Common Mistakes Organizations Make with Exchange Online Security Controls


The Hidden Dangers Lurking in Your Exchange Online Tenant

Organizations moving to cloud-based email platforms such as Microsoft’s Exchange Online often believe they are escaping the burden of security responsibilities, shifting it squarely onto the provider’s shoulders.

A Misconception about Shared Responsibility

This misconception can lead to severe vulnerabilities in the tenant itself. Scott Schnoll, a seasoned expert in Exchange Online security, sheds light on the crucial aspect of shared responsibility in cloud security and the common pitfalls that organizations face when configuring their tenants.

Shared Responsibility in Cloud Security

“Microsoft secures the cloud,” Schnoll states, “but it’s the organization’s responsibility to manage access and to secure and protect their data, accounts, and endpoints.”

Legacy Protocols Remain a Concern

One area where organizations often struggle is with legacy protocols, such as SMTP AUTH, which, despite being outdated, continue to pose a security risk. Microsoft strongly recommends disabling SMTP AUTH, but its removal is hindered by the widespread reliance on outdated clients and applications that don’t support modern authentication methods. Until those dependencies are retired, organizations should remain vigilant and use modern authentication methods wherever possible.
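The article does not include any tooling, so the following PowerShell is an added example rather than Schnoll’s or Microsoft’s own script. It inventories where SMTP AUTH, POP and IMAP are still reachable in a tenant and shows, commented out, the commands that close those paths. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds the Exchange Administrator role; the mailbox `scanner@contoso.example` in the remediation comment is a constructed placeholder.

```powershell
# Added example (not from the article): inventory legacy-protocol exposure in an
# Exchange Online tenant. Assumes the ExchangeOnlineManagement module is installed
# and the caller has Exchange Administrator rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Tenant-wide switch: $true means SMTP AUTH is off for every mailbox that does not
# explicitly override it.
$orgSmtpAuthDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled
Write-Host "Org-wide SMTP AUTH disabled: $orgSmtpAuthDisabled"

# Per-mailbox view. SmtpClientAuthenticationDisabled is $null when the mailbox
# inherits the org setting, so resolve the effective value explicitly.
$report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $effectiveSmtpAuthOff = if ($null -eq $_.SmtpClientAuthenticationDisabled) {
        $orgSmtpAuthDisabled
    } else {
        $_.SmtpClientAuthenticationDisabled
    }
    [pscustomobject]@{
        Mailbox        = $_.PrimarySmtpAddress
        SmtpAuthActive = -not $effectiveSmtpAuthOff
        PopEnabled     = $_.PopEnabled
        ImapEnabled    = $_.ImapEnabled
        HasOverride    = $null -ne $_.SmtpClientAuthenticationDisabled
    }
}

# Mailboxes where at least one legacy path is still open; keep the CSV as the
# evidence trail for the review and for the exception list.
$exposed = $report | Where-Object { $_.SmtpAuthActive -or $_.PopEnabled -or $_.ImapEnabled }
$exposed | Format-Table -AutoSize
$exposed | Export-Csv -Path .\legacy-protocol-exposure.csv -NoTypeInformation

# Remediation (commented out; run only after confirming no client still depends on
# these protocols):
# Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# $exposed | ForEach-Object {
#     Set-CASMailbox -Identity $_.Mailbox -PopEnabled $false -ImapEnabled $false
# }
# For a device that genuinely needs SMTP AUTH (placeholder mailbox), scope the
# exception to that single mailbox instead of leaving the tenant-wide switch open:
# Set-CASMailbox -Identity scanner@contoso.example -SmtpClientAuthenticationDisabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

Run the inventory first and review the CSV with the owners of any flagged mailboxes; the per-mailbox `SmtpClientAuthenticationDisabled $false` override is the pattern to prefer over leaving SMTP AUTH on tenant-wide, because it keeps the exception visible in the same report.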

Conditional Access and Continuous Monitoring Are Non-Negotiable

Schnoll stresses the importance of Conditional Access and continuous monitoring in maintaining a robust security posture. Conditional Access allows administrators to restrict access to sensitive resources based on specific conditions, such as device compliance or location. Continuous monitoring, in turn, involves regularly reviewing identity, permissions, control effectiveness, and system activity to ensure that security controls are working as intended.
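As an added example of the “regularly reviewing identity, permissions, control effectiveness” part of that advice (my script, not one from the article), the following PowerShell performs a scheduled review pass: it lists Conditional Access policies that are not actually enforcing, mailboxes with non-owner Full Access, and mailbox-level or inbox-rule forwarding. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the account can consent to `Policy.Read.All` and has Exchange Administrator rights.

```powershell
# Added example (not from the article): periodic review of identity controls and
# mailbox permissions. Assumes Microsoft.Graph and ExchangeOnlineManagement modules
# and an account with Policy.Read.All consent plus Exchange Administrator rights.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module ExchangeOnlineManagement

# 1. Control effectiveness: a Conditional Access policy that is disabled or in
#    report-only mode protects nothing, so surface anything that is not "enabled".
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome
$notEnforcing = Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -ne 'enabled' } |
    Select-Object DisplayName, State
Write-Host "Conditional Access policies not enforcing:"
$notEnforcing | Format-Table -AutoSize

# 2. Permissions: explicit (non-inherited) Full Access grants to anyone other than
#    the mailbox owner. Delegated access is one of the audit blind spots the
#    article mentions, so it deserves a standing review.
Connect-ExchangeOnline -ShowBanner:$false
$mailboxes = Get-Mailbox -ResultSize Unlimited
$delegates = foreach ($mbx in $mailboxes) {
    Get-MailboxPermission -Identity $mbx.PrimarySmtpAddress |
        Where-Object {
            $_.AccessRights -contains 'FullAccess' -and
            -not $_.IsInherited -and
            $_.User -ne 'NT AUTHORITY\SELF'
        } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Delegate = $_.User }
        }
}
Write-Host "Non-owner Full Access grants:"
$delegates | Format-Table -AutoSize

# 3. Activity: forwarding set on the mailbox itself or through inbox rules. Both are
#    classic persistence locations after a mailbox is compromised, so list them all
#    and let the reviewer decide which are legitimate.
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
Write-Host "Mailbox-level forwarding:"
$mailboxForwarding | Format-Table -AutoSize

$ruleForwarding = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n='Mailbox';e={$mbx.PrimarySmtpAddress}}, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
Write-Host "Inbox rules that forward or redirect:"
$ruleForwarding | Format-Table -AutoSize

# Persist every finding so consecutive runs can be diffed; new rows are the review queue.
$stamp = Get-Date -Format 'yyyyMMdd'
$notEnforcing      | Export-Csv ".\ca-not-enforcing-$stamp.csv"      -NoTypeInformation
$delegates         | Export-Csv ".\fullaccess-delegates-$stamp.csv"  -NoTypeInformation
$mailboxForwarding | Export-Csv ".\mailbox-forwarding-$stamp.csv"    -NoTypeInformation
$ruleForwarding    | Export-Csv ".\rule-forwarding-$stamp.csv"       -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

The value of this pass comes from running it on a schedule and diffing the dated CSVs: a Conditional Access policy that quietly went to report-only, or a new Full Access grant or forwarding rule, shows up as a new row rather than being lost in a one-off snapshot.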

Auditing Blind Spots Exist

Despite the presence of auditing mechanisms, there are still areas where organizations may struggle to obtain accurate insights. Client-side mailbox access artifacts, delegated access activity, and non-Exchange workloads that attackers abuse may not be fully captured in the audit log. Moreover, accessing a mailbox using a legacy protocol like POP or IMAP generates minimal or sometimes no auditing.
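To make those blind spots concrete, here is an added PowerShell example (mine, not from the article) that first checks whether mailbox auditing is actually capturing owner and delegate access, and then pulls the last seven days of mailbox access records from the unified audit log and groups them by logon type and client, so a reviewer can see which access paths are visible and which are absent. It assumes the ExchangeOnlineManagement module, an account with the Audit Logs role, and that `MailItemsAccessed` is licensed in the tenant; where it is not, the coverage check reports that rather than failing.

```powershell
# Added example (not from the article): verify audit coverage for mailbox access,
# then summarise what the unified audit log actually recorded. Assumes the
# ExchangeOnlineManagement module and an account holding the Audit Logs role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Is auditing on at all? AuditDisabled at the org level overrides everything.
$orgAuditDisabled = (Get-OrganizationConfig).AuditDisabled
Write-Host "Org-level auditing disabled: $orgAuditDisabled"

# 2. Per-mailbox coverage. MailItemsAccessed is the action that records reads by the
#    owner and by delegates; if it is missing from AuditOwner or AuditDelegate, reads
#    of mail content by those identities leave no record. The mailbox must also not
#    have been individually turned off (AuditEnabled = $false).
$coverage = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    [pscustomobject]@{
        Mailbox                 = $_.PrimarySmtpAddress
        AuditEnabled            = $_.AuditEnabled
        OwnerReadsAudited       = $_.AuditOwner    -contains 'MailItemsAccessed'
        DelegateReadsAudited    = $_.AuditDelegate -contains 'MailItemsAccessed'
        DelegateSendAsAudited   = $_.AuditDelegate -contains 'SendAs'
        UsesDefaultAuditSet     = ($_.DefaultAuditSet -contains 'Owner') -and
                                  ($_.DefaultAuditSet -contains 'Delegate')
    }
}
$gaps = $coverage | Where-Object {
    -not $_.AuditEnabled -or -not $_.OwnerReadsAudited -or -not $_.DelegateReadsAudited
}
Write-Host "Mailboxes with incomplete read auditing (expected if MailItemsAccessed is unlicensed):"
$gaps | Format-Table -AutoSize

# 3. What did the log actually capture? Pull mailbox access operations for the last
#    seven days and group by logon type (0 owner, 1 admin, 2 delegate) and client.
#    POP/IMAP sessions are where the article warns that little or nothing appears,
#    so an empty or missing bucket for those clients is itself a finding.
$end   = Get-Date
$start = $end.AddDays(-7)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType ExchangeItem -Operations MailItemsAccessed, SendAs, SendOnBehalf `
    -ResultSize 5000

$summary = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json          # AuditData is a JSON string
    [pscustomobject]@{
        Operation = $d.Operation
        LogonType = switch ($d.LogonType) { 0 {'Owner'} 1 {'Admin'} 2 {'Delegate'} default {$d.LogonType} }
        Client    = $d.ClientInfoString
        Mailbox   = $d.MailboxOwnerUPN
        Actor     = $d.UserId
    }
}
Write-Host "Mailbox access by logon type and client, last 7 days:"
$summary | Group-Object Operation, LogonType, Client |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Delegate access specifically, since that is the path the article flags as
# under-reported: list actors who read someone else's mailbox.
$summary | Where-Object { $_.LogonType -eq 'Delegate' } |
    Group-Object Actor, Mailbox |
    Select-Object Count, Name |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Read the two outputs together: the coverage table tells you what can be logged, and the grouped summary tells you what was logged. A mailbox known to be read over IMAP that shows no client entry in the summary is the blind spot the article describes, and the fix is in the previous section (turn the protocol off), not in the audit configuration.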

Third-Party Gateways: A Double-Edged Sword

Schnoll suggests that third-party security gateways can add value in certain situations, such as when specialized compliance tools or additional diversity in the threat-detection layer are required. For many organizations, however, third-party gateways create duplicate spend and introduce operational complexity, which can reduce detection accuracy.

In Conclusion

While Microsoft takes care of the cloud, organizations bear the primary responsibility for ensuring the security of their data, identities, and configurations within the Exchange Online tenant. By understanding the shared responsibility model and avoiding common pitfalls, such as relying on legacy protocols and neglecting continuous monitoring, organizations can mitigate risks and maintain a robust security posture.
