Setting up your cloud security guardrails in Microsoft 365: Challenges and tips for getting them right

Microsoft 365 Cloud Image Featured 20 1

Setting up cloud security guardrails is an essential part of every Microsoft 365 implementation. We explain the common challenges to building cloud security solutions and provide recommendations.

​​Setting up cloud security guardrails ensures your users can safely access the tools and systems they need to do their work without causing a data breach or some other costly security issue.

Broadly speaking, a security guardrail is any mechanism that prevents security vulnerabilities or risks. When it comes to any cloud environment, risks are pervasive.

In its 2022 report on the cost of a data breach, IBM security found that 83% of the organizations surveyed have had more than one data breach, and more than half of those (45%) were cloud-based. This is not surprising—the study also showed that nearly half (43%) of the organizations surveyed were either in the very early stages of securing their cloud environments or had done nothing at all. 

While breaches in the public cloud were far more costly than those that occurred in hybrid cloud environments, these results underscore the need for good security guardrails for any organization operating in the cloud, regardless of the type of cloud services it’s using.


Figuring out upfront what security controls you need

One of the core challenges to securing your network is ensuring you have control over what and who is connecting to the corporate network. While most cloud providers offer built-in security controls, the task of setting them up falls to you, the customer. This is why you need to know from the start all the aspects of your system that you must protect and the level of protection they require so you can set up your guardrails effectively.

For Microsoft Teams, for example, you’ll want to develop a plan for governance upfront because rolling out new policies across an entire organization later can be very difficult and risks locking at least some of your users out of the systems they need to access.   

Carrying out a risk assessment prior to implementation is ideal. But it can also be conducted at any time to help you identify vulnerabilities in your deployment and take the necessary steps proactively to eliminate them. Risk assessments start with an audit of your cloud architecture to find any gaps, the security controls deployed and how efficiently they’re currently operating. This type of audit is usually conducted by security teams, and the results they provide will help you decide what kinds of guardrails you need to strengthen your cloud security.


Choosing guardrails that balance security with users’ needs

Guardrails are essential to achieving the right balance between making sure your applications are accessible to the users that need them while at the same time, protecting your organization from the multitude of security risks inherent in the cloud environment. Some of the most common cloud-related security risks include: 

  • Phishing
  • Malware
  • Ransomware
  • Data leaks and breaches

There are many guardrails that as an administrator you can set up in your Microsoft 365 deployment to help mitigate risks when users are interacting with their applications and the network. Password management and configuring access privileges based on the principle of least privilege—the practice of restricting access to only those users,  applications, and resources required to perform legitimate functions—is a prime example.

In addition to setting guardrails at the application level, Microsoft Azure provides a wide array of security options and the ability to customize them to meet your organization’s deployment needs.

While it may be tempting to apply a thick blanket of security policies, you should instead refine the scope of your guardrails by examining your system in a more granular way.

 It’s important to find the right balance between security and your users’ ability to access the system. So, you don’t want to focus only on the data you need to protect, but also look at who needs to access the data stored in different systems within your organization. To do this, you’ll need a data classification scheme to identify your most sensitive and critical data, a solid plan for provisioning, and a well-conceived system for ​​​​​​​identity and access management.

“I think you can allow self-serve, but you need to have some guardrails around that. And that means, for example, you can still have an approval process, but make sure it’s automated, smooth, and quick, and implement a lot of the technical controls in the back end in an automated way.”

Microsoft MVP Joanne Klein

With the right combination of Microsoft 365 cloud security guardrails and Azure policies, you can fine-tune the security of your security Microsoft 365 implementation to keep things running smoothly, without friction, and without locking down the entire system.​​​​​​​


Not knowing about (or taking full advantage of) Azure’s security features

Azure provides a number of security capabilities through various services designed to make it easier to set up cloud service guardrails. Taking advantage of these capabilities will not only reduce your risk but also the security debt associated with addressing issues after they occur. Azure ​​​​​​​​​​​​​organizes its security capabilities into the following six functional areas:

  • Operations
  • Applications
  • Storage
  • Networking
  • Compute
  • Identity 

Let’s take a closer look at just a few of these capabilities and how they can enhance your cloud security.

