Most organizations have moved to Office 365 or a different cloud provider. The protection of identities and data should be their number one priority as credential leaks are for example easier to abuse in a cloud environment. Microsoft implemented a lot of security settings and products in Office 365 where it depends on the license which setting or product you can use. Exchange Online Protection (EOP) is by default enabled for all mailboxes which may already be better than an on-premises Exchange environment.
Organizations should strive to optimize its security using a security maturity model. An example is the Cybersecurity Maturity Model from the U.S. government which can be used to receive a formal certificate. More information about the CMMC can be found at https://www.acq.osd.mil/cmmc/index.html. This maturity model isn’t specific to the cloud but the PDF on the site describes the different domains and levels which can be found in most maturity models. It will also provide information that can be used for the cloud.
A maturity model describes best practices regarding domains and what you should do to reach a higher level. For Office 365 and Azure it is advisable to create a baseline specific for your organization which states all the settings and the configuration of the environment. A baseline is an on-going document that needs to be updated periodically with newer settings and changes to current settings. It’s also important that you can easily verify if the environment is still compliant with the baseline. For Office 365 and Azure you can use scripting tools to automatically verify the configuration. Any changes should be handled using a documented process so updates can be approved, or changes should be undone.
I’ve written security settings that can be added to a baseline per product. It is possible to use these settings and PowerShell scripts to create your own baseline and report based on the baseline. Note that this list will never be complete as there are security settings being added or altered continuously.
Office 365 and Azure monitors and audits a lot of activities in the environment where an administrator should act upon. The difference between level 1 and 5 in a maturity model is the way that the organization can react to changes. The end user is in most companies still the person that reports issues in the environment. Using monitoring and acting on alerts you can pro-actively find issues. It is for example possible to identify issues in Office 365 that have been reported by Microsoft or when an email has been blocked by the DLP policy.
I’ve written a blog about Office 365 monitoring with actions an administrator should monitor to be able to reach a proactive maturity level. It depends on the processes an organization creates and documents if you really reach a mature level. There are many cases where lots of alerts are being sent to a shared mailbox, but nobody looks or acts on these alerts. Each type of alert should have a process with stakeholders assigned so administrators know what to do and who to contact.