
The Safety of Data in the Cloud

Written by Hornetsecurity / 19.03.2025

This article looks at the safety of your business data in the cloud, focusing on the Microsoft cloud ecosystem and the challenges businesses face with security, vendor overdependence, and managing multiple tenants.

It highlights the importance of phishing-resistant MFA methods like Windows Hello for Business, FIDO2 hardware keys, and Passkeys to combat sophisticated attacks. It also emphasizes the need for businesses to implement their own protection strategies under Microsoft’s Shared Responsibility Model.

We also address the difficulties of managing multiple Microsoft 365 environments and the importance of proper management and governance to keep data safe. 

The cloud storage security landscape is evolving

The “cloud” has been here for more than a decade now, but we’ve just started to see businesses either mass-migrating to cloud services or being established as 100% cloud-hosted businesses. Take the storage of business data for example.

10 years ago, most businesses still ran some sort of on-premises file server that hosted the organization’s critical data. Now it is becoming more common to use cloud storage for this. SharePoint Online and OneDrive for Business are increasingly the place where data lives, secured by identity services like Microsoft Entra. As such, the safety of data in the cloud becomes an important discussion, not just in the M365 cloud but for cloud services in general.

While we’ll focus on Microsoft 365 and the Microsoft cloud ecosystem throughout the Cybersecurity Report, much of what is discussed here applies to other cloud providers as well. 


Baseline defenses in the Microsoft Cloud have improved over the years, but they are far from perfect. More organizations are making use of newer security features like Multi-Factor Authentication (MFA) and basic email security through services like Exchange Online Protection, but this is often still not enough. Attackers are always evolving and that can be seen clearly in the case of Adversary-in-the-Middle attacks. 

Passkeys and Adversary in the Middle (AitM) Attacks 

Where defenders go, attackers follow. For several years we at Hornetsecurity, like every other security-minded person and company, have advocated MFA as a more secure replacement for the traditional username + password dance when signing in to systems.

There has been a slow and steady increase in the adoption of various forms of MFA, from SMS text messages to hardware security keys. However, the criminals are not going to throw up their hands and give up their lucrative “business”; they have adapted instead.

Their main approach has been reverse-proxy-style phishing kits, either open source or “commercial” packages, that both help craft convincing email lures to trick users into clicking a link and set up proxy services serving legitimate-looking sign-in pages.

When a user clicks the link, is taken to the fake login page and enters their username and password, those credentials are passed on to the real site (and captured by the attacker on the way). When the MFA prompt is raised, the reverse-proxy toolkit lets the user enter their MFA code or approve the push prompt as usual, and that too is passed on to the real sign-in page behind the scenes.

Meanwhile the attacker captures the session token or cookie that the target identity service (Entra ID, for example) issues once the sign-in succeeds. With that token the attacker is signed in as the user for as long as it remains valid, without ever being prompted for MFA again. Because the attacker sits between the user and the real service, the method is called Adversary-in-the-Middle (AitM).

To defeat these more sophisticated attacks, you need a phishing resistant MFA method. These methods are newer and not seeing huge adoption (yet) in the industry. Some examples include Windows Hello for Business, FIDO2 hardware USB keys and most recently Passkeys.

These methods bind the credential to the legitimate site’s origin. The browser, not the user, writes the address of the page that requested the sign-in into the data the authenticator signs, and the identity provider rejects an assertion whose origin does not match its own. So even if the user is tricked into visiting a sign-in page that looks legitimate, the technology refuses to work because the site address does not match, and there is no code or approval for the proxy to relay.
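The contrast between relayable and phishing-resistant MFA, as an added example that is not part of the report: a one-time code passes through a reverse proxy untouched, while a FIDO2/passkey sign-in fails at two separate points. The relying-party ID, the origins and the HMAC standing in for the authenticator’s private-key signature are all assumptions made for this illustration; the checks themselves follow the WebAuthn verification steps.

```python
"""Added example (not from the report): why a relayed one-time code survives an
AitM reverse proxy while a FIDO2/passkey assertion does not.  Origins, RP ID
and the HMAC stand-in for the authenticator's private-key signature are all
assumptions made for this illustration."""
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ID = "login.example.com"                 # assumed relying-party ID
LEGIT_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com"  # constructed look-alike proxy host


def otp_relay_attack(code_expected_by_idp: str, code_user_typed: str) -> bool:
    """One-time-code MFA: the proxy forwards the code unchanged and the IdP
    has no way to tell it arrived via a third party."""
    relayed_by_proxy = code_user_typed
    return hmac.compare_digest(code_expected_by_idp, relayed_by_proxy)


class Authenticator:
    """Minimal authenticator: one credential per RP ID.  HMAC over a secret the
    RP also holds stands in for the real private-key signature (assumption)."""

    def __init__(self) -> None:
        self._creds: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        self._creds[rp_id] = os.urandom(32)
        return self._creds[rp_id]          # the "public key" handed to the RP

    def sign(self, rp_id: str, client_data: bytes) -> dict:
        if rp_id not in self._creds:       # credentials are scoped to the RP ID
            raise KeyError(f"no credential for rpId {rp_id!r}")
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
        msg = auth_data + hashlib.sha256(client_data).digest()
        return {"clientDataJSON": client_data,
                "authenticatorData": auth_data,
                "signature": hmac.new(self._creds[rp_id], msg, hashlib.sha256).digest()}


def browser_get(auth: Authenticator, page_origin: str, rp_id: str,
                challenge: bytes) -> dict:
    """navigator.credentials.get() as the browser performs it: the browser, not
    the page, writes the origin into clientDataJSON, and it refuses an rpId
    that is neither the page host nor a registrable suffix of it."""
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} not allowed for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    return auth.sign(rp_id, client_data)


def rp_verify(pub: bytes, assertion: dict, challenge: bytes,
              expected_origin: str = LEGIT_ORIGIN, rp_id: str = RP_ID) -> bool:
    """Relying-party checks (a subset of the WebAuthn verification steps)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != expected_origin:        # rejects the proxy's origin
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    msg = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(pub, msg, hashlib.sha256).digest(),
                               assertion["signature"])


def legit_passkey_login() -> bool:
    auth = Authenticator()
    pub = auth.register(RP_ID)
    challenge = os.urandom(32)
    return rp_verify(pub, browser_get(auth, LEGIT_ORIGIN, RP_ID, challenge), challenge)


def passkey_relay_attack(proxy_keeps_real_rp_id: bool) -> str:
    """The proxy obtains a real challenge from the IdP and serves the login
    page from PHISH_ORIGIN.  Returns the point at which the relay fails."""
    auth = Authenticator()
    pub = auth.register(RP_ID)
    challenge = os.urandom(32)
    rp_id = RP_ID if proxy_keeps_real_rp_id else (urlparse(PHISH_ORIGIN).hostname or "")
    try:
        assertion = browser_get(auth, PHISH_ORIGIN, rp_id, challenge)
    except PermissionError:
        return "browser refused: rpId does not match the phishing origin"
    except KeyError:
        return "authenticator has no credential for the phishing rpId"
    return "success" if rp_verify(pub, assertion, challenge) else "rp rejected assertion"


def rp_rejects_wrong_origin() -> bool:
    """Even if a broken client let the assertion through, the signed origin
    still names the proxy, so the RP's clientDataJSON.origin check fails."""
    auth = Authenticator()
    pub = auth.register(RP_ID)
    challenge = os.urandom(32)
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": PHISH_ORIGIN}, sort_keys=True).encode()
    return rp_verify(pub, auth.sign(RP_ID, client_data), challenge)
```

The two relay scenarios show the layering: if the proxy keeps the real RP ID, the browser refuses to even invoke the authenticator for a mismatched host; if the proxy uses its own host as RP ID, the authenticator holds no credential for it. The last function shows that the identity provider’s origin check still catches the case where a faulty client lets the assertion through, which is why the check belongs on the server and not only in the browser.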

The problem is that Windows Hello for Business is Windows-only and needs suitable hardware (a TPM-backed device for its strongest configuration), while FIDO2 hardware keys carry a per-user cost that has limited their adoption.

That said, a Passkey uses the same FIDO2/WebAuthn technology as a hardware key but stores the credential on a device the user already has, typically the secure element of an iPhone or Android phone (synced passkeys kept in a platform or password-manager vault are also common), removing the need for extra hardware. Here, again, adoption has been slow, but more and more services now support it, and if you are responsible for security at your organization you should start piloting it today.

We predict that, now that Microsoft’s Entra ID, Google Workspace and AWS, along with Facebook and many others, support Passkeys, adoption will increase dramatically over the next 12 months.

Vendor Overdependence Concerns Deepen with Regards to Cloud Data Safety 

Vendor overdependence is the practice of placing many or nearly all core business processes and procedures in the hands of a single vendor partner. The problem with the arrangement is that if the vendor has issues of some sort (security related or otherwise), the business suffers as a result.

We have discussed the potential vendor overdependence issue that some businesses face with Microsoft at length in our Monthly Threat Reports and on The Security Swarm Podcast. Needless to say, it is an issue that persists and is likely to worsen as Microsoft continues to build market share in various areas.

That said, new concerns came to light over the past year that shine an even brighter light on this issue. Amid the ongoing series of successful breaches at Microsoft, an interesting article surfaced in June 2024.

In summary, Andrew Harris, who was working at Microsoft at the time, identified a serious weakness in Active Directory Federation Services (AD FS), the one later known as Golden SAML, in which an attacker who obtains the AD FS token-signing key can forge sign-in tokens for any user, and tried desperately to get it fixed. His fears were downplayed, and as the US federal government was about to sign a multi-billion-dollar deal with Microsoft for its cloud services, the issue was essentially swept under the rug.

After he left Microsoft in 2020, the SolarWinds attack, probably the largest supply chain attack ever, was revealed in December of that year. While the focus was on SolarWinds and its compromised Orion product, the Russian attackers spread through victim networks using the AD FS weakness after gaining their initial foothold.

This of course happened long before the Cyber Safety Review Board (CSRB) report and long before Microsoft’s Secure Future Initiative (SFI) got started in earnest, but time will tell whether the “new” Microsoft will indeed put security above new features, something that is a challenge for every commercial company.

Again, each organization needs to make its own decision on vendor overdependence, but taking into account years of varying security concerns at multiple levels, and where Microsoft’s responsibility for your data ends, the case for keeping your own protection in place is clear.

What is Microsoft Responsible for? 

Many ask: “If Microsoft isn’t taking care of my data and security, what are they really responsible for?” Microsoft’s stance on this question did not change in 2024. To fully understand it, you must be familiar with Microsoft’s Shared Responsibility Model.

The important bit is that the shared responsibility model states that “responsibility is always retained by the customer” for:

  • Information and Data 
  • Devices (Mobiles and PC) 
  • Accounts and Identities 

Essentially, the customer is responsible for securing and protecting their information and data. Microsoft is not. As organizations move to the cloud, they must keep this in mind when protection strategies are implemented. 

Another point worth mentioning is one we included in last year’s report. It still comes as a surprise to many existing M365 customers, so it is worth repeating in the annual report. In 2023 Microsoft changed its long-held stance on the use of backup applications with M365 when, at one of its conferences that year, it announced Microsoft 365 Backup.

The service provides basic backup capabilities for M365. The important part of the announcement is not the service itself but the reversal of Microsoft’s long-time position of “you don’t need to back up data in M365”. Many in the industry see this as driven by one of two things:

  • Microsoft has finally capitulated and now agrees that a focus on data retention alone is NOT enough in M365.
  • Microsoft simply wants a piece of the M365 backup market now that they’ve seen there is a large market for such a service. 

Both seem likely, with option 2 bolstered by the fact that Microsoft has also released a backup API that vendors can use, for a fee. Regardless, the message is clearer than ever: businesses ARE responsible for the protection of any data they place within Microsoft cloud services.

The Difficulties Posed by Multiple Tenants in the Microsoft Cloud 

As Microsoft’s core cloud services have been available for a decade or more, many organizations find themselves needing to manage and maintain multiple Microsoft 365 environments. This could be a business that has conducted several mergers and acquisitions, or a managed services provider (MSP) delivering IT services across multiple customers.

In both cases, organizations are realizing how difficult managing multiple M365 tenants is.

The staffing overhead of this increased management burden has direct ramifications for the safety of data in the cloud. The organization has most likely defined standards for security best practices and feature enablement within the M365 environments under its management.

Many administrators find that enforcing those standards and limiting configuration drift and mistakes across multiple disparate M365 tenants is highly difficult. With cloud services, one misconfiguration (an anonymous sharing link left enabled, a tenant where legacy authentication is still allowed, a Conditional Access policy with one exclusion too many) can be the difference between a safe organization and a serious data breach.
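One way to make drift visible across tenants, as an added example that is neither Hornetsecurity’s nor Microsoft’s code: define the baseline once as a set of acceptance tests, run every tenant’s exported settings through it, and treat a setting that could not be read as unknown rather than compliant. The tenant settings below are constructed for the illustration, and the setting paths are modelled on Microsoft Graph property names but are assumptions, not an API contract; in practice the settings would be pulled from Graph.

```python
"""Added example (not Hornetsecurity's or Microsoft's code): checking several
Microsoft 365 tenants against one security baseline and reporting drift.
The tenant settings below are constructed for the illustration; in practice
they would be read from Microsoft Graph.  The setting paths are modelled on
Graph property names but are assumptions, not an API contract."""
from typing import Any, Callable

Predicate = Callable[[Any], bool]
MISSING = object()   # sentinel: the setting could not be read at all


def equals(expected: Any) -> Predicate:
    return lambda v: v == expected


def one_of(*allowed: Any) -> Predicate:
    return lambda v: v in allowed


def between(lo: int, hi: int) -> Predicate:
    return lambda v: isinstance(v, int) and lo <= v <= hi


# Dotted setting path -> (acceptance test, what the baseline requires)
BASELINE: dict[str, tuple[Predicate, str]] = {
    "conditionalAccess.blockLegacyAuth":
        (equals(True), "legacy authentication blocked"),
    "conditionalAccess.requireMfaAllUsers":
        (equals(True), "MFA required for all users"),
    "authorizationPolicy.defaultUserRolePermissions.allowedToCreateApps":
        (equals(False), "ordinary users may not register applications"),
    "sharepoint.sharingCapability":
        (one_of("disabled", "externalUserSharingOnly"), "no anonymous sharing links"),
    "roles.globalAdministratorCount":
        (between(2, 5), "between 2 and 5 Global Administrators"),
}


def get_path(settings: dict, path: str) -> Any:
    cur: Any = settings
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return MISSING
        cur = cur[part]
    return cur


def check_tenant(settings: dict) -> list[dict]:
    """Return one finding per baseline item that is not demonstrably met.
    A setting that cannot be read is reported as 'unknown', never as compliant:
    silence from a tenant is the most common way drift hides."""
    findings = []
    for path, (accept, requirement) in BASELINE.items():
        actual = get_path(settings, path)
        if actual is MISSING:
            findings.append({"setting": path, "requirement": requirement,
                             "actual": None, "status": "unknown"})
        elif not accept(actual):
            findings.append({"setting": path, "requirement": requirement,
                             "actual": actual, "status": "drift"})
    return findings


def report(tenants: dict[str, dict]) -> dict[str, list[dict]]:
    return {name: check_tenant(settings) for name, settings in tenants.items()}


def worst_status(findings: list[dict]) -> str:
    """Roll a tenant's findings up to one word for a dashboard."""
    statuses = {f["status"] for f in findings}
    if "drift" in statuses:
        return "drift"
    return "unknown" if "unknown" in statuses else "compliant"


# Constructed sample tenants (not real data)
TENANTS = {
    "contoso": {
        "conditionalAccess": {"blockLegacyAuth": True, "requireMfaAllUsers": True},
        "authorizationPolicy": {"defaultUserRolePermissions": {"allowedToCreateApps": False}},
        "sharepoint": {"sharingCapability": "externalUserSharingOnly"},
        "roles": {"globalAdministratorCount": 3},
    },
    "fabrikam": {   # acquired tenant, never brought up to the baseline
        "conditionalAccess": {"blockLegacyAuth": False, "requireMfaAllUsers": True},
        "authorizationPolicy": {"defaultUserRolePermissions": {"allowedToCreateApps": False}},
        "sharepoint": {"sharingCapability": "externalUserAndGuestSharing"},
        "roles": {"globalAdministratorCount": 9},
    },
    "northwind": {  # the Conditional Access export failed for this tenant
        "authorizationPolicy": {"defaultUserRolePermissions": {"allowedToCreateApps": True}},
        "sharepoint": {"sharingCapability": "disabled"},
        "roles": {"globalAdministratorCount": 2},
    },
}

if __name__ == "__main__":
    for name, findings in report(TENANTS).items():
        print(f"{name}: {worst_status(findings)}")
        for f in findings:
            print(f"  [{f['status']}] {f['setting']}: need {f['requirement']}, got {f['actual']!r}")
```

The design choice worth copying is the separate “unknown” status: an export that silently omits a section (a failed Graph call, a missing permission, a tenant onboarded without the right consent) would otherwise look identical to a compliant tenant, and that is exactly the tenant nobody looks at until the breach.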

Tenant management is becoming increasingly important for organizations looking to keep their M365 data safe. Microsoft does provide Microsoft 365 Lighthouse, but it has limitations and many MSPs find it lacking in features and scale. Some software vendors have built solutions to address this management need for MSPs, such as 365 Multi-Tenant Manager for MSPs by Hornetsecurity.

Proper management and governance are becoming critically important in today’s cloud-first world, and leadership teams must be aware of the dangers these challenges pose to the safety of data in the cloud.


Why Choose 365 Multi-Tenant Manager? 

  • Massive Time Savings: Reduce manual effort significantly with automation, leading to over 2,800 hours saved annually, equivalent to 1.47 full-time employees. 
  • Improved Compliance: Maintain compliance and security across all tenants with automated scans and real-time remediation. 
  • Tailored Solutions: Flexibility to create and implement custom policies ensures that every client’s unique requirements are met seamlessly. 

Join the future of tenant management. Request a demo today and see how 365 Multi-Tenant Manager for MSPs can transform your operations, save time, and enhance security for your clients.


Key features of 365 Multi-Tenant Manager 

  • Effortless Onboarding: Simplify the addition of new tenants with automatic discovery and onboarding, leveraging Microsoft Partner Center connection. 
  • Comprehensive Governance: Monitor and manage all Microsoft 365 tenants effortlessly with a detailed dashboard, recurring compliance scans, and automatic remediation for non-compliance. 
  • User-Friendly Automation: Utilize wizards that guide service providers through onboarding, configuration, and monitoring, saving time and reducing errors. 
  • Standardized Management: Apply best practice M365 configurations quickly with out-of-the-box templates or customize policies to meet unique customer needs. 
  • Enhanced Efficiency: Save significant time and resources, allowing your team to focus on creating, improving, and selling, rather than manual configuration tasks. 



Conclusion 

Data safety in the cloud remains a crucial topic as organizations continue to migrate to cloud services. While Microsoft Cloud’s baseline defenses have improved, they are not foolproof, particularly against evolving threats like Adversary-in-the-Middle (AitM) attacks. Implementing phishing-resistant MFA methods like Passkeys is essential to bolster security. 

However, as cloud adoption grows, so does the challenge of managing multiple tenants, especially for organizations that have undergone mergers or for managed service providers (MSPs). Proper management and governance of these environments are vital to prevent misconfigurations that could lead to data breaches. 

Hornetsecurity’s 365 Multi-Tenant Manager for MSPs offers a robust solution to streamline the management of multiple Microsoft 365 tenants, ensuring consistency. It enforces standards across tenants and reduces the risk of configuration errors.
