
The Shared Responsibility Model for Microsoft 365

By Richard Hutchings

Microsoft has a well-defined and published shared responsibility model. However, most organisations still do not realise that it even exists – and, more importantly, what their obligations actually are.

Everyone has heard of Microsoft, and most likely, every reader here will have heard of Microsoft 365 (given that it has been adopted by over 2 million companies worldwide), but how many of these 2 million organisations have heard of, read, or fully understood the accompanying Shared Responsibility Model? If you fall into one of these categories, this article is for you.

The Microsoft 365 shared responsibility model includes aspects like physical infrastructure (Microsoft’s responsibility) and user access (the customer’s responsibility). However, it might surprise you to know that many organisations and individuals are still unaware of their full obligations under this Model – and this is especially true of areas where both Microsoft and the customer hold levels of responsibility (data, for example).

As CTO of a managed IT, cyber security, and Microsoft business solutions provider, I believe there’s more that could be done by MSPs to make these shared responsibilities clear to everyone.

A closer look at the Shared Responsibility Model for Microsoft 365

As touched upon, the Shared Responsibility Model is a framework developed by Microsoft to outline the security responsibilities of both Microsoft and the customer when using Microsoft cloud services, such as Microsoft 365. Microsoft (and, indeed, other cloud providers such as AWS) publishes multiple shared responsibility matrices, each tailored to a particular service and deployment model, e.g., SaaS, PaaS, and IaaS, and the split of duties differs between them.

Under the M365 Security and Recovery Model, Microsoft operates the cloud infrastructure, ensuring physical security, network protection, and the overall availability of the services. However, as part of the cloud service agreement, customers are responsible for securing and managing the data they store within these environments, including data protection measures such as data backups and the application of best-practice configurations.

In essence, Microsoft’s shared responsibility model shifts the onus of data protection and security management to the users of its services, with clear lines drawn about what Microsoft’s responsibility is and what the customer’s responsibility is.

Here’s how it works:

[Figure: Microsoft Shared Responsibility Model, showing which responsibilities sit with Microsoft, which sit with the customer, and which are shared]

The overlooked responsibility gap

One of the significant challenges with the Shared Responsibility Model is the fact that many organisations and individuals fail to fully understand the division of responsibility. It’s easy to fall into the trap of assuming that Microsoft handles everything, from security to data restoration – and, as seen above, this isn’t the case.

Unfortunately, it’s this knowledge gap that leads to misconfigurations, inadequate security practices, and unaddressed vulnerabilities that can ultimately jeopardise data security and result in incidents. For instance, the model makes clear that Microsoft is not responsible for incorrect or improper security deployments that result in a breach; in other words, it’s on you (or your service provider) to implement data-level security, e.g., robust identity and access management (IAM), encryption, and regular audits.

Another critical area where this gap often rears its ugly head is recovery, which, as the model above shows, falls to the customer. Microsoft may provide some level of protection in the form of recycle bins or data held under retention policies, but it’s up to the customer to implement a robust Microsoft 365 backup solution to guarantee that their data is secured and recoverable in the event of data loss.

Unfortunately, in a typical ransomware attack, one of the first activities undertaken by the malicious actor would be to empty the aforementioned recycle bins and remove the retention policies – as they obviously don’t want you to have a simple recovery method to circumvent their financial extortion attempt. Having your data secured in an immutable backup (a feature not offered within Microsoft 365 itself) is a key safeguard against potentially catastrophic business impact.

The risks of misunderstanding The Shared Responsibility Model

The risks of not understanding the Shared Responsibility Model are significant. After all, when organisations fail to clearly understand, define, and fulfil their role in cloud security, they face several potential risks:

  • Data loss: Without understanding the full scope of their responsibilities, companies might not set up proper Microsoft 365 backup solutions or retention policies. This could lead to critical data being lost or irretrievably damaged during a system outage or cyber-attack.
  • Non-compliance: Many industries, e.g., financial and pharmaceutical, have strict regulations surrounding data protection. If your organisation is unaware of its role in data protection and retention, you could face non-compliance with regulations such as GDPR, HIPAA, or PCI-DSS. These regulations often require businesses to have strong data protection mechanisms in place, and failure to meet these requirements can lead to massive fines.
  • Cyber security vulnerabilities: Remember, Microsoft secures its infrastructure, but you are still responsible for your organisation’s security practices, including user access controls, multi-factor authentication (MFA), and monitoring for potential threats. Neglecting to properly secure user accounts or failing to apply updates can leave the business vulnerable to attacks like phishing or ransomware.
  • Business disruption: An overlooked aspect of the shared responsibility model is business continuity. If your organisation doesn’t have the proper data recovery protocols in place or doesn’t regularly back up data, a security incident or accidental deletion could result in significant downtime, causing operational disruption and loss of revenue.
  • Loss of customer trust: If data is lost or exposed due to misconfigurations or a failure to follow the Shared Responsibility Model, the reputational damage can be severe. Customers expect organisations to take proactive measures to protect their data, and failing to do so can lead to a lasting loss of trust.

What can organisations do?

To mitigate the risks associated with the Shared Responsibility Model, organisations need to take several steps:

  • Educate employees: First and foremost, businesses need to ensure that their IT staff and decision-makers fully understand the shared responsibility model. This means understanding not just what Microsoft does, but also what they must do to secure and protect their data within Microsoft 365.
  • Implement proper security configurations: From robust authentication measures to Zero Trust architecture and conditional access and role-based access controls (RBAC), it’s vital for organisations to configure their Microsoft 365 environment to prevent unauthorised access and mitigate threats. Additionally, these configurations must be regularly reviewed and updated as security best practices evolve.
  • Backup data and configure retention policies: Ensure a Microsoft 365 approved backup toolset is used to protect and store your data backups, in addition to data retention policies and a clear data security model.
  • Monitor and respond to threats: The responsibility doesn’t end with configuration. Continuous monitoring and responding to security incidents is necessary to identify breaches before they can have a serious impact on your cloud environment. Leveraging Microsoft’s security solutions, such as Microsoft Defender and Sentinel, in conjunction with third-party security tools or service providers, can help proactively detect and address threats.
  • Review and update regularly: The landscape of cloud security is constantly changing. It’s essential for organisations to regularly review and update their security and recovery practices, ensuring these are always in line with the latest best practices and compliance requirements.
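Two of the points above come together in practice: the ransomware pattern of emptying recycle bins and removing retention policies, and the advice to monitor continuously rather than stop at configuration. The following is an added example (not part of the original article, and not Microsoft’s or Littlefish’s code) of detection logic run over constructed Microsoft 365 unified audit log records. The record shape (CreationTime, UserId, Operation, Workload, ObjectId) and the operation names in the two watch-lists are assumptions about the audit log schema and should be checked against an export from your own tenant; the sample records and user names are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Operation names assumed to match the unified audit log's "Operation" field
# (Purview / SharePoint / Exchange). Verify them against a real export from
# your tenant before relying on this list.
RETENTION_TAMPER_OPS = {
    "Remove-RetentionCompliancePolicy",
    "Remove-RetentionComplianceRule",
}
RECYCLE_BIN_PURGE_OPS = {
    "FileDeletedFirstStageRecycleBin",
    "FileDeletedSecondStageRecycleBin",
    "HardDelete",
}


def constructed_log():
    """Return constructed JSON-lines audit records (not real tenant data)."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    lines = []

    def rec(minutes, user, op, workload, item):
        when = base + timedelta(minutes=minutes)
        lines.append(json.dumps({
            "CreationTime": when.strftime("%Y-%m-%dT%H:%M:%S"),
            "UserId": user,
            "Operation": op,
            "Workload": workload,
            "ObjectId": item,
        }))

    # Mass purge of the second-stage recycle bin: 25 items in under 5 minutes.
    for i in range(25):
        rec(i * 0.2, "alice@contoso.example", "FileDeletedSecondStageRecycleBin",
            "SharePoint", f"https://contoso.example/sites/finance/file{i}.xlsx")
    # Ordinary tidy-up: two deletions an hour apart, which should not alert.
    rec(0, "bob@contoso.example", "FileDeletedFirstStageRecycleBin",
        "SharePoint", "https://contoso.example/sites/hr/a.docx")
    rec(60, "bob@contoso.example", "FileDeletedFirstStageRecycleBin",
        "SharePoint", "https://contoso.example/sites/hr/b.docx")
    # A retention policy removed by an admin account: always worth a ticket.
    rec(12, "admin@contoso.example", "Remove-RetentionCompliancePolicy",
        "SecurityComplianceCenter", "Finance-7yr-Hold")
    # Benign noise that the detector should ignore.
    rec(3, "carol@contoso.example", "FileModified",
        "SharePoint", "https://contoso.example/sites/hr/notes.txt")
    return "\n".join(lines)


def parse_records(text):
    """Parse JSON-lines audit records and attach a parsed timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        record["_time"] = datetime.fromisoformat(record["CreationTime"])
        records.append(record)
    return records


def detect(records, purge_threshold=20, window=timedelta(minutes=10)):
    """Flag retention-policy tampering and bursts of recycle-bin purges.

    Any retention tamper operation is a finding on its own. Recycle-bin
    purges are only flagged when one user performs at least purge_threshold
    of them inside a sliding time window, so routine clean-up stays quiet.
    """
    findings = []
    purge_times = defaultdict(list)
    for record in records:
        op = record.get("Operation", "")
        if op in RETENTION_TAMPER_OPS:
            findings.append({"kind": "retention_tamper", "user": record["UserId"],
                             "detail": f"{op} on {record.get('ObjectId')}"})
        elif op in RECYCLE_BIN_PURGE_OPS:
            purge_times[record["UserId"]].append(record["_time"])

    for user, times in purge_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= purge_threshold:
                findings.append({"kind": "mass_purge", "user": user,
                                 "detail": f"{count} recycle-bin purges within {window}"})
                break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect(parse_records(constructed_log())):
        print(f"[{finding['kind']}] {finding['user']}: {finding['detail']}")
```

Run against the constructed records it raises two findings: the retention policy removal by the admin account and the 25-item purge burst by one user, while the two spaced-out deletions and the file edit stay silent. The threshold and window are deliberately parameters; tune them against your own baseline so that legitimate clean-up by site owners does not page anyone.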

Final word

The Shared Responsibility Model is a crucial but often misunderstood aspect of Microsoft 365 – but never forget, the ultimate responsibility for data protection, recovery, and security lies with you, Microsoft’s customer.

Organisations that fail to fully understand their obligations under the Shared Responsibility Model put themselves at risk for data loss, security breaches, regulatory violations, and loss of customer trust. However, by taking time to educate staff, configure services correctly, and implement strong backup and recovery strategies – possibly in tandem with a trusted service provider – it’s possible to close the responsibility gap and safeguard data in the cloud.

Just remember, it is Microsoft’s service to maintain, and your data that you need to protect.

To find out how Littlefish can help secure your place in a safer digital future by safeguarding your Microsoft 365 environment, please get in touch with our friendly team using the button on this page.
