When speaking about IT or cybersecurity, I often come across the strategy/vision or visibility challenge—what comes first? It is almost a chicken or egg question and, while I believe we can develop the vision for IT/cybersecurity without the visibility into current environment, the question becomes: Can we “sell” that vision to decision-makers? I work with small and medium-size businesses (SMBs), organizations often highly dependent on third-party vendors supporting their IT operations. Keep in mind, an SMB could be a US$4 million to US$50 million organization with 100 to 700 employees.
My opinions and experience are heavily biased toward Microsoft offerings because of my familiarity with its products and because of the vendor’s offering of functionality, security and compliance maturity. And, in my opinion, maturity matters when it comes to productivity, integration, governance, risk and compliance.
After completing a number of risk assessments; incorporating vulnerability and policy compliance scans; and detecting mostly unpatched systems, Exchange, data center server’s and endpoints’ configuration issues, I often recommended Office 365 as a solution for SMBs to at least strengthen their communications. The idea is that after email adoption, these organizations will move toward adopting cloud storage for users’ and groups’ files (OneDrive for Business and SharePoint) to eliminate or significantly reduce ransomware exposure, and improve the overall resiliency of the organization. These organizations were 100% Microsoft shops and my vision was that they can build better IT and cybersecurity strategy around solid a cloud solution, with baked-in security and compliance features (structure). Also, this approach allows SMBs to reduce the on-premise IT footprint and increases overall security and compliance at reasonable and affordable costs. Unfortunately, most of the decision-makers do not have the expertise to understand all of this, and most do not buy into the cloud idea just because it is a strategy that makes sense; especially when their managed service providers (MSPs) do not support it either.
And that is where visibility becomes indispensable. Visibility is one of my favorite security terms and I use it quite frequently. Sometimes, I like to connect visibility with situational awareness, because that is what visibility is—understanding what is happening in your environment, in your systems. I may not have all safeguards (I wish for) in place, but when I have good visibility, I can sleep well. However, in the context of this conversation, visibility is key to explaining traditional approaches, weaknesses and building arguments for cloud-first or cloud-only strategies.
A short 7 or 8 years ago, when I mentioned the cloud in meetings with security professionals, people were…skeptical: “…So, using another organization’s computers to process our data means better security?” Yes, because in the SMB space, there are no budgets for more security tools or more security personnel, and SMBs cannot afford the on-premises security in which large organizations can invest. This is especially true for security around a user’s communications and collaboration, which, by the way, are notorious entry points for ransomware and other system’s compromises or data loss. Software as a service (SaaS) solutions offer much better security if used and configured properly. Cloud security is not just about better prevention features but mostly about better visibility into which users in the organization are being targeted by phishing attacks, who is oversharing, which devices are at risk, which patches are missing, and who is making mistakes and exhibiting risky behaviors.
During one of the assessments, the MSP was participating in the interview and I already knew what the organization’s pain points were because I had seen initial scan results. So I asked: “What do you think about Office 365?” and the response was, “Oh, I do not like it, I do not like it at all!” Most MSPs, just like many other organizations, suffer from lack of talent and updated skill sets; they want to do what they know best or what their staff can support, and they are afraid of losing control. The MSP marketplace is also highly competitive, which results in many MSPs switching remote monitoring tools almost every year—after the free offer or introductory pricing for specific products expire. It is not uncommon to find 3-4 different monitoring agents (inactive, leftovers) on devices. All this contributes to weak visibility in on-premises environments, weak incident, Indicators of Attack (IoA) and Indicator of compromise (IoC) detection, nearly non-existent audit log or content search capabilities (e-discovery), and overall higher risk.
Cloud is not a miracle cure, but when skillfully used, a Microsoft 365 environment can address many visibility shortcomings. And better visibility can be used to better explain the cloud vision and how cloud strategy will benefit the productivity, compliance and resilience of the organization.
Robert Brzezinski, CISA, CISM, Azure Sec Eng, CHPS, M365 Sec Admin
Focuses on cloud productivity and cybersecurity technologies. As a certified Microsoft 365 Security Administrator and Azure Security Engineer, he specializes in Microsoft Cloud technologies like Microsoft 365 (including Office 365) and Azure security tools. He helps organizations understand and take full advantage of Microsoft security architecture to effectively and efficiently protect their organizations and users; to streamline and automate IT operations, integrate security across different environments (on-prem, Azure and other clouds, e.g. AWS); improve and de-duplicate security, compliance and auditing efforts; and put better cybersecurity, compliance and IT strategy in place.