Securing and managing multi-tenant Microsoft 365 environments
While cloud computing is certainly a game-changing technology for business, some confusion remains around security. Many business owners don’t realize they’re responsible for cloud security, leaving their IT team scrambling to implement security measures while also managing access and permissions, workspace and site creation, and other important duties.
This is particularly difficult for those managing multi-tenant Microsoft 365 environments. In brief, where does the buck stop? With Azure, Microsoft, the multi-tenancy provider (in the case of an MSP), or the individual company? Coby Liang, CTO SaaS Management of the SaaS and data management platform provider AvePoint, joined us recently to talk through companies’ options.
Cloud Security is Your Responsibility
M365 handles huge amounts of business-critical information daily in the form of emails, documents, spreadsheets, and the like that need proper protection to ensure they’re backed up and recoverable.
Many incorrectly assume that cloud providers protect their users’ data and operational integrity as part of the service they offer. The truth is that while the cyber and physical defenses around an Azure data center are formidable, these measures are in place to protect your data from power outages, bad patches, and natural disasters – not from yourself.
If you happen to fall victim to cybercrime, regulatory missteps, or even human error, you could lose data or even revenue as you work to recover. This is why many cloud providers encourage users to invest in a third-party solution that extends these native protections to streamline recovery and ensure business resiliency.
The stakes are even higher for multi-tenancy organizations, such as MSPs or companies that operate in discrete divisions or sections, like companies with international branch offices or businesses that have grown through merger and acquisition. For these types of organizations, security, account management, and oversight are generally thrown together into one large melting pot for local administrators to manage. With admins juggling so much, security can fall by the wayside and environments can be left vulnerable.
Pain Points of Cloud Security for Multi-Tenancy Organizations
While access to your collaboration environment can be secured and encrypted (it’s easy enough to add a single sign-on facility or multi-factor authentication, too), there aren’t too many native security features suitable for multi-tenancy organizations. The ethos of M365 is that it’s deployed company-wide with at least the potential for cross-division, multinational working. It’s challenging for administrators to create discrete account spaces for multi-tenancy where data simply has to be kept separate.
In large organizations, data protection and security are highly complex for many more reasons than the possibility of hacking. Sensitive information should only be available, for example, to those given the right privileges. Certain data should only exist in certain locations, and of course, that makes collaboration – or rather, safe collaboration – highly problematic.
That’s just the situation, Coby told us, that gives rise to a new generation of shadow IT: people will use the nearest possible tools to get a cross-departmental job done, regardless of security concerns or data governance.
For MSPs, total data separation is a must-have. Clients’ information, working spaces, and entire environments must be kept in clearly demarcated areas. At the same time, the MSP’s administrators need oversight into all of their tenants’ operations and data to get their own insights into operations right across the company.
Delegated Administration Secures Environment and Unburdens Central IT
At the heart of the problems facing multi-campus organizations and MSPs is access privilege control. Solutions such as AvePoint’s Elements Platform can layer security systems that, for instance, can close or isolate accounts in just a few seconds while providing a broad suite of management functions over multi-tenancy environments.
In fact, Coby explains that the ideal model for privilege policies (and security policies in general) is one of delegation, as this unburdens your global admins of routine, mundane tasks and allows them to focus on securing and controlling your collaboration environment.
“AvePoint can bring a delegation operational model to our clients, which is a major competitive differentiator for us. And when we say delegation, we talk about the two different layers of delegation. First, delegating to the business, regional IT, or key user groups […] on behalf of global IT. You can delegate to the region’s IT but central IT should maintain all the key security compliance settings for [each] tenant. […] Second, delegating directly to users themselves. When a user wants to create a workspace to host a project, do they need to go to the IT team to create one? Self-service helps the business move ahead on projects quickly while allowing IT to focus on more high value activities. And this is where M365 can really help you to maximize your revenue for the organization.”
The Bottom Line
While AvePoint offers this enterprise-grade security and control to businesses of all sizes and industries, the general principles are the same for all organizations.
Coby says, “If you think about a large company like a modern automobile manufacturer, they have so many different brands, and not necessarily all these brands need to have their own tenancy. However, sometimes they have to set up [an isolated tenancy] because one of the brands wants to manage themselves. So that’s a fundamental difference, but the setup is exactly the same. If you think about how we help the MSP or the enterprise […] we basically provide a single dashboard with full transparency across multiple tenants.”
With a powerful and malleable feature set, AvePoint’s platform helps organizations migrate, manage and protect their Microsoft investments.