Our Blog

where we write about the things we love



Staying secure after migrating to the cloud

Many customers are unclear on how security concerns change once you move to a public cloud environment. Even firms whose job it is to conduct security testing do not always recognise or fully understand how to secure public cloud environments.

Staying secure after migrating to the cloud

For the past 12 years, I have been helping customer migrate their IT workloads to different public cloud platforms. Some of them have completed the transition to the extent that they no longer require a traditional data centre. Others have migrated selected workloads and now operate in a hybrid environment. In both cases, it is very common for customers to consider cloud security as an afterthought. 

These are the typical questions that I am asked:

  • Where does the cloud providers sphere of responsibility end vs. the customer’s responsibility?
  • What are the available options to secure a cloud environment?
  • Should I be concerned if I am still running with the cloud provider’s default security settings?
  • Do I still need to continue paying for my 3rd party security solution that was critical when I operated on-premises?

In this blog I want to help explain some of the key differences between securing cloud workloads vs. on-prem workloads. This will help to frame your thinking about where to focus in keeping your cloud environment secure


One of the most significant changes to consider once you are running in a public cloud is the issue of identity. By definition, cloud identities can be accessed from anywhere. There is no longer a need to be physically connected to a corporate network in order to authenticate. This provides an enormous benefit because it means that your users can work from anywhere. But it also introduces a risk that an attacker can access your accounts without ever setting foot in your office.

Some customers have responded to this threat by restricting access to the IP address range of the corporate network. This can improve security, but it undermines the value of allowing your employees to work from anywhere. A better approach is to use modern technologies available to mitigate the risk of unauthorized access to your accounts. The reality is that the concept of a network perimeter is no longer relevant in a public cloud environment. Rather than focusing on securing your network perimeter, focus on securing your identities instead.

Multi-Factor Authentication (MFA)

Turning on MFA for an organization is one of the key solutions to secure your cloud identities. Many customers have resisted enabling MFA because they are concerned about the end user experience. The good news is that Microsoft has invested heavily in this area over the past few years. They provide multiple MFA experiences so each user and organization can choose a method that works for them. MFA includes:

  • An automated phone call
  • A text message
  • A one-time code
  • A notification via a mobile app

Intergen successfully enabled MFA for all employees a few years ago. Since then, we have helped companies of all sizes and industries construct MFA policies. In addition to helping implement the technology, Intergen can help with the change management aspects of turning on MFA to ensure high rates of adoption. This should be considered the very first action towards improving your security posture in a cloud or hybrid-based environment.

Azure AD Identity Protection (AADIP)

Not every authentication carries the same level of risk. For example, a user signing in from a known corporate device from the internal network does not have the same level of risk as a user signing in from a personal device from overseas. Unfortunately, most organisations would treat both authentications exactly the same. AADIP can calculate the potential risk of each sign in using an adaptive machine learning algorithm and heuristics. If something unusual or suspicious is detected, AADIP can require additional security measures before allowing the user to authenticate.

Intune and Conditional Access

Most organizations have policies about who can access what information and under what conditions. For example, you may allow a user to access corporate data from their mobile phone if the phone complies with the organisation’s security policy. But how can you actually enforce these policies across the organisation? Microsoft Intune is a cloud-based solution that provides both device and application management. More importantly, Intune allows you to configure what are called conditional access policies for your cloud-based workloads such as Office 365. Unless your device and applications meet the conditions of the policy, you will not be able to access corporate data. The strength of this solution is that it natively works out of the box with Microsoft’s other cloud platforms.

Azure Information Protection (AIP)

Most traditional security systems are designed to secure information based upon where it resides in the organisation. Once the information is removed from that location and shared externally, the security mechanisms in place are no longer in effect.

AIP embeds the security and permission into the document itself. This can include email, office documents, or even 3rd party documents such as PDF files, CAD drawings, and other corporate data files. Because the security is attached to the document, an organisation can be confident that the security will be consistently enforced, regardless of where the document is sent. For example, what if a user accidentally (or deliberately) forwards an email with sensitive information to bob.smith@example.com? If the email is secured with AIP, Bob will not be able to open it.

