
DHS Statement: Some MSPs, IT Consultants Weaken Office 365 Security


The Department of Homeland Security has issued a Microsoft Office 365 cybersecurity statement. The memo essentially states that some IT consulting firms and MSPs (managed IT service providers) involved in Office 365 migrations are not properly securing the cloud productivity suite for customers.

Twitter: @DHSgov

The statement, from the US-CERT arm of the DHS, represents both a challenge and an opportunity for MSPs and MSSPs. On the one hand, such statements can give the overall IT consulting and IT services market a black eye. But on the other hand, partners that communicate the warning (and proper Office 365 security settings) to end-customers can likely differentiate themselves from less reputable firms.

The DHS statement tactfully calls out some partners for dropping the cybersecurity ball on some Office 365 migrations, stating:

"Since October 2018, the Cybersecurity and Infrastructure Security Agency (CISA) has conducted several engagements with customers who have used third-party partners to migrate their email services to O365.

The organizations that used a third party have had a mix of configurations that lowered their overall security posture (e.g., mailbox auditing disabled, unified audit log disabled, multi-factor authentication disabled on admin accounts). In addition, the majority of these organizations did not have a dedicated IT security team to focus on their security in the cloud. These security oversights have led to user and mailbox compromises and vulnerabilities."

US-CERT: Office 365 Cloud Security Recommendations

The DHS says IT consulting firms and end-customers can mitigate the Office 365 configuration issues by taking five steps:

  1. Use multi-factor authentication. This is the best mitigation technique to use to protect against credential theft for O365 users, the organization says.
  2. Enable unified audit logging in the Security and Compliance Center.
  3. Enable mailbox auditing for each user.
  4. Ensure Azure AD password sync is planned for and configured correctly, prior to migrating users.
  5. Disable legacy email protocols, if not required, or limit their use to specific users.
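As an added illustration (not part of the DHS statement or this article), the script below audits an Exchange Online tenant against recommendations 2, 3 and 5 and applies the recommended settings only when run with `-Remediate`. It assumes the ExchangeOnlineManagement module is installed and the caller holds the Exchange administrator role; MFA (1) and Azure AD password sync (4) are Azure AD settings and are not checked here. The `$LegacyAllowed` list is a constructed placeholder.

```powershell
# Added example: audit Exchange Online against recommendations 2, 3 and 5.
# Read-only by default; pass -Remediate to apply the recommended settings.
param([switch]$Remediate)

Connect-ExchangeOnline -ShowBanner:$false

# 2. Unified audit log: tenant-wide switch behind the Security & Compliance Center.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is DISABLED"
    if ($Remediate) { Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true }
}

# 3. Per-mailbox auditing: every user mailbox should report AuditEnabled = $true.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$noAudit = @($mailboxes | Where-Object { -not $_.AuditEnabled })
foreach ($m in $noAudit) {
    Write-Warning "Mailbox auditing disabled: $($m.UserPrincipalName)"
    if ($Remediate) { Set-Mailbox -Identity $m.Identity -AuditEnabled $true }
}

# 5. Legacy protocols: POP3 and IMAP cannot carry MFA, so disable them unless a
#    mailbox has a documented need. $LegacyAllowed is a constructed placeholder
#    list of such mailboxes (empty here).
$LegacyAllowed = @()
$legacy = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { ($_.PopEnabled -or $_.ImapEnabled) -and
                   ($LegacyAllowed -notcontains $_.PrimarySmtpAddress) })
foreach ($c in $legacy) {
    Write-Warning "Legacy POP/IMAP enabled: $($c.PrimarySmtpAddress)"
    if ($Remediate) {
        Set-CASMailbox -Identity $c.Identity -PopEnabled $false -ImapEnabled $false
    }
}

# Summary object for the migration report or ticket.
[pscustomobject]@{
    UnifiedAuditLog     = $cfg.UnifiedAuditLogIngestionEnabled
    MailboxesNoAudit    = $noAudit.Count
    MailboxesLegacyAuth = $legacy.Count
}
```

Run it once without `-Remediate` to produce the findings list, then again with the switch after the customer has confirmed which accounts genuinely need POP or IMAP.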

Public cloud services providers (CSPs) have faced a growing list of cyberattacks. Office 365 customers, in particular, have faced Account Takeover Attacks, recent Barracuda Networks research states.

Moreover, end-customers and consulting firms frequently leave customer lists and other databases wide open for viewing on Microsoft Azure and Amazon Web Services (AWS). Most of these exposures stem from customer misconfigurations rather than from security issues or vulnerabilities at the CSPs themselves.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.