Digital Transformation Today

Microsoft 365 Security and Compliance – 5 Ways to Get You Closer to Your Goal


Here at Withum, we’ve been helping clients reach their compliance and regulatory goals. Our audit and cybersecurity experts produce SOC reports and have talked at length about NIST 800-171 and the September 2020 Cybersecurity Maturity Model Certification (CMMC) requirements. In this blog, we’d like to highlight five ways Microsoft 365 supports your compliance journey.

1. Move Your Data to the Cloud

While this seems obvious and most clients are well underway, we still see file servers and database-driven applications running on-premise. Once you are leveraging the cloud, Microsoft’s datacenters address most of your compliance requirements for you. Take NIST 800-53 as an example. When clients use Microsoft 365, Microsoft helps you manage 79% of the 1,021 controls, so you only need to focus on implementing and maintaining the remaining 21%. You save a lot of time and effort, and you benefit from the shared responsibility model of cloud compliance. By contrast, if you were running the same services on-premise, you would need to implement and maintain all 1,201 controls yourself. If you still have files on site, check out our recent blog, Marching to the Cloud – File Share to OneDrive Migration Tips.

2. Microsoft 365 Compliance Score

Compliance Score is a portal for IT and Security staff that helps simplify the way you manage compliance by recommending actions you can take to comply with industry regulations and standards.

Microsoft 365 will provide an initial score based on common regulations and standards. You can then make the Compliance Score more powerful by creating assessments that are relevant to your organization. When we begin our compliance projects, we use the Compliance Center as a baseline, and as we drill down into the implementation of these controls, we check back often to see how the score has improved. It provides some glimmer of inspiration for the consultants performing the tasks!

3. Data Classification

Now that we have our data in the cloud, how do we know what is classified and needs to be controlled? First apply sensitivity labels (a label for financial data, for example), and then use the Content explorer to discover the labelled financial data in emails and files.

Today the Content explorer covers Exchange, SharePoint and OneDrive; Windows endpoints, web applications and Microsoft Teams will soon be explorable automatically as well. Yes, your chats are discoverable. Supported file types will also include PDFs, and native connectors to third-party systems will be available soon. Microsoft is also developing new trainable classifiers that identify specific content types, source code for example.
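The first step above, creating a label and publishing it so users can apply it, can be scripted with Security & Compliance PowerShell. The following is an added example, not code from the Withum post or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Compliance Administrator role, and the label and policy names are placeholders you would replace with your own.

```powershell
# Added example (not from the Withum post or Microsoft docs): create and publish a
# "Financial" sensitivity label with Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; an account with the
# Compliance Administrator role; the label and policy names are placeholders.

# Connect to Security & Compliance PowerShell (interactive sign-in).
Connect-IPPSSession

# 1. Create the label only if it does not already exist (idempotent re-runs).
$labelName = "Financial"
if (-not (Get-Label -Identity $labelName -ErrorAction SilentlyContinue)) {
    New-Label -Name $labelName `
              -DisplayName "Financial" `
              -Tooltip "Financial records: statements, forecasts, payroll"
}

# 2. Publish the label to all users so it appears in Office apps and Outlook.
#    Until a label is published, nobody can apply it and Content explorer
#    has nothing to find.
$policyName = "Financial Label Policy"
if (-not (Get-LabelPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-LabelPolicy -Name $policyName `
                    -Labels $labelName `
                    -ExchangeLocation All
}

# 3. Verify: show the label and the policy that publishes it.
Get-Label -Identity $labelName | Select-Object Name, DisplayName, Guid
Get-LabelPolicy -Identity $policyName | Select-Object Name, Labels, ExchangeLocation
```

Once users (or auto-labelling, if you configure it later) have applied the label, the Content explorer in the compliance center lists the labelled items per workload, which is the view the post refers to.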

4. Insider Risk Management

Security activities traditionally protect against outside threats, but what about potentially nefarious actions by our own staff? Insider Risk Management applies machine learning to the Microsoft 365 audit logs to track and report suspicious activity through built-in alert policies. In this example, a user shows a pattern of sending unusual emails, which the policy flags so that it can be investigated and stopped.

Check out this Microsoft documentation to learn more about Insider Risk Management with Microsoft 365.
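Because the alerts are derived from the unified audit log, it is worth confirming that the log is actually being populated and looking at the raw mailbox activity the policies reason over. The script below is an added example, not code from the Withum post or from Microsoft's documentation; it assumes the ExchangeOnlineManagement module, an account with the Audit Logs role, and uses a placeholder mailbox address.

```powershell
# Added example (not from the Withum post or Microsoft docs): confirm that the
# unified audit log, which Insider Risk Management reads, is switched on, then
# pull a week of Exchange mailbox audit records for one user and summarise them
# by day and operation.
# Assumptions: ExchangeOnlineManagement module installed; an account with the
# Audit Logs role; the mailbox address below is a placeholder.

Connect-ExchangeOnline

# 1. Insider risk signals are only as good as the audit log feeding them.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is disabled; enabling it."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Retrieve mailbox (ExchangeItem) audit records for the user over 7 days.
#    ResultSize caps a single call at 5000 records; widen or page if you need more.
$user  = "user@example.com"   # placeholder
$end   = Get-Date
$start = $end.AddDays(-7)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                                  -UserIds $user -RecordType ExchangeItem `
                                  -ResultSize 5000

# 3. Summarise by day and operation. A sudden jump in Send / SendAs counts on
#    one day, compared with the user's normal baseline, is the kind of pattern
#    the built-in policies surface as an alert.
$records |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json   # AuditData is a JSON string
        [pscustomobject]@{
            Day       = $_.CreationDate.ToString("yyyy-MM-dd")
            Operation = $d.Operation
        }
    } |
    Group-Object Day, Operation |
    Sort-Object Name |
    Select-Object @{ n = "Day/Operation"; e = { $_.Name } }, Count
```

Turning on ingestion does not backfill history, so the policies only see activity from the point you enable it; check this early in a compliance project rather than when the first incident arrives.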

5. Application Compliance

Let’s look at the big picture for our last topic. How can you trust that all the applications in use are safe and secure? Microsoft Cloud App Security analyzes internet traffic to give you insight into every cloud service in use. In this example, we see that cloud storage accounts for the bulk of our bandwidth, with 48 cloud storage services used by our staff of 457.

Microsoft also scores the risk of each app using a 1-10 rating. Here, we have sorted by the lowest-scoring applications. We can drill down and see why they rank so low.

Cloud App Security also alerts us if one of our application providers has had a breach, and if any of our users may be impacted.

On a final note, we find that our clients are often unaware that they already have baseline security and compliance capabilities (eDiscovery, for example) in their Microsoft cloud subscriptions. You may be thinking of buying a more expensive and less integrated third-party solution, or you may not be aware of the add-on licensing and premium plans that unlock higher levels of compliance within Microsoft 365. Contact us to define the optimal cloud subscription for your compliance journey.

