Microsoft Cloud Security: Top 10 low-hanging fruits

Niklas Tinner
6 min read · Jul 8, 2024


Introduction

Almost every modern organization, whether a startup or an established enterprise, has Microsoft 365 or Azure services in place to fulfill its IT requirements and operations. The most common services include:

  • Microsoft 365 Apps (Teams, Outlook, Office etc.) for collaboration
  • Entra ID for user accounts and identity resources
  • Azure platform hosting computing resources

What to expect

In this post I want to share my experience with small and medium businesses (SMB) as well as large enterprises when it comes to Microsoft Cloud Security. The target audience is especially managed service providers (MSP) and internal IT administrators who aren’t experts on the Microsoft Cloud and want an easy-to-understand guide. This is it 😉

I define a “low-hanging fruit”🍒 as:

An easy-to-implement control that elevates your security posture immensely without disturbing processes.

In my daily work I have insight into a lot of Microsoft 365 and Azure infrastructures and how they are used. Regardless of whether it is a large enterprise or an SMB, most of the low-hanging fruits are the same. BUT an SMB is more agile: it can implement them faster and adjust more easily. Large enterprises should have an internal IT department with a larger security budget.

Challenge: How to start?

There are endless security measures you could take to make your digital infrastructure more secure. However, resources are limited and we want to achieve the highest possible security with them. In this post I will list the topics and key considerations and describe each of them. They are based on industry standards, personal experience and common security knowledge.

Defining the goal

We want to focus on topics that:

  • 🚀 Bring in the most obvious security and protect the largest attack surfaces
  • ✅ Are easy to implement and operate
  • 😡 Don’t mean end user drawbacks or high negative impact on productivity

In my definition, cybersecurity is about:

Ruin the potential attacker’s return on investment.

Meaning: security technologies and controls should be so effective that the attacker’s effort isn’t worth the return. (The return in this case would be access to accounts, data or digital infrastructure.)

Surprisingly, this is achievable through basic security hygiene and simple configuration. According to the Microsoft Digital Defense Report, basic security hygiene protects against 99% of attacks. Sounds like a good deal if we can achieve that basic hygiene 🤝.

Overview Top 10

This is my personal list of top 10 security controls that should be implemented in every organization.

1. Enable multi-factor authentication

Multi-factor authentication is the best and easiest way to elevate your security. It protects your identities by requiring two factors to authenticate. The modern MFA methods you should use are the Microsoft Authenticator app, FIDO2 keys and passkeys, or a Temporary Access Pass. You can start enforcing MFA with a registration campaign in Entra ID Protection:

2. Stay up to date

Up-to-date software ensures that vulnerabilities are patched directly by the vendor. If you mainly use SaaS (Software as a Service) apps in the browser, you are relieved of this challenge. But if you have client installations or any operating system, you should ensure that those products update themselves automatically. Ensure auto-update features are enabled, or update the version manually on a regular schedule. There are also tools on the market that handle auto-updates for you.

3. Use endpoint protection software

Threat protection and endpoint detection and response systems should be installed on every endpoint. My recommendation is to use Microsoft Defender Antivirus and Defender for Endpoint for cloud-powered protection. Make sure to enable these products and configure them accordingly. Find more information here:

4. Review role assignments and RBAC

Roles are users with special permissions, such as administrators, in your environment. Role-based access control should be implemented to adhere to the least-privilege principle, which states that a user should only be able to perform the actions their job role requires. With every tenant that I touch, I have a look at the roles blade in Entra ID:
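As an added example that is not part of the original post, here is a small Python review of directory role membership of the kind the roles blade shows. The input mirrors the shape of the Microsoft Graph response for GET /directoryRoles?$expand=members; the tenant data, the threshold (Microsoft's guidance is to keep fewer than five Global Administrators) and the set of roles treated as privileged are assumptions made for the example.

```python
# Added example, not part of the original post: review Entra ID directory
# role membership for least-privilege issues. The input mirrors the shape of
# Microsoft Graph GET /directoryRoles?$expand=members; the tenant data below
# is constructed and fictitious.
from collections import defaultdict

# Microsoft's guidance is to keep fewer than five Global Administrators.
MAX_GLOBAL_ADMINS = 4
# Which roles count as privileged is an assumption made for this example.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Security Administrator", "Exchange Administrator"}


def review_role_assignments(roles):
    """Return a list of findings (strings) for a list of directoryRole objects."""
    findings = []
    roles_per_principal = defaultdict(set)
    for role in roles:
        name = role["displayName"]
        members = role.get("members", [])
        if name == "Global Administrator" and len(members) > MAX_GLOBAL_ADMINS:
            findings.append(f"{len(members)} Global Administrators (keep it under five)")
        if name not in PRIVILEGED_ROLES:
            continue
        for member in members:
            principal = member.get("userPrincipalName") or member.get("displayName")
            # Workload identities holding admin roles deserve a second look.
            if member.get("@odata.type") != "#microsoft.graph.user":
                findings.append(f"non-user principal '{principal}' holds {name}")
            roles_per_principal[principal].add(name)
    for principal, held in sorted(roles_per_principal.items()):
        if len(held) > 1:
            findings.append(f"'{principal}' holds several privileged roles: "
                            + ", ".join(sorted(held)))
    return findings


def user(upn):
    return {"@odata.type": "#microsoft.graph.user", "userPrincipalName": upn}


SAMPLE_ROLES = [  # constructed sample, fictitious accounts
    {"displayName": "Global Administrator",
     "members": [user(f"{n}@contoso.example") for n in ("alice", "bob", "carol", "dave", "erin")]},
    {"displayName": "Security Administrator",
     "members": [user("alice@contoso.example"),
                 {"@odata.type": "#microsoft.graph.servicePrincipal", "displayName": "sp-automation"}]},
    {"displayName": "Directory Readers", "members": [user("frank@contoso.example")]},
]

if __name__ == "__main__":
    for finding in review_role_assignments(SAMPLE_ROLES):
        print("-", finding)
```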

5. Activate Conditional Access template policies

Conditional Access is the heart of every Microsoft tenant when it comes to identity and access management. It is one of the key products to implement and use. It lets you combine signals such as geographical location, device state or risk level to define access requirements. Microsoft equips every tenant with a set of recommended template policies. You should review them, estimate their impact and set them live.
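As an added example that is not from the original post, the Python below summarises which policies in a tenant are enforced, report-only or disabled, and checks that two of the template controls (MFA for administrator roles, block legacy authentication) are actually enforced rather than left in report-only mode. The policy objects follow the shape of the Microsoft Graph GET /identity/conditionalAccess/policies response; the sample tenant and the role template ID placeholder are constructed.

```python
# Added example, not part of the original post: summarise a tenant's
# Conditional Access policies and check that two recommended template
# controls are enforced rather than report-only or disabled. Policy objects
# mirror the Microsoft Graph GET /identity/conditionalAccess/policies shape;
# the sample below is constructed.
ENFORCED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"


def _grants(policy):
    return set(policy.get("grantControls", {}).get("builtInControls", []))


def requires_mfa_for_admins(policy):
    """Enforced policy that targets directory roles and grants only with MFA."""
    targets_roles = bool(policy["conditions"]["users"].get("includeRoles"))
    return policy["state"] == ENFORCED and targets_roles and "mfa" in _grants(policy)


def blocks_legacy_auth(policy):
    """Enforced policy that blocks the legacy client app types for all users."""
    apps = set(policy["conditions"].get("clientAppTypes", []))
    all_users = "All" in policy["conditions"]["users"].get("includeUsers", [])
    return (policy["state"] == ENFORCED and all_users
            and "block" in _grants(policy) and {"exchangeActiveSync", "other"} <= apps)


def review_policies(policies):
    """Return (state summary, list of baseline gaps)."""
    summary = {"enabled": [], "reportOnly": [], "disabled": []}
    for policy in policies:
        key = {ENFORCED: "enabled", REPORT_ONLY: "reportOnly"}.get(policy["state"], "disabled")
        summary[key].append(policy["displayName"])
    gaps = []
    if not any(requires_mfa_for_admins(p) for p in policies):
        gaps.append("no enforced policy requires MFA for administrator roles")
    if not any(blocks_legacy_auth(p) for p in policies):
        gaps.append("no enforced policy blocks legacy authentication")
    return summary, gaps


SAMPLE_POLICIES = [  # constructed: one template still in report-only mode
    {"displayName": "Require MFA for admins", "state": REPORT_ONLY,
     "conditions": {"users": {"includeRoles": ["<role-template-id-placeholder>"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": ENFORCED,
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require compliant device", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]

if __name__ == "__main__":
    print(review_policies(SAMPLE_POLICIES))
```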

6. Ensure tenant security settings

Tenant security settings form the foundation of your identity platform, Microsoft Entra ID. There are many good frameworks that indicate which settings are important. Nevertheless, you should at least have a look at all the settings and know what’s possible. I can recommend Maester as a Microsoft security test automation framework.

7. Implement modern mail protection

Mail threats are one of the most common attack methods. End users frequently interact with mails and mail content such as attachments or links that could be malicious. Defender for Office 365 provides adequate protection against those threats. Read more in my dedicated blog post:

8. Set up notification on alerts

Notifications in Microsoft Defender XDR can easily be set up at security.microsoft.com in the settings. Set up alerts for Incidents (a group of triggered alerts indicating a security incident), Actions (tasks and operations that were started in Defender automatically or manually) or Threat analytics (information on the cybersecurity landscape, provided by Microsoft).

9. Awareness trainings

Last but not least, I recommend involving all of your users (including admins) in awareness training. It should raise their understanding of and readiness for potential upcoming threats and how to handle them. From my experience, a personal workshop is always the best method to achieve this. But it must be said that you should not rely on the user’s decision; make the security controls as effective as possible instead. You can also consider the Defender for Office 365 attack simulation training.

10. Evaluate new technology and keep an eye on the market

This is probably one of the most challenging parts of staying secure. Adversaries don’t stop developing their technology-related attacks, and neither should you! Microsoft releases new features almost every day, and it can sometimes be hard to keep track. Evaluate new features regularly and check whether they are worth implementing. This way, you will ensure not just that you are safe, but that you stay safe!


Originally published at https://www.oceanleaf.ch on July 8, 2024.


Written by Niklas Tinner

Founder Oceanleaf & Microsoft MVP
