Business | March 15, 2024 8 min to read

Microsoft 365 Security and Compliance Guide

Chances are, if you have used a spreadsheet, you have used Microsoft 365 – one of the most popular office suites in use. According to Statista, Microsoft has 46% of the world market. The suite consists of numerous related applications, including Word, Excel, PowerPoint, Teams, OneDrive, and SharePoint. In total, there are up to 14 different apps.

Microsoft manages M365 security using the in-tool Microsoft Defender Portal and Microsoft Purview features for compliance. A Software-as-a-Service (SaaS) solution, M365 has shared responsibilities between the company and users. The Microsoft 365 shared responsibility model states that Microsoft is responsible for all physical infrastructure in the cloud, as well as the operating systems, network controls, and applications, such as Teams.

However, the customer is always responsible for their information, data security, accounts, and identities, along with user devices, such as laptops and mobile devices. To make this possible, Microsoft provides a set of cutting-edge security and compliance tools. These tools include identity and access management, threat protection, security and risk management, and compliance.

While Microsoft commits to a service level agreement of 99.9% availability for most applications, it’s still the customer’s responsibility to protect and back up their data. Microsoft doesn’t offer a full backup service, and users need a modern data protection solution outside of M365’s native security features to ensure their data is safe from accidental deletion, security threats, and ransomware.

What is Microsoft 365 Security and Compliance?

Security and compliance in Microsoft 365 have historically been managed in the Security and Compliance Center. However, security and compliance are subtly different topics. Microsoft has recognized this by separating these functions into the Microsoft Defender Portal and a compliance center known as the Microsoft Purview Compliance Portal.

The primary focus of Microsoft 365 security is protecting data from internal and external threats. This focus includes threat detection, access management, and data protection risk management.

To achieve compliance, users must adherence to a set of policies, rules, and procedures for data management, retention, and protection, including complying with relevant data protection regulations, accounting standards, cybersecurity frameworks, and consumer privacy regulations. This is also inclusive of the internal compliance processes an organization adopts to manage systems and data, as well as those external regulations require.

To briefly summarize these ideas, compliance is a set of data protection requirements, while security refers to the measures your administrator takes to back up and protect the organization’s data.

Microsoft 365 Security and Compliance Features

Microsoft 365 is a platform with comprehensive and layered security. Features include a sophisticated identity and access management system, threat protection, data protection, security and risk management, and compliance management.

Microsoft goes out of its way to ensure Office 365 is a stable, secure, and resilient platform with multiple data centers that provide comprehensive fail-over protection. When it comes to user and data security, however, users should note their responsibilities in terms of the Microsoft Office shared responsibility model. These responsibilities include securing user data, accounts, and identity management.

Identity and Access Management (IAM)

Microsoft 365 IAM offers secure access to 365 office applications, including Outlook, Excel, Access, Word, and Teams. Working on the principle that users should only have ready access to the data they need for their work, identity and access management operates at two levels. The first step is to verify that when someone attempts to log in, they authenticate their details against the identity management database. The second step is determining the resources the individual can access; this step is known as authorization. These rules apply equally to devices and remote logging equipment (IoT devices). Benefits of Microsoft 365 IAM include:

Seamless user experience: Once logged in, users have access to everything their user profile permits without the need for secondary logins.
Unified identity management: Manage user identities and permissions from one central database.
Role-based access control (RBAC): Simplify user management by determining access permissions based on the user’s role in the organization.

Threat Protection

Microsoft 365 incorporates advanced threat detection and protection features against cyber threats and attacks. These features include Microsoft Sentinel, an advanced security information and event management (SIEM) feature that automatically logs, correlates, and analyzes event data to detect and automatically respond to cyber threats. Another key feature is Microsoft Defender’s extended detection and response (XDR) capability. This tool proactively searches for threats and security blind spots across your Microsoft 365 environment. It automatically limits cyberattacks and prevents their lateral spread across your environment.

Information Protection

Information protection, a function of Microsoft Purview, allows you to organize and protect sensitive data across the organization’s network. Features include:

Data classification: Automatically catalogs data so you can classify important information by adding data labels while also protecting sensitive information from accidental deletion.
Data loss prevention (DLP): DLP facilitates the protection of sensitive data, such as key financial records, confidential employee information, customer details, and credit card numbers.
Data lifecycle management: Previously called information governance, Microsoft Purview data lifecycle management helps you develop data retention policies and maintain compliance with data privacy requirements.

Security and Risk Management

Microsoft Office 365 security and risk management features offer advanced levels of protection against internal and external risks. These features include:

Information barriers: Prevents communication between groups and individual users. Examples may include preventing employees working on confidential projects from communicating or sharing files with other employees and keeping financial employees from sharing confidential information with outside groups.
Customer lockbox: Allows you to exercise full control over who can access your data stored in the Microsoft 365 cloud. Prevents Microsoft personnel from accessing data unless the user specifically approves it, like when a support request to Microsoft requires access to the data for troubleshooting purposes.
Communication compliance: Detects inappropriate messages and images on your network, especially those in conflict with corporate policies. Identifies conflict of interest communications or the dissemination of sensitive information to third parties.
Privileged access management (PAM): Detects unusual attempts to access confidential information, such as user credentials or sensitive data. Other uses include monitoring privileged account activity to ensure compliance and temporary just-in-time access for investigative audits.
Advanced audit: Conducts forensic and compliance audits.
Insider risk management: Detect insider risks by using AI-powered algorithms to identify risky user behavior. Use this information to mitigate data security risks automatically.

Compliance Manager

The M365 compliance manager tool allows you to conduct an inventory of your organization’s data protection risks and compare your organization against benchmarks for your industry. It measures the status of your Microsoft 365 compliance controls. You can use the tool to assess your organization’s compliance with various standards, such as the ISO 27001 Information Security Standard, or against local data protection laws, such as the Health Insurance Portability and Accountability Act (HIPAA). It provides a compliance score and identifies actionable improvement actions.

