More and more people are switching to Office 365 because it is easy to set up and offers an accessible price point for Microsoft’s tools. As everywhere in today’s cloud landscape, it brings new challenges for data loss and leak prevention. Even with the newest security tools and compliance guidance, risks remain, but there are still ways you can protect your system.
Risks and Tips:
1. Default Admin mailbox could be accessed without authorization
When an account is created, it is given an admin mailbox by default, which is actually unnecessary: the admin account does not need to receive mail, only to administer the solution. To address this risk, simply remove the admin account’s mailbox.
2. If you have a free trial account for Office 365 that you later convert to a paid business subscription, take extra precautions to make sure you do not accidentally share your private, paid-subscription content with the trial account (and therefore the public). To check the URLs of the information being shared from the account, open them in different browsers and in anonymous (private browsing) mode, so you confirm what someone outside the subscription can actually see.
3. Encrypt your shared data to avoid leaked emails and mail tampering
To do so, force TLS. This is accomplished by navigating to Exchange -> Exchange Admin Center -> Mail Flow -> Connectors and specifying the domains for which you want to create connectors.
– As always, do not re-use passwords and, if possible, mix in other ways of verifying the authenticity of someone signing in, such as specific codes sent by text message.
– Apply session timeouts, which define how long a user can stay logged into the web portal before the system logs them out and forces re-authentication.
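The connector step in tip 3 and the session-timeout tip can also be applied from Exchange Online PowerShell. The following is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed, and `partner.example` and the admin UPN are placeholders.

```powershell
# Added example (not from the original post): force TLS for mail exchanged with a
# partner domain and set a web-session inactivity timeout in Exchange Online.
# Assumes the ExchangeOnlineManagement module; the domain and UPN are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

$partnerDomain = 'partner.example'   # placeholder: the domain you exchange mail with

# Outbound: Exchange Online only delivers to this domain over TLS, and only if the
# receiving server presents a CA-issued certificate whose subject matches the
# domain (DomainValidation is the strictest TlsSettings value).
New-OutboundConnector -Name "Force TLS to $partnerDomain" `
    -ConnectorType Partner `
    -RecipientDomains $partnerDomain `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain $partnerDomain

# Inbound: mail claiming to come from this domain is rejected unless the sending
# server negotiates TLS and presents a certificate for that domain.
New-InboundConnector -Name "Require TLS from $partnerDomain" `
    -ConnectorType Partner `
    -SenderDomains $partnerDomain `
    -RequireTls $true `
    -TlsSenderCertificateName $partnerDomain `
    -RestrictDomainsToCertificate $true

# Session timeout: sign users out of Outlook on the web and the Exchange admin
# center after one hour of inactivity and force them to re-authenticate.
Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutEnabled $true `
    -ActivityBasedAuthenticationTimeoutInterval 01:00:00

# Check: list any connector whose TLS requirement is missing or weaker than expected.
Get-OutboundConnector | Where-Object { $_.TlsSettings -ne 'DomainValidation' } |
    Select-Object Name, RecipientDomains, TlsSettings
Get-InboundConnector | Where-Object { -not $_.RequireTls } |
    Select-Object Name, SenderDomains, RequireTls
```

The final two queries are worth re-running periodically, since a connector edited later in the admin center can silently drop the TLS requirement.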
The Bottom Line:
Ultimately, sensitive data can leak within Office 365, so you should deploy a cloud access security broker (CASB) that supports cloud-based data loss prevention. Such a product can help identify sensitive data already present in OneDrive and SharePoint, along with sensitive data that is uploaded, downloaded, and/or shared.
A further risk is a user logging into an Office 365 app such as OneDrive, downloading sensitive data, and uploading it to an unsanctioned cloud app like a personal Dropbox. Deploying a CASB that detects activity and data usage across your cloud apps can help control this kind of data exfiltration. Your CASB should be able to see the details of all Office 365 traffic.
Deploy a CASB that can classify managed vs. unmanaged devices, so that the organization can bring that classification into policy and control activities based on it.