Cloud Security Best Practices for Australian SMEs

The Cloud Is Not Automatically Secure

Moving to the cloud does not mean your data is automatically protected. Cloud providers like Microsoft secure their infrastructure — the data centres, the physical servers, the network. But securing your data, your users, and your configuration is your responsibility. This is the shared responsibility model, and many SMEs do not understand where the provider’s responsibility ends and theirs begins.

A misconfigured cloud environment can be more exposed than an on-premises server sitting behind a firewall.

The Shared Responsibility Model

Microsoft, Google, and AWS are responsible for physical security, network infrastructure, hypervisor and platform security, and service availability. Your business is responsible for identity and access management, data classification and protection, device security, application configuration, and user behaviour.

If an employee’s account is compromised because they used a weak password with no MFA, that is not Microsoft’s problem. If sensitive data is shared externally because SharePoint permissions were misconfigured, that is not the cloud provider’s fault.

Identity Is the New Perimeter

In a cloud environment, the traditional network perimeter — firewalls protecting a physical office — matters less. Identity is what controls access. Securing identities means enforcing multi-factor authentication on every account without exception, using conditional access policies to control when and how users can sign in, implementing privileged identity management so admin accounts are only elevated when needed, and monitoring sign-in activity for anomalous behaviour such as logins from unusual locations or impossible travel.
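As an added illustration of the sign-in monitoring described above (example code written for this page, not TechAssist's tooling or any Microsoft feature), the following Python flags "impossible travel" by comparing the speed implied between consecutive sign-ins for the same user against a plausible ceiling. The sign-in records, coordinates and the 900 km/h threshold are constructed assumptions.

```python
"""Impossible-travel check over constructed sign-in records (hypothetical data)."""
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; tune per organisation (assumption)

# Constructed sample sign-in events (not real log data): user, UTC time, lat, lon, city
SIGN_INS = [
    ("alice@example.com.au", "2024-03-04T08:00:00Z", -33.87, 151.21, "Sydney"),
    ("alice@example.com.au", "2024-03-04T09:30:00Z", -37.81, 144.96, "Melbourne"),  # ~713 km in 1.5 h: plausible
    ("alice@example.com.au", "2024-03-04T10:00:00Z", 52.37, 4.90, "Amsterdam"),    # ~16,500 km in 0.5 h: impossible
    ("bob@example.com.au", "2024-03-04T08:00:00Z", -27.47, 153.03, "Brisbane"),
    ("bob@example.com.au", "2024-03-04T20:00:00Z", -31.95, 115.86, "Perth"),        # ~3,600 km in 12 h: plausible
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, km, hours) for each consecutive pair of sign-ins
    by the same user whose implied speed exceeds max_kmh. Events are grouped per user
    and sorted by time first, so input order does not matter."""
    alerts = []
    by_user = {}
    for user, ts, lat, lon, city in events:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_user.setdefault(user, []).append((when, lat, lon, city))
    for user, rows in by_user.items():
        rows.sort()
        for (t1, lat1, lon1, c1), (t2, lat2, lon2, c2) in zip(rows, rows[1:]):
            km = haversine_km(lat1, lon1, lat2, lon2)
            hours = (t2 - t1).total_seconds() / 3600
            # Two different places at the same instant is also impossible; avoid dividing by zero
            if hours == 0 and km > 0:
                alerts.append((user, c1, c2, round(km), 0.0))
            elif hours > 0 and km / hours > max_kmh:
                alerts.append((user, c1, c2, round(km), round(hours, 2)))
    return alerts

if __name__ == "__main__":
    for a in find_impossible_travel(SIGN_INS):
        print("IMPOSSIBLE TRAVEL: %s %s -> %s (%d km in %.2f h)" % a)
```

In production the same logic would run over the sign-in log exported from the identity provider; the alert should feed an investigation rather than block on its own, since VPNs and mobile carriers can place a legitimate user far from where they sit.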

Data Protection

Know where your data is, what it contains, and who can access it. Microsoft 365 provides tools for this, but they require configuration. Sensitivity labels classify documents by confidentiality level and enforce protection rules. Data Loss Prevention policies detect and block sharing of sensitive information such as tax file numbers, credit card details, or client records. Information Rights Management prevents documents from being forwarded, printed, or copied outside your organisation. Retention policies ensure data is kept for the required period and deleted when it should be.

Secure Configuration

Default settings in cloud platforms are designed for ease of use, not maximum security. Review and harden your configuration. Disable legacy authentication protocols that bypass MFA. Restrict external sharing in SharePoint and OneDrive to approved domains or authenticated users. Enable audit logging across all services. Configure mailbox auditing and alert on suspicious email rules. Review and restrict application consent — users should not be able to grant third-party applications access to company data without approval.

Device Security

Cloud data is accessed from devices. If those devices are unmanaged or compromised, your cloud security is undermined. Use Microsoft Intune or a similar mobile device management solution to enforce device compliance — require encryption, up-to-date operating systems, and endpoint protection before granting access to cloud resources. Conditional access policies can block or limit access from non-compliant devices.

Backup Your Cloud Data

Microsoft 365 retains deleted data for a limited period, but it is not a backup service. Accidental deletion, malicious deletion by a compromised account, or ransomware that encrypts cloud-synced files can result in permanent data loss. Use a third-party cloud backup solution that provides independent copies of your Exchange, SharePoint, OneDrive, and Teams data with point-in-time recovery.

Regular Security Reviews

Cloud environments change constantly — new users, new applications, changed settings. Conduct a security review of your cloud configuration at least quarterly. Microsoft Secure Score provides a useful baseline, but do not rely on it alone. A qualified IT provider should review access controls, sharing settings, conditional access policies, and compliance configuration regularly.

Get Your Cloud Secured

If your business has moved to the cloud but has not secured it properly, you may be more exposed than you realise. Contact TechAssist for a cloud security assessment and remediation plan.
