Over the past year, while working with many different clients, the topic of Security within Office 365 comes up. Specifically, an area of interest is the Secure Score. I have often had clients say that they do not need any specific security solutions because they have a great Secure Score. I got thinking about the Secure Score and why it gives us/clients a warm fuzzy feeling inside. I then remembered presenting at a conference a few years ago and telling everyone that, to make the CIO happy with an On-premises SharePoint setup, make sure to clear the errors that show up in Central Administration due to health analyzer rules. I also said that if they could not fix them because they were “Microsoft features,” then disable and remove them… joking, of course. Then it hit me: that is the problem. Just like disabling and removing the errors for the CIO, the Secure Score is simply an arbitrary number that makes everyone feel happy. I must clarify at this point that there is a lot more involved in getting a Secure Score than just hiding a few errors. The logic behind the Secure Score comes from a Microsoft baseline template; your Office 365 Tenant is validated directly against it, and the Score is generated from that comparison.
What types of checks does the Secure Score do?
Office 365 is a large platform with many features and services. Secure Score taps into Microsoft Graph, which uses sets of REST-based APIs to collect information from multiple endpoints, such as Exchange, SharePoint, and Microsoft Teams. The retrieved data is validated against the Microsoft baseline template, and the output is not only the score but also a series of tasks that can increase the score.
So, is the Secure Score worth anything?
The number itself, at least for me, means nothing. It is just a number, calculated from information that I, as a Tenant Administrator, can see and should already know. Now, if you are asking me whether having a high score means you don’t need anything else to protect Office 365, then I will politely raise my concerns about your approach to Security. My personal view is that the Secure Score should go together with your regular Security Program and not replace it. Just because you move to the cloud does not negate the need for Security platforms and controls.
What types of tasks should I expect?
When accessing the Secure Score page, underneath the score, you will find the breakdown of actions that “should” be completed. These are recommended based on your current configuration, compared against what makes up the baseline template provided by Microsoft.
A common task that always shows up is “Enable MFA for all global admins.”
Of course, this is a great recommendation, one that I highly recommend to ALL clients. For me, however, what I like is the classification of the action, along with its “User Impact” and “Implementation Cost.”
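The two Graph collections behind the page described above can be worked with directly, which is a useful way to treat the score as a prioritised to-do list rather than a headline number. The following is an added example, not code from the original post: it parses the shape of the `GET /v1.0/security/secureScores` and `GET /v1.0/security/secureScoreControlProfiles` responses (the `currentScore`, `maxScore`, `controlScores`, `userImpact` and `implementationCost` fields), joins the two, and ranks the unfinished controls by points still available and then by cheapest, least disruptive implementation. The two sample responses, the control names and the numbers in them are constructed so the script runs offline; a live call needs a bearer token with the `SecurityEvents.Read.All` permission.

```python
"""Turn Microsoft Graph Secure Score data into a ranked remediation list.

Added example, not code from the original post. The two sample responses are
constructed by hand to match the shape of
  GET https://graph.microsoft.com/v1.0/security/secureScores
  GET https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles
so the script runs offline; control names and numbers are made up.
"""
from typing import Any, Dict, List

# Constructed sample: the secureScores collection (one snapshot per day in a real tenant).
SAMPLE_SECURE_SCORES: Dict[str, Any] = {
    "value": [
        {
            "id": "PLACEHOLDER-TENANT-ID_2019-01-02",
            "createdDateTime": "2019-01-02T00:00:00Z",
            "currentScore": 94.0,
            "maxScore": 340.0,
            "controlScores": [
                {"controlCategory": "Identity", "controlName": "AdminMFA",
                 "description": "Require MFA for global admins", "score": 0.0},
                {"controlCategory": "Identity", "controlName": "UserMFARegistration",
                 "description": "Register all users for MFA", "score": 4.0},
                {"controlCategory": "Data", "controlName": "DLPPolicy",
                 "description": "Turn on data loss prevention", "score": 0.0},
                {"controlCategory": "Apps", "controlName": "MailboxAuditing",
                 "description": "Enable mailbox auditing", "score": 10.0},
                {"controlCategory": "Apps", "controlName": "LegacyControl",
                 "description": "Retired control still in the snapshot", "score": 0.0},
            ],
        },
        {
            "id": "PLACEHOLDER-TENANT-ID_2019-01-01",
            "createdDateTime": "2019-01-01T00:00:00Z",
            "currentScore": 84.0,
            "maxScore": 340.0,
            "controlScores": [],
        },
    ]
}

# Constructed sample: control profiles, which carry the metadata the post
# highlights (maxScore, userImpact, implementationCost) rather than the score.
SAMPLE_CONTROL_PROFILES: Dict[str, Any] = {
    "value": [
        {"id": "AdminMFA", "title": "Require MFA for global admins", "maxScore": 10.0,
         "userImpact": "Low", "implementationCost": "Low", "deprecated": False},
        {"id": "UserMFARegistration", "title": "Register all users for MFA", "maxScore": 9.0,
         "userImpact": "Moderate", "implementationCost": "Low", "deprecated": False},
        {"id": "DLPPolicy", "title": "Turn on data loss prevention", "maxScore": 20.0,
         "userImpact": "Moderate", "implementationCost": "Moderate", "deprecated": False},
        {"id": "MailboxAuditing", "title": "Enable mailbox auditing", "maxScore": 10.0,
         "userImpact": "Low", "implementationCost": "Low", "deprecated": False},
        {"id": "LegacyControl", "title": "Retired control", "maxScore": 5.0,
         "userImpact": "Low", "implementationCost": "Low", "deprecated": True},
    ]
}

# Ordering for the Low/Moderate/High labels; unknown labels sort last.
RANK = {"Low": 0, "Moderate": 1, "High": 2}


def latest_snapshot(secure_scores: Dict[str, Any]) -> Dict[str, Any]:
    """Pick the newest secureScore record; Graph keeps one per day."""
    return max(secure_scores["value"], key=lambda s: s["createdDateTime"])


def score_percent(snapshot: Dict[str, Any]) -> float:
    """The headline number: currentScore as a percentage of maxScore."""
    return round(100.0 * snapshot["currentScore"] / snapshot["maxScore"], 1)


def remediation_gaps(snapshot: Dict[str, Any], profiles: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Join control scores to their profiles and list the unfinished controls.

    Sorted by points still available, then cheapest implementation, then
    lowest user impact, so the result reads as a prioritised to-do list.
    """
    by_id = {p["id"]: p for p in profiles["value"]}
    gaps: List[Dict[str, Any]] = []
    for cs in snapshot["controlScores"]:
        prof = by_id.get(cs["controlName"])
        if prof is None or prof.get("deprecated"):
            continue  # unknown or retired control: no points to earn
        gap = prof["maxScore"] - cs["score"]
        if gap <= 0:
            continue  # already fully implemented
        gaps.append({
            "control": cs["controlName"],
            "category": cs["controlCategory"],
            "title": prof["title"],
            "gap": gap,
            "userImpact": prof["userImpact"],
            "implementationCost": prof["implementationCost"],
        })
    gaps.sort(key=lambda g: (-g["gap"], RANK.get(g["implementationCost"], 3),
                             RANK.get(g["userImpact"], 3)))
    return gaps


def quick_wins(gaps: List[Dict[str, Any]]) -> List[str]:
    """Controls with Low cost and Low user impact, the MFA-for-admins kind."""
    return [g["control"] for g in gaps
            if g["implementationCost"] == "Low" and g["userImpact"] == "Low"]


if __name__ == "__main__":
    snap = latest_snapshot(SAMPLE_SECURE_SCORES)
    print(f"Secure Score: {snap['currentScore']:.0f}/{snap['maxScore']:.0f} ({score_percent(snap)}%)")
    todo = remediation_gaps(snap, SAMPLE_CONTROL_PROFILES)
    for g in todo:
        print(f"  +{g['gap']:>4.0f}  {g['control']:<20} cost={g['implementationCost']:<8} impact={g['userImpact']}")
    print("Quick wins:", ", ".join(quick_wins(todo)))
```

The join is on `controlScores[].controlName` matching `secureScoreControlProfile.id`; a control that has no profile, or whose profile is marked `deprecated`, is dropped rather than counted as missing points, which is the difference between the raw score and an actionable list.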
Should I pay attention to the Secure Score?
Yes, Yes and Yes again. Of course, you should.
Should I ignore all other Security practices because I have a great Score?
No, No and No again. The Secure Score mechanism is a great tool (notice the wording there: “a great tool,” nothing else) and is not meant to be the final security control you ever implement for your organization. Though it is good, you still need to look at other Microsoft and perhaps 3rd-party tools, processes, and practices that will help create a great Security Posture for your organization.