Microsoft 365 and Google Workspace security: 12 steps to protect your data
Cloud productivity suites such as Microsoft 365 and Google Workspace have become the digital backbone for millions of businesses around the world. They are no longer just email and word processing: they are integrated ecosystems in which all communication (Teams, Meet) and document collaboration (SharePoint, Google Drive) take place, and where the most valuable data, from financial strategies to intellectual property, is stored. These platforms have become the de facto “digital headquarters” of the modern organization. This centralization of data, while extremely convenient, also makes them an extremely attractive and consolidated target for cybercriminals.
Many business leaders mistakenly assume that since they are using the services of technology giants such as Microsoft or Google, security is provided “automatically.” This is a dangerous myth. In the SaaS model, there is a
Why is the default configuration of Microsoft 365 and Google Workspace insufficient?
Vendors such as Microsoft and Google face a fundamental dilemma: they must balance security with usability for millions of very different customers, from small businesses to global corporations. As a result, the default configuration of their services is often a compromise to make deployment as simple as possible and minimize problems for end users. Unfortunately, what is convenient is rarely the most secure.
For example, many advanced security features, such as conditional access and advanced phishing protection, are not enabled by default or require additional configuration. Default file sharing policies may be too permissive, and logging and auditing mechanisms insufficiently detailed. Most importantly, key security features, like multi-factor authentication (MFA), have not been enforced on users for years, leaving the “door” protected only by a password.
Relying on the default configuration is like buying an advanced home alarm system and using it only in basic mode, without activating motion sensors or notifications to your phone. The system has great potential, but to fully exploit it and provide real security, it needs to be consciously configured and “hardened” (hardening) according to best practices.
What role does mandatory multi-factor authentication (MFA) play, and why is it absolutely crucial?
If you were to implement just one single security feature for your M365 or Google Workspace environment, it should be mandatory multi-factor authentication (MFA) for all users, with no exceptions. MFA is an identity verification method that requires users to provide at least two independent pieces of evidence that they are who they say they are. Most commonly, it is a combination of “something you know” (password) with “something you have” (phone with authentication app, dongle) or “something you are” (fingerprint, facial scan).
MFA is so critically important because it neutralizes the biggest and most common threat: password theft. Passwords, even the most complex ones, are inherently weak security. They can be guessed, cracked or, most commonly, phished. If access to an account is protected only by a password, its seizure by an attacker is only a matter of time.
Enabling MFA completely changes this dynamic. Even if an attacker manages to steal an employee’s password, without physical access to the employee’s second factor (e.g., phone), they won’t be able to log in to the account. According to Microsoft, enabling MFA blocks more than 99.9% of attacks based on credential compromise. This is the simplest and most effective step that can be taken to drastically improve security.
What are Conditional Access policies in Azure AD and how to use them?
Conditional Access is the heart and brain of the security mechanisms in the Microsoft 365 environment (based on Azure AD / Entra ID). It is a framework that allows you to create granular, automated access policies based on the principle of “if… then…”. Instead of making a simple, binary “let in/lock out” decision based only on a password, Conditional Access analyzes the entire context of a login attempt in real time.
A Conditional Access policy consists of two main parts: conditions (signals) and access controls (decisions). The system collects signals such as:
- The user and their group: is it a regular employee or an administrator?
- Location: Is the login coming from a known, trusted location (e.g., an office), or from an unusual country?
- Device: Is it a company-managed, policy-compliant device or a private, unknown laptop?
- Application: Is the user trying to access a sensitive ERP system or a less important application?
- Real-time risk: Has the system detected anomalies indicating that the account may have been taken over?
Based on these signals, a policy can make a decision, such as “IF an administrator tries to log in from outside the Azure portal, THEN require MFA authentication and limit the session to 1 hour.” This provides tremendous opportunities to create intelligent, risk-based rules that enhance security without overly inconveniencing users.
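The “if… then…” rule above, as a small Python model of how signals become a decision (an added illustration, not code from nFlo and not Entra ID’s own engine): the dictionary mirrors the field names of the Microsoft Graph conditionalAccessPolicy object, but the role and application names stand in for the GUIDs the real API expects, and the sign-in records are constructed.

```python
# Simplified model of Conditional Access evaluation (added illustration, not
# Entra ID's engine). Keys follow the Graph conditionalAccessPolicy shape; the
# role and app names are placeholders for the GUIDs the real API expects.
ADMIN_POLICY = {
    "displayName": "Admins: MFA and 1h sessions outside trusted locations",
    "state": "enabled",
    "conditions": {
        # Exclude a break-glass account so a bad policy cannot lock every admin out.
        "users": {"includeRoles": ["Global Administrator"],
                  "excludeUsers": ["breakglass@example.com"]},
        "applications": {"includeApplications": ["Microsoft Azure Management"]},
        # "All" minus "AllTrusted" = only sign-ins from networks not marked trusted.
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa"]},
    "sessionControls": {"signInFrequency": {"value": 1, "type": "hours", "isEnabled": True}},
}

NO_CONTROLS = {"in_scope": False, "require": [], "sign_in_frequency_hours": None}

def evaluate(policy: dict, signin: dict) -> dict:
    """Return the controls one policy imposes on one sign-in attempt."""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    locs = policy["conditions"]["locations"]
    if policy["state"] != "enabled" or signin["user"] in users.get("excludeUsers", []):
        return dict(NO_CONTROLS)  # exclusions always win over inclusions
    in_role = bool(set(signin["roles"]) & set(users.get("includeRoles", [])))
    in_app = "All" in apps["includeApplications"] or signin["app"] in apps["includeApplications"]
    trusted_excluded = "AllTrusted" in locs.get("excludeLocations", [])
    in_loc = "All" in locs["includeLocations"] and not (trusted_excluded and signin["location_trusted"])
    if not (in_role and in_app and in_loc):
        return dict(NO_CONTROLS)  # no matching policy = no extra controls (default is open)
    freq = policy.get("sessionControls", {}).get("signInFrequency", {})
    hours = freq["value"] if freq.get("isEnabled") and freq.get("type") == "hours" else None
    return {"in_scope": True, "require": list(policy["grantControls"]["builtInControls"]),
            "sign_in_frequency_hours": hours}

# Constructed sign-in signals used to exercise the policy.
SIGNINS = {
    "admin_from_cafe": {"user": "alice@example.com", "roles": ["Global Administrator"],
                        "app": "Microsoft Azure Management", "location_trusted": False},
    "admin_in_office": {"user": "alice@example.com", "roles": ["Global Administrator"],
                        "app": "Microsoft Azure Management", "location_trusted": True},
    "user_from_cafe": {"user": "bob@example.com", "roles": [],
                       "app": "Microsoft Azure Management", "location_trusted": False},
}
```

Note that a sign-in no policy matches gets no controls at all, which is why an “admins only” policy must be paired with a baseline MFA policy for everyone else.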
How to protect email from advanced phishing and malware?
Email still remains the main vector of attacks on organizations. Therefore, “hardening” email security is one of the most important tasks. Both Microsoft 365 (with Defender for Office 365) and Google Workspace (with advanced security features) offer powerful mechanisms that go far beyond traditional spam filters.
The key mechanisms to enable and configure are:
- Protect against advanced phishing: Enable policies that use machine learning to detect attempts to impersonate executives (impersonation) or well-known brands (spoofing).
- Safe Links: This real-time, click-by-click feature checks each link in an email message for malicious content. If the link leads to a known phishing or malware site, the user is blocked and informed of the threat.
- Safe Attachments: Each attachment, before it reaches the user’s inbox, is automatically opened and analyzed in a secure, isolated environment (sandbox). This allows detection of new, unknown threats (zero-day malware) that would evade traditional virus scanners.
In addition, it is crucial to properly configure SPF, DKIM and DMARC records for the company domain. These email authentication mechanisms make it drastically more difficult for criminals to impersonate email addresses in a company’s own domain.
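A checker for the three records just mentioned, as an added example (not nFlo’s tooling): it works on constructed TXT answers for a permissive domain and a hardened one rather than live DNS, assumes the DKIM selector is called selector1, and the DKIM key is a placeholder.

```python
import re

# Constructed DNS TXT answers, not live lookups: one domain with the permissive
# setup and one with the hardened equivalent. The DKIM key is a placeholder.
TXT = {
    "weak.example": ["v=spf1 include:_spf.google.com ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "hardened.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.hardened.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s"],
    "selector1._domainkey.hardened.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"],
}

def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC or DKIM record into a dict."""
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)

def assess(domain: str, txt: dict, dkim_selector: str = "selector1") -> list:
    """Return a list of weaknesses; an empty list means all three records are in order."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.startswith("v=spf1")]
    if len(spf) != 1:  # more than one SPF record is a permanent error, zero means no SPF
        findings.append("SPF: expected exactly one v=spf1 record, found %d" % len(spf))
    else:
        m = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", spf[0])
        qualifier = m.group(1) if m else None
        if qualifier not in ("-", "~"):  # +all, ?all or no 'all' lets any host pass SPF
            findings.append("SPF: 'all' qualifier is %r; use -all (or ~all) so unlisted senders fail" % qualifier)
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no policy record at _dmarc." + domain)
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append("DMARC: p=%s only monitors; move to quarantine, then reject" % tags.get("p"))
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so aggregate reports are never delivered")
    dkim = txt.get("%s._domainkey.%s" % (dkim_selector, domain), [])
    if not (dkim and parse_tags(dkim[0]).get("p")):  # an empty p= means the key was revoked
        findings.append("DKIM: selector %s has no public key published" % dkim_selector)
    return findings
```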
Microsoft 365 / Google Workspace Security Pyramid

| Priority Level | Key Action | Why is this critical? |
|---|---|---|
| Level 1 (FOUNDATION) | Enforce MFA for all users, using strong, phishing-resistant methods. | Blocks more than 99% of attacks based on password theft. The most important single security feature. |
| Level 2 (CONTROL) | Implement Conditional Access policies. Apply the principle of least privilege. | Implements access control based on context and risk, not just a password. Limits potential harm. |
| Level 3 (ADVANCED PROTECTION) | Configure ATP/Defender and DLP. Enable advanced auditing and monitoring. | Protects against advanced, targeted attacks (phishing, malware) and prevents leaks of sensitive data. |
How do you protect data in OneDrive, SharePoint and Google Drive from leakage (DLP)?
Storing and collaborating on files in services such as OneDrive, SharePoint or Google Drive is extremely convenient, but it also poses a huge risk of accidental or intentional data leakage. One wrong click by an employee sharing a confidential folder with “anyone with a link” can lead to disaster.
Data Loss Prevention (DLP) policies must be implemented to prevent this. DLP mechanisms built into the M365 and Google Workspace platforms allow you to automatically identify, monitor and protect sensitive data. The process consists of two steps. First, the administrator defines what is “sensitive data.” He or she can do this by choosing from hundreds of predefined templates (e.g., “PESEL numbers,” “credit card data,” “ICD-10 codes”) or by creating his or her own custom definitions based on keywords or regular expressions.
Then, policies are created that specify what should happen when the system detects such data. A DLP policy might, for example:
- Block the ability to share a file containing personal information outside the organization.
- Display an educational notification to users when they try to email a document containing sensitive financial data.
- Automatically encrypt documents marked “Confidential.”
- Alert the security department when a large number of sensitive data files are downloaded to an unmanaged device.
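The two DLP steps above (define the sensitive data, then decide what happens when it is found), as an added Python example that is not nFlo’s or either platform’s code: a custom “PESEL number” definition that validates the checksum and month field instead of matching any 11 digits, and a rule that blocks external sharing and only educates on internal sharing. The documents are constructed; 44051401359 is the well-known valid example PESEL.

```python
import re

# Constructed sample documents (not real data). 44051401359 is the well-known
# valid example PESEL; the other 11-digit strings fail the checksum or month check.
DOCS = {
    "hr_list.docx": "Employee list\nJan Kowalski, PESEL 44051401359, dept 12\nAnna Nowak, PESEL 44051401358",
    "invoice.xlsx": "Order 12345678901 shipped; tracking 99999999999",
}

PESEL_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)

def is_valid_pesel(s: str) -> bool:
    """Checksum plus month-field validation, so random 11-digit numbers don't match."""
    if not re.fullmatch(r"\d{11}", s):
        return False
    digits = [int(ch) for ch in s]
    check = (10 - sum(w * d for w, d in zip(PESEL_WEIGHTS, digits[:10])) % 10) % 10
    month = int(s[2:4])  # the century is encoded as +20/+40/+60/+80 on the month field
    return check == digits[10] and 1 <= month % 20 <= 12 and month // 20 <= 4

def find_pesels(text: str) -> list:
    """Candidates are 11-digit runs not glued to other digits; keep only valid ones."""
    return [c for c in re.findall(r"(?<!\d)\d{11}(?!\d)", text) if is_valid_pesel(c)]

def dlp_decision(text: str, share_scope: str, min_count: int = 1) -> str:
    """Map detections to an action: block external sharing, educate on internal sharing."""
    hits = find_pesels(text)
    if len(hits) < min_count:
        return "allow"
    return "block" if share_scope == "external" else "notify"
```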
How can nFlo help you audit and harden your cloud environment?
At nFlo, we have deep, hands-on knowledge of configuring and securing Microsoft 365 and Google Workspace platforms. We understand that their vast capabilities can be overwhelming, and finding all the key security settings in the maze of options is a huge challenge. We act as an expert and guide to help you turn your default configuration into a true secure fortress.
Our fundamental service is a comprehensive security audit of your M365 or Google Workspace environment. Our team of certified professionals performs a detailed analysis of more than a hundred key configuration points of your environment (tenant). We compare your current setup with globally recognized standards (such as
We don’t leave our clients with the report alone. We actively support them in the hardening process, helping them implement recommendations – from configuring conditional access policies and DLP rules, to “hardening” email security, to optimizing administrative roles. For organizations that want continuous oversight, we offer managed cloud security services, where our 24/7 SOC team monitors alerts generated by the platform and responds to incidents in real time.
