

Securing Email in a Cloud Environment


As with many technologies, organizations have been steadily moving their email environments from on-premises servers to the cloud. This transfers a portion of the risk and management of the service from the organization to the third party, most commonly Microsoft or Google. However, while these tech giants may have cybersecurity budgets a thousand times larger than the average business, properly configuring these environments still falls to each adopting organization.

According to data provided by Microsoft, 2020 saw an increase of 40.6 billion emails sent/received year over year. Additionally, there was a 148% increase in the number of meetings, a 45% increase in the number of chats, and a 66% increase in the number of shared documents. This uptick in cloud operations has expanded the attack surface and raised the target value for criminals, so whether you are in the cloud or considering moving there, hardening your cloud email platform has never been more critical.


A Changing Landscape

The way we do business changed in 2020 with the pandemic, and this trend is more likely to increase than decrease. If the HAFNIUM Exchange and SolarWinds breaches taught us anything, it is that no matter the size of the organization, from the Department of Defense to the local coffee shop, technology is vulnerable and attackers will use whatever avenue available to turn a profit.

The Microsoft 365 platform is the most widely used SaaS platform and is what we will focus on in this article. It offers the tools we need to protect our information; it is just a matter of knowing how to configure them for security. While this data may not sit behind our firewall, using these controls to build a layered security model that gives us the ability to identify, respond to, contain, and eradicate attacks has never been easier.


Implementing a Layered Cloud Security Model

Data is typically defined as having three states: data at rest, data in use, and data in motion. While we cannot cover all of Microsoft's control environment in one post, we can focus on some of the high-level controls at each of these data states. It is important to factor in what your license includes when purchasing and hardening your instance or tenant.

  • Data in transit, including mail attempting to enter our cloud instance, is inherently covered by Exchange Online Protection, with its anti-spam and anti-virus filtering. While the out-of-the-box configuration provides a good security baseline, it can be bolstered through custom policies and through the use of Sender Policy Framework (SPF) records, DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC).
  • For data in use and in transit, depending on licensing, Advanced Threat Protection (ATP) offers additional scanning of links and attachments. This includes a feature called zero-hour auto purge, which retroactively removes malicious files or links that had previously made it through the spam filter. ATP also works in storage areas such as Teams, SharePoint, and OneDrive to identify malicious documents moved to or created in the platform.
  • At the level of user access to information, Microsoft's information classification can apply labels to content, for example identifying a SharePoint folder that may contain Social Security Numbers and applying a specific label to that folder. Administrators can then create conditional access policies that restrict who may access this information, from which devices, and how, based on the conditions set. Conditional access policies can be tailored to your organization's security policies and should, perhaps most importantly, require multi-factor authentication for accessing any information.
  • Finally, for data leaving the platform, it is important to develop strong Data Loss Prevention (DLP) rules. Whether in 365 or through a third-party solution such as Zix, DLP is our last line of defense against data exfiltration. Rules within 365 can be set to notify, encrypt, or stop data from leaving the network based on, you guessed it, conditional access policies. 365 offers a bevy of default rules, such as GLBA and HIPAA templates, but also allows custom rules to protect information specific to your organization.
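The first bullet above says SPF and DMARC bolster the baseline, but only if the published records are actually enforcing. The following is an added example, not code from the original post or from Microsoft, that checks an SPF record and a DMARC record for the weak settings a reviewer looks for (a permissive or missing `all` qualifier, too many DNS lookups, `p=none`, no aggregate reporting). The two records are constructed samples for a hypothetical domain; in practice you would first fetch the TXT records for the domain and for `_dmarc.<domain>`.

```python
"""Check SPF and DMARC TXT records for weak settings.
Added example, not from the original post; the records below are constructed
samples, not live DNS answers (fetch TXT for <domain> and _dmarc.<domain> first).
"""
from __future__ import annotations

# Constructed sample records for a hypothetical domain
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

LOOKUP_PREFIXES = ("a:", "a/", "mx:", "mx/", "ptr:", "include:", "redirect=", "exists:")

def _is_lookup(term: str) -> bool:
    # Mechanisms and modifiers that cost a DNS query (RFC 7208 allows at most 10)
    t = term.lstrip("+-~?").lower()
    return t in ("a", "mx", "ptr") or t.startswith(LOOKUP_PREFIXES)

def check_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means nothing weak found."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()[1:]
    findings = []
    # The qualifier on 'all' decides what receivers do with unlisted senders
    all_q = next((t[0] if t[0] in "+-~?" else "+"
                  for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    weak_all = {None: "no 'all' mechanism; unlisted senders are not covered",
                "+": "'+all' lets any host send as this domain",
                "?": "'?all' (neutral) gives receivers no instruction",
                "~": "'~all' (softfail) only marks mail; consider '-all'"}
    if all_q in weak_all:
        findings.append(weak_all[all_q])
    lookups = sum(1 for t in terms if _is_lookup(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return findings

def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means the policy enforces."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v", "").strip() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p") == "none":
        findings.append("p=none only monitors; move to quarantine or reject")
    elif tags.get("p") not in ("quarantine", "reject"):
        findings.append("missing or unknown 'p' tag")
    if "rua" not in tags:
        findings.append("no 'rua' address, so aggregate reports are not collected")
    return findings
```

Run against the two sample records, the checker reports the softfail `~all` and the monitoring-only `p=none`, which is the typical state of a tenant that published records during migration and never moved them to enforcement.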


Creating the Right Condition

Conditional access gives administrators the flexibility to tailor rules that secure information and apply access controls, much like the Active Directory/Group Policy rules of a classic Windows domain controller. Administrators should use conditional access to enforce multi-factor authentication (MFA) wherever possible and to create strong remote-access rules governing who may access information and how. Conditional access is just what it sounds like: if a user meets a condition (e.g., MFA on a registered device), the corresponding level of access is granted. However, understanding what is going on in our platform is equally critical. That visibility comes from the “Alerts” tab in the Security Center. CIS and Microsoft recommend turning on a number of these alerts, but some to focus on are:

  1. Risky sign-ons
  2. Risky users
  3. When an eDiscovery search is made
  4. Creation of a forward or redirect rule
  5. When a large number of files are edited, deleted or renamed
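Item 4 above, creation of a forward or redirect rule, is worth understanding at the event level because an attacker who has phished one mailbox often adds such a rule to keep receiving mail after the password is reset. The following is an added example, not code from the original post or from Microsoft, that triages rule-creation events and flags only those that send mail to a domain outside the tenant. The events are constructed in a simplified shape modelled on Exchange mailbox audit records (an operation name plus Name/Value parameters); the field names and the internal-domain list are assumptions to map onto your own audit export.

```python
"""Flag mailbox rules that forward or redirect mail outside the organization.
Added example, not from the original post. Events are constructed in a simplified
shape modelled on Exchange mailbox audit records (Operation + Name/Value parameters);
the field names are an assumption, so map them to your own audit export.
"""
from __future__ import annotations

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's accepted domains
# Inbox-rule parameters that send a copy of, or divert, the user's mail
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Constructed sample events (not real audit data)
SAMPLE_EVENTS = [
    {"UserId": "alice@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "invoices"},
                    {"Name": "ForwardTo", "Value": "outside@mail.example.net"}]},
    {"UserId": "bob@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "to archive"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"UserId": "carol@example.com", "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "RedirectTo", "Value": "carol@example.com"}]},
]

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def external_destinations(event: dict) -> list[str]:
    """Return the external addresses a forwarding/redirect rule sends mail to."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return []
    hits = []
    for p in event.get("Parameters", []):
        if p.get("Name") not in FORWARDING_PARAMS:
            continue
        # A value may list several recipients separated by ';'
        for dest in str(p.get("Value", "")).split(";"):
            dest = dest.strip()
            if dest and _domain(dest) not in INTERNAL_DOMAINS:
                hits.append(dest)
    return hits

def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (user, external destinations) for every event worth an alert."""
    found = ((ev.get("UserId", "?"), external_destinations(ev)) for ev in events)
    return [(user, dests) for user, dests in found if dests]
```

Only Alice's rule is reported: Bob's rule merely files mail into a folder and Carol's redirect stays inside the tenant, which keeps the alert focused on the case that actually indicates exfiltration.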

Understanding what is going on, who is accessing data, and what is “normal” is crucial for being able to identify and respond to incidents. Depending on licensing, 365 has automated incident investigation and response to help administrators respond to specific event types.


Good Security Has Layers

The movie Shrek highlighted that ogres have layers, like onions. Like ogres, our email security should have layers as well. While configuring these layers can be labor intensive, there are many resources available from Microsoft Docs, CIS Hardening Guidelines, and even through SBS’ Office 365 Implementation Review to help you along the way. Ensuring the system is always operational is the main goal of IT and a main benefit of moving email to the cloud. However, ensuring its security should be right at the top of the priority list for any ISO.

The ability to protect our information at all three data states should be a focus in determining which license and controls are adopted based on the confidentiality, availability, integrity, and volume of our information. While risk will always persist in any environment, organizations should work to mitigate that risk using all the tools at their disposal. Luckily for us, those tools have never been more accessible.


Written by: Dylan Kreutzfeldt, Information Security Consultant
SBS CyberSecurity


SBS Resources:
SBS CyberSecurity has been helping organizations identify and understand cybersecurity risks to make more informed business decisions since 2004. If your organization is looking to better understand your cyber risk; build, maintain, or test your cybersecurity program; and make smarter, more informed cybersecurity business decisions, SBS can help.

  • {Service} Office 365 Implementation Review: Has your organization migrated to the Microsoft Office 365 (O365) platform? Is it secure? With the Office 365 Implementation Review, SBS will assess your instance of O365 and provide insight on improving the overall security configurations based on recommendations and standards from Microsoft, NIST, and CIS.
  • {Blog} FFIEC Releases New Cloud Computing Security Guidance: Do you ever find yourself thinking about cloud computing on a weekday afternoon, wondering if you have considered the appropriate risks? Do you worry that the contracts or vendor due diligence with the cloud vendors might not be enough? If only you had more comprehensive guidance that could point you in the right direction. Well, you are in luck! The Federal Financial Institutions Examination Council (FFIEC) issued a Joint Statement on April 30, 2020, titled “Security in a Cloud Computing Environment.”
  • {Tip Sheet} Microsoft Office 365 Security Suggestions: The suggestions included in this tip sheet are intended to provide ideas on improving the overall security of your instance of Microsoft Office 365.



Posted: Thursday, May 27, 2021
Categories: Blog