Categories: Tech Talk

Uncontrolled Access to Microsoft 365

When an organization moves its services into the Cloud, they are accessible globally. But how are the information assets protected, not only from bad actors but also from internal threats?

Microsoft 365 and other Cloud services have become a godsend for many organizations looking to move away from local infrastructure and the costs associated with managing and upgrading it. The Cloud provides organizations with convenient access anywhere, utilizing a truly pervasive platform that allows employees to access organizational data across the globe from a mixture of different devices, including workstations and mobile devices.

With this convenience comes the opportunity for scammers, hackers and other unscrupulous individuals to access the organization’s proprietary documents and correspondence, potentially causing serious financial or reputational harm to the firm.

Issues 

The issues begin with the ability of Microsoft 365 to provide versatile access from different devices. Although Microsoft supports many different devices, providing true mobile office connectivity on Windows PCs, Macintosh computers, mobile phones and tablets, Microsoft 365 by default does not distinguish between a corporately owned device and a privately owned one, whether that is a cell phone, an internet café PC, a business center PC or a home PC. When a user logs into Office 365, all functionality and access to data is afforded to that device, including caching of login credentials.

Most organizations would be aghast at letting an unmanaged workstation access their network and data. But that is exactly what happens at many companies. Ensuring a workstation encrypts its data and is running the latest service packs, security updates and anti-malware software is key to protecting a company’s information assets.

Another issue is that, with the correct license, Microsoft will allow a home PC or other device to install the Microsoft Office applications locally. Office applications like Word, Excel and PowerPoint may not store local data, but a lack of controls could expose them to malicious files that run scripts. Additionally, the inclusion of Outlook in the Office suite allows remote workstations to download a copy of all email and store it on the local machine. Thus, if files on the remote device get infected, they can easily transfer malware and other threats to the corporate environment.

Further, an Office software installation also installs OneDrive Sync, a local application that creates a copy of your OneDrive files and selected SharePoint libraries on the local PC and keeps them synchronized with the Cloud. Consequently, corruption or infection of a local file could result in that file becoming corrupted or infected in the Cloud. Another risk is that company data is now stored and replicated on that local, non-managed, non-corporate device.

Solutions 

Fortunately, Microsoft offers solutions to safeguard your organization’s data and system access, but these are not found in the basic business or enterprise licensing plans. To be truly covered, organizations need to adopt Mobile Device Management and Entra licensing, which are included in higher-end Microsoft licenses, such as Microsoft 365 E3/E5 and Microsoft 365 Business Premium.

Entra licensing provides your organization with the ability to create Conditional Access policies, which restrict or even control system access based on such parameters as a remote user’s location, the type of device they’re using, and whether that device is considered a corporate or private device. These policies can restrict the services that those remote devices can access, while also enforcing rudimentary requirements, such as local encryption, minimum service pack levels and even the presence of valid anti-malware software.
</gre_replace>
<gr_replace lines="27" cat="clarify" orig="Mobile Device Management">
Mobile Device Management, better known as Intune from Microsoft, provides organizations with the ability to control and manage mobile devices and workstations. Policies can be structured to control the applications that mobile devices and workstations access, while providing mechanisms for destroying corporate data on private devices if the individual is dismissed or otherwise separates from the organization.

Mobile Device Management, better known as Intune from Microsoft, provides organizations with the ability to control and manage mobile devices and workstations.  Policies can be structured to control applications that mobile devices and workstations access, while providing mechanisms for destroying corporate data on private devices, if the individual is dismissed or otherwise separates from the organization.   
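The two paragraphs above describe the combination in practice: Intune marks a device compliant (encryption, patch level, anti-malware present) and a Conditional Access policy then grants access only from such devices. The following is an added example, not code from the original post, showing that policy created through the Microsoft Graph PowerShell module; it assumes the module is installed, that the signed-in admin holds an Entra ID P1-capable license, and that the excluded object ID is a placeholder for an emergency-access account.

```powershell
# Added example (not from the original post): a Conditional Access policy that
# grants access to all cloud apps only from devices Intune reports as compliant
# or that are Microsoft Entra hybrid joined. Unmanaged home PCs, internet café
# PCs and private phones fail both checks and are denied.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName   = "Require compliant or hybrid-joined device for all apps"
    # Report-only first: sign-in logs show what would be blocked without
    # blocking anyone. Switch to "enabled" after reviewing the impact.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            # Placeholder object ID: an emergency-access (break-glass) account
            # that must stay reachable even if device compliance breaks.
            excludeUsers = @("00000000-0000-0000-0000-000000000000")
        }
        applications   = @{ includeApplications = @("All") }
        # Apply to browsers, desktop/mobile Office clients and legacy clients.
        clientAppTypes = @("all")
    }
    grantControls = @{
        # OR: either control satisfies the policy.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The report-only state is what lets you find devices (and users) that would be cut off before enforcement is turned on.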

Implementing solutions such as document labeling and classification, data loss prevention, and other tools to monitor and control specific content should be considered by any organization that deals with sensitive data. With these controls, certain functions can be denied on sensitive data, including the ability to download, print, edit or even forward it. Policies can also be enacted that control the distribution of sensitive content.

Azure Virtual Desktop can also be a solution for safely granting remote and non-company-owned resources full access to company data. With Azure VDI, for example, users run virtual applications in the Cloud, and all data and application access is maintained and managed in the Cloud, so no corporate data is downloaded to the local workstation. Users get the full application experience as if they were on a corporate PC, along with tight controls over the data they are accessing.

Microsoft provides a myriad of tools and technologies to control access to your Cloud environment and to manage your data access and storage. But they only work if your organization invests in that technology and deploys it.

Trained eMazzanti professionals can help you assess your vulnerabilities and risks regarding leakage or corruption of information and other issues. Ultimately, the value of your information, and the critical risk of that information being lost or compromised, should drive your decisions to adopt a more secure and controlled Cloud environment.

Greg Smith
