Back to Blog

NIST Cybersecurity Framework for Office 365

With more than a decade long history of businesses adopting cloud computing, less than one-third of the enterprises have a documented cloud strategy as per Gartner's estimation. Despite the increased migration to cloud security, we discussed the top cloud security risks that security experts are afraid of today.

The idea of frameworks in cybersecurity is not a new concept. Frameworks provide a structure for the long-term and also focus on the methodology to implement that structure. This is precisely why we are discussing the importance of the NIST Cybersecurity Framework for the cloud. The following article  discusses NIST CSF's implications on public cloud services like Office 365 using examples. But before unfurling that, let us first strengthen our understanding on NIST Cybersecurity Framework (CSF) and what implication does it have on cloud security.

What is NIST?

The National Institute of Standards and Technology (NIST) developed a Cybersecurity Framework (CSF) in 2014. The framework combines government and private sector organisations' efforts to build globally recognised cybersecurity standards. It researches technologies like identity management and verification, maintenance of system security configurations, automation of access authorisation, besides different access policies.

NIST Cloud Security Guidelines

In the beginning, the NIST framework focused on on-premise infrastructure security best practices. However, today its benefits extend to managing risks in cloud security also.

When we think of applying NIST in the cloud, we visualise the following aspects:

  • Promoting the effective and secure use of the technology by providing technical standards and guidelines
  • Ensuring the confidentiality, integrity, and availability of IT systems
  • Providing a continuous security process to ensure future regulations and compliance requirements

NIST CSF Functions


To create an infallible cloud security strategy for your organisation, the given checklist of NIST functions is a must-follow.


NIST Definition

Develop the organisational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Cloud Implication
Identify the core elements of your cloud and strategise how to secure them.

Challenge Associated
Cloud is virtual and continuously keeps changing its relationship between the entities. Thus, it can be challenging to visualise the elements and deploy a security process.


NIST Definition

Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

Cloud Implication

Choose third-party security tools and services to protect your cloud infrastructure

Challenge Associated

Easy and instant access permissions increase the risk surface and open the cloud for security vulnerabilities like recent data breaches with S3 buckets.


NIST Definition

Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Cloud Implication

Quickly eliminate false alerts and narrow down on the genuinely harmful incidents.

Challenge Associated

The abundance of cloud operations data makes it challenging to detect relevant attacks on time


NIST Definition

Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Cloud Implication

Understanding the context of incidents and designing a mitigation strategy accordingly.

Challenge Associated

Comparing and inferring trends from different types of data and assessing their impacts


NIST Definition

Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Cloud Implication

Restoring all the systems, including yours and third-party and feeding it back into the security framework.

Challenge Associated

If the platform does not paint an accurate picture of the incidents, recovery results will also be inadequate.

How to Implement NIST Cybersecurity Framework for Cloud Security

NIST offers guidance for each of the four cloud deployment models, namely: Private, Community, Public, and Hybrid. Each model has its own set of cloud solutions that do not fit every model.

Technically the five functions of the NIST Cybersecurity Framework can be grouped according to their implementations. In that scenario, we can say that Prevent, Detect and Recover would be the three core functions of a NIST Framework.

NIST Framework broken down into 3 Core Functions: Prevent, Detect and Recover

Now that we have understood the above division of core functions of NIST CSF, let us visualise what this means for a cloud service like Office365. In the following section, we will go through the main security challenges in Office 365 and how can we break them down into answering the three questions

  1. How do we prevent?
  2. How do we detect?
  3. How do we respond?

Phishing and Malware Threats

How do we Prevent

For preventing this threat, a mail endpoint protection solution is the answer. Go for the likes of Microsoft's Defender (formerly ATP) and Mimecast. Also, consider investing in device endpoint protection like Defender for Endpoint.

How do we Detect

While using Microsoft ATP, check for ATP events while monitoring. Configure alerts on events like TIMailData (for suspicious mail items) and TIUrlClickData (for when someone clicks a suspicious, unsafe link in an email).

How do we Respond

In case malware is suspected, respond by running a deep virus scan on compromised devices. In the case of phishing, reset the password to the compromised account and look for unauthorised entry. You can do this with security audit logs present in the security and compliance centre.

User Account Security

How do we Prevent

Safeguarding a user account requires steps like keeping a solid and unique password for each account, saving all unique passwords in the company's password manager and turning on MFA for every user, or at least your admins.

It would be best if you also considered the access methods each user needs. For example, they might need to run PowerShell commands or access outlook on the web (OWA). Turn off the ones that are not required. This practice can go a long way to reducing the risks in the event of a breach. Lastly, ensure a powerful outbound spam filter policy to prevent malicious external forwarding from breached accounts.

Octiga Mailbox Access Settings

How do we Detect

You can use the audit logs in Security and Compliance Center, Cloud App Security and monitoring & alerting solutions in Octiga here.

Octiga Detect Dashboard

Observe User Login Events from unsafe IP addresses or suspicious locations. For example, monitoring in Octiga lets you configure country "allow" lists and sends you alerts for fraudulent IP address activities.

How do we Respond

Upon suspecting a breached account, instantly restrict the user by resetting their password and removing logged-in sessions. Then check for the risky mailbox rules and remove them.

Octiga Dashboard: Recover

User access, Sharing and Data Loss

How do we Prevent

SharePoint supports Microsoft sharing & collaboration tools like Teams. Implement the concept of SharePoint sites and decide who should have access to each SharePoint site and folder.

To make sure that access is made available to the right people, use privileged access groups. Manage and prevent inadvertent sharing of SharePoint data over external sharing by creating "sharing" areas.   A sharing area is a folder or even site within SharePoint or a Teams Channel in Teams marked explicitly for sharing.

Having employees share only within these areas limits the risk of inadvertently sharing sensitive data from other areas. While it limits flexibility, the security benefits are clear, and it is maintainable from a policy point of view.  

How do we detect

Through an audit, find out who has access to shared locations using MS access reviews. Examine the audit logs for SharePoint page viewed and downloaded events from unusual users or locations. You can consider adding an effective alerting solution along.

How do we respond

Restrict the SharePoint access to leaving employees. Monitor what they download and share. Remove their shared links after they go. In case of a data breach, check the affected SharePoint area for sensitive and personal data to avoid the GDPR breach.


Applying NIST’s cybersecurity framework to improving Office 365 security posture is a great way to organise and guide your cloud cybersecurity efforts. At Octiga, we align our solutions to the functions mentioned earlier.

Octiga's single dashboard gives you complete control of Office 365 security. Scan entire Office 365 instance, highlight issues, implement safe user account access and management, enable safe sharing, restore safe and secure operations using security best practices, and apply easy security baselines within clicks!

Are you looking to disrupt your cloud security with an automated and simple solution? Book a demo with us to enquire about the Office 365 Security Suite today!

More from the Blog

5 reasons why MSPs can’t win the Microsoft 365 security game using Secure Score (and what to do about it)

While Microsoft Secure Score offers a quantifiable assessment of security posture, it has striking limitations. We share five reasons why MSPs need a better tool.

Read Story

Microsoft 365 Breaches - As preventable as they are common

Sash Vasilevski, Octiga co-founder and cyber security expert, explains why stopping unauthorised access to Microsoft 365 is complex, requiring specialist tools, like Octiga.

Read Story

Octiga Announces Benefit Partnership with The ASCII Group

Members of The ASCII Group gain preferential Octiga terms

Read Story

Never miss a minute.

Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa.
We will never share your email address with third parties.