A lot of companies are migrating to Microsoft 365. Doing so has a number of advantages, but the migration process itself can be fraught with problems. One worry companies might have is keeping everything secure through the process. Here are some migration security measures to consider to ensure a smooth and secure switch to Microsoft 365.
Set up Multi-Factor Authentication
Multi-factor authentication is available in 365, but it is not a default for administrators. You should, thus, enable it for Global Administrators before starting to migrate data. This protects those accounts from bad actors, particularly internal ones such as disgruntled employees.
Keep global administrators to the minimum required for the migration. Instead, use lesser administrator roles within Azure AD to ensure role-based access control. All users should have multi-factor authentication enabled and you should encourage employees to use it, across all departments and regardless of the level of access they have. It should absolutely be mandatory for anyone with an admin role.
Turn on Logs and Alerts
The Unified Audit Log defaults to off and must be enabled by an administrator. You can find it in the Security and Compliance Center. The UAL logs events from the various applications and allows you to run queries. This can help you spot compromises or violations of company protocol
This is still something IT has to check, so you should also turn on suspicious activity alerts, which will proactively inform administrators if there is a potential issue. As a minimum, these alerts should be enabled for suspicious location logins and high levels of outgoing emails (which could indicate that somebody has been hacked and their account is being used to send spam).
Logs can be integrated into Azure Sentinel, Microsoft’s Security Information and Event Management tool, or, if you prefer, into a SIEM tool your organization is already using.
Use the Right Migration Security Method
Microsoft 365 provides several methods for migration. You should investigate these methods and establish which one is right for you from both a security and a user perspective. For email, Microsoft generally recommends a hybrid deployment, which allows you to use your existing on-premises Exchange organization on the cloud, with no changes to your experience or administrative controls. Make sure that, for example, you use Multi-Geo if you have employees in different countries.
Microsoft 365 encrypts data-at-rest at the application layer. Service encryption using Customer Key lets you control your own encryption keys. To encrypt a mailbox for the first time requires that the mailbox be moved, a process that can take several days.
Thus, it is much easier to deploy service encryption with Customer Key at the time of migration so that you don’t have to mess around with it later. The system encrypts all files in SharePoint Online, OneDrive for Business and Teams, as well as your Exchange Online mailbox and any text conversations with Skype for Business. If you have specific compliance issues, using Customer Key rather than Microsoft’s own encryption keys can help support them much better.
Additionally, use virtual machines encrypted with Azure Disk Encryption, and that if you are using Platform as a Service, you activate the Always Encrypted wizard in SQL Server Management Studio. With modern encryption, there is literally no reason to leave any files unencrypted; the performance impact is minimal to non-existent.
Follow Azure Security Center Recommendations
Administrators should start by familiarizing themselves with Azure Security Center, which provides unified security management across all of your services.
The Security Center provides its own recommendations based on your policy and regulatory requirements and performs continuous security assessments. Although this shouldn’t be considered a tool to guarantee compliance, following those recommendations does help you move in the right direction and provides a quick audit.
Enable Just-in-Time Access
Hackers love open ports. With just-in-time (JIT) access, the key port 3389 opens only when needed with the proper clearances. The access expires after a certain amount of time.
This helps prevent exploits that might come in through the open port and also helps secure role-based access. By enabling this prior to migration you can ensure that your VM is properly protected and those bad actors that probe for open ports can’t find a way in.
Enable Adaptive Application Controls
Shadow IT is a huge problem for some companies. Users, and even administrators, may install unapproved applications that create security holes or cause other problems, such as performance loss. Azure allows you to use dynamic allow lists to block attempts to run unwanted applications. You could also set up an alert system. It’s helpful to know what applications users may be trying to install so proper solutions can be provided. This can also block certain kinds of malware.
Enable File Integrity Monitoring
One common reason why VM’s fail is unintentional or malicious changes to system files. While role-based access reduces the changes made to system files, file integrity monitoring notifies you if changes are made to system files and registry settings, allowing you to then investigate whether a change was intentional/necessary or not.
Not everyone realizes that virtual machines are vulnerable to malware. If you are migrating an older virtual machine, in particular, it might not be well protected.
Microsoft provides its own antimalware solution for Azure Cloud Services at no extra cost, with automatic updates, and Azure Security Center will detect VMs that don’t already have endpoint protection. Alternatively, you can look into your own antimalware solutions. Make sure that existing solutions will continue to work on Azure, and if not upgrade or replace.
Secure Your Web Apps
Remember that on-premises networks often have strong firewall protection whilst the cloud, by definition, is more open to the internet. Ensure that any web apps you are migrating are properly protected. This might include using Azure Application Gateway’s own firewall or using Azure Key Vault to extract and protect sensitive information.
Learn More About Maintaining Migration Security
Migrating to Office 365 can be a great decision for your company, but it can also be a complicated one that can create security issues (or highlight ones that you were previously unaware of). The Cloud Adoption Framework can help with migration security to Microsoft 365 or another cloud provider. To find out more, contact Agile IT and find out how we can help you manage to migrate to Office 365.