Cloud Security Baseline for Microsoft 365 & Google Workspace 

Moving to Microsoft 365 or Google Workspace is a huge step forward for most businesses. But it is not a set-and-forget solution. 

Simply being “in the cloud” does not mean you are secure. Many breaches today are not caused by lack of technology, but by poor configuration of the basics. 

In this post, we outline the non-negotiable, bare minimum security controls every business should have in place. 

Why This Matters

Most cyber attacks today do not involve complex hacking. They involve: 

• Stolen login credentials 

• Social engineering (e.g. phishing or deepfake impersonation) 

• Poor access controls 

• Unmanaged devices 

If your cloud environment is not properly configured, an attacker does not need to break in — they simply log in. 

Microsoft 365: The Minimum Security Baseline

Many businesses run on Business Standard or Basic without proper security configuration.

 

1. Microsoft 365 Business Premium

This is the foundation. It provides: 

• Microsoft Entra ID P1 (identity security) 

• Conditional Access policies 

• Intune (device management) 

• Microsoft Defender for Business (endpoint protection) 

2. Conditional Access

Conditional Access controls who can access your systems and under what conditions. 

• MFA for all users 

• Block high-risk locations 

• Restrict unmanaged devices 

• Lock down admin accounts 

3. Microsoft Defender for Business

Provides advanced protection: 

• Next-gen antivirus 

• Endpoint detection and response (EDR) 

• Automated threat remediation 

4. Device Management (Intune)

• Enrol and manage devices 

• Enforce security policies 

• Remote wipe capability 

5. Email & Collaboration Protection

• Safe links 

• Safe attachments 

• Phishing protection 

Google Workspace: The Minimum Security Baseline

1. Enforced MFA

Mandatory for all users. 

2. Endpoint Management

• Enforce device security 

• Remote wipe capability 

• Control access by device 

3. Advanced Security Controls

• Restrict file sharing 

• Monitor login activity 

• Control third-party apps 

4. Data Protection

• Prevent accidental data sharing 

• Stop sensitive data leaving the organisation 

5. Visibility & Monitoring

• Monitor logins 

• Track file sharing 

• Review app usage 

The Common Problem

• MFA not enforced 

• No Conditional Access 

• Unmanaged devices 

• Open access environments 

• Weak email protection 

On paper, the business has a cloud platform. In reality, it is exposed. 

Final Thought

Cloud platforms are powerful, but not secure by default. Your security is only as strong as the controls you put in place. 

Next Steps

Explore the right next step for your business: