News

Office 365 Now Offers Security Scores and Assesses Risk

Microsoft has unveiled a new Secure Score feature for Office 365, enabling organizations to score their Office 365 security postures based on what settings are applied to their accounts, data and devices.

The Secure Score feature, announced Friday in advance of this week's RSA security conference in San Francisco, is designed to help organizations assess how their Office 365 security controls rank based on their own and other compliance requirements.

Secure Score aims to encourage habits that will ensure better security by helping Office 365 administrators discover all the security features and best practices available. However, if widely adopted, the feature could have other implications since the data will be matched against all other Office 365 customers, allowing outside regulators and insurance underwriters to assess an organization's risk profile.

Initially, only global administrators will have access to Secure Score. However, Microsoft said it plans to let them delegate it to other domain admins over time. The tool doesn't require any configuration, according to a four-minute video presentation by Brandon Koeller, principal Office 365 program manager lead at Microsoft.

Each organization's score is calculated based on controls available in Office 365 versus what a specific customer has set up, Koeller explained. The tool gives points based on the total number of controls implemented, including partial ones. In Koeller's demo, the total score was 93 points based on a total potential score of 243. Customers can also see how they rank against others, though Koeller pointed out that "there are millions of organizations of all type sizes and sophistication that are included in that calculation."

The service also shows a target score based on using every control available, even those not available to a specific administrator. At the same time, administrators need to balance user impact to ensure controls don't hamper productivity or, worse, tempt employees into looking for ways to circumvent them altogether, Koeller noted.

"It is important not to encourage shadow IT by being too restrictive but to encourage the right behavior," he said.

To find that balance, clicking on the Secure Score's "learn more" button will render a remediation pane that describes the intent of each control and its potential impact on users.

Using the tool's Score Analyzer feature, administrators can create reports over time and import data to a .CSV or .PDF file. In addition to providing impact analyses, Secure Score offers suggestions to improve security while also emphasizing controls with the lowest end-user impact.

One interesting implication of Secure Score could affect organizations that must adhere to industry and government regulations, as well as those who have cybersecurity insurance.

"Secure Score can play an important role in a holistic security strategy, which encompasses how an organization strengthens its risk controls, mitigates potential losses and offsets some of the risk," noted Alym Rayani, director of Microsoft's Office Security and Compliance team, in a blog post announcing the service.

According to Rayani, The Hartford is one insurer considering using Secure Score's metrics for conducting risk assessment. Commenting on that in Rayani's post, Tom Kang, head of cyber insurance at The Hartford, said: "We believe aligning the solutions between security and insurance can make a real difference. By encouraging the use of an innovative security analytics tool like Office 365 Secure Score and making it a part of the underwriting process, businesses have more information to make risk-based decisions around privacy and security, potentially reducing their exposure to loss."

Rayani also said the Office 365 Threat Intelligence service is now available for private preview and is scheduled for general availability later this quarter. In addition, he announced the Office 365 Advanced Data Governance preview, which he said uses machine learning to help assess data retention compliance and determine risks. It is also scheduled for general release later this quarter.

Global Office 365 administrators can access the Secure Score service here

About the Author

Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.

Featured

  • Azure AD B2B Now Officially Supports Google IDs

    A feature that lets users of the Google identity and access service use their personal log-in IDs with Microsoft's Azure Active Directory B2B service is now generally available.

  • The 2019 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generation of HoloLens, here's what's on tap from Microsoft this year.

  • Microsoft, Salesforce Ink Deal Around Azure Cloud and Teams

    As part of a new partnership, CRM service provider Salesforce will leverage certain Microsoft Azure services, as well as Microsoft Teams, for services to customers.

  • 2019 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss this year.

RCP Update

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.