A security baseline for your company

  • 28 August 2023
  • 8 min read

There are many blogs about security baselines. This is not just another one: it is written for those who really want to be secure. This first post covers the different parts of a solid security baseline for your entire infrastructure and cloud. It focuses only on the Microsoft Cloud and other Microsoft products.

What is a security baseline?

As far as Cloud Agent is concerned, it is the minimum set of security measures for any business that makes use of services like Microsoft 365, Azure and other Microsoft services. The security baseline that Cloud Agent implements for its customers is mainly aimed at security-conscious organizations in which, for example, standard users do not have any administrative rights. In many cases the baseline is in line with the recommendations from Microsoft.

Every company faces security threats, and so do non-business accounts. However, the types of threats that are of most concern differ from one organisation to another. That is why this blog focuses on the bare minimum that applies to any company.

The security baseline

Because this blog is only a simple overview of the security baseline implemented by Cloud Agent, it will not go into much detail. The points discussed here will be expanded on in separate blogs, which will be linked here.

A password policy

A password policy has been discussed many times on many blogs, so this one will not go into detail. The point is to at least have a password policy. Cloud Agent encourages its customers to use at least a strong password with an authenticator app as the second step (Multi-Factor Authentication), and not to use SMS or voice for that second step; beyond that, Cloud Agent recommends passwordless authentication. The following picture illustrates the many different ways to authenticate.

Basic Authentication or Legacy Authentication

Basic Authentication, also known as Legacy Authentication, is a way of authenticating that does not support Multi-Factor Authentication: the user cannot be asked to perform a second step after providing the username and password to log in.

It is easy to see why this is attractive to attackers: after acquiring the victim's password there is no need to also get hold of the victim's second-step authentication method, such as his or her phone.

Cloud Agent never allows this usage except in tightly monitored exceptions, for example a legacy application. The problem, however, is that starting from the 1st of October 2022 Basic Auth will be disabled for all Microsoft 365 tenants, meaning companies still making use of this method have no other choice but to mitigate and/or migrate to a better solution, which is Modern Authentication.
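Before legacy authentication is blocked tenant-wide, you want to know which accounts and protocols still depend on it, so they can be migrated or documented as a monitored exception. The script below is an added example, not code from the original post or from Cloud Agent: it scans an export of Entra ID sign-in records and groups legacy-auth sign-ins by user and protocol. It assumes the records use the field names of the Microsoft Graph auditLogs/signIns resource (clientAppUsed, userPrincipalName, status.errorCode); the sample records and user names are constructed.

```python
"""Report legacy (basic) authentication sign-ins from an Entra ID sign-in log export.

Assumption (not from the post): the records use the field names of the Microsoft
Graph auditLogs/signIns resource (clientAppUsed, userPrincipalName, appDisplayName,
createdDateTime, status.errorCode). The sample records below are constructed.
"""
from collections import defaultdict

# clientAppUsed values that Entra ID reports for legacy/basic authentication protocols.
# "Browser" and "Mobile Apps and Desktop clients" are modern authentication.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync",
    "Authenticated SMTP",
    "IMAP4",
    "POP3",
    "MAPI Over HTTP",
    "Offline Address Book",
    "Exchange Web Services",
    "Autodiscover",
    "Reporting Web Services",
    "Other clients",
}

# Constructed sample export (not real tenant data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2023-08-21T07:12:03Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2023-08-21T07:15:44Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},
    # AADSTS50126: invalid username or password
    {"createdDateTime": "2023-08-21T08:01:10Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 50126}},
    {"createdDateTime": "2023-08-21T09:30:00Z", "userPrincipalName": "scanner@example.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2023-08-21T10:05:22Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Teams", "clientAppUsed": "Mobile Apps and Desktop clients",
     "status": {"errorCode": 0}},
]


def is_legacy_client(client_app_used):
    """True if the sign-in used a protocol that cannot carry an MFA challenge."""
    return client_app_used in LEGACY_CLIENT_APPS


def summarize_legacy_signins(records):
    """Group legacy-auth sign-ins by (user, protocol) and count successes and failures.

    Successful entries are the accounts and protocols that must be migrated (or
    documented as a monitored exception) before legacy auth is blocked tenant-wide;
    failed entries show where legacy endpoints are still being probed with passwords.
    """
    summary = defaultdict(lambda: {"success": 0, "failure": 0})
    for rec in records:
        client = rec.get("clientAppUsed", "")
        if not is_legacy_client(client):
            continue
        key = (rec["userPrincipalName"], client)
        if rec.get("status", {}).get("errorCode", 0) == 0:
            summary[key]["success"] += 1
        else:
            summary[key]["failure"] += 1
    return dict(summary)


def report(records):
    """Render the summary as text lines, sorted by user."""
    lines = []
    for (upn, client), counts in sorted(summarize_legacy_signins(records).items()):
        lines.append(f"{upn:24} {client:20} ok={counts['success']} failed={counts['failure']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SIGNINS)))
```

Run against a real export, the "ok" column is your migration list and the "failed" column shows which legacy endpoints are still receiving password attempts; both are worth reviewing before and after the block is enforced.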

Multi-factor Authentication (MFA)

It goes without saying these days that MFA should be enabled for all users without exception. There are exceptions, but these will be explained in a more detailed and dedicated post.
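The password policy section above ranks authentication methods (passwordless preferred, authenticator app acceptable, SMS or voice not acceptable as the second step) and this section asks for MFA on every user. The script below is an added example, not code from the original post or from Cloud Agent, that applies that ranking to each user's registered methods and reports who falls short. It assumes the method types are the @odata.type values returned by the Microsoft Graph authentication methods API (users/{id}/authentication/methods); the users and their methods are constructed.

```python
"""Check which users meet the MFA part of the baseline, based on their registered methods.

Assumption (not from the post): the method types are the @odata.type values returned by
the Microsoft Graph authentication methods API (users/{id}/authentication/methods).
The users below are constructed sample data.
"""

# Tiers follow the post: passwordless preferred, authenticator app acceptable,
# SMS or voice call not acceptable as the second step.
PASSWORDLESS = {
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
}
AUTHENTICATOR = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
}
# phoneAuthenticationMethod covers both SMS and voice call.
WEAK_SECOND_FACTOR = {"#microsoft.graph.phoneAuthenticationMethod"}

# Constructed sample data (not a real tenant).
SAMPLE_USERS = {
    "alice@example.com": [
        "#microsoft.graph.passwordAuthenticationMethod",
        "#microsoft.graph.fido2AuthenticationMethod",
    ],
    "bob@example.com": [
        "#microsoft.graph.passwordAuthenticationMethod",
        "#microsoft.graph.phoneAuthenticationMethod",
    ],
    "carol@example.com": [
        "#microsoft.graph.passwordAuthenticationMethod",
        "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
        "#microsoft.graph.phoneAuthenticationMethod",
    ],
    "dave@example.com": [
        "#microsoft.graph.passwordAuthenticationMethod",
    ],
}


def classify(method_types):
    """Return the strongest tier among a user's registered methods."""
    types = set(method_types)
    if types & PASSWORDLESS:
        return "passwordless"
    if types & AUTHENTICATOR:
        return "authenticator"
    if types & WEAK_SECOND_FACTOR:
        return "weak-second-factor"
    return "password-only"


def baseline_findings(users):
    """Users who do not meet the baseline (authenticator app or better), with a reason."""
    findings = {}
    for upn, methods in users.items():
        tier = classify(methods)
        if tier == "password-only":
            findings[upn] = "no MFA method registered"
        elif tier == "weak-second-factor":
            findings[upn] = "only SMS/voice registered; register an authenticator or passwordless method"
    return findings


def lingering_weak_methods(users):
    """Users who meet the baseline but still have SMS/voice registered as a fallback."""
    return sorted(
        upn for upn, methods in users.items()
        if classify(methods) in ("passwordless", "authenticator")
        and set(methods) & WEAK_SECOND_FACTOR
    )


if __name__ == "__main__":
    for upn, reason in baseline_findings(SAMPLE_USERS).items():
        print(f"FAIL {upn}: {reason}")
    for upn in lingering_weak_methods(SAMPLE_USERS):
        print(f"WARN {upn}: SMS/voice still registered alongside a stronger method")
```

The second list matters because a phone method left registered next to an authenticator is still a valid second step at sign-in, so the account is only as strong as its weakest registered method.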

Up-to-date operating system

Virtual machines, desktops, laptops: no matter what kind of device it is, there needs to be a policy in place to make sure the OS is kept up to date with the Critical and Security updates.

In most cases Cloud Agent manages the devices using Intune, with an RMM tool to support it. The Modern Workplace provided by Cloud Agent has default policies to enable patch management. The additional RMM tool makes sure that every other (virtual) machine gets its updates on a regular basis.

Bring Your Own Device (BYOD) policies

Just about everyone has a personal device, like a smartphone or a laptop, which in many cases is also used for business purposes. For example, employees have Microsoft Teams installed on their own device to chat and/or call with co-workers, or simply have Outlook configured on their phone. A huge issue used to be convincing employees to let their personal devices be managed when they are used for business purposes. The main reason has always been that the user does not know what the IT department can see on their device.

A great alternative, a real must-have these days, is to make use of App Protection Policies provided by Microsoft Endpoint Manager (also known as Intune). They protect the corporate data even if the app contains both corporate and personal data, which is almost always the case.

Cloud Agent makes sure that a few default policies are in place when a user wants to use their own personal device to access company data. The policy protects the data by encrypting it, protecting it with a PIN and removing the company data from the phone when needed. These policies make sure that your company data is secure on a device not known and/or managed by the company, and make a clear distinction between personal and company data.
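App protection policies tend to drift: one is created quickly to unblock a user and never tightened. The script below is an added example, not code from the original post or from Cloud Agent, that checks an exported policy against the requirements this section describes (a PIN, corporate data kept inside managed apps and out of personal backups, automatic removal after a period offline). It assumes the policy uses the property names of the Microsoft Graph managedAppProtection resource; the specific thresholds (PIN length 6, a 90-day offline wipe) and both sample policies are this example's own assumptions, shown as a loosely configured policy beside its baseline-compliant counterpart.

```python
"""Check an exported Intune app protection policy against the BYOD part of the baseline.

Assumption (not from the post): the policy dict uses the property names of the Microsoft
Graph managedAppProtection resource (pinRequired, minimumPinLength, dataBackupBlocked,
allowedOutboundDataTransferDestinations, periodOfflineBeforeWipeIsEnforced, ...).
The required values are this example's own reading of the post (PIN, data kept inside
managed apps, automatic removal when needed); both policies below are constructed.
"""

# Each check: (property, predicate on the exported value, message when the predicate fails).
BASELINE_CHECKS = [
    ("pinRequired", lambda v: v is True,
     "a PIN must be required to open corporate data in the app"),
    ("minimumPinLength", lambda v: isinstance(v, int) and v >= 6,
     "minimum PIN length should be at least 6 (threshold assumed in this example)"),
    ("simplePinBlocked", lambda v: v is True,
     "simple PINs such as 1234 must be blocked"),
    ("dataBackupBlocked", lambda v: v is True,
     "corporate data must not go into personal device backups"),
    ("allowedOutboundDataTransferDestinations", lambda v: v == "managedApps",
     "corporate data may only be shared with other managed apps"),
    ("saveAsBlocked", lambda v: v is True,
     "Save As to unmanaged locations must be blocked"),
    ("periodOfflineBeforeWipeIsEnforced",
     lambda v: isinstance(v, str) and v.startswith("P") and v != "PT0S",
     "an offline period after which corporate data is wiped must be set"),
]

# Constructed: a loosely configured policy.
WEAK_POLICY = {
    "displayName": "BYOD - iOS (initial)",
    "pinRequired": False,
    "minimumPinLength": 4,
    "simplePinBlocked": False,
    "dataBackupBlocked": False,
    "allowedOutboundDataTransferDestinations": "allApps",
    "saveAsBlocked": False,
    "periodOfflineBeforeWipeIsEnforced": "PT0S",
}

# Constructed: the same policy after applying the baseline.
BASELINE_POLICY = {
    "displayName": "BYOD - iOS (baseline)",
    "pinRequired": True,
    "minimumPinLength": 6,
    "simplePinBlocked": True,
    "dataBackupBlocked": True,
    "allowedOutboundDataTransferDestinations": "managedApps",
    "saveAsBlocked": True,
    "periodOfflineBeforeWipeIsEnforced": "P90D",   # ISO 8601 duration: 90 days
}


def check_policy(policy):
    """Return a list of (property, message) for every baseline check the policy fails."""
    findings = []
    for prop, ok, message in BASELINE_CHECKS:
        if not ok(policy.get(prop)):
            findings.append((prop, message))
    return findings


def is_compliant(policy):
    """True when the policy passes every baseline check."""
    return not check_policy(policy)


if __name__ == "__main__":
    for pol in (WEAK_POLICY, BASELINE_POLICY):
        findings = check_policy(pol)
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{pol['displayName']}: {status}")
        for prop, message in findings:
            print(f"  - {prop}: {message}")
```

A missing property counts as a failure, so a policy exported with a subset of fields is flagged rather than silently passed; run the check against every platform's policy, since iOS and Android policies are separate objects.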

Protecting your devices, account and data

Devices owned by our customers have to be protected. Cloud Agent makes use of Microsoft Defender to protect devices and to act quickly on any threats by monitoring them proactively.

This subject will be discussed in a more detailed post.

To conclude

This subject is vast and could fill many pages, but we chose not to do that and instead give an overview of the bare minimum that needs to be in place.

To summarize:

  • You want to have all users enabled for MFA;
  • You do not want to allow Legacy Authentication;
  • You want to protect your data, your mails, your account and devices;
  • Operating Systems need to have the monthly Security and Critical updates applied;
  • Corporate data on personal devices needs to be protected.