Why Isn’t Native Office 365 and Azure AD Auditing Good Enough?

The Netwrix 2018 Cloud Security Report shows that cloud technology has captured the attention of more and more companies. 42% of respondents are ready for broader cloud adoption, and half of them plan to store more customer, employee and financial information there in the near future. For many organizations, that means adopting Office 365 and Azure AD. According to Microsoft, there are 120 million active business users of Office 365, and Azure AD is being used to manage the infrastructures of five million organizations worldwide.
One advantage of the cloud is that it makes content sharing very easy. But that’s a downside as well — the risk of unauthorized access topped the list of cloud security concerns in the Netwrix survey; it was named by 69% of respondents. So how is Microsoft helping organizations secure their Office 365 and Azure AD deployments, and what are the limitations of the native tools?

What has Microsoft done to improve the security of Office 365 and Azure AD?

Microsoft has done a lot to help companies with their security efforts in the cloud. It launched the Security and Compliance Center for Office 365 to help users better manage data access. It offers insightful reports, such as Risky Sign-ins, Risk Events and Users at Risk, which highlight users that have been flagged for risk and list their activity. And it also offers Secure Score, a risk assessment tool that advises you about actions you should take to improve your cloud security. In Azure AD, Microsoft is enforcing conditional access policies, and multifactor authentication will soon be the default for all Azure administrators.

Why are default security measures still insufficient?

Despite these security advances, however, there are three significant issues that make many organizations hesitant about relying solely on built-in auditing functionality for security in Office 365 and Azure AD.

Issue #1: Short log retention period

Many compliance standards require companies to store their audit logs far longer than Microsoft can — a maximum of 90 days for Office 365 and 30 days for Azure AD. For example, PCI DSS requires organizations to store logs for one year, while HIPAA requires six years of log retention. GDPR does not specify a particular log retention period but it does require organizations to be able to investigate a breach at any time, and the Ponemon Institute’s 2017 Cost of a Data Breach Study found that it takes an average of 206 days to detect a data breach.
Clearly, Microsoft’s brief log retention periods are insufficient for companies that need to present evidence for compliance or investigate most security incidents, unless they periodically save off the log data manually before it is overwritten — a tedious and error-prone process. Therefore, many organizations look for third-party auditing solutions that offer reliable, automated log collection and cost-effective long-term storage.
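The manual save-off described above fails silently when a run is missed. The following added example (not from the original article or from Microsoft) checks a constructed schedule of archive runs against the 90-day and 30-day limits quoted above and returns the date ranges that were never archived and have already expired from the native log; the function name, data layout and dates are assumptions.

```python
from datetime import date, timedelta

# Native retention limits quoted in the article, in days.
RETENTION_DAYS = {"office365": 90, "azure_ad": 30}

# Constructed sample: month-end save-offs with the July run missed.
# Each pair is (run_date, earliest_event_date_the_operator_asked_for).
EXPORTS = [
    (date(2018, 5, 31), date(2018, 5, 1)),
    (date(2018, 6, 30), date(2018, 6, 1)),
    (date(2018, 8, 31), date(2018, 7, 1)),
]

def lost_ranges(source, exports, today):
    """Return (first_day, last_day) ranges never archived and already expired."""
    keep = timedelta(days=RETENTION_DAYS[source])
    one_day = timedelta(days=1)
    # A run cannot reach further back than the retention window allows.
    spans = sorted((max(start, run - keep), run) for run, start in exports)
    merged = []
    for start, end in spans:
        if merged and start <= merged[-1][1] + one_day:
            merged[-1][1] = max(merged[-1][1], end)   # overlapping or adjacent
        else:
            merged.append([start, end])
    horizon = today - keep            # oldest day the native log still holds
    merged.append([today + one_day, today + one_day])  # sentinel for the tail
    lost = []
    for (_, prev_end), (next_start, _) in zip(merged, merged[1:]):
        gap_start = prev_end + one_day
        gap_end = min(next_start, horizon) - one_day
        if gap_start <= gap_end:
            lost.append((gap_start, gap_end))
    return lost

if __name__ == "__main__":
    for source in RETENTION_DAYS:
        print(source, lost_ranges(source, EXPORTS, date(2018, 9, 1)))
```

With the same schedule, the 30-day source loses the whole of July while the 90-day source loses nothing, because the August run could still reach back to 1 July.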

Issue #2: No support for hybrid environments

Although Gartner predicts that the public cloud market will witness growth of more than 160% by 2021, on-premises deployments are here to stay for a while. The analyst firm estimates that 72% of companies are pursuing a hybrid approach in 2018, a number that has not changed much from previous years and is unlikely to change in the near future. As companies choose to migrate to the cloud gradually, they need a way to ensure the security of both their on-premises and cloud-based infrastructures.
Microsoft does offer various reports that help with data access governance and risk assessment in the cloud, but it’s difficult and time-consuming to try to integrate those reports with data from on-prem reports and other sources in multiple different formats. To spot active threats and quickly investigate incidents, security professionals need comprehensive analysis across the entire IT infrastructure, so many organizations are looking for third-party solutions that provide one point of access to all audit data across all systems and present data in a unified way.

Issue #3: Usability issues

Although Microsoft is constantly updating and improving Office 365 and Azure AD, some critical usability issues still have not been solved. These include poor filtering functionality in the audit reports and no ability to sort a report in any order except chronological. Neither Office 365 nor Azure AD provides predefined compliance reports; users have to export the audit data to CSV format and compile the audit report manually in Excel, a dubious pleasure for companies that are already paying a premium to get other features. As a result, organizations start to look for a solution that is more flexible and easier to use.
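The manual CSV step described above can be scripted. This added example (not from the original article or any vendor tool) reads an exported audit CSV, filters by workload or operation, and ranks users by activity instead of by time; the column names (CreationDate, UserIds, Operations, AuditData), the JSON fields Workload and ClientIP, and all sample rows are assumptions about the export layout.

```python
import csv
import io
import json
from collections import Counter

# Constructed sample export; the last row carries truncated AuditData.
SAMPLE_CSV = '''CreationDate,UserIds,Operations,AuditData
2018-06-01T09:15:00,alice@example.com,FileAccessed,"{""Workload"":""SharePoint"",""ClientIP"":""203.0.113.7""}"
2018-06-01T09:20:00,bob@example.com,FileDownloaded,"{""Workload"":""OneDrive"",""ClientIP"":""198.51.100.4""}"
2018-06-01T10:02:00,Alice@example.com,FileAccessed,"{""Workload"":""SharePoint"",""ClientIP"":""203.0.113.7""}"
2018-06-02T08:00:00,bob@example.com,SharingSet,"{""Workload"":""SharePoint"",""ClientIP"":""198.51.100.4""}"
2018-06-02T08:05:00,carol@example.com,FileAccessed,{truncated
'''

def load_events(text):
    """Parse the export into flat dicts, tolerating damaged AuditData cells."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            detail = json.loads(row["AuditData"])
        except (json.JSONDecodeError, TypeError):
            detail = {}  # keep the event, mark the missing detail below
        events.append({
            "time": row["CreationDate"],
            "user": (row["UserIds"] or "").lower(),  # case differs between rows
            "operation": row["Operations"],
            "workload": detail.get("Workload", "unknown"),
            "ip": detail.get("ClientIP", ""),
        })
    return events

def summarize(events, workload=None, operations=None):
    """Count events per (user, operation), busiest first, with optional filters."""
    counts = Counter(
        (e["user"], e["operation"])
        for e in events
        if (workload is None or e["workload"] == workload)
        and (operations is None or e["operation"] in operations)
    )
    # Sort by descending count, then by key so the order is deterministic.
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for (user, operation), n in summarize(load_events(SAMPLE_CSV)):
        print(f"{n:3d}  {user:20s} {operation}")
```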

The native auditing features of Office 365 and Azure AD meet a few basic needs, helping you manage data access and make sure that content sharing accords with security policies. However, the functionality is insufficient for achieving and proving compliance with regulations and industry standards. Short log retention periods, lack of support for hybrid environments and usability issues drive companies to look for third-party solutions that will help them streamline their security and compliance efforts.