To Barbara—my friend, business partner, soul mate, and wife to whom I owe so much; I could never have written this book without your love and support.
Unlike most technical reviews, this one took a team approach, leveraging the talents of the internal team at KAMIND IT. This book lays out a collective and strategic security road map for businesses using Office 365. It brings together hard-earned “notes from the field” that the team at KAMIND IT has generated to help educate our clients as we support their goals for migrating to a secure environment based on Microsoft Office 365. Also, many customers attended KAMIND IT’s Microsoft Cloud Immersion Experience training and gave feedback and suggestions to further clarify how Office 365 security can be easily implemented.
I started writing this book in 2016. At that time, the European Union had just released the new requirements for data privacy. Businesses were being breached, and millions of data records were being stolen and sold. Large organizations such as Sony, Target, and Equifax had millions of records of information stolen and sold on the dark web. Privacy was in turmoil. Some online search companies were selling millions of records of information for revenue. I was concerned and wanted to help businesses that use Office 365 do so in a secure manner.
Fresh off of coauthoring two security books, I personally felt that there were no reasons for having data breaches on Office 365. I researched the problem and discovered that the issue was directly related to the Office 365 subscriptions that the users purchased and their configurations. I also discovered that there was a secondary problem: users and most IT professionals did not know how to configure Office 365 in a secure manner. So, my goal with this book was to produce a practical security guide that could be used by businesses and IT companies in the Office 365 community.
Office 365 is a cloud-based service based on familiar software that you know—the Microsoft Office suite. It simply works, and you don’t have to give up your intellectual property to use the service. Microsoft is adamant that the customer owns the data; Microsoft is only a custodian of the customer data, with a shared responsibility with the client. This is important. Not all cloud solutions are this forthright. My customers who use Office 365 have significantly reduced their IT service costs and their concerns in the areas of data security, compliance, and discovery. They reduce their IT costs because my company helps them choose the correct Office 365 licenses and helps them manage the security and logs.
This is a critical book of knowledge based on tried-and-true methods to deploy the services for Office 365. Office 365 is a secure service. The challenge was to write a book on a complex subject about security configurations in Office 365 and Azure cloud services and structure the book in such a way that any user could deploy Office 365/Azure securely. In some ways, I consider this a living book about security for Office 365. Not only does it cover the security of today, but given the changing nature of the tech world, the content will expand and evolve with newer tips and techniques through the blog at www.kamind.com/blog .
The problem has been how to present the information in a roadmap form that will help you build a secure solution for your company on Office 365. To do this I decided to use the Microsoft 365 E5 subscription along with an Azure Cloud Solution Provider (CSP) subscription and walk through the configuration process.
Security and compliance need to be a way of life as business becomes more digital. We need to look at the tools and how we run our businesses to determine how best to manage and secure them. The goal of the chief information security officer (CISO) and business owners is to protect and secure assets to increase business value. Security, Office 365, and Azure are all complex topics. I found the best way to describe this is to use one of the Microsoft simplified roadmaps that shows the security products and how they interoperate with each other. This chapter is an overview of the different security technologies and gives you the background. At the end of this chapter, you will have an understanding of the path we will follow on Office 365 and Azure security configuration.
Office 365 and Azure are complex. As an Office 365 administrator, you need to configure the Office 365 portion of security but also the Azure security services. In this chapter, we build out the Azure data collection portals and the dashboards that are used to monitor and collect data. The information services we configure are Log Analytics Services, Azure Security Center and Office 365 Admin and Compliance Center. As part of this chapter, we link Cloud App Security to start the data collection from Office 365 and the device endpoints. Security is about information collection and analysis. In this chapter, you will see how to set up the Office 365 Security & Compliance Center and Azure Security Center. At the end of this chapter, you will have configured the key cloud data collection services.
Security is a difficult topic to address with moving threats. How do you tell whether you need to do more (or even if you have done enough)? In this chapter, you will take a deep dive into your security score and the measures that you can use to configure your Office 365 tenant and Windows 10 Security Center. This chapter talks about the security metrics and how to measure against them. At the end of the chapter, you will have a Microsoft security score (composed of Windows 10 and Office 365) that can be used to manage your security profile and threats against your business in the cloud.
