Microsoft 365 Security and Compliance

Chris Bortlik (@cbortlik)
5 min read · Jun 25, 2021


This is part 5 in my Top 5 Emerging Trends in the Microsoft 365 Cloud Adoption Journey Blog Series

Overview

Security and compliance for Microsoft Office 365 is not a new topic. For the past 8+ years, my colleagues and I have been working with customers across a variety of industries to help them secure, govern, and protect their investments as they have moved from traditional on-premises servers (e.g. Exchange, SharePoint, Skype for Business) to Office 365 (and Business Productivity Online Services — BPOS before that). For example, I have regularly presented on this topic over the years at the SharePoint Conference, Microsoft Ignite, and various other events.

What has changed over the past few years is that customers continue to embrace the ability for their employees to work from anywhere, at any time, and on any device. COVID-19 has further accelerated this trend over the past 15+ months, as organizations of all sizes needed to move rapidly from working on site and on the corporate network to most employees working remotely from home.

As companies around the world begin slowly returning to the office, remote, flexible, and hybrid work options will remain an important trend for attracting and retaining employees who have become accustomed to working productively outside of the office.

Microsoft has continued to invest in our security and compliance offerings, and we are proud of the consistent positive feedback from customers, partners, and analysts including Gartner and Forrester.

While we work with customers on a variety of topics related to Security and Compliance, this blog post will focus on 2 primary scenarios that have been coming up repeatedly over the past year: Zero Trust and Information Protection.

Zero Trust

As customers have shifted away from the network as the primary security boundary (e.g. requiring employees and partners to be on the corporate network to access systems and resources) and toward anywhere access from any device (e.g. not just company-issued devices), Zero Trust has become a consistent industry theme and topic of discussion.

Mark Simos, Lead Cybersecurity Architect at Microsoft, has done tremendous work with his team over the past few years to create, maintain, and freely publish Chief Information Security Officer (CISO) Workshop Training.

Module 3 focuses on Zero Trust. The key principles of a Zero Trust strategy include:

Zero Trust Principles

A key concept that we discuss with customers is conditional and limited access policies and controls that put identity and device security and risk at the core. We can no longer rely on the fact that a device is managed, or even on our corporate network, to confirm that it, or the person using it, is trustworthy. Not only do we need to verify explicitly on initial access to a resource, we also need to continuously check and re-validate. For example, we may enforce additional policy requirements when accessing content that has been labeled and classified as “highly confidential”, or when a device or user account has become compromised.

Zero Trust User Access Controls
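The following is an added example, not code from the original post: two Conditional Access policies, defined through the Microsoft Graph PowerShell SDK, that make the access decision depend on sign-in risk and device compliance rather than on network location. It assumes the Microsoft.Graph module is installed and the signed-in admin may write Conditional Access policies; the group ID and policy display names are hypothetical placeholders.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph
# PowerShell SDK: Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Hypothetical emergency-access ("break glass") group. Always exclude it so a
# mis-scoped policy cannot lock every administrator out of the tenant.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

# Policy 1: a sign-in that Azure AD Identity Protection scores as medium or
# high risk must satisfy MFA, regardless of where the request comes from.
$riskPolicy = @{
    displayName   = 'CA01 - Require MFA for medium/high sign-in risk'
    # Report-only first: review the sign-in logs, then switch to 'enabled'.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users            = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @('All') }
        signInRiskLevels = @('medium', 'high')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: device posture as a gate. Access to any cloud app is granted only
# from a device that is Intune-compliant OR hybrid Azure AD joined; being on the
# corporate network alone no longer satisfies the policy.
$devicePolicy = @{
    displayName   = 'CA02 - Require compliant or hybrid-joined device'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy
New-MgIdentityConditionalAccessPolicy -BodyParameter $devicePolicy

# Check what was created and confirm both are still report-only.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Both policies are created in report-only mode on purpose: the sign-in logs show which requests would have been blocked, so the break-glass exclusion and the scope can be confirmed before the state is changed to enabled.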

Within Microsoft, we have been on the Zero Trust journey for several years and have shared resources and lessons learned from our own experience, as well as a Zero Trust Assessment tool and framework to help customers and partners benchmark where they are and plot their path ahead.

Information Protection

As organizations enable their employees to work more remotely — and collaborate with external customers, suppliers, and partners across a variety of cloud, on premises, and hybrid applications and services — detecting, classifying, and protecting information has become even more critical.

An area where I often spend considerable time with customers is explaining how Microsoft’s solutions for data loss prevention and information protection have evolved over the past few years. This includes technology Microsoft developed natively (e.g. Rights Management Services) and companies we have acquired and integrated (e.g. Secure Islands and Adallom).

I often whiteboard the evolution and unification of these solutions, which I eventually captured in the following Visio diagram:

Evolution of Microsoft Information Protection and Data Loss Prevention Solutions

This illustrates Microsoft’s execution of our broader strategy: a single, unified set of information classification labels and policies that can be used across Office 365 (e.g. Exchange, SharePoint, Teams, Microsoft 365 Groups), Office client applications (including Office Online and mobile apps), third-party cloud services (via Microsoft Cloud App Security), and endpoints/clients. This has been extended further to structured data sources via Azure Purview and to reporting in Power BI.

One practical and common example that I often review with customers is how these labels can be applied to services built on Microsoft 365 Groups (e.g. SharePoint Online team sites, Teams) to drive and enforce policy. In the following example, we have a label that classifies groups/sites/teams as containing competitive information. The label’s settings require that the group be private and block the ability to invite external/guest users.

Compete Info Label Applied to a Team
Information Provided to End Users Related to Label Purpose

Additional label settings also exist to enforce other policies including conditional or limited access to content from unmanaged devices.

Label Policy Requiring Private Label and Blocking External Users
Options to Enforce Conditional and Limited Access Policies Based on Label
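The following is an added example, not code or configuration from the original post. It builds the kind of container label described above with PowerShell: the group must be private, guests are blocked, and access from unmanaged devices is limited rather than full, then publishes the label, applies it to the Microsoft 365 group behind an existing team, and verifies the result. It assumes the ExchangeOnlineManagement module is installed, that the signed-in admin can manage sensitivity labels, and that labels have already been enabled for groups and sites (the Azure AD Group.Unified setting EnableMIPLabels = True, followed by Execute-AzureAdLabelSync). The label, policy, and group names are hypothetical placeholders.

```powershell
# Added example (not from the original post).
Connect-IPPSSession      # Security & Compliance PowerShell: label and label-policy cmdlets
Connect-ExchangeOnline   # Exchange Online PowerShell: Set-UnifiedGroup / Get-UnifiedGroup

$labelName = 'Compete Info'   # hypothetical label name

# Container ("site and group") settings for the label:
#   - Privacy Private                -> the team/group must be private
#   - AllowAccessToGuestUsers $false -> new guests cannot be added
#   - AllowLimitedAccess $true       -> unmanaged devices get browser-only access
# Exactly one of -SiteAndGroupProtectionAllowFullAccess, -AllowLimitedAccess,
# or -BlockAccess applies; pick the one that matches the intended posture.
New-Label -Name $labelName -DisplayName $labelName `
    -Tooltip 'Contains competitive information. The group is private and guests are blocked.' `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy Private `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false `
    -SiteAndGroupProtectionAllowLimitedAccess $true

# A label is only usable once it is published through a label policy.
New-LabelPolicy -Name 'Compete Info label policy' -Labels $labelName -ExchangeLocation All

# Apply the label to the Microsoft 365 group that backs an existing team.
$label         = Get-Label -Identity $labelName
$groupIdentity = 'pricing-strategy@contoso.onmicrosoft.com'   # hypothetical group
Set-UnifiedGroup -Identity $groupIdentity -SensitivityLabelId $label.Guid

# Verify: AccessType should now be Private and the group should carry the label.
Get-UnifiedGroup -Identity $groupIdentity |
    Select-Object DisplayName, AccessType, SensitivityLabel
```

Two caveats a practitioner should check: the unmanaged-device setting only takes effect when the SharePoint Online tenant-level unmanaged device policy and its matching Azure AD Conditional Access policy are in place, and blocking guests stops new guests from being added, so any guests already in the group should be reviewed separately.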

Industry and Horizontal Solutions

The final part of this blog series will focus on how we are working with customers across a variety of industries (e.g. Healthcare, Retail, Financial Services, Manufacturing) to map and apply Microsoft cloud solutions to their needs. This includes industry-specific scenarios (e.g. frontline workers in Retail and Healthcare) as well as horizontal use cases (e.g. Finance, Human Resources, and Corporate Communications departments) that span multiple industries.


Chris Bortlik (@cbortlik)

Works for Microsoft as a Principal Technical Architect at the MTC in Boston, MA. Author. Speaker. Blogger. Husband. Dad.