Find your Office 365 Secure Score and see if your tenant is secure
Microsoft has released Office 365 Secure Score, think of it as a security credit score service for Office 365. Read on to see why this matters and how you can find your own ‘secure score’.
What is Office 365 Secure Score?
Office 365 Secure Score is a proactive security analytics tool. It shows how well you are adhering to security best practices and any potential shortcomings. The results are specific to your Office 365 tenant and how it's configured.
This isn’t a service you run once. It’s designed to track how complete your security configuration is and, over time, show improvements. Secure Score measures which controls you have implemented that reduce the risk of being breached.
To that end, Microsoft gives you a score and a set of actions to further improve your Office 365 tenant security. This means you can benchmark your environment and watch how it changes over time as you implement controls and your score goes up.
Here is how Microsoft describe the service:
Microsoft Office 365 Secure Score is a new data service that Microsoft is building to help our tenants understand the extent to which they have adopted robust security configurations, behaviors, and best practices. The experience places all of the existing security-relevant features of the service in one place and makes it easy to tell which things you have adopted or not, and then makes it easy to remediate the gap.
Getting started with Office 365 Secure Score
To start, Office 365 Secure Score has been released as a preview. It was announced on the Office 365 Network. It’s well worth reading the announcement for further details - Office 365 Secure Score Released to Public Preview.
You can access Secure Score here https://securescore.office.com.
The first time you visit the site you will get a prompt asking for rights to access your tenant. This prompt could do with improving: it's somewhat vague and asks for write access to the tenant, which should be explained. Treat it as you would any other consent grant and check who in your tenant is allowed to approve it. With this done you will be taken to the Secure Score dashboard.
Here is the welcome screen you first see, which I have put on four tabs. There is another one, not shown, that is a disclaimer that sets some expectations.
What can you do with Office 365 Secure Score?
What you will be first drawn to is the secure score for your tenant:
What does this score mean?
This panel gives you your current Secure Score, the total number of points available to you given your subscription level, the date your score was measured, and a simple pie chart of your score.
This is how the score is calculated:
- A full inventory is taken of all the security configurations and behaviours that customers can adopt to mitigate risks to their data in Office 365
- Each of those controls is evaluated for the extent to which it mitigates a specific set of risks, and awarded points accordingly. More points means a more effective control for that risk
- Finally, the extent to which your tenant has adopted the recommended controls is measured, the points are added up, and the result is presented as a single score
How Office 365 Secure Score helps you improve security
A score wouldn't be much use on its own, so Microsoft gives you a list of actions. These actions can help improve your security. If you implement some of these actions, they will be measured and your score will start to go up over time.
In the 'Take Action, Improve Your Score' section there is a slider. You can set it anywhere from your current score up to the maximum score, and the actions you would need to implement to reach that score are listed accordingly.
This animated Gif shows the different levels of security selected and the number of actions it would take to accomplish this:
The set of actions varies; here are some examples:
- Enable MFA for all Tenant Admins
- Enable MFA for all Users
- IRM protections applied to documents
- Enable Data Loss Prevention policies
- Set strong outbound spam policy
In the Score Analyzer dashboard, you can investigate your Secure Score over time (7 days, 30 days, 3 months). This has graphs and a list of actions, both completed and incomplete.
Improving your Secure Score
Secure Score isn't a passive service; it can be used to directly effect change in a tenant. In this example, the Enable MFA for all Tenant Admins action would enable the MFA control for admins.
You can see how this control is scored:
To reiterate, each of these actions implements a control that mitigates threats. The threats are split into these categories:
- Account Breach
- Elevation of Privilege
- Data Exfiltration
Microsoft have talked about giving every control a two-click remediation in future versions. For now, clicking Launch takes you to the multi-factor authentication portal, where MFA is enabled for the users concerned.
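To make the roll-up concrete, here is a small model of the three calculation steps above, the slider in 'Take Action, Improve Your Score', and the per-threat-category view. This is an added illustration and not Microsoft's scoring code: the control names echo the examples on this page, but the point values, threat tags, and which controls are marked as adopted are constructed for the example and do not come from any real tenant.

```python
"""Toy model of the Secure Score roll-up described above.

Added illustration only; not Microsoft's implementation. Point values,
threat tags and adoption flags are constructed and not from any tenant.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Control:
    name: str
    points: int            # more points = control mitigates its threat more effectively
    threats: tuple         # risk categories the control addresses
    adopted: bool = False  # whether the tenant has implemented it


# Step 1: the inventory of controls available to the tenant (constructed sample).
INVENTORY = (
    Control("Enable MFA for all Tenant Admins", 50, ("Account Breach", "Elevation of Privilege")),
    Control("Enable MFA for all Users", 30, ("Account Breach",)),
    Control("IRM protections applied to documents", 20, ("Data Exfiltration",), adopted=True),
    Control("Enable Data Loss Prevention policies", 20, ("Data Exfiltration",)),
    Control("Set strong outbound spam policy", 10, ("Account Breach",), adopted=True),
)


def current_score(inventory):
    """Step 3: points for the controls the tenant has actually adopted."""
    return sum(c.points for c in inventory if c.adopted)


def max_score(inventory):
    """Every point available at this subscription level."""
    return sum(c.points for c in inventory)


def score_by_threat(inventory):
    """(earned, available) points per threat category.

    A control tagged with two threats counts towards both, so the per-category
    figures are coverage indicators and do not sum to the overall score.
    """
    table = {}
    for c in inventory:
        for threat in c.threats:
            earned, available = table.get(threat, (0, 0))
            earned += c.points if c.adopted else 0
            table[threat] = (earned, available + c.points)
    return table


def actions_to_reach(inventory, target):
    """The slider: unadopted controls to implement, highest value first, until target is met."""
    score = current_score(inventory)
    if not score <= target <= max_score(inventory):
        raise ValueError("target must lie between the current and maximum score")
    chosen = []
    pending = sorted((c for c in inventory if not c.adopted), key=lambda c: c.points, reverse=True)
    for c in pending:
        if score >= target:
            break
        chosen.append(c.name)
        score += c.points
    return chosen


def score_changes(before, after):
    """Controls whose adoption flag changed between two measurements, with the point delta.

    This is the 'what changed' view a score drop needs: a negative delta names the
    control that was switched off.
    """
    earlier = {c.name: c for c in before}
    return [(c.name, c.points if c.adopted else -c.points)
            for c in after
            if c.name in earlier and earlier[c.name].adopted != c.adopted]


def adopt(inventory, name):
    """Return a new snapshot with the named control marked as implemented."""
    return tuple(replace(c, adopted=True) if c.name == name else c for c in inventory)


if __name__ == "__main__":
    print(f"Secure Score: {current_score(INVENTORY)} of {max_score(INVENTORY)}")
    for threat, (earned, available) in score_by_threat(INVENTORY).items():
        print(f"  {threat}: {earned}/{available}")
    print("Slider at 100 needs:", actions_to_reach(INVENTORY, 100))
    later = adopt(INVENTORY, "Enable MFA for all Tenant Admins")
    print("Changed since last measurement:", score_changes(INVENTORY, later))
```

With the constructed numbers the tenant scores 30 of 130; moving the slider to 100 lists the two MFA actions, and adopting the admin MFA control shows up as a +50 change between measurements. The slider picks highest-value controls first, which is a reasonable reading of the portal's behaviour but is an assumption of this model, not a documented rule.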
Office 365 Secure Score Closing Thoughts
Secure Score is a useful service. It brings together many elements of Office 365 security under one roof for the first time. Office 365 Secure Score already shows a lot of promise, and it will be interesting to see how it develops during the preview.
Microsoft have big plans for Office 365 Secure Score:
Over the coming months you will see us continue to add new controls, new measurements, and improvements to the remediation experiences.
There is a Microsoft Ignite session that will be worth checking out - Learn about Office 365 Secure Score: actionable security analytics. Also, you can discuss this new service on the Office 365 Network in this thread.
Since the Microsoft Secure Score team is specifically asking for feedback on the thread mentioned above, I thought I'd get a bit more specific.
I'd like to see notifications, so the tool proactively informs admins of any significant changes:
- When the score goes up but more importantly when it goes down
- What's changed that has affected the score
- When there are changes to controls, how they are measured or added
- Notifications in the portal as well as by email
- Emails similar to the current Azure Cloud App Discovery Reports and Azure AD Identity Protection Weekly Digest emails
I'd like to see Secure Score integrated with the Office 365 Security & Compliance portal, which I assume is a given. If any changes are initiated from Secure Score, I'd like to see auditing capabilities. This may fit into the existing Search & investigation section and Audit log search option.
This should show what change an admin made and when it happened. This has to be specific, in case a change has to be rolled back.
Scores have to be meaningful and take into account measures already in place on the tenant. For Secure Score to be credible, it has to be accurate and truly reflect the state of the tenant. As new Office 365 features are rolled out, Secure Score needs to have day 0 support measurements for them.
That's all the feedback I have for now. I'll update this section, as I have used Secure Score more and the service develops.