We often find SMBs are unaware of the Shared Responsibility Matrix for Microsoft 365®, which outlines responsibilities that Microsoft owns and responsibilities the customer owns.
As many MSPs know, this gap in knowledge can be detrimental to the security and recoverability of a customer’s Microsoft 365 environment, but we—the MSP community—often fall short of educating the customer about the true risks and skills needed to close those gaps.
A challenge for many MSPs and customers alike can surface in areas where both Microsoft and the client hold a level of responsibility to ensure the security and recoverability of customer information, such as accounts, data, etc.
To enhance the overall security posture of Microsoft 365 environments, MSPs must proactively educate their customers on the Shared Responsibility Matrix and collaborate closely with them to implement robust security measures.
What is the Shared Responsibility Matrix for Microsoft 365?
The Shared Responsibility Matrix for Microsoft 365 outlines the division of responsibilities between Microsoft and customers in ensuring the security and recoverability of data within the Microsoft 365 environment. Microsoft is responsible for securing the underlying infrastructure, such as servers and data centers, while customers are tasked with managing critical areas like account creation, security configurations, and user access control.
Microsoft 365 security: understanding the shared responsibility
While Microsoft is responsible for the underlying infrastructure and identity platform, they are not responsible for incorrect or improper security deployment that results in a breach. It’s the customer or the MSP’s responsibility to implement and manage the cybersecurity features that control authentication and access to data.
Some examples include:
By recognizing and fulfilling their role in this shared responsibility model, organizations can strengthen their overall security posture and better protect their data from potential threats.
Microsoft 365 recovery: who owns the responsibility?
While recovery falls under the customer's responsibility according to the Microsoft Shared Responsibility Matrix, there is often confusion regarding Microsoft's role in data recovery. Many customers and even some MSPs believe that Microsoft is responsible for data recovery.
Microsoft is clear that while they provide version history and data resiliency—the ability to recover a file—they are not traditional backups.
Here are some key considerations to close the gap and enhance data management practices:
Conclusion
Identifying the responsibilities on each end is the first step to ensuring the security and recoverability of information. MSPs who manage their customer’s environments may struggle to keep up with changes to the Microsoft 365 platform, and managing those changes across every tenant can be extremely challenging.
Some recommendations to simplify the process and add efficiency while ensuring consistency across tenants include:
- Recurring security assessments
- Best practice implementation templates
- Specific compliance assessments (NIST, HIPAA, GDPR, etc.)
- Microsoft Secure Score monitoring
- Streamlined remediation approach
While each of these bullets will help with consistency and efficiency, considering all of them as part of a centralized SaaS security platform can holistically change the approach and profitability of MSP services that include Microsoft 365.
Explore ConnectWise SaaS Security, the most powerful application to manage and monetize Microsft 365 security.
