Every industry, regardless of size, is eager to realize the benefits of the cloud. The cloud providers’ ability to move from a Capital Expenditures (CAPEX) model to Operating Expenses (OPEX) is not all about upfront cost savings, which the cloud platforms offer. From experience, most clients’ digital transformation strategy is not based on cost vector, but rather the other benefits of agility and scalability the cloud provides in a very limited timeline.
It’s crucial to align the cloud strategy with the business goals and outcomes needed from consumers. From a security standpoint, it’s also important to know your regulatory and compliance needs and how that can be achieved in cloud platforms.
In a world where security breaches at large corporations dominate the headlines, the ambiguity that surrounds cloud computing can make securing the enterprise seem daunting for CIOs, CISOs and their colleagues. The challenge exists not in the security of the cloud itself, but in policies and technologies for security and control of the related technology. Although most enterprises are familiar with cloud, or at least the idea of cloud, pervasive misconceptions and misunderstandings about what the technology can still offer remain.
The naive belief that the cloud provider is entirely responsible for its customers’ security means that many enterprises are failing to address how their employees use external applications, leaving them free to share huge amounts of often inappropriate data with other employees, external parties and, sometimes, the entire internet.
Cloud providers’ Software as a Service (SaaS) model does not mean customers do not need a holistic program that covers people, processes and technology. Rather, this means the customer needs to know what needs to be fulfilled as part of their responsibility to secure these applications.
Designing a holistic M365 Security program
About 80 percent of M365 programs operate on default tenant configurations. The question is are these configurations secure by default. Microsoft provides tools like Microsoft Secure Score – are these scores applicable for all clients and environments?
One of the examples below shows the elements needed to design such an M365 security program:
Organizations implementing M365 programs can consider these six main priorities as they design what is fit-for-purpose.
First, the program must enable security from a policy and control standpoint vs. the enabling technology parameter alone. At the same time, organizations should seek to understand they need to have enough security coverage to safeguard their interest and mapping of technology controls to security principles is of most importance.
Please feel free to reach out to me on LinkedIn if you have any questions or would like to further discuss this program.