OFFICE 365 SECURITY REVIEW
Office 365 is a fantastic resource for the modern company. Our team has a thorough review process to assess all aspects and identify any threats or areas for improvement in your Office365.
If you have any concerns regarding your O365’s safety from threat actors or other potential issues, our team can help you with your Office 365 security controls.
Get In Touch
Office 365
Office 365 is a powerful tool that provides all sorts of business services from email to cloud storage, and it’s much more than just another productivity suite.
It provides more than just email and office productivity tools – with over 200 million active users worldwide who are constantly growing their products’ capabilities there really isn’t much missing when compared to Microsoft on-premises solutions (such as Exchange Server).
Is office 365 email secure?
Whether it’s applications, devices or storage including backups, these are the three main categories where email data resides. Before understanding whether Office 365 is secure or not, it’s important to understand the cloud model concept. Just like major cloud providers, Microsoft offers this product as part of a shared responsibility model in cloud computing. This means:
Cloud provider is responsible for security of the cloud
Tenant or organisation client is responsible for security in the cloud
As customers have control of user accounts, access, authentication and authorisation of O365 data, it is customer’s (tenant organisation) responsibility to maintain the security of their sensitive data. There are good security controls out of the box that come with Office 365, however, they are not auto-magically serving an organisation’s demands.
Common O365 security misconfigurations and vulnerabilities
Our certified security professionals will perform a review of the Office 365 configuration to identify misconfigurations that may have occurred. It is very common for potential threats to be found during this process, and our team will support the mitigation of these threats. Recent bugs i.e. actual vulnerabilities identified within the product had also increased the attack surface for Office 365 users. Some of these recent flaws include improper validation (CVE-2020-16875) and smart bypass issues (CVE-2020-171324). Common Office365 misconfigurations include lack of multi-factor authentication, password sync and mailbox auditing.
- Accounts and authentication policies
- Email security configuration and Exchange Online Protection
- Mobile Device Management Areas
- Data and secure storage management
- Application permissions
- Auditing configuration & monitoring controls
- O365 Active Directory related security concerns
Benefits of Office 365 Security Assessment
- Assurance that secure email strategy is effective
- Validation of Office 365 security controls
- Ensure strong authentication and data encryption practices
- Sufficient logging and monitoring to ensure readiness for security incidents
- User permissions review and add-ons review
- Minimise chances against account take over attacks and ransomware
Follow best security practices
Security reviews findings are mostly around areas described under common misconfiguration. As a standard best practice checklist, an Office 365 installation should follow the following areas:
- Unified Audit Logging
- Multi-Factor Authentication
- Privileged accounts management
- Protecting against malware using features based on subscriptions such as anti-phishing, auto-forwarding, ATP safe attachments and ATP safe links.
Microsoft Office 365 provides cloud resources, securing it is your responsibility.
Office365 Security Review Methodology
Our assessment approach involves benchmark based assessments as well as standard pentest methodology extended to include Microsoft cloud specific security concerns. We support industry-leading testing standards and methodologies:
- OWASP
- Mitre Att&ck Framework
- NIST SP 800-115
Identity and Access Management
This phase involves reviewing identity and access management related controls. Generally, these include checks on the use of higher privilege accounts, use of MFA, password policy, IAM policies, access keys and credentials usage policies
Review Authentication Architectures
Authentication and authorization problems are prevalent security risks. Most mobile apps or azure web applications implement user authentication. Even though part of the authentication and state management logic is performed by the back end service, authentication is such an integral part of most mobile app architectures that understanding its common implementations is important.
Network Security
This area involves checks around network security controls such as ingress, egress rulesets, flow logging, traffic restrictions, and least access privileges.
Logging API Calls, Events
All major cloud service providers offer web services that record API calls for tenant account. This information contains various parameters such as API source, calls details, requests/response elements. This phase includes a review of API calls for an account, log file validation, encryption at rest, access checks if logs are restricted from public view and access logging, configuration management and monitoring options.
Monitoring
The monitoring phase is one of the critical tasks responsible for alerting relevant contacts during an incident. This involves reliance on the logging and related configuration parameters to ensure right metric filters are in place. These reviews include checks for real-time monitoring configuration, alarms for any changes made to access control lists, security policy/groups, routing tables, and related parameters.
Our Cyber Security Testing Services
Network & Infrastructure Penetration Testing
- Protect your business against evolving network & infrastructure threats
- Check services, patching, passwords, configurations & hardening issues
- Internal, external, network segregation & device reviews
- PCI DSS, ISO 27001, GDPR Compliance support
- Helps shape IT strategy & investments
Web Application & API Pen Testing
- Assess real-world threats to web applications
- Validate secure design best practices against OWASP Top 10
- Timely check to avoid common pitfalls during development
- Ensure strong authentication, authorisation, encryption mechanisms
- Find loopholes to avoid data leakage or theft
Mobile Penetration Testing
- Assess real-world mobile app security vulnerabilities
- Validate secure design & configuration best practices
- Increased flexibility and productivity of users through secure mobile offerings
- Ensure strong mobile app authentication, authorisation, encryption mechanisms
- Find mobile app or device loopholes to avoid data leakage or theft
- PCI DSS, ISO 27001, Compliance Support
Cloud Penetration Testing
- Better visibility on cloud process aligning
- Secure validation of internal and third party integrations
- Support ever changing regulatory/compliance requirements
- Ensure strong authentication, authorisation, encryption mechanisms
- Demonstrate data security commitment
- Less is more – reduced costs, servers and staff
Digital Attack Surface Analysis
- Attack surface analysis to identify high risk areas and blind spots
- Improve your security team’s efficiency
- Streamline your IT spends
- Lower Risks and Likelihood of Data Breaches
