There are many roads an organization can take on its journey to the cloud. Whether you’re just starting to put your strategy and roadmap together, you’ve already moved your first workload, or you’re deeply entrenched in cloud services, it’s not too late to start thinking (or rethinking) about the foundation.
Microsoft makes it incredibly easy for organizations to turn on and light up new services within their Microsoft 365 tenant. This is, of course, by design and makes sense: SaaS providers want to make it as easy as possible for customers to start consuming their services.
Since the beginning of 2020, we’ve seen many organizations take advantage of this ease-of-enablement to continue normal business operations while adapting to a new hybrid workforce. Due to the unprecedented speed at which change has been required, there’s rarely time to think about the basics – resulting in reactive action instead of proactive strategy.
Regardless of the workload that is being enabled, “lit-up”, or adopted, there are some basic foundational items that need to be addressed to set up Microsoft 365 for long-term success.
Foundation 1: Security
Transitioning services and data to the cloud changes the approach to security and redefines the boundaries of the security perimeter: data is accessible on more devices and from more locations than ever before.
The modern workforce is also very adept with consumer-grade apps in their everyday lives. These apps are intuitive and offer easy-to-use interfaces. Employees expect enterprise apps to bring the same ease of use and availability so they can perform their jobs.
The natural challenge is that, in order to apply enterprise-grade security to enterprise apps, the user experience takes a hit. This needs to be addressed up front with a good adoption and change management plan to ensure users are educated and informed as new tools and services are rolled out. Change champion programs can be used to drive excitement and awareness.
At the security layer, Microsoft promotes a Zero Trust model: Verify explicitly, use least privileged access, and assume breach. The focus is on three main areas:
- Securing the Identity
  - Verify the identity with strong authentication
  - Ensure access is compliant and typical for that identity
  - Follow least privilege access principles
- Securing the Data
  - Define a label taxonomy that makes sense to users and meets business requirements
  - Ensure data is automatically classified and labeled
  - Inform and enforce policy decisions
- Securing the Device
  - Centrally enforce policies to cover endpoint security, device configuration, app protection, device compliance, and risk posture
  - Ensure the apps that run on the devices are securely provisioned, properly configured, and kept up to date
  - Containerize access to corporate data within protected apps
  - Ensure that all policy controls are in effect before the data is accessed
To meet organizations’ growing security concerns and requirements, here are a few of the capabilities that can be leveraged within Microsoft 365:
- Conditional Access
- Azure Multi-Factor Authentication
- Self-Service Password Reset
- Microsoft Identity Protection
- Azure Information Protection
- Microsoft Cloud App Security
- Microsoft Endpoint Manager
- Microsoft Defender ATP
- Azure ATP
- BitLocker
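The “verify explicitly” and “strong authentication” items above are usually implemented as a Conditional Access policy. The following PowerShell is an added example, not code from the original post or from Microsoft’s documentation. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in administrator holds the listed Graph permission scopes; the break-glass account object id is a placeholder. The policy is created in report-only mode so its effect can be reviewed in sign-in logs before it is enforced.

```powershell
# Added example (not from the original post): create a report-only Conditional Access
# policy that requires MFA for all users on all cloud apps, excluding one
# break-glass account. Assumes the Microsoft Graph PowerShell SDK is installed
# (Install-Module Microsoft.Graph) and the caller can consent to the scopes below.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder object id of the emergency-access (break-glass) account; replace with your own.
$breakGlassUserId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'CA001 - Require MFA for all users (report-only)'
    # Report-only: evaluated and logged, but not enforced, until the impact is reviewed.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassUserId)
        }
        applications = @{
            includeApplications = @('All')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Review step: list every policy still in report-only mode so the governance
# board can track which controls have not yet been moved to enforcement.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' } |
    Select-Object DisplayName, Id, State
```

Excluding a break-glass account is the least-privilege safeguard that keeps an administrator from being locked out if the MFA method or identity provider is unavailable; once the report-only sign-in data looks clean, the same policy object can be switched to the enabled state.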
A solid place to start is by analyzing your current Microsoft Secure Score. The Secure Score is a measurement of an organization’s security posture, found within the Microsoft 365 security center. It reports on the current state of the organization’s security posture, recommends how to improve that posture through discoverability, visibility, guidance, and control, and compares the posture with benchmarks to establish key performance indicators (KPIs).
Foundation 2: Compliance
Analyzing and understanding an organization’s need to comply with legal and regulatory standards typically applies across all Microsoft 365 services. Similar requirements will apply to Exchange Online, SharePoint Online, and Microsoft Teams (for example). Establishing a cloud adoption roadmap that includes a focus on compliance helps ensure organizational requirements are met from day one – without the need for a complete overhaul when additional workloads are enabled and adopted.
To meet compliance obligations in the cloud, Microsoft provides an array of integrated solutions, available across services, that address end-to-end compliance needs:
- Information Protection & Governance
  - Data Loss Prevention
  - Information Protection
  - Information Governance
  - Records Management
- Insider Risk Management
  - Communication Compliance
  - Insider Risk Management
- Discovery and Response
  - Audit
  - Data Investigation
  - Data subject requests
  - eDiscovery
As with the Secure Score, Microsoft provides a Compliance Score within the Microsoft 365 compliance center. It’s a risk-based score measuring progress towards completing Microsoft-recommended compliance actions.
Foundation 3: Governance
Office 365 governance builds upon the first two foundations, ensuring the organization can meet compliance requirements and enforce appropriate security controls, but now looks at incorporating the user’s ability to access and interact with tools and services.
There is always a balance between risk and benefit. Designing to meet compliance and security requirements without understanding and analyzing business goals and priorities is a recipe for low adoption and poor user experience. This lack of planning often results in shadow IT and users finding unsanctioned tools to perform their jobs.
Governance decisions should be built directly into the solutions being implemented. Microsoft 365 provides out-of-the-box features that can be turned on and customized to meet many requirements. When native features don’t go far enough, Microsoft provides a robust set of APIs that can be used to create custom solutions that meet most needs.
The following governance capabilities are built directly within Teams, SharePoint, and Microsoft Entra ID:
- Naming policy
- Expiration policy
- Guest Access policy
- Self-Service Site creation policy
- Domain allow / block policy
- Team and site sharing policy
Note: Don’t forget to create a governance board. Record decisions and meet regularly to review and refine policies and procedures. Microsoft releases features weekly, users continue to learn and discover new ways to interact with these tools and services, and threat actors continue to develop more sophisticated ways of targeting organizations.
Strategy Creates a Successful Foundation
A strategic approach to Microsoft 365 focusing on security, compliance, and governance creates a foundation for long-term success. With an established governance board, key decisions are made up front and can be applied holistically as new services and workloads are enabled. Policies can be re-evaluated over time, reassessed as new capabilities are delivered, and updated as new user stories are created. And finally, change champion programs should be used as an effective adoption and change management strategy for educating, exciting, and preparing the organization for what’s to come.