One of the major challenges in securing documents is properly classifying them. AIP allows for two separate approaches: user classification and rule-based classification. Users can manually classify documents using a familiar interface like Microsoft Office. But organizations can also automatically classify and protect documents based on a series of rules. For example, you can automatically protect all emails sent to and from your CEO and CFO. Or you can automatically protect emails that appear to contain personally identifiable information (PII) such as a government identification number.

Office 365 Advanced Threat Protection (ATP)

Microsoft product naming is sometimes similar across products which can be confusing. For example, Microsoft has three different solutions that contain the name “Advanced Threat Protection”. The Office 365 variant of this solution includes security components that are specifically engineered for Office 365. One component of this solution is designed to protect email by scanning email attachments, providing real-time verification of URLs, and using machine learning to detect phishing. Another component of O365 ATP protects SharePoint Online, OneDrive for Business, and Microsoft Teams from malicious files that contain malware. This is a great solution for protecting your Office 365 environment against security threats. Because it is a native Office 365 service, there are no 3rd party add-ons or complex integrations required.

Microsoft Defender Advanced Threat Protection (ATP)

The other member of the ATP family focuses on securing endpoints, specifically Windows 10, but can also be leveraged for Apple Macs etc. I am sure most of you have used the older Windows Defender which is the anti-virus product built into every copy of Windows 10. What you may not be aware of is the cloud service that sits behind this product to keep your PC protected. Microsoft Defender ATP uses the Intelligent Security Graph to detect threats across millions of Windows devices worldwide.

It uses machine learning and behavioural analytics to identify problems before a breach occurs. Because Windows Defender is built into every copy of Windows 10, there is no software agent to deploy to enable ATP. Defender ATP provides a portal called the Microsoft Defender Security Center to give you visibility into the security of your organisation. This makes it easier to detect and remediate threats as well as configurations that weaken your overall security.

Microsoft Cloud App Security (MCAS)

Cloud App Security allows an IT organization to identify which cloud apps and services are being used in an organisation. It achieves this by connecting with and analysing AAD, Office, OneDrive, SharePoint sign-ins as well as firewall logs. This gives the ability for IT to detect unauthorized use of cloud applications. You can also configure policies to prevent or restrict access to cloud providers and solutions. MCAS can work with a wide range of cloud applications beyond the Microsoft family of products.


Many customers that I speak with agree that using these cloud solutions would be very helpful in improving the security of their cloud workloads. However, one of the major objections is the cost. Many customers believe that the only way to purchase these solutions is via the Microsoft Office 365 or Microsoft 365 E5 license. While I do think there is a lot of benefit for an organization to purchase an E5 license, there are many solutions that are included in the E5 that have nothing to do with security. It is probably overkill to buy an E5 just for the security capabilities.

For those customers who are looking for a security-only offering, Microsoft has a great solution for you. There are two offerings that focus specifically on security:

  • Identity and Threat Protection
  • Information Protection and Compliance

You can read more about Microsoft’s security and compliance offerings for Microsoft 365 here.

It is hard to give generic licensing advice as every customer’s situation is somewhat different. But I would contact your Microsoft reseller and ask them about these new security offerings. If you don’t have a Microsoft reseller that you work with, Intergen will be happy to help.

Security Consulting Offerings

With the number of cloud security options from Microsoft and other vendors, it can be difficult for a customer to know where to start. It is easy to buy yet another security product. But which is the right product for your organisation given your current security posture? This is something that Intergen can assist with.

We have a cybersecurity practice that specialises in the Microsoft cloud solutions discussed in this blog. Moreover, Intergen has worked with both SMB and enterprise customers to help them assess the current security environment. Intergen can help identify the threats to be concerned about and build a roadmap to address and mitigate these threats.

Posted by: Harris Schneiderman, Regional Sales Manager, Seattle | 25 October 2019

Tags: Security, data security

Blog archive

Stay up to date with all insights from the Intergen blog