Microsoft Launches Office 365 Secure Score
Microsoft on Friday announced that Office 365 Secure Score API, the company's security analytics tool aimed at evaluating data risk levels in the cloud service, is now available for commercial Office 365 users.
The new tool, which was announced at Ignite 2016 and has been in preview since August of last year, monitors 77 different factors in Office 365, including user behaviors and security settings, to provide a base security score. Then the preliminary results are evaluated on a point-by-point basis to see what steps an organization is doing to mitigate risk. The higher the final score, the more secure Office 365 is. The data can then be used to pinpoint trouble areas, and suggestions on raising an organization's security score are provided.
"The core idea is that it is useful to rationalize and contextualize all of your cloud security configuration and behavioral options into one simple, analytical framework, and to make it very easy for you to take incremental action to improve your score over time," wrote Brandon Koeller, principal program manager lead at Microsoft, in a blog post last year. "Rather than constructing a model with findings slotted into critical, moderate, or low severity, we wanted to give you a non-reactive way to evaluate your risk and make incremental changes over time that add up to a very effective risk mitigation plan."
Along with evaluating an organization's Office 365 readiness based off of Microsoft-specific criteria, the score can also be compared with the 85 million other commercial Office 365 users. The Wall Street Journal also noted that Hartford Financial Services Group Inc. (The Hartford) is the first major insurance firm that will take the score generated from the tool in consideration when setting corporate insurance rates, though it did point out that no money between Harford and Microsoft was exchanged for the score integration.
"We believe aligning the solutions between security and insurance can make a real difference," commented Tom Kang, head of cyber insurance at The Hartford, in Friday's announcement. "By encouraging the use of an innovative security analytics tool like Office 365 Secure Score and making it a part of the underwriting process, businesses have more information to make risk-based decisions around privacy and security, potentially reducing their exposure to loss."
Office 365 Secure Score's API is integrated into Microsoft Graph and requires a few steps to set up. First, organizations must choose between Service-to-Service Authentication model (allowing automated access across a network) or the OAuth model (providing access on a case-by-case basis, controlled by the network administrator). Next, the application must be registered and added to the network Azure Active Directory, which Microsoft has detailed how to do this here.
Once those steps are complete and based on which model is chosen, network admins will need to run a specific PowerShell code, provided in the link above, to retrieve the last nine days of results from the Office 365 Secure Store API, which can be retrieved by logging into the Office 365 Secure Score portal with the global administrator account.
Along with announcing the general availability of Office 365 Secure Score, Microsoft said that Office 365 Threat Intelligence service, which monitors an Office 365 ecosystem for security threats, is now in private preview.