The DHS has issued a memo essentially stating that some IT consulting firms and Managed IT service providers (MSPs) involved in Office 365 migrations are not properly securing the cloud productivity suite for customers.
The statement, from the US-CERT arm of the DHS, represents both a challenge and an opportunity for MSPs and MSSPs. On the one hand, such statements can give the overall IT consulting and IT services market a black eye. But on the other hand, partners that communicate the warning (and proper Office 365 security settings) to end-customers can likely differentiate themselves from others.
“Since October 2018, the Cybersecurity and Infrastructure Security Agency (CISA) has conducted several engagements with customers who have used third-party partners to migrate their email services to O365.
The organizations that used a third party have had a mix of configurations that lowered their overall security posture (e.g., mailbox auditing disabled, unified audit log disabled, multi-factor authentication disabled on admin accounts). In addition, the majority of these organizations did not have a dedicated IT security team to focus on their security in the cloud. These security oversights have led to user and mailbox compromises and vulnerabilities.”
US-CERT: Office 365 Cloud Security Recommendations
The DHS says IT consulting firms and customers can mitigate these risks by taking these five steps:
- Use multi-factor authentication. This is the best mitigation technique to use to protect against credential theft for O365 users.
- Enable unified audit logging in the Security and Compliance Center.
- Enable mailbox auditing for each user.
- Ensure Azure AD password sync is planned for and configured correctly, prior to migrating users.
- Disable legacy email protocols, if not required, or limit their use to specific users.
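
The checklist above, expressed as a read-only audit over an exported tenant snapshot. This is an added example, not code from US-CERT or the original article; the snapshot layout, the IsAdmin, MfaEnabled and LegacyProtocolException fields, and the severity ranking are assumptions made for illustration. It covers four of the five steps, since password sync planning is not visible in a settings export.

```python
# Added example: audit a tenant snapshot against the US-CERT checklist.
# The snapshot is constructed sample data. UnifiedAuditLogIngestionEnabled,
# AuditEnabled, PopEnabled and ImapEnabled mirror Exchange Online property
# names; IsAdmin, MfaEnabled and LegacyProtocolException are hypothetical.
import json

SNAPSHOT = json.loads("""
{
  "UnifiedAuditLogIngestionEnabled": false,
  "Users": [
    {"Upn": "admin@example.test", "IsAdmin": true, "MfaEnabled": false,
     "AuditEnabled": true, "PopEnabled": false, "ImapEnabled": false},
    {"Upn": "alice@example.test", "IsAdmin": false, "MfaEnabled": true,
     "AuditEnabled": false, "PopEnabled": true, "ImapEnabled": false},
    {"Upn": "scanner@example.test", "IsAdmin": false, "MfaEnabled": true,
     "AuditEnabled": true, "PopEnabled": false, "ImapEnabled": true,
     "LegacyProtocolException": true}
  ]
}
""")

# Assumed ranking: an admin without MFA outranks every other gap.
ORDER = {"critical": 0, "high": 1, "medium": 2}

def audit(snapshot):
    """Return (severity, subject, finding) tuples, most severe first."""
    findings = []
    if not snapshot.get("UnifiedAuditLogIngestionEnabled", False):
        findings.append(("high", "tenant", "unified audit log disabled"))
    for user in snapshot.get("Users", []):
        upn = user["Upn"]
        # A missing field counts as the insecure value, so export gaps surface.
        if not user.get("MfaEnabled", False):
            sev = "critical" if user.get("IsAdmin") else "high"
            findings.append((sev, upn, "multi-factor authentication disabled"))
        if not user.get("AuditEnabled", False):
            findings.append(("medium", upn, "mailbox auditing disabled"))
        legacy = [p for p in ("Pop", "Imap") if user.get(p + "Enabled", True)]
        # Legacy protocols are acceptable only for explicitly excepted users.
        if legacy and not user.get("LegacyProtocolException", False):
            findings.append(("medium", upn,
                             "legacy protocols enabled: " + ", ".join(legacy)))
    return sorted(findings, key=lambda f: (ORDER[f[0]], f[1]))

if __name__ == "__main__":
    for severity, subject, finding in audit(SNAPSHOT):
        print(f"{severity:8} {subject:24} {finding}")
```

The scanner account is not flagged because its IMAP access is recorded as an exception, which matches the recommendation to limit legacy protocols to specific users.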
Public cloud service providers (CSPs) have faced a growing list of cyberattacks. Not knowing the security implications, customers and IT consulting firms frequently leave customer databases wide open for viewing on Azure and AWS. Most errors involve customer misconfigurations rather than security issues or vulnerabilities at the CSPs.