Microsoft 365 Security Best Practices

Microsoft 365 incorporates excellent security features to protect client data and enhance network security. The security features available depend on your 365 package. For example, Microsoft 365 Business Premium and above have more advanced identity and access management systems than basic packages, as well as better cyber threat protection. The full version of Microsoft Purview is available on some packages and is an optional add-on with others.

Follow these best practices to keep your Microsoft 365 secure:

Enable multifactor authentication: MFA is more secure because login requires you to use two or more means of identification. These forms could include a password, bio identification, such as a fingerprint, or a unique passcode sent to a mobile device.
Regularly update and patch systems: Cybercriminals often try to exploit known vulnerabilities before they’re patched. Depending on your Microsoft 365 license, you can, in certain instances, manage when you download and apply updates. If you prefer this arrangement, it’s crucial to check for updates frequently and install critical ones as soon as possible. In most cases, it’s best to let Microsoft apply updates automatically, as this arrangement minimizes your vulnerability to hackers.
Use advanced threat protection (ATP): Microsoft’s ATP feature protects your network by blocking malware in emails, SharePoint, Microsoft Teams, and OneDrive. It scans email attachments, identifies spam emails, and checks for malicious URLs. This feature protects against sophisticated phishing attempts and blocks attempts to open unsafe web pages.
Implement data loss protection: Available in E5 packages or as an optional feature, Microsoft Purview identifies and protects sensitive information. It prevents the inadvertent leakage of sensitive data, such as social security numbers and credit card details. DLP is a key tool for ensuring compliance with HIPAA, the Payment Card Industry Data Security Standard, and the California Consumer Privacy Act (CCPA). Further, users are alerted when managing sensitive information through customizable sensitivity labels, which are displayed above emails, invites, or documents tagged as sensitive. Retention labels are similarly implemented, manually or automatically, to manage content with varying governence or retention specifications.
Audit and monitor user activity: Using the compliance tool, monitor user activity to check for abnormal activity, detect unauthorized file-sharing activities, and prepare data handling compliance reports.
Restrict access and permissions: Adopt a policy of restricting user access and permissions to the files and data employees need to perform their work. Provide access to sensitive data for limited periods only. Review access frequently and remove redundant permissions as soon as they’re no longer needed.
Educate users: Train employees on the ways cybercriminals use phishing to extract sensitive data from unsuspecting users. Typical examples of phishing include spear phishing, which targets a specific user; whaling, which is aimed at high-value targets; and forged business emails requesting payments or confidential information.
Back up Microsoft 365 data: Despite Microsoft’s common use of the term backup, it’s important to realize this usually refers to synchronizing files with OneDrive or from individual computers to SharePoint files. It isn’t a proper backup solution you can use to recover from a disaster or ransomware attack. It’s best to implement a third-party Microsoft 365 Backup as a Service (BaaS) solution that provides comprehensive and immutable backups that will allow you to recover quickly from a disaster.
Adopt a Zero Trust strategy: Zero Trust is a departure from the earlier trust but verify strategies, which were ineffectual against credential misuses. The Zero Trust principle requires that the system continually monitors users and their devices to explicitly verify their identity and location. Zero Trust assumes the possibility of a breach and uses continuous monitoring (SIEM) tools to verify user activity.

Implementing these best cybersecurity practices and using a secure Microsoft 365 backup solution will give you the tools you need to respond effectively to internal and external cyber threats.

Integration With Microsoft 365 Apps

Microsoft 365 is more than an office application. It’s an entire ecosystem that supports multiple workflows and work teams within an organization. Most business packages include additional services, such as:

Exchange: A central email and calendaring server. It’s protected by Microsoft’s Exchange Online Protection service, which is a cloud-based email filtering solution with spam and malware detection capabilities, email encryption, and data loss protection features.
OneDrive: This online file hosting and storage platform uses 256-bit AES encryption to protect stored data or data in transit. Other security features include password protection, activity monitoring, virus scanning, protection against mass deletion, and file versioning.
SharePoint: SharePoint is a web-based document and collaboration platform that incorporates the same security protections as Microsoft 365. SharePoint sites are part of a Microsoft 365 group and share permissions.
Teams: This comprehensive messaging application supports chat and video conferencing. Security features include Azure DDOS network protection, eavesdropping protection, and man-in-the-middle protection.

Secure Your Microsoft 365 Data With Veeam

The Microsoft 365 product family is a set of tools that allow individuals and teams within an organization to collaborate effectively. It supports multiple endpoints and remote working. As such, there are many potential attack surfaces that cybercriminals can exploit.

Fortunately, Microsoft 365 incorporates state-of-the-art security that includes:

Multifactor authentication
Privileged access management
Information barriers
Risk management
Message encryption
Data loss prevention

For these features to be effective, organizations must prioritize managing Office 365 security and compliance. The tools are there, but organizations need to effectively manage them using security management dashboards. One useful tool is the compliance manager, which allows administrators to benchmark the organization’s security and identify areas for improvement.

While Microsoft goes to great lengths to keep your data secure, ultimately, the responsibility falls on you as the owner and user of the data. Microsoft ensures your data is safe, but can’t protect you against accidental deletions, data theft, and malware attacks unless you configure the security tools effectively.

The new Microsoft 365 backup allows partners, such as Veeam, to provide a comprehensive Microsoft 365 backup solution to protect your data and allow you to rapidly restore your organization’s data and systems following a cyberattack or ransomware attack. Download a trial or call us for a demo.

Interested in learning more about our latest release, Veeam Data Cloud, delivering Microsoft 365 as a Service? Click HERE to learn more.