In this chapter, you will expand your learning by looking into the Enterprise Mobility Suite (EMS) from the viewpoint of identity management and information protection. Identity is how you manage information about the users and information protection is how you manage a user’s access to protect corporate data. These tools are important in the management of Office 365 and Azure. At the end of this chapter, you will have configured the necessary components required to set up Azure information protection services from the Microsoft 365 E5 suite. You will have configured a base line identity Management and Information protection services in Azure. The Azure integration is a key service that you can use to manage your digital assets.
How do you manage user devices in the enterprise today? The answer is with Windows Information Protection (WIP), Mobile Device Management (MDM) and Mobile Applications Management (MAM). This chapter walks you through the configuration of MAM, WIP and MDM to manage your environment for Office 365 and Azure. At the end of this chapter, you will have a configured solution for both MAM, WIP and MDM to manage your corporate data. This chapter concludes with some helpful suggestions on the management of the mobile applications in your environment.
Office 365 has a set of tools that are preconfigured for the compliance management of Office 365 through the Office 365 Security & Compliance Center. Office 365 includes a complete eDiscovery capability that offers all compliance managers the tools necessary to perform search discovery requests to meet the new regulation requirements. You are left with a “cookbook” on the deployment of the eDiscovery center and how to perform keyword searches across Exchange, OneDrive, and SharePoint.
The secret to a successful deployment to Office 365 is picking the correct plan that supports your business. Another key is the planning and purchase process. Once you select a plan, your primary consideration must be to ensure that the migration process is seamless for your organization. This chapter describes the basic purchase choices. It concludes with information about pre-deployment, deployment, and post-deployment.
This chapter describes the different administration centers in Office 365 and the most common tools that you will use to administer Office 365. Depending on your Office 365 plan, there are 15 possible administration centers that are used to manage Office 365 and Azure. This chapter focuses on the primary administration portals for your business. The chapter closes with showing you how to use PowerShell to manage your Office 365 tenant.
I want to share with you what I’ve learned over the years so that you can benefit from my mistakes. I’ve been fortunate in that my company is a Microsoft direct Tier 1 Cloud Solution Provider, Cloud Champion, and a multi-year Microsoft Partner award winner. We’ve learned a lot as an early cloud adopter and want to share our experience. I wanted to write the book with a combination of the “why” and the “how-to” so business owners, Corporate Security Officers and IT Managers will have a roadmap to protect your company’s digital assets. Good luck in your journey with the Microsoft Intelligent cloud!
I want to thank all of my customers who have spurred me on to write this book and have encouraged me to share what I have learned. To my editors, who kept me going even when it seemed impossible, I owe a special debt of gratitude: Nancy Chen, Joan Murray, and Gwenan Spearing. Thank you all.
A special mention must also be made to Justin Slagle, our Microsoft business development manager; Matt Soseman, security architect at Microsoft; and the countless support staff at Microsoft who have helped steer me in the right direction.
Robin Robins of Technology Marketing Toolkit has inspired me in so many ways, and I want to thank her for the countless opportunities she has opened up for me. Her support has been invaluable.
I also want to acknowledge my core team at KAMIND IT, which allowed me the time to write this book, especially Chris Speigel and Barbara Dawson. Your teamwork amazes me!
Brian Geraths, photographer extraordinaire, has also helped me in many ways. Thank you, Brian.
Last but by no means least, my wife, Barbara—I owe her so much for her encouragement and support.
Without the assistance of all these individuals and companies, this book would never have been written.
Matt’s focus on cloud solutions started in 2008, as he was looking at ways that businesses could grow quickly while still reducing operating costs. His interest in security began while working in Intel’s security division.
Matt holds a BSEE from the University of Michigan and an Executive MBA from the University of Oregon. His greatest satisfaction comes from helping customers and others become more competitive by scaling their businesses in an increasingly technology-driven world.
3.149.242.9