The Department of Homeland Security has received numerous reports of security issues arising during Microsoft Office 365 migrations. The affected organizations did not have a dedicated IT services company with a security team focused on their security in the cloud, and the result was compromised users and mailboxes, along with lingering vulnerabilities.
This is why you should always refer to your IT services company in the San Francisco Bay Area for Office 365 migrations.
Since October 2018, the Cybersecurity and Infrastructure Security Agency (CISA) has conducted several engagements with customers who have used third-party partners to migrate their email services to Office 365.
Based on these findings, DHS released best practices for businesses that want to migrate their email services to Microsoft Office 365.
The migrations had disabled multi-factor authentication on administrator accounts, mailbox auditing, and unified audit logs, among other flaws.
The most significant risks were cloud migrations where Multi-Factor Authentication wasn’t enabled. Given that Microsoft Office 365’s Azure Active Directory Global Administrators have the highest level of privileges at the tenant level, this created security vulnerabilities.
“This is equivalent to the Domain Administrator in an on-premises AD environment… The Azure AD Global Administrator accounts are the first accounts created so that administrators can begin configuring their tenant and eventually migrate their users.
MFA is not enabled by default for these accounts…There’s a default conditional access policy available to customers, but the global administrator must explicitly enable this policy in order to enable MFA for these accounts.”
As a result of the MFA misconfiguration, these cloud-based accounts could allow an attacker "to maintain persistence as a customer migrates users to O365", because accounts hosted in the cloud are exposed to the Internet.
DHS officials also explained that when mailbox auditing and the unified audit log are disabled, administrators cannot run queries against them until auditing has been manually enabled.
“Misconfigurations can also lead to password sync becoming enabled during the migration process, which allows the creation of Azure Active Directory (AD) identities on-premise or match former identities with on-premise identities.
As a result, the on-premises identities become the authoritative identities in the Cloud.
In order to match identities, the AD identity needs to match certain attributes.
If matched, the Azure AD identity is flagged as on-premises managed…Therefore, it’s possible to create an AD identity that matches an administrator in Azure AD and create an account on-premises with the same username.
One of the authentication options for Azure AD is ‘password sync.’ If this option is enabled, the password from on-premises overwrites the password in Azure AD. In this particular situation, if the on-premises AD identity is compromised, then an attacker could move laterally to the cloud when the sync occurs.”
Microsoft did disable the capability to match administrator accounts in October 2018. However, if administrator account matching was performed before this, then syncing could have been compromised prior to the migration.
A number of Exchange Online authentication methods do not support modern authentication with MFA. These include Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transfer Protocol (SMTP), all of which are still widely used today.
“Legacy protocols are used with older email clients, which do not support modern authentication…Legacy protocols can be disabled at the tenant level or at the user level. However, should an organization require older email clients as a business necessity, these protocols will not be disabled.
This leaves email accounts exposed to the internet with only the username and password as the primary authentication method.
Organizations should inventory users who require the use of a legacy email client and protocols to mitigate this issue… Azure AD Conditional Access policies can help reduce the number of users who have the ability to use legacy protocol authentication methods. Taking this step will greatly reduce the attack surface for organizations."
DHS also recommended that you establish an enterprise-wide cloud strategy to bolster your infrastructure security before migrating to Office 365 and other cloud services. However, they say that Multi-Factor Authentication is the “best mitigation technique to use to protect against credential theft for Office 365 users.”
Only use a knowledgeable IT services company in the Bay Area that has experience migrating to Office 365 and other cloud solutions.
Your IT support company can enable unified audit logging and mailbox auditing for each user, and plan and correctly configure password sync, before migrating them.
They can also disable legacy email protocols where they are not required, and at minimum limit them to the specific users who need them.
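The checks and fixes described above (mailbox auditing, the unified audit log, and legacy POP3/IMAP/SMTP AUTH access), as an added Exchange Online PowerShell example that is not from this post or from CISA. It assumes the ExchangeOnlineManagement module is installed and the caller holds Exchange Administrator rights; the `-LegacyProtocolAllowList` parameter is a hypothetical name for the inventoried users who still need a legacy client.

```powershell
# Added example (not from the post or CISA): audit an Office 365 tenant for the
# findings above and, only with -Remediate, correct them. Review the warnings first.
param(
    [switch]$Remediate,
    # Hypothetical parameter: primary SMTP addresses of users inventoried as still
    # needing a legacy client, per the CISA advice quoted above.
    [string[]]$LegacyProtocolAllowList = @()
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Organization-level mailbox auditing (AuditDisabled = $true switches it off).
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled at the organization level."
    if ($Remediate) { Set-OrganizationConfig -AuditDisabled $false }
}

# 2. Unified audit log ingestion; searches return nothing until this is on.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is not enabled."
    if ($Remediate) { Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true }
}

# 3. Per-mailbox audit flag, for every mailbox in the tenant.
foreach ($mbx in (Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.AuditEnabled })) {
    Write-Warning "Mailbox auditing off: $($mbx.UserPrincipalName)"
    if ($Remediate) { Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true }
}

# 4. POP3/IMAP still enabled on mailboxes outside the allow list.
$legacy = Get-CASMailbox -ResultSize Unlimited | Where-Object {
    ($_.PopEnabled -or $_.ImapEnabled) -and
    ($LegacyProtocolAllowList -notcontains $_.PrimarySmtpAddress)
}
foreach ($cas in $legacy) {
    Write-Warning "Legacy protocol on $($cas.PrimarySmtpAddress): POP=$($cas.PopEnabled) IMAP=$($cas.ImapEnabled)"
    if ($Remediate) { Set-CASMailbox -Identity $cas.Identity -PopEnabled $false -ImapEnabled $false }
}

# 5. SMTP AUTH at the tenant level (individual mailboxes can still be re-enabled
#    with Set-CASMailbox for the inventoried exceptions).
if (-not (Get-TransportConfig).SmtpClientAuthenticationDisabled) {
    Write-Warning "SMTP AUTH is enabled tenant-wide."
    if ($Remediate) { Set-TransportConfig -SmtpClientAuthenticationDisabled $true }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without `-Remediate` to get the inventory, confirm the allow list with the business, then run it again with `-Remediate`.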
If you’re trying to decide whether Microsoft Office 365 is right for you, then migration should be one of your primary concerns.
When it comes to a cloud-based suite like this, migrating to Office 365 from your current IT environment is no small task.
That’s why you should defer to the experts. But here are some things you can do in preparation for your migration.
The best way to prepare is an actual meeting with everyone involved in the process, in which you talk through a number of key factors in the migration, such as:
This is an especially vital step because, if you don’t have answers to these questions, then you probably aren’t ready to migrate.
Knowing how to answer these questions means that you can avoid common pitfalls and hit the ground running with your new IT environment.
Furthermore, you’ll want to make sure your entire staff understands what migration means for their work. What kind of downtime will they encounter, what are the benefits they will have access to once it’s complete, etc.?
Make sure you have the following information ready for your IT services company before migration:
List of Users
Keeping careful track of how many users you have and what they need to do will make migration much smoother than it would be otherwise. The last thing you want to do is overlook a user here or there and find they can’t access the system after launch because there weren’t enough licenses or log-ins arranged.
While you sort out the details of your new Microsoft Office 365 environment, it’s smart to work with temporary passwords. That way, it’s easy to test the environment without issuing official credentials and log-in info.
Domain Registrar Information
This is especially important for Microsoft Office 365 migrations; why? Because email is a central facet of Office 365. To ensure seamless changeover between your previous email client and Microsoft Outlook, you’ll need complete information on your domain registrar.
Plan For Your Infrastructure Needs
The new Microsoft Office 365 environment will be built on the foundation that is your infrastructure, so you had better make sure it is up to the task before you start.
Infrastructure-based considerations should include:
Bandwidth: You should assess your bandwidth to zero in on exactly how many client machines are connected to the network concurrently at any one point in time.
In theory, your bandwidth should be able to support at least that many concurrent machines running Microsoft Office 365, which dictates the network segments and connections you will need.
Hardware: Migration is an excellent opportunity to take stock of your hardware. For example, in your new environment, will you need a server dedicated to Skype for Business? That depends on how heavily you plan to make use of it.
This is the type of question you need to answer (and do something about) before you migrate, and not after.
Software: As Microsoft Office 365 provides virtually all the software you could possibly use, there isn’t too much to take stock of in your old environment.
However, if you and your staff currently use mail-enabled applications that you’re fond of, or that are so specific to your business and industry that you’ll need them post-migration anyway, then you must make sure they are compatible with Exchange Web Services.
The rest you should leave with your Office 365 Migration Expert in the San Francisco Bay Area. If you need more information, we’re always here to help.
In the meantime, don’t take chances with the security of your data. To stay up to date on this and other IT topics, visit our Business IT News.