Is health check of online services worth it?
Yes, it is. And yes, twice over. The principle of so-called shared responsibility in operating and using online services in the cloud still goes unnoticed by many users. What should you picture when such a check is mentioned? Is it an audit? A certification? Verification of compliance with a standard?
You may be wondering why on earth you should check the health of a service that Microsoft operates on your behalf. After all, every marketing brochure says it is worry-free. Yes, it could be. But I have not seen it yet. Forgotten security risks, outdated settings, non-functional hybrid components and other problems can resurface after years and cause exceptional trouble.
The so-called Health Check is a term familiar even to people outside the IT department, and for an on-premises environment most of them can picture it. It checks the state of the server and the operating system, the application itself, disk parameters, RAM or CPU usage, configuration against recommendations and documentation, compliance with standards or legislation such as the GDPR or the Act on Cyber Security, service availability, backups, response parameters and much more.
Overall, it tries to detect potential problems that could negatively affect the operation of the service itself, and it suggests how to remove them. Unlike routine monitoring, it is a one-off activity that often goes much deeper. You can probably picture it for an Exchange Server too: database replication status, free disk space ... these pop into your mind almost by themselves.
However, you have moved to Exchange Online in Office 365, today Microsoft 365, and there Microsoft takes care of the databases. So what is left to check? This is where the shared responsibility model comes into play. While Microsoft takes over operating the technology, you have much more time for the service itself: the service you offer to your users.
So, you can fully focus on issues such as:
- Do we really get the most out of Microsoft 365 online services while we pay for them?
- Aren't we paying too much unnecessarily?
- Aren't we buying licenses twice because we haven't read the license terms?
- Is the environment secured against today's sophisticated attacks?
- Haven't we forgotten about important measures such as MFA, MDM or DLP?
- Did we make a mistake in the configuration that gives attackers an opening?
- Are our services really accessible to our users?
- Won't it all stop working because we forgot to update Azure AD Connect?
- Don't we have a problem with live video streaming in Microsoft Teams because of a slow internet connection?
- Haven't we missed a configuration that will make life easier for us or our users?
- What do we tell the auditor when they come and ask about our backup and recovery strategies?
- Haven't we forgotten the legislative requirements for the protection of personal data?
- Did we set it all up correctly?
- And many more…
A properly performed health check of online services can help answer these questions and others, some of them quite fundamental. And it does not have to take long weeks, piles of documentation and invoices for millions.
I often encounter two extremes in the use of online services: everything is turned off, or everything is allowed. Unfortunately, the first means that the organization and its users take no real advantage of the cloud world; the IT department has merely got rid of an old burden, and the users' web interface for mail looks different. The second extreme means that users, without rules, gradually start using the services hastily and chaotically. Without proper security, this often ends in data leakage and compromise of the organization, and on top of that, hardly anything organized can be built from such a sandpit full of private sandcastles. The right path is in the middle: give users properly set up and secure tools that help them in their work, and give them the necessary freedom within clearly defined boundaries.
It is similar with the technical settings themselves. The default setup suits everyone, but it carries risks. It places practically no demands on new knowledge from IT staff who for many years cared only about their servers and upgraded the operating system once every five years, or even less often. It is as open to productivity use as any other online service. Is this right? Shouldn't IT staff lead by example and know the services better than the users? They follow changes and news; they know what their users need. Or, on the contrary, they know too much. They know it better than the users themselves. The legal department insists on approving a ten-page document just to sync mail to a mobile phone. They debate for months whether an e-mail address in the format firstname.lastname is acceptable under the GDPR. Meanwhile the company is chasing a train that the competitors have already boarded. And that is what you don't want.
You want to be sure of the setup, data security and the environment; to have an independent check of the online tenant during a company takeover, a certification or an audit; to verify the work of the IT department; to have a basis for a DPIA or ISO certification. All of this a properly performed Health Check can provide. As a result, you can save a lot of money and help the users, reassure the security manager and get the most out of your investment.
Can automated tools deliver this? Yes, they can too, but often without the necessary context. They will deliver a nice-looking MFA figure of 7 % of administrators, and 16 % with access for MFA-bypassing protocols blocked. And what then? Can you interpret the data? Do you know how to get these indicators to 100 %? The tool usually can't tell you that. I don't deny that it is useful, as a control mechanism, easily repeatable. But it is not comprehensive, unlike a thorough health check. Consider it.
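To show what "context" means in practice, here is an added example (my own illustration, not code from the article or from any tool it mentions). It takes the two indicators above, admin MFA coverage and whether legacy protocols that bypass MFA are blocked, and turns the bare percentages into findings an administrator can act on: who exactly is missing MFA, and whether the Conditional Access policy that is supposed to block legacy authentication is actually enforced rather than left in report-only mode. The records are constructed here and only mirror the field names of the Microsoft Graph userRegistrationDetails report and conditionalAccessPolicy resource; nothing is fetched from a real tenant.

```python
"""Interpret an MFA-coverage indicator with context rather than as a bare percentage.

Sample records are CONSTRUCTED to mirror the shape of two Microsoft Graph
resources: reports/authenticationMethods/userRegistrationDetails and
identity/conditionalAccess/policies. Nothing is fetched from a real tenant.
"""

# Constructed sample of userRegistrationDetails rows (field names as in Graph).
USER_REGISTRATION = [
    {"userPrincipalName": "alice@contoso.example", "isAdmin": True,  "isMfaRegistered": True,  "defaultMfaMethod": "microsoftAuthenticatorPush"},
    {"userPrincipalName": "bob@contoso.example",   "isAdmin": True,  "isMfaRegistered": False, "defaultMfaMethod": "none"},
    {"userPrincipalName": "carol@contoso.example", "isAdmin": True,  "isMfaRegistered": False, "defaultMfaMethod": "none"},
    {"userPrincipalName": "dave@contoso.example",  "isAdmin": True,  "isMfaRegistered": True,  "defaultMfaMethod": "mobilePhone"},
    {"userPrincipalName": "eve@contoso.example",   "isAdmin": False, "isMfaRegistered": False, "defaultMfaMethod": "none"},
]

# Constructed sample of Conditional Access policies (field names as in Graph).
CA_POLICIES = [
    {
        "displayName": "Block legacy authentication",
        # Report-only mode: the policy evaluates but does NOT block anything.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA for admins",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"builtInControls": ["mfa"]},
    },
]

# Client app types that represent legacy (basic) authentication in Conditional Access.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}


def admin_mfa_coverage(rows):
    """Return the admin MFA percentage together with the names behind it."""
    admins = [r for r in rows if r["isAdmin"]]
    registered = [r["userPrincipalName"] for r in admins if r["isMfaRegistered"]]
    missing = [r["userPrincipalName"] for r in admins if not r["isMfaRegistered"]]
    percent = round(100 * len(registered) / len(admins), 1) if admins else 0.0
    return {"admins": len(admins), "percent": percent,
            "registered": registered, "missing": missing}


def legacy_auth_blocked(policies):
    """True only if an *enforced* policy blocks legacy client app types for all users."""
    for p in policies:
        if p.get("state") != "enabled":          # report-only or disabled does not count
            continue
        conds = p.get("conditions", {})
        if "All" not in conds.get("users", {}).get("includeUsers", []):
            continue                               # scoped to a subset, not a tenant-wide block
        if not LEGACY_CLIENT_APP_TYPES & set(conds.get("clientAppTypes", [])):
            continue                               # does not target legacy protocols
        if "block" in p.get("grantControls", {}).get("builtInControls", []):
            return True
    return False


def findings(rows, policies):
    """Turn the raw indicators into actionable findings with names and reasons."""
    cov = admin_mfa_coverage(rows)
    out = []
    if cov["missing"]:
        out.append(f"{cov['percent']}% of admins are MFA-registered; "
                   f"enrol: {', '.join(cov['missing'])}")
    if not legacy_auth_blocked(policies):
        out.append("no enforced Conditional Access policy blocks legacy authentication")
    return out


if __name__ == "__main__":
    for line in findings(USER_REGISTRATION, CA_POLICIES):
        print("-", line)
```

Run against the constructed data it reports 50 % admin MFA coverage, names the two administrators to enrol, and flags that the "Block legacy authentication" policy exists but is not enforced, which is exactly the kind of detail a percentage alone hides. Against a real tenant you would replace the two sample lists with the output of the corresponding Graph calls.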