath – what’s next? Whenever shifts happen in a hurry and the focus is on making things work, rather than thinking through all the ramifications, security suffers.
Take the time now to re-evaluate, starting with adopting a Zero Trust model, powered in Microsoft 365 by Azure Active Directory (AAD), in which identity protection is your number one priority. Whether your user accounts are born in the cloud in AAD or synchronized from Active Directory (AD) on-premises (using AAD Connect), the first step is to enable Multi-Factor Authentication (MFA). This stops 99.9% of identity-based attacks and is included with every license of Office 365.
Next, evaluate your password policy. If it was last updated in 1999 it’s probably time to modernize it. Based on NIST and GCHQ guidelines it should look something like this: don’t force regular password changes (Microsoft internally uses one year), require a minimum length of 8 characters, and don’t enforce special characters / uppercase / lowercase but allow them to be used. Do use a system to block common passwords and passwords that have previously been seen in breaches – AAD provides a built-in feature called Password Protection; this article goes through how to enable it and deploy it in your on-premises AD forest.
If possible, go beyond MFA to passwordless and, where practicable, use biometrics such as Windows Hello for Business.
Another important step is improving your visibility: consider using a Cloud Access Security Broker (CASB) such as the market leader, Microsoft’s Cloud App Security (MCAS), part of Microsoft 365 E5 licensing (or available as a separate add-on). Think of this as a firewall in the cloud that talks to SaaS services and ingests logs from your firewalls and proxies.
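To make the password-policy advice above concrete, here is an added example (not code from the article or from Microsoft) of a checker that applies the modern rules described: a length minimum, no composition rules, and a banned-password check. The banned-term check is a simplified approximation of the behaviour Microsoft documents for Azure AD Password Protection (normalise case and common character substitutions, match banned terms allowing one edit, then score one point per banned term plus one per remaining character, rejecting anything under five points). The banned list, the substitution table and the sample passwords are constructed for the demo; a real tenant would rely on Microsoft’s global list plus its own custom terms.

```python
"""Password-policy checker for the NIST/GCHQ-style rules described above, with a
simplified approximation of how Azure AD Password Protection scores a candidate
(normalise, fuzzy-match banned terms, count points). Added illustration, not
Microsoft's code: banned list, substitutions and samples are constructed."""

# Constructed banned list. Azure AD combines a Microsoft global list with a
# tenant custom list (company names, product names, local sports teams ...).
BANNED_TERMS = ["password", "contoso", "welcome", "letmein", "qwerty", "blank"]

# Normalisation undoes a few common "leet" substitutions (assumed subset).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

MIN_LENGTH = 8   # minimum length; no composition rules and no forced rotation
MIN_SCORE = 5    # point threshold used by the banned-password check


def normalise(password: str) -> str:
    """Lower-case the password and undo common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b are equal or differ by one substitution, insertion or deletion."""
    if a == b:
        return True
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    short, long = (a, b) if len(a) < len(b) else (b, a)
    i = 0
    while i < len(short) and short[i] == long[i]:
        i += 1
    return short[i:] == long[i + 1:]


def find_banned_terms(norm: str):
    """Scan left to right: each banned term (exact or within one edit) consumes
    its characters and earns one point; every other character earns one point."""
    terms = sorted(BANNED_TERMS, key=len, reverse=True)   # longest term first
    matched, remaining, i = [], 0, 0
    while i < len(norm):
        hit = None
        for term in terms:
            # exact width first so an exact match is not widened by one char
            for width in (len(term), len(term) - 1, len(term) + 1):
                if width < 1 or i + width > len(norm):
                    continue
                if within_one_edit(norm[i:i + width], term):
                    hit = (term, width)
                    break
            if hit:
                break
        if hit:
            matched.append(hit[0])
            i += hit[1]
        else:
            remaining += 1
            i += 1
    return matched, remaining


def evaluate(password: str) -> dict:
    """Apply the modern policy: length >= MIN_LENGTH and banned-term score >= MIN_SCORE."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    matched, remaining = find_banned_terms(normalise(password))
    score = len(matched) + remaining
    if score < MIN_SCORE:
        reasons.append(f"banned terms {matched} leave only {score} points (need {MIN_SCORE})")
    return {"accepted": not reasons, "score": score,
            "banned_terms": matched, "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: the first two differ only in the filler after the banned terms.
    for candidate in ["C0ntos0Blank12", "ContoS0Bl@nkf9!", "P@ssw0rd!", "correct horse battery staple"]:
        print(candidate, evaluate(candidate))
```

Note that "C0ntos0Blank12" passes a 1999-style complexity rule (upper, lower, digits, 14 characters) yet is rejected here, because once the two banned terms are removed only four points remain; a long passphrase with no banned terms sails through. That is the behaviour a banned-password list adds on top of a plain length rule.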
Microsoft Cloud App Security Portal
Continuing on the Zero Trust path, use Conditional Access policies to control access to data and applications, and publish all third-party SaaS applications through AAD for governance. Provide access to on-premises web applications securely through AAD Application Proxy, with no VPN required. Add Machine Learning based Identity Protection to manage user and sign-in risk, and Privileged Identity Management to protect your administrative accounts.
Apart from identity and user protection, device access to your resources needs to be managed. If you have Microsoft 365 E3 or higher licensing, look closely at Microsoft Endpoint Manager (MEM), formerly known as Intune (and its on-premises cousin, Configuration Manager). This lets you manage corporate-owned devices from anywhere as well as application access from BYOD devices.
Azure AD Conditional Access Policies
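The way Conditional Access policies combine is easy to get wrong when several of them apply to one sign-in, so here is an added example (a toy evaluator, not Azure AD’s engine or any Microsoft code) that models a subset of conditions (users and groups, apps, sign-in risk) and controls (block, MFA, compliant device). It shows the rules an administrator relies on: any enabled block policy wins, the grant controls of every matching policy are all required, report-only policies are recorded but not enforced, and an excluded break-glass account is never caught by a policy. The policy names, group names and accounts are constructed for the demo.

```python
"""Toy evaluator for Conditional Access style policies. Added illustration, not
Azure AD's engine: it models a subset of conditions and controls to show how
several policies combine for one sign-in. Sample policies are constructed."""

from dataclasses import dataclass
from typing import FrozenSet, List, Optional

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: FrozenSet[str]
    app: str
    sign_in_risk: str = "none"        # as rated by Identity Protection
    device_compliant: bool = False    # as reported by MEM/Intune
    mfa_satisfied: bool = False


@dataclass(frozen=True)
class Policy:
    name: str
    users_include: FrozenSet[str]     # {"All"} or group names
    users_exclude: FrozenSet[str]     # users or groups; break-glass accounts go here
    apps: FrozenSet[str]              # {"All"} or app names
    controls: FrozenSet[str]          # {"block"} or a subset of {"mfa", "compliant_device"}
    min_sign_in_risk: Optional[str] = None   # None = no risk condition
    state: str = "enabled"            # "enabled" | "reportOnly" | "disabled"


def policy_applies(p: Policy, s: SignIn) -> bool:
    """True when the sign-in matches every condition of the policy."""
    included = "All" in p.users_include or s.user in p.users_include or bool(p.users_include & s.groups)
    if not included:
        return False
    if s.user in p.users_exclude or p.users_exclude & s.groups:
        return False                  # exclusions always win over inclusions
    if "All" not in p.apps and s.app not in p.apps:
        return False
    if p.min_sign_in_risk is not None and RISK_ORDER[s.sign_in_risk] < RISK_ORDER[p.min_sign_in_risk]:
        return False
    return True


def evaluate(policies: List[Policy], s: SignIn) -> dict:
    """Combine all policies into one decision: block, require (controls unmet) or grant."""
    required, report_only, blocked_by = set(), [], None
    for p in policies:
        if p.state == "disabled" or not policy_applies(p, s):
            continue
        if p.state == "reportOnly":
            report_only.append(p.name)  # would have applied; review before enforcing
            continue
        if "block" in p.controls:
            blocked_by = blocked_by or p.name
        else:
            required |= p.controls    # grant controls from all matching policies are AND-ed
    if blocked_by:
        return {"decision": "block", "blocked_by": blocked_by, "unmet": [], "report_only": report_only}
    unmet = set()
    if "mfa" in required and not s.mfa_satisfied:
        unmet.add("mfa")
    if "compliant_device" in required and not s.device_compliant:
        unmet.add("compliant_device")
    return {"decision": "require" if unmet else "grant", "blocked_by": None,
            "unmet": sorted(unmet), "report_only": report_only}


# Constructed sample policy set (names and groups are placeholders).
SAMPLE_POLICIES = [
    Policy("Require MFA for all users", frozenset({"All"}), frozenset({"BreakGlass"}),
           frozenset({"All"}), frozenset({"mfa"})),
    Policy("Block high-risk sign-ins", frozenset({"All"}), frozenset({"BreakGlass"}),
           frozenset({"All"}), frozenset({"block"}), min_sign_in_risk="high"),
    Policy("Require compliant device for Exchange Online", frozenset({"Staff"}), frozenset(),
           frozenset({"Exchange Online"}), frozenset({"compliant_device"}), state="reportOnly"),
]


if __name__ == "__main__":
    alice = SignIn("alice@contoso.example", frozenset({"Staff"}), "Exchange Online")
    print(evaluate(SAMPLE_POLICIES, alice))
```

The third policy is deliberately left in report-only state: its name shows up in `report_only` for every sign-in it would have affected, which is the data you review before switching it to enabled and locking out every unenrolled laptop at once.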
Protecting your data
The single most important, and uninsurable, asset your organization has (apart from the people themselves) is your data. Whilst Office 365 does have some data protection technologies on offer (remember to turn them on), a third-party backup solution for Microsoft Office 365 is a great way to ensure that you can restore critical data quickly, whether after an accidental deletion or a ransomware attack. This is of course important at any time, but doubly so in these times with many people working from home, increasing the risk of both accidents and cyber-attacks.
Being able to quickly restore documents in OneDrive for Business, SharePoint and emails in Exchange Online is crucial for any business and particularly so in a high-pressure situation such as a ransomware attack.
Altaro Office 365 Backup
As you can see – Office / Microsoft 365 has many technologies that can help your business thrive in this new world we find ourselves in. Understanding the threats is also important, because knowledge is power; a good place to start is the recently released Digital Defense Report from Microsoft.
Stay safe out there and remember to back up your data!