Microsoft has released the Office 365 Secure Score tool, currently in public preview. Secure Score analyzes your Office 365 tenant's security configuration, rating it against a series of weighted criteria and providing an overall “score” to represent how many of the available security controls you've adopted.
The scoring system is a refreshing change from the usual critical/warning/information ratings that sometimes distract customers from addressing real issues. Instead of responding by trying to address every “critical” issue, you can take the results of Secure Score and improve your score over time by implementing the recommended controls.
I ran the Office 365 Secure Score tool over a few of my demo and customer tenants. Here's a look at how Secure Score works. Note that at this time Secure Score checks 27 items, but Microsoft plans to add more, so if you start using Secure Score today and implement every recommendation, you can expect to see more later on.
First, go to the Office 365 Secure Score website, and log in with a global admin account. Naturally this tool needs some access to read information about your tenant.
The Secure Score dashboard tells me that this tenant scores 75, and is currently at risk of account breach, elevation of privilege, and data exfiltration.
Secure Score has set a target score of 341 for my tenant. You can move the slider all the way to the right and set a target score of 514 if you like. In doing so, more actions are added to the list (mine increases to 49 actions at that level) which means more work for you to achieve that score. Should you go for the maximum score every time? Not necessarily. As Microsoft says…
The full set of controls includes several that are very aggressive and will potentially have an adverse impact on your users’ productivity. Your goal should be to optimize your action to take every possible risk mitigating action while preserving your users’ productivity.
And that's where the Secure Score tool can start to be misapplied. If your approach to security is to aim for the maximum score, you're going to need to implement controls that aren't always a good idea. Let's take the example of mobile device controls. In the score analyzer view I can filter the list of actions to see which device controls I've already implemented in this tenant. Secure Score has given me some points because I have:
- Required device encryption
- Required device passwords
- Disallowed jail broken devices
- Disallowed simple passwords
- Enabled Office 365 MDM
A default Office 365 tenant has none of those controls, so it would not score as well. You might agree that those are reasonable controls to implement. But to score even higher there are some other security controls to consider, listed in the “Incomplete actions” view, such as requiring mobile devices to wipe after multiple sign-in failures.
That's one of my favorite examples of why not every security control should be turned on. If you implement that option in your mobile device policies, chasing the perfect Secure Score result, you're very likely to end up in a conversation with one of your users who lost all their family photos because their child got hold of their mobile device and started mashing buttons on the lock screen.
So we shouldn't just blindly implement everything. But of course, Secure Score is going to make a good number of recommendations that you determine are worth implementing. Back to my example tenant, I certainly don't want my account breached (which Secure Score is warning me about), so let's see what I can do about it. In the list of Account-related actions are a series of technical changes, as well as review tasks. Technical changes are those for which you can flip a switch or configure a feature, and you'll be scored accordingly. For example, enabling multi-factor authentication (MFA) for all tenant admins would score me an additional 50 points. Review tasks involve such things as periodically checking the role assignments in your tenant to ensure that they are still aligned with your users' responsibilities. In all cases, Secure Score provides a detailed explanation about why a control exists, what the recommendation is, and connects you to the appropriate admin portal to implement the recommendation.
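The two account-related items above, MFA for tenant admins and periodic review of role assignments, can be checked together from PowerShell. The script below is an added example written for this post, not something Secure Score or Microsoft provides; it assumes the MSOnline module is installed and that you sign in with a global admin account, and it uses the MSOnline cmdlet and property names (`Get-MsolRole`, `Get-MsolRoleMember`, `Get-MsolUser`, `StrongAuthenticationRequirements`) as they existed when this was written.

```powershell
# Added example (not from the original post): list every member of the tenant's
# Global Administrator role and report whether per-user MFA is enabled or enforced.
# Assumes the MSOnline module (Install-Module MSOnline) and a global admin sign-in.
Import-Module MSOnline
Connect-MsolService

# In MSOnline the Global Administrator role still carries its old name.
$role = Get-MsolRole -RoleName "Company Administrator"

$report = Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
    $member = $_
    $mfaState = "n/a (not a user)"
    if ($member.RoleMemberType -eq "User") {
        $user = Get-MsolUser -ObjectId $member.ObjectId
        # StrongAuthenticationRequirements is empty when per-user MFA is disabled;
        # otherwise its State is "Enabled" or "Enforced".
        $req = $user.StrongAuthenticationRequirements | Select-Object -First 1
        $mfaState = if ($req) { $req.State } else { "Disabled" }
    }
    [PSCustomObject]@{
        DisplayName  = $member.DisplayName
        EmailAddress = $member.EmailAddress
        MemberType   = $member.RoleMemberType
        MFAState     = $mfaState
    }
}

# The table doubles as the record for your periodic role-assignment review:
# anyone listed here who no longer needs global admin should be removed.
$report | Sort-Object MFAState | Format-Table -AutoSize

# Admins with no MFA are the ones the "Enable MFA for all tenant admins" action
# is about. Flag them for follow-up rather than silently enforcing MFA on them.
$noMfa = @($report | Where-Object { $_.MFAState -eq "Disabled" })
if ($noMfa.Count -gt 0) {
    Write-Warning ("{0} global admin(s) without MFA: {1}" -f $noMfa.Count, ($noMfa.EmailAddress -join ", "))
}
```

Two caveats when reading the output. The script only covers one role; run it for each admin role you care about (Exchange, SharePoint and so on), since Secure Score's "tenant admins" covers more than global admins. And it reports the per-user MFA setting; admins who are forced to MFA some other way (for example by a conditional access policy) will show as "Disabled" here, so treat the warning as a list to investigate rather than a verdict.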
When you've spent a few minutes exploring Secure Score, the value that it provides should be clear. Security is one of the top concerns for businesses when they are considering cloud services. The question is often asked, “Is the cloud secure?” For Office 365, and other cloud services, there is not a simple yes or no answer. Cloud services have a “shared responsibility” approach to security. Microsoft can secure the Office 365 datacenters, and protect your data in transit and at rest. But a lot of the responsibility for security falls on you, the customer. Security is not a single button you can press to enable it. Instead, security for your Office 365 services is the combination of dozens of technical controls, processes, and reviews that you as the customer need to implement. Office 365 Secure Score provides you with a wealth of information about what you should be doing to secure your tenant. In some ways, it is the “Office 365 security guide” that many people have been looking for.
Give Office 365 Secure Score a try and see for yourself. Do you think it's providing you with valuable information you can use to secure your tenant? Leave a comment below with your thoughts.