I am deeply convinced that moving to the Cloud – for most companies – will increase their security dramatically – I would even go so far as to say that a secure future without leveraging the cloud is no longer possible. However, it does not come “just for free”; you still need to know what you need and what you are doing.
Typically, the complexity for the customer decreases the higher you go up the stack: you obviously need to do more with Infrastructure as a Service than with Software as a Service, as the responsibility shifts.
So far so good, but this morning I read an article on a study by CISA (part of the DHS in the US), “Microsoft Office 365 Security Observations”, which shows that a lot of partners actually weaken the Microsoft security defaults. This is what they found:
- Multi-factor authentication for administrator accounts not enabled by default
- Mailbox auditing disabled
- Password sync enabled
- Authentication unsupported by legacy protocols
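As an added illustration (my own check script, not part of the original post or of the CISA report), a defender-side PowerShell run that reports the state of three of the four findings in a tenant. It assumes the ExchangeOnlineManagement and MSOnline modules are installed and that the caller holds a role allowed to read tenant configuration.

```powershell
# Added example: report the state of three CISA findings in an Office 365 tenant.
# Assumes the ExchangeOnlineManagement and MSOnline modules are installed and
# that the caller holds a role allowed to read tenant configuration.
Connect-ExchangeOnline
Connect-MsolService

# 1. Mailbox auditing: the tenant-wide switch and per-mailbox overrides.
$org = Get-OrganizationConfig
"Tenant-wide mailbox auditing disabled: $($org.AuditDisabled)"
$unaudited = Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.AuditEnabled }
"Mailboxes with auditing disabled: $($unaudited.Count)"
$unaudited | Select-Object -First 10 -ExpandProperty PrimarySmtpAddress

# 2. Legacy protocols that cannot carry MFA: POP/IMAP enabled per mailbox,
#    plus any authentication policy that still allows Basic authentication.
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled }
"Mailboxes with POP or IMAP enabled: $($legacy.Count)"
Get-AuthenticationPolicy |
    Select-Object Name, AllowBasicAuthPop, AllowBasicAuthImap, AllowBasicAuthSmtp

# 3. Global administrators without a per-user MFA requirement.
#    Caveat: Conditional Access policies enforce MFA without setting this
#    field, so an empty result here is not proof that MFA is missing.
$adminRole = Get-MsolRole -RoleName "Company Administrator"
$admins = Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId
foreach ($a in $admins) {
    $u = Get-MsolUser -UserPrincipalName $a.EmailAddress
    if ($u.StrongAuthenticationRequirements.Count -eq 0) {
        "Global admin without per-user MFA: $($u.UserPrincipalName)"
    }
}
```

Password hash sync (the fourth finding) is a directory synchronisation setting rather than an Exchange setting, so it is not covered by this script.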
I basically disagree with the complaint that password sync is enabled. We never sync passwords, only salted hashes, and the sync allows us to support you with account protection; it might even be the way to survive a ransomware attack.
But the rest… At least it is an interesting read.