In our previous security articles, we discussed some of the tools available within the Microsoft 365 suite, what Zero Trust Strategy is, and why it’s important. In this article we will be running through how joint Microsoft and NCSC guidance recommends that you secure your Microsoft 365 environment.
NCSC Guidance: Office 365
Following the publication of the NCSC’s 14 Cloud Security Principles, Microsoft created a very detailed response on how these principles can be met in Office 365. Microsoft also created a document detailing the level of protection you get from the configuration you implement, graded from Good to Better to Best.
The NCSC have recommended that organisations implement all configuration labelled as ‘Good’ in this Microsoft guidance as a minimum.
- NCSC 14 Cloud Security Principles
- Microsoft Technical Guide
- NCSC Office 365 Security Configuration Guidance
Some of the key identity security guidance proposed by the NCSC and Microsoft includes the following points:
- Multi-factor Authentication (MFA), Legacy Authentication and Password Protection
- Cloud-Native Authentication (Hybrid Environments)
- Conditional Access
MFA, Block Legacy Authentication and Password Protection
These key points are all a high priority recommended by both the NCSC and Microsoft. We have already gone through these points in more detail in our previous blog: ‘Help Prevent Account Compromises with These 3 Key Microsoft 365 Tools’.
These are some of the simplest security features to roll out to your organisation, and they make the biggest impact in securing your environment. MFA alone prevents over 99% of account breaches; used in conjunction with blocking Legacy Authentication through Conditional Access and with Password Protection policies, you have a robust identity security solution with very minimal effort.
Cloud-Native Authentication (Hybrid Environments)
We have a lot of experience with helping companies integrate their on-premises solutions with the cloud through Microsoft 365. In a lot of these scenarios, companies keep their on-premises AD intact and synchronise identities to Azure AD. In this type of Hybrid solution using AAD Connect, the recommendation now is to use Seamless Single Sign-On with Password Hash Sync. This means that Azure AD handles authentication for users, so the additional security features available with Microsoft 365, such as Conditional Access and Azure MFA, can be used fully to increase the security of authentication.
Some people have reservations about doing this because they see it as potentially less secure than continuing to use on-premises AD as the primary source of authentication. But this is false! Here are some of the key reasons why:
- What is sent to Azure AD is a hash of your password hashes, not the on-premises hashes themselves. Each synced hash undergoes a per-user salt and 1,000 iterations of the HMAC-SHA256 key hashing algorithm before being sent to Azure AD. (This is very safe!)
- The availability of Office 365 will not be affected by any outages/downtime suffered by your on-premises infrastructure.
- Microsoft have a lot of credential protection technologies that are only available with accounts that are fully synchronised with the cloud. These benefits include identifying users with easily guessed passwords, and flagging accounts whose reused passwords have been leaked through data breaches from other services.
- Conditional Access - we highly recommend using Conditional Access with a Zero Trust approach to really secure your Microsoft 365 environment. This forms the cornerstone of an enterprise level Zero Trust implementation. We discuss this a bit further below.
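To make the "hash of the hash" point above concrete, here is an added Python example written for this article (it is not AAD Connect or Microsoft code). It computes the on-premises NT hash, adds a per-user salt, runs 1,000 iterations of PBKDF2 with HMAC-SHA256, and then verifies a sign-in against the synced record. The 64-byte expansion of the NT hash and the 10-byte salt length follow Microsoft's public description of Password Hash Sync; the lowercase hex encoding, the sample passwords and the salts are assumptions made for the example, and the code makes no claim of byte-for-byte compatibility with the real sync agent. A small MD4 routine is included because many OpenSSL builds no longer expose md4 through hashlib.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

ITERATIONS = 1000   # stated in the article: 1,000 iterations of HMAC-SHA256 (via PBKDF2)
SALT_LEN = 10       # per Microsoft's public PHS description; an assumption for this example


def _md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320). Included only because hashlib often lacks md4 on modern OpenSSL."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2, word order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3, word order 0,8,4,12,2,10,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = ((a0 + a) & 0xFFFFFFFF, (b0 + b) & 0xFFFFFFFF,
                          (c0 + c) & 0xFFFFFFFF, (d0 + d) & 0xFFFFFFFF)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """On-premises AD password hash: MD4 over the UTF-16LE password (the 'NT hash')."""
    return _md4(password.encode("utf-16-le"))


def expand_nt_hash(nt: bytes) -> bytes:
    """16-byte NT hash -> 32-char hex -> UTF-16LE, i.e. 64 bytes (lowercase hex is assumed)."""
    return nt.hex().encode("utf-16-le")


def derive_sync_hash(nt: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The 'hash of the hash': PBKDF2-HMAC-SHA256 over the expanded NT hash with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt), salt, iterations, dklen=32)


def sync_record(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """What the sync agent would send for one user: salt, iteration count and derived hash.
    The NT hash is computed locally and never leaves this function."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    return {"salt": salt, "iterations": ITERATIONS,
            "hash": derive_sync_hash(nt_hash(password), salt)}


def verify(password: str, record: Dict[str, object]) -> bool:
    """Cloud-side check: rehash the supplied password the same way and compare in constant time."""
    candidate = derive_sync_hash(nt_hash(password), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed sample data, not real credentials; fixed salts so the run is reproducible
    alice = sync_record("Winter2024!", salt=bytes(range(10)))
    bob = sync_record("Winter2024!", salt=bytes(range(1, 11)))
    print("same password, different synced hashes:", alice["hash"] != bob["hash"])
    print("correct password verifies:", verify("Winter2024!", alice))
    print("wrong password rejected:", not verify("winter2024!", alice))
```

Two things the run shows: the on-premises hash itself is never part of the record that leaves the agent (only the salt, the iteration count and the derived 32-byte value are), and the same password on two users produces two unrelated synced values because of the per-user salt, so a leaked record for one user says nothing about another.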
Conditional Access and the cost of a breach
In the Microsoft guidance article, Microsoft recommends implementing a more "holistic identity-centric Conditional Access approach". We completely agree with this and believe it to be the perfect opportunity to use a Zero Trust approach when it comes to Identity. The Microsoft line of ‘identity is the new control plane’ is not new, but we continually see customers who have been breached because they went with default settings. Equally, we see cases where Conditional Access has stopped breaches.
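As an added illustration of how Conditional Access ties the earlier recommendations together, the Python below (example code written for this article, not Microsoft's policy engine) holds two policies in the shape of the Microsoft Graph conditionalAccessPolicy resource, one blocking the legacy-authentication client types and one requiring MFA for all users, and evaluates constructed sign-in events against them. The clientAppTypes, state and builtInControls values are real Graph enum values; the display names, users and sign-ins are made up, and the evaluation rules are a deliberate simplification of the real engine (an applicable block policy wins; otherwise every required control must already be satisfied).

```python
from typing import Dict, List

# Two policies in the shape of the Graph conditionalAccessPolicy resource
# (constructed for this example; display names are made up).
POLICIES: List[Dict] = [
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            # Legacy protocols (IMAP, POP, SMTP AUTH, EAS) surface as these two client app types
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def policy_applies(policy: Dict, signin: Dict) -> bool:
    """True when every condition matches the sign-in; report-only and disabled policies never apply."""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    users = cond["users"]["includeUsers"]
    if "All" not in users and signin["user"] not in users:
        return False
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and signin["app"] not in apps:
        return False
    types = cond["clientAppTypes"]
    return "all" in types or signin["clientAppType"] in types


def evaluate(signin: Dict, policies: List[Dict] = POLICIES) -> str:
    """Simplified outcome: 'block' if any applicable policy blocks, 'mfa' if MFA is
    required but not yet satisfied, otherwise 'allow'."""
    required = set()
    for policy in policies:
        if policy_applies(policy, signin):
            controls = policy["grantControls"]["builtInControls"]
            if "block" in controls:
                return "block"
            required.update(controls)
    if "mfa" in required and not signin.get("mfaCompleted", False):
        return "mfa"
    return "allow"


# Constructed sign-in events (made-up users and apps)
SIGNINS = [
    {"user": "alice@contoso.example", "app": "Office 365 Exchange Online",
     "clientAppType": "other", "mfaCompleted": False},                   # legacy IMAP-style client
    {"user": "bob@contoso.example", "app": "Office 365 SharePoint Online",
     "clientAppType": "browser", "mfaCompleted": False},                 # modern client, no MFA yet
    {"user": "carol@contoso.example", "app": "Microsoft Teams",
     "clientAppType": "mobileAppsAndDesktopClients", "mfaCompleted": True},
]

if __name__ == "__main__":
    for s in SIGNINS:
        print(f"{s['user']:<24} {s['clientAppType']:<30} -> {evaluate(s)}")
```

The first sign-in is the one that matters most: a legacy client cannot complete an MFA prompt, so without the block policy the MFA policy would just leave it in a "challenge it cannot answer" state, and with the block policy it is refused outright, which is why the two policies are recommended together. The same JSON shape is what the Graph identity/conditionalAccess/policies endpoint accepts, and switching "state" to "enabledForReportingButNotEnforced" is the usual way to stage a new policy and review its would-be outcomes in the sign-in logs before enforcing it.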
According to research conducted by IBM in 2019, the average total cost of a data breach is $3.92 million.
An Azure AD Premium P1 licence, which can be used to implement the key security features above, costs £4.50 per user per month.
For those unfamiliar with Zero Trust – please refer to our previous article.
We strongly recommend that everyone start thinking about all their security with a Zero Trust mindset and approach, especially those who use the cloud. Microsoft 365 contains all the tools needed to maximise your security with Zero Trust, and Identity is the perfect first step.
If you would like to know more about Zero Trust Identity – we do have a solution for this. You can find out more here.