Aug 12 2016
- last edited on
May 24 2021
Microsoft is pleased to announce the preview availability of a new security analytics service called the Office 365 Secure Score. The Secure Score is a security analytics tool that will help you understand what you have done to reduce the risk to your data in Office 365, and show you what you can do to further reduce that risk. We think of it as a credit score for security. Our approach to this experience was very simple. First, we created a full inventory of all the security configurations and behaviors that our customers can do to mitigate risks to their data in Office 365 (there are about 77 total things that we identified). Then, we evaluated the extent to which each of those controls mitigated a specific set of risks and awarded the control some points. More points means a more effective control for that risk. Lastly, we measure the extent to which your service has adopted the recommended controls, add up your points, and present it as a single score.
The core idea is that it is useful to rationalize and contextualize all of your cloud security configuration and behavioral options into one simple, analytical framework, and to make it very easy for you to take incremental action to improve your score over time. Rather than constructing a model with findings slotted into critical, moderate, or low severity, we wanted to give you a non-reactive way to evaluate your risk and make incremental changes over time that add up to a very effective risk mitigation plan.
The Office 365 Secure Score is a preview experience, so you may find issues, and you will note that not all of the controls are being measured. Please share any issues on the Office Network Group for Security. You can access the Secure Score at https://securescore.office.com.
The Secure Score does not express an absolute measure of how likely you are to get breached. It expresses the extent to which you have adopted controls which can offset the risk of being breached. No service can guarantee that you will not be breached, and the Secure Score should not be interpreted as a guarantee in any way.
Your Secure Score Summary
The first, most important piece of the Secure Score experience is the Score Summary. This panel gives you your current Secure Score, and the total number of points that are available to you, given your subscription level, the date that your score was measured, as well as a simple pie chart of your score. The denominator of your score is not intended to be a goal number to achieve. The full set of controls includes several that are very aggressive and will potentially have an adverse impact on your users’ productivity. Your goal should be to optimize your action to take every possible risk mitigating action while preserving your users’ productivity.
As mentioned, the Office 365 Secure Score is in a preview release. Over the coming months you will see us continue to add new controls, new measurements, and improvements to the remediation experiences. If you like what you see, please share with your network. If you see something we can improve, please share it with us on the Office Network Group for Security. We’re looking forward to seeing your scores go up, and making the Secure Score experience as useful, simple, and easy as it can be.
Aug 12 2016 12:23 PM
Wasn't it in Preview already? Or was that Private? Cause the links were publicly accessible and I've even showcased it on a local user group session... whoops? :)
Anyway, the idea is awesome, the tool was lacking some stuff last time I tried it though. Will give it a spin over the weekend and report back :)
Aug 12 2016 03:53 PM
Yep, it was in an alpha preview and was based on a manual collection of data via powershell. The new site is a non-alpha preview, and the collection is all automated. We've done a lot of work to refine the consumption experience, and have around 30 controls' worth of data collection automated. Goal is to have all 77 controls automatically collected, and to have all controls with a two-click remediation. Feedback is greatly appreciated!
Aug 14 2016 06:27 AM
Would be great if this tool was integrated in the Office 365 partner-site, so we can check the health of all our Office 365 customers in a single overview!
Aug 14 2016 12:28 PM
Well, I do miss the PowerShell bit - always good to know what exactly a tool is doing. In this regard I do think you should update the consent part, for example make sure that the publisher is listed as Microsoft, and provide a clear explanation why you need the type of permissions ("write directory data" can be a hard sell to some organizations as it can easily be taken out of context).
Other that that - it's cool. Obviously needs some more work, lots of UI glitches, lots of missing/inactive controls, but overall I like it. A "rescan" button might be handy? Also some sort of filter/template per industry or per security standard, so that people can easily check where they stand in terms of meeting compliance for their particular needs.
Will do a more detailed review/blog post in the next days and send some additional feedback your way. Lots has changed in the service since the last time I spammed firstname.lastname@example.org :)
Aug 15 2016 08:13 PM
I'd like to see alerting for score changes. If I do the work to improve security, and then another global admin undoes some of that work maliciously or through error, being notified of a score change would be useful. It would also be helpful to be notified of new items when they are added to the tool.
Just to clarify, the [Not Scored] items such as reviewing reports, is the intention to score them eventually? E.g. if I click through that item and review the report, does Secure Score see that and add points to the score?
Also will Secure Score facilitate the regular reviews? E.g. by emailing/notifying me when a review item is due for another review? Or will I need to self-maintain that via a calendar item or similar mechanism?
Aug 16 2016 10:20 AM
Thanks for the suggestion! Adding it to the list.
Aug 16 2016 10:27 AM
Aug 16 2016 06:33 PM
Aug 22 2016 11:58 AM
Thanks for the feedback. That is definitely our intention. API access is on the docket for the near future.
Aug 23 2016 02:06 AM
I have been impressed with Secure Score, I think it has a lot of potential, already it seems very useful. Incidentally, I have put some feedback in a post on my blog -
Aug 25 2016 05:40 AM
Aug 25 2016 10:40 AM
Sorry for the trouble. The most likely cause is that the acocunt you are using has not been assigned the global administrator role. The Secure Score requires that privilege level at the moment.
Aug 25 2016 10:43 AM
Thanks for the reply, however I'm using my account and I am a global administrator.
Sep 01 2016 02:02 PM
Was looking at my admins, and notice I have a Dirsync Admin, how do I setup the Dirysync admin with MFA?
I also have an admin my vendor setup as the initial admin, and said we did not need to use this but it had to be there MFA, is this true?
Sep 01 2016 11:10 PM
Newer versions of AADConnect support MFA, using a GA account with MFA enabled should not be a problem.
Sep 02 2016 12:21 PM
Vasil's got it right. I should also note that the Secure Score gives MFA credit to organizations that have MFA enabled in dirsync'ed on-prem directories, so long as the federated directory configuration includes the 'SupportsMFA' flag in AAD.
Sep 15 2016 04:35 AM
I assume that this will also eventually be at least linked from the Security & Compliance portal so everything is in one place?
Sep 15 2016 11:19 AM
Thanks for the feedback. It is our intention to integrate the experience into the Security and Compliance Center once we can prove that the concept is an effective way to drive improvements to customer risk postures. Please let your peers know about the Score, and let us know if you have any feedback about the experience.
Sep 16 2016 12:39 AM
Could I suggest integration with OMS, Security and Audit. Maybe also for alerting?