With regard to networking, Azure offers a built-in network layer that provides the basis for your network security by allowing you to control access to your network to ensure that the only users and devices accessing them are those that are authorized. 

In the applications area, the Azure Application Gateway offers a built-in web application firewall (WAF) that protects your web applications from many of the most common vulnerabilities. And, ​​​​​​​Azure’s App Service helps you more securely manage authentication and authorization while making it easier for users to authenticate to the applications they need.

For identity, Azure Active Directory simplifies the management of users and groups and helps to secure access to data stored in the cloud with features like single sign-on, multifactor authentication, and conditional access.


Safely sharing information in the cloud

Some of the most significant risks in cloud security involve unmonitored guests and external sharing of files or access to your systems. These include:

  • Sharing files with recipients that are not verified (if their devices or network are compromised, the files you share could be intercepted in transit). 
  • Intentional or unintentional sharing of sensitive data or personally identifiable information (PII).
  • Sharing data and information over devices or through unapproved devices or applications that do not have appropriate, enterprise-grade security features (a practice called shadow IT).

Microsoft recommends keeping self-service features like guest access and external sharing turned on for improved adoption and collaboration (and we agree!). However, doing so without a good governance plan can lead to a higher risk of security breaches due to improper sharing of access to your company’s Microsoft 365 environment. The solution here is to understand how to safely invite external collaborators into your Microsoft 365 tenant.


Cloud security guardrails recommendations

Institute a Zero Trust security posture

Zero Trust is an IT security strategy that requires rigorous authentication and frequent evaluation of every user and device before allowing them access to data or other resources in your network. The core tenant of the Zero Trust model is to “never trust, always verify.”

Designing a Zero Trust architecture can provide a strong foundation for cybersecurity in a hybrid environment because it can adapt to the complexity of a remote and mobile workforce, protecting not only your network, but also devices, applications, and data no matter where they’re located.

Meeting compliance requirements in regulated industries

When operating in the cloud, meeting regulatory requirements (also known as “cloud compliance”) in such industries as finance, healthcare, and government, can be a challenge with so many different local, national, and international laws.

There are a number of best practices you can implement to make cloud compliance easier. These include encryption, privacy by default, the principle of least privilege, and Zero Trust. Fortunately, most of the leading cloud providers, including Azure, offer well-architected, modular frameworks to help organizations more easily build resilient and secure applications on their platforms.

Identity management in your cloud environment

Identity management includes policies and technologies that are implemented across the entire organization to prevent unauthorized access to systems and resources, which can lead to a whole host of security breaches. A well-designed identity management system will identify, authenticate, and authorize individual users, user groups, and applications, granting access rights and imposing restrictions based on their identities and the security policies you have in place.  

Microsoft Azure security center

Microsoft Azure Security Center offers a set of tools for monitoring and managing the security of the cloud computing resources you use in Microsoft Azure. Features include policy configuration, data collection to ensure policies are enforced, and alerts when security threats are detected. Azure Security Center also provides several recommendations for creating Azure security policies based on different aspects of your organization’s cloud security needs, including:

Automated monitoring

Continuous monitoring of all activity in the cloud allows you to quickly detect and mitigate threats in real-time. You should configure automated monitoring based on the cloud security guardrails you have in place to ensure that any and all deviations are detected and to automatically notify your IT or security teams to investigate.

For Microsoft 365, ensuring compliance and never compromising security is easy with a third-party tool like ShareGate, which provides ​​​​​​​a centralized platform to manage and secure everything in one place so your IT team doesn’t have to manually look for security flaws!

What did you think of this article?

Recommended by our team

Getting started is easy

Try ShareGate free for 15 days. No credit card required.

Spot Icon Smiley Cool

MVP ROUNDTABLE Get expert insights to increase M365 productivity