We often find that SMBs are unaware of the Shared Responsibility Matrix for solutions like Microsoft 365, which outlines the responsibilities Microsoft owns and the responsibilities the Customer owns. As all MSPs know, this gap in knowledge can be detrimental to the security and recoverability of a customer's M365 environment, yet we, the MSP community, often fall short of educating customers about the true risks and the skills needed to close those gaps.
For most MSPs and customers it is obvious that Microsoft is responsible for securing the underlying infrastructure, including servers and data centers, while management areas such as account creation, security configuration, and user access fall on the customer's side of the matrix.
A challenge for many MSPs and Customers alike surfaces in the areas where both Microsoft and the Client hold a level of responsibility for the security and recoverability of customer information (accounts, data, etc.).
Security
While Microsoft is responsible for the underlying infrastructure and identity platform, it is not responsible for an incorrect or improper security deployment that results in a breach. It is the Customer's (or MSP's) responsibility to implement and manage the security features that control authentication and access to data. Some examples include:
- Multi-Factor Authentication (MFA)
- Conditional Access Policies
- Data Loss Prevention
- Identity Protection
- Archiving and eDiscovery
Recovery
Although the Microsoft Shared Responsibility Matrix clearly places this on the Customer side, many Customers, and even some MSPs, believe that Microsoft is responsible for data recovery. Microsoft is clear that the version history and data resiliency it provides (the ability to recover a file) are not a traditional backup. Customer-owned areas include:
- Data Backup
- Data Retention Policies
- Data Classification
- Compliance Requirements
Identifying the responsibilities on each side is only the first step toward ensuring the security and recoverability of information. MSPs who manage their customers' environments may struggle to keep up with changes to the Microsoft 365 platform, and managing those changes across every tenant can be extremely challenging. Some recommendations to simplify the process and add efficiency while ensuring consistency across tenants include:
- Recurring Security Assessments
- Best Practice Implementation Templates
- Specific Compliance Assessments (NIST, HIPAA, GDPR, etc.)
- Microsoft Secure Score Monitoring
- Streamlined Remediation Approach
Each of these on its own helps with consistency and efficiency, but treating them together as part of a centralized SaaS security platform can change both the approach to, and the profitability of, MSP services that include Microsoft 365.