Cloud & Microsoft 365

Securely configuring and operating Microsoft 365 and cloud services

2 articles on this topic

Cloud security starts with configuration

For mid-market companies the cloud is no longer a future topic but everyday reality. Microsoft 365 alone is used by over one million companies in Germany, and every month more services and data move to the cloud. The good news: providers such as Microsoft invest billions in the security of their platforms. The less good news: the secure configuration of your tenant is your responsibility, and that is exactly where the problems arise. Many Microsoft 365 defaults favour ease of use over security. New tenants do get Security Defaults (which prompt for MFA), but settings such as external sharing in SharePoint and OneDrive, guest access in Teams, consent to third-party apps and a large part of the Defender configuration remain permissive until someone deliberately tightens them. This topic page shows you how to configure Microsoft 365 and other cloud services so that they meet the requirements of your ISMS.

Understanding the shared responsibility model

The first step toward secure cloud usage is understanding the shared responsibility model. In simple terms: the cloud provider is responsible for the security of the platform, that is the physical data centers, the network, the hypervisor layer and, for a SaaS service like Microsoft 365, the application itself. You are responsible for everything you put into the cloud and everything you do there: identities and authentication, access rights, the devices that connect, data classification and backup, configuration and compliance. If an employee enters their password on a phishing site and an attacker gains access to your entire SharePoint as a result, that is a failure on your side of the model, not Microsoft's.

This model has concrete implications for your ISMS. You must include cloud services in your risk analysis just as you would on-premises systems. You need policies for cloud usage, monitoring processes for suspicious activity, and a clear strategy for data backup — because yes, cloud data needs to be backed up too.

Systematically securing Microsoft 365

Microsoft 365 offers a wealth of security features, but many of them are not activated by default or are not optimally configured. The Microsoft Secure Score is a good starting point for assessing the current security status of your environment. It evaluates your configuration against best practices and gives you concrete recommendations for improvement.

The most important levers are Conditional Access policies in Entra ID (formerly Azure Active Directory), which grant or block access based on conditions such as user and group, location, device compliance and sign-in risk. Multi-factor authentication must be enforced for all users through these policies, with phishing-resistant methods (FIDO2 security keys, passkeys or Windows Hello for Business) for administrators, and legacy authentication protocols that cannot perform MFA should be blocked outright. On the protection side, the Defender family is split by scope: Microsoft Defender for Business (included in Business Premium) protects endpoints, Microsoft Defender for Office 365 protects email and collaboration, and Microsoft Defender for Identity and Entra ID Protection cover identities.
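The two policies described above, written out as an added example with Microsoft Graph PowerShell (this is not configuration from the original page). It assumes the Microsoft.Graph module is installed, that an account with the Conditional Access Administrator role runs it, and that a group for the emergency-access ("break-glass") accounts already exists under the hypothetical name CA-Exclude-BreakGlass. Both policies are created in report-only mode so their effect can be reviewed in the sign-in logs before anyone is locked out.

```powershell
# Added example: two baseline Conditional Access policies via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; group 'CA-Exclude-BreakGlass' exists (hypothetical name).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Every policy must exclude the break-glass accounts, otherwise a broken policy locks out all admins.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw "Break-glass group not found; create it before creating CA policies." }

# Policy 1: require MFA for every user on every cloud app.
$requireMfa = @{
    displayName = "CA001 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # report-only first, enable after review
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication (Basic auth, IMAP/POP/SMTP AUTH, old Office clients).
# These protocols cannot satisfy an MFA challenge, so they are the usual way around policy 1.
$blockLegacy = @{
    displayName = "CA002 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$created = foreach ($p in @($requireMfa, $blockLegacy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p
}
$created | Select-Object Id, DisplayName, State

# After checking the report-only results in the sign-in logs, switch a policy on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created[0].Id -BodyParameter @{ state = "enabled" }
```

Report-only mode writes a "Report-only" result for each sign-in into the Entra sign-in logs; review those for a week or two, then enable the policies one at a time, starting with the legacy authentication block.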

Securing individual services

Each Microsoft 365 service has its own security settings and challenges. Exchange Online needs a well-thought-out anti-phishing configuration, correct SPF, DKIM and DMARC records for every sending domain, and a policy that blocks automatic forwarding to external recipients, since attackers who phish a mailbox routinely add a forwarding rule to keep reading mail after the password is changed. SharePoint and OneDrive require a clean permissions concept and rules for external sharing so that confidential documents are not accidentally shared with the entire world through "Anyone" links. Teams has become the central communications platform and therefore deserves special attention regarding guest access, file sharing and app permissions.
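The Exchange Online and SharePoint settings named above, as an added example in Exchange Online and SharePoint Online PowerShell (not configuration from the original page or its article series). It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, uses the hypothetical domain contoso.example and tenant name contoso, and runs Resolve-DnsName, which is available on Windows.

```powershell
# Added example: harden Exchange Online mail flow and SharePoint sharing, then verify DNS records.
# Assumptions: domain 'contoso.example' and tenant 'contoso' are placeholders; replace with your own.
$domain = "contoso.example"
Connect-ExchangeOnline

# 1. DKIM: create the signing config if it does not exist yet, and print the two CNAMEs to publish.
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -Enabled $false | Out-Null
}
$dkim = Get-DkimSigningConfig -Identity $domain
"Publish: selector1._domainkey.$domain  CNAME  $($dkim.Selector1CNAME)"
"Publish: selector2._domainkey.$domain  CNAME  $($dkim.Selector2CNAME)"
# Once both CNAMEs resolve, enable signing:
# Set-DkimSigningConfig -Identity $domain -Enabled $true

# 2. Block automatic external forwarding at both layers that control it.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 3. Find forwarding that is already in place (mailbox-level and inbox rules), the classic persistence trick.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
} | Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, RedirectTo

# 4. Verify what the world sees for SPF and DMARC.
Resolve-DnsName -Name $domain -Type TXT | Where-Object { $_.Strings -like "v=spf1*" } | Select-Object -ExpandProperty Strings
Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Strings
# Target state: "v=DMARC1; p=reject; rua=mailto:dmarc-reports@contoso.example" (hypothetical address).
# Start with p=none, read the aggregate reports until all legitimate senders pass, then move to quarantine and reject.

# 5. SharePoint/OneDrive: no anonymous "Anyone" links, internal links by default, guest links expire.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, ExternalUserExpireInDays
```

Step 3 is worth running before step 2: turning forwarding off stops new exfiltration, but an attacker's existing rule is only found by looking for it, and a rule that forwards every incoming mail to an external address is a strong indicator of a compromised mailbox.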

Our article series walks you through the most important security settings service by service. Each article contains concrete configuration recommendations that you can implement directly in your Admin Center.

Device management with Intune

A secure cloud environment is of little use if the devices accessing it are insecure. Microsoft Intune enables centralized management of Windows PCs, Macs, iOS and Android devices. You can enforce security baselines, define compliance policies (disk encryption, Secure Boot, a minimum OS version, an active antivirus) and, combined with a Conditional Access policy that requires a compliant device, keep outdated or unmanaged devices away from company data. In the event of loss or theft you can remotely retire the device, which removes company data and settings, or wipe it completely. For organizations already using Microsoft 365 Business Premium or E3/E5, Intune is included in the license and is thus the obvious solution for device management.
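The compliance policy and the remote retire described above, as an added example in Microsoft Graph PowerShell (not from the original page). It assumes the Microsoft.Graph module, an Intune Administrator account, a hypothetical device name LAPTOP-042, and a minimum Windows build that you should replace with the oldest build you still accept. The blocking itself is done by a Conditional Access policy with the grant control "Require device to be marked as compliant", created the same way as any other CA policy.

```powershell
# Added example: Windows compliance policy in Intune plus a remote retire, via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; 'LAPTOP-042' and the OS build are placeholders.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "DeviceManagementManagedDevices.PrivilegedOperations.All",
                        "DeviceManagementManagedDevices.Read.All"

$compliance = @{
    "@odata.type"        = "#microsoft.graph.windows10CompliancePolicy"
    displayName          = "WIN-Baseline-Compliance"
    description          = "BitLocker, Secure Boot, code integrity, supported build, Defender AV active"
    bitLockerEnabled     = $true
    secureBootEnabled    = $true
    codeIntegrityEnabled = $true
    osMinimumVersion     = "10.0.19045.0"      # assumption: oldest build still accepted
    passwordRequired     = $true
    antivirusRequired    = $true
    defenderEnabled      = $true
    # Graph rejects a compliance policy without at least one scheduled action.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block";        gracePeriodHours = 0 }   # non-compliant immediately
                @{ actionType = "notification"; gracePeriodHours = 24 }  # and tell the user why
            )
        }
    )
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance
$policy | Select-Object Id, DisplayName

# Assign to all licensed users; a CA policy requiring a compliant device then enforces it.
Invoke-MgAssignDeviceManagementDeviceCompliancePolicy -DeviceCompliancePolicyId $policy.Id -BodyParameter @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.allLicensedUsersAssignmentTarget" } }
    )
}

# Lost or stolen device: retire removes company data and management, wipe factory-resets the device.
$device = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'LAPTOP-042'"
if ($device) {
    Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $device.Id
    # Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $device.Id   # full reset instead
}
```

Before requiring a compliant device in Conditional Access, check the Intune compliance report for devices that already fail the policy; every one of them will lose access the moment the CA policy is enabled.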

Cloud backup: your responsibility

A common misconception is: "Our data is in the cloud, so it is automatically backed up." This is not true. Microsoft guarantees the availability of the service, not a backup of your data in the traditional sense. If an employee accidentally or intentionally deletes emails or files, they are recoverable only within the service's retention window: deleted mail items are kept for 14 days by default (30 at most) after they leave the Deleted Items folder, and SharePoint and OneDrive files spend a total of 93 days in the recycle bins. After that they are gone, and the same applies to data encrypted by ransomware that synchronizes to OneDrive or destroyed by a compromised admin account. Microsoft 365 retention policies and litigation hold keep copies inside the tenant, which helps, but a tenant-wide failure or an attacker with admin rights takes those down with it; only a copy that is stored outside the tenant is a backup. Our article on cloud backup for Microsoft 365 shows you which backup solutions exist and how to set up a backup strategy for your cloud data.
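A quick check of what deletion protection a tenant actually has today, as an added example in Exchange Online and Security & Compliance PowerShell (not from the original page or the backup article). It assumes the ExchangeOnlineManagement module; the settings it shows are recovery aids inside the tenant and do not replace an external backup.

```powershell
# Added example: inventory the tenant's built-in recovery settings before deciding on a backup solution.
# Assumption: ExchangeOnlineManagement module installed; account has Exchange and Compliance admin rights.
Connect-ExchangeOnline

# 1. Deleted-item retention per mailbox: default 14 days, maximum 30. Raise every mailbox to the maximum.
$max = [TimeSpan]::FromDays(30)
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -Properties RetainDeletedItemsFor
$mailboxes |
    Where-Object { [TimeSpan]$_.RetainDeletedItemsFor -lt $max } |
    ForEach-Object { Set-Mailbox -Identity $_.UserPrincipalName -RetainDeletedItemsFor 30 }

# Summary: how many mailboxes sit at which retention window after the change.
Get-EXOMailbox -ResultSize Unlimited -Properties RetainDeletedItemsFor |
    Group-Object RetainDeletedItemsFor -NoElement | Select-Object Name, Count

# 2. Retention policies and holds: these keep copies inside the tenant, they are not a backup.
Connect-IPPSSession
Get-RetentionCompliancePolicy | Select-Object Name, Enabled, Mode,
    @{ n = "Exchange";   e = { $_.ExchangeLocation -join ";" } },
    @{ n = "SharePoint"; e = { $_.SharePointLocation -join ";" } },
    @{ n = "OneDrive";   e = { $_.OneDriveLocation -join ";" } }

# Mailboxes under litigation hold (deleted items are preserved regardless of the retention window).
$mailboxes | Where-Object { $_.LitigationHoldEnabled } | Select-Object UserPrincipalName, LitigationHoldDuration
```

If the output shows no retention policy and the 14-day default everywhere, every deleted mail older than two weeks is already unrecoverable; fix the retention window first, then decide on a backup product.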