Complete repository of frameworks, playbooks, and assessment resources for cybersecurity consultations focused on antifragile enterprise design. Includes:

- Core philosophy and manifest (5 pillars)
- 12 modular engagement packages
- AI sovereignty and operations frameworks
- Zero-budget vulnerability discovery and hardening playbooks
- M365 E3 hardening and antifragile project plans
- Osquery sovereign discovery platform blueprint
- Perimeter scanning capability guide
- AI-assisted TVM blueprint for AI-powered adversaries
- Vertical specializations: banking, telco, power/utilities
- CIS Controls v8 and NIST CSF 2.0 mappings
- Risk registers and assessment templates
- C-suite conversation guide and business case templates
M365 Project Risk Register
"Most M365 projects fail not because Teams does not work, but because governance was an afterthought and the tenant became an ungovernable monoculture."
This risk register applies the antifragile risk methodology specifically to Microsoft 365 projects—greenfield deployments, tenant modernisations, migrations, and consolidations. It is designed for M365/Azure consultancies to identify, classify, and mitigate project-specific risks before they become tenant-wide liabilities.
M365-Specific Risk Taxonomy
Category 1: Identity and Access Risks
| Risk ID | Risk Name | Description | T0/T1/T2 | Kill Chain | Antifragile Move | Owner |
|---|---|---|---|---|---|---|
| M365-001 | Excessive Global Admins | More than 3-5 Global Admins with standing access | T0 | Compromise any admin → full tenant control → data exfiltration / deletion | Reduce to minimum; deploy PIM; use delegated roles | Identity Team |
| M365-002 | No MFA on Admin Accounts | Admin accounts lack multi-factor authentication | T0 | Phish password → direct tenant access → no second factor to stop | Enforce MFA for all admins; hardware tokens for break-glass | Security |
| M365-003 | Legacy Authentication Enabled | Legacy auth protocols allow MFA bypass | T1 | Password spray via IMAP/POP3/SMTP → account access without MFA | Block legacy auth tenant-wide; monitor for attempts | Security |
| M365-004 | Stale Guest Accounts | Former partners/vendors retain guest access indefinitely | T1 | Stale guest → credential compromise → Teams/SharePoint access | Quarterly guest access review; time-bounded invitations | Collaboration Team |
| M365-005 | Unmanaged OAuth Consents | Users granted permissions to unauthorized applications | T1 | Malicious app → mailbox access / data exfiltration / phishing | Disable user consent; admin consent workflow; quarterly audit | Security |
| M365-006 | Shared Mailboxes with Login | Shared mailboxes configured with user passwords and sign-in enabled | T2 | Shared credential compromise → email access → BEC / data theft | Disable sign-in on shared mailboxes; convert to proper delegation | Exchange Team |
| M365-007 | No Conditional Access (E5/P1) | Missing location, device, or risk-based access controls | T1 | Compromised credentials usable from any device, any location | Deploy conditional access: MFA, device compliance, location, risk | Identity Team |
| M365-008 | Hybrid Identity Stuck | AAD Connect configured with no plan to migrate to cloud-native | T1 | AAD Connect compromise → cloud identity manipulation → tenant takeover | Document cloud-native migration path; secure AAD Connect server | Identity Team |
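The first three identity risks (M365-001, M365-002, M365-003) can be checked automatically rather than by reading portal blades. The following is an added example and not part of the repository's tooling: it runs the checks over data in the shape Microsoft Graph returns from `GET /directoryRoles/{id}/members`, `GET /users/{id}/authentication/methods` and `GET /identity/conditionalAccess/policies`. The sample payloads are constructed for the example, the role-member dictionary is keyed by the Global Administrator role template id (an assumption of this example; Graph itself addresses roles by object id), and the threshold of five admins is the upper end of the range in M365-001. The legacy-auth check deliberately treats a report-only policy as no control at all, which is the failure mode most often seen in practice.

```python
from typing import Any

# Role template id of Global Administrator; this value is the same in every tenant.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
MAX_GLOBAL_ADMINS = 5                                      # upper end of the 3-5 range in M365-001
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}  # Graph clientAppTypes used by legacy auth
PASSWORD_ONLY = "#microsoft.graph.passwordAuthenticationMethod"


def check_excessive_global_admins(role_members: dict[str, list[dict[str, Any]]]) -> dict[str, Any]:
    """M365-001: more than MAX_GLOBAL_ADMINS standing members of the Global Administrator role."""
    members = role_members.get(GLOBAL_ADMIN_TEMPLATE_ID, [])
    admins = [m.get("userPrincipalName", m["id"]) for m in members]
    return {"risk": "M365-001", "finding": len(admins) > MAX_GLOBAL_ADMINS, "admins": admins}


def check_admin_mfa(admins: list[str], auth_methods: dict[str, list[dict[str, str]]]) -> dict[str, Any]:
    """M365-002: admins whose only registered authentication method is a password."""
    no_mfa = [
        upn for upn in admins
        if not ({m["@odata.type"] for m in auth_methods.get(upn, [])} - {PASSWORD_ONLY})
    ]
    return {"risk": "M365-002", "finding": bool(no_mfa), "admins_without_mfa": no_mfa}


def legacy_auth_blocked(policies: list[dict[str, Any]]) -> bool:
    """True only when an *enforced* Conditional Access policy blocks legacy client app types
    for all users. Report-only policies (state enabledForReportingButNotEnforced) log, they do not stop."""
    for policy in policies:
        if policy.get("state") != "enabled":
            continue
        conditions = policy.get("conditions", {})
        client_apps = set(conditions.get("clientAppTypes", []))
        include_users = conditions.get("users", {}).get("includeUsers", [])
        controls = set(policy.get("grantControls", {}).get("builtInControls", []))
        if LEGACY_CLIENT_APP_TYPES <= client_apps and "All" in include_users and "block" in controls:
            return True
    return False


def check_legacy_auth(policies: list[dict[str, Any]]) -> dict[str, Any]:
    """M365-003: no enforced tenant-wide block on legacy authentication."""
    return {"risk": "M365-003", "finding": not legacy_auth_blocked(policies)}


# --- Constructed sample data in Graph's shape; not taken from any real tenant ---
SAMPLE_ROLE_MEMBERS = {
    GLOBAL_ADMIN_TEMPLATE_ID: [
        {"id": f"user-{i}", "userPrincipalName": f"admin{i}@contoso.example"} for i in range(1, 7)
    ]
}
SAMPLE_AUTH_METHODS = {
    f"admin{i}@contoso.example": [
        {"@odata.type": PASSWORD_ONLY},
        {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"},
    ]
    for i in range(1, 6)
}
SAMPLE_AUTH_METHODS["admin6@contoso.example"] = [{"@odata.type": PASSWORD_ONLY}]  # password only
SAMPLE_CA_POLICIES = [
    {   # drafted correctly but never switched on: report-only blocks nothing
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"], "users": {"includeUsers": ["All"]}},
        "grantControls": {"builtInControls": ["block"]},
    }
]


def run_identity_checks(role_members=SAMPLE_ROLE_MEMBERS, auth_methods=SAMPLE_AUTH_METHODS,
                        policies=SAMPLE_CA_POLICIES) -> list[dict[str, Any]]:
    """Run the three checks and return only the risks that fire."""
    admins = check_excessive_global_admins(role_members)
    results = [admins, check_admin_mfa(admins["admins"], auth_methods), check_legacy_auth(policies)]
    return [r for r in results if r["finding"]]


if __name__ == "__main__":
    for finding in run_identity_checks():
        print(finding)
```

On the sample data all three risks fire: six standing Global Admins, one of them with no second factor, and a legacy-auth block that exists only in report-only mode. Flipping that policy's `state` to `enabled` clears M365-003, which is the point of the check: the control is the enforced policy, not the policy object.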
Category 2: Data Governance Risks
| Risk ID | Risk Name | Description | T0/T1/T2 | Kill Chain | Antifragile Move | Owner |
|---|---|---|---|---|---|---|
| M365-009 | No Data Classification | Documents and emails stored without sensitivity labels | T1 | Proprietary/confidential data mixed with public data → uncontrolled sharing → leakage | Deploy sensitivity labels (Purview) or manual classification guidance | Compliance |
| M365-010 | Open External Sharing | SharePoint/OneDrive default allows anyone-links or external sharing | T1 | Accidental or malicious public link → data exposure → regulatory fine / reputational damage | Default sharing: internal only; anyone-links disabled; per-site justification | SharePoint Team |
| M365-011 | No Retention Policy | No defined retention for email, Teams, or files; data accumulates indefinitely | T2 | Excessive data → discovery cost → compliance failure → inability to respond to legal hold | Deploy retention policies for all workloads; legal hold procedures | Compliance |
| M365-012 | Teams Channel Sprawl | Uncontrolled team creation; stale teams with sensitive data | T2 | Stale team with external access → forgotten but accessible → data leakage | Governed team creation; expiration policies; access reviews | Collaboration Team |
| M365-013 | OneDrive as Shadow IT | Users store business-critical data in personal OneDrive without backup | T1 | User departure / account deletion → data loss; no organizational recovery | Migrate business data to SharePoint; backup strategy; user education | SharePoint Team |
| M365-014 | Copilot Without Governance | Microsoft 365 Copilot deployed without data governance baseline | T0 | Copilot surfaces sensitive data to unauthorized users → internal data breach | Deploy sensitivity labels BEFORE Copilot; conditional access; user training | Security / Compliance |
| M365-015 | eDiscovery Unprepared | No eDiscovery processes, legal hold capability, or retention for litigation | T2 | Litigation → inability to produce documents → adverse inference / sanctions | eDiscovery training; retention hold procedures; Purview eDiscovery licensing | Legal / Compliance |
Category 3: Security and Threat Risks
| Risk ID | Risk Name | Description | T0/T1/T2 | Kill Chain | Antifragile Move | Owner |
|---|---|---|---|---|---|---|
| M365-016 | Business Email Compromise (BEC) | Executive mailbox compromised; fraudulent payment instructions sent | T1 | Phish executive → mailbox control → invoice fraud / wire transfer | Impersonation protection; mailbox auditing; MFA; financial process verification | Security |
| M365-017 | EOP Misconfiguration | Basic Exchange Online Protection not tuned for client's threat profile | T1 | Phishing email reaches inbox → user compromise → lateral movement | Tune anti-phishing, anti-malware, anti-spam; impersonation protection | Security |
| M365-018 | No Audit Logging | Unified Audit Log disabled or unmonitored | T1 | Incident occurs → no forensic evidence → cannot determine scope or contain | Enable UAL immediately; forward to SIEM; 90-day minimum retention | Security |
| M365-019 | Device Unmanaged | Corporate devices accessing M365 without MDM or compliance policy | T1 | Compromised personal device → M365 access → data exfiltration | Intune enrollment; conditional access requiring compliance | Endpoint Team |
| M365-020 | No Backup Beyond Native | Reliance on recycle bin and soft delete as "backup" | T1 | Ransomware / malicious admin / sync error → data loss → no recovery | Third-party immutable backup; quarterly recovery testing | Backup Team |
Category 4: AI and Emerging Technology Risks
| Risk ID | Risk Name | Description | T0/T1/T2 | Kill Chain | Antifragile Move | Owner |
|---|---|---|---|---|---|---|
| M365-021 | Shadow AI via M365 Apps | Employees paste proprietary data into Copilot, Bing, or third-party AI through browser | T0 | Proprietary data → public AI model → competitive intelligence loss | Deploy Azure OpenAI bridge; DLP policies blocking AI uploads; user education | Security |
| M365-022 | Copilot Data Overexposure | Copilot synthesizes and surfaces data the user should not have access to | T1 | Overpermissioned user → Copilot reveals sensitive synthesis → internal breach | Zero-trust permissions review; sensitivity labels; just-in-time access | Security |
| M365-023 | AI-Generated Misinformation | Users make business decisions based on unverified AI-generated content | T2 | AI hallucination → bad decision → financial loss / compliance failure | Human-in-the-loop for critical decisions; source attribution requirements; user training | Compliance |
| M365-024 | No AI Governance Policy | Organization has no policy for approved AI tools, data handling, or vendor evaluation | T1 | Uncontrolled AI adoption → data leakage → regulatory / legal exposure | AI governance framework; approved tool list; data classification for AI inputs | Security / Legal |
Category 5: Project and Organizational Risks
| Risk ID | Risk Name | Description | T0/T1/T2 | Kill Chain | Antifragile Move | Owner |
|---|---|---|---|---|---|---|
| M365-025 | Tenant as Monoculture | All data, identity, and collaboration in one tenant with no exit architecture | T0 | Tenant compromise / lockout / vendor change → total organizational paralysis | Domain ownership by client; data portability architecture; documented tenant exit | Architecture |
| M365-026 | Scope Creep Without Governance | Workloads deployed incrementally without security review | T2 | New app/service → unmapped risk → incident | Governance gate before new workload; security review checklist | Project Manager |
| M365-027 | Insufficient Admin Training | Client team lacks skills to operate and secure the tenant post-handover | T2 | Misconfiguration → vulnerability → incident | Structured training program; runbook documentation; knowledge transfer sessions | Training |
| M365-028 | Power Platform Shadow IT | Citizen developers create apps and flows with ungoverned data access | T1 | Unmanaged flow → external data sharing / credential exposure → breach | DLP policies; environment governance; citizen developer training | Power Platform Team |
| M365-029 | Migration Data Loss | Legacy data lost or corrupted during migration to M365 | T1 | Corrupted migration → missing records → compliance / operational failure | Pre-migration backup; validation sampling; rollback plan | Migration Team |
| M365-030 | Vendor Lock-in via Add-ons | Heavy reliance on third-party M365 add-ins that create dependency | T2 | Add-on vendor discontinues / changes terms → workflow collapse | Evaluate add-ons for portability; maintain native fallback; contractual exit clauses | Procurement |
Risk Scoring for M365 Projects
Probability Scale
| Score | Definition | M365 Example |
|---|---|---|
| 1 | Rare (< 1% annually) | Total Azure region failure |
| 2 | Unlikely (1-10%) | Major zero-day in Exchange Online |
| 3 | Possible (10-50%) | Successful phishing campaign against users |
| 4 | Likely (50-90%) | Stale guest account remains accessible |
| 5 | Almost certain (> 90%) | Shadow AI usage if no sanctioned alternative |
Impact Scale
| Score | Definition | M365 Example |
|---|---|---|
| 1 | Negligible | Minor inconvenience; no data loss |
| 2 | Minor | Single user/service affected; recoverable in hours |
| 3 | Moderate | Departmental impact; recoverable in days; potential compliance notice |
| 4 | Major | Organizational impact; recoverable in weeks; regulatory fine likely |
| 5 | Catastrophic | Existential threat; business termination possible; criminal liability |
M365-Specific Convexity Assessment
| Convexity | Definition | M365 Example |
|---|---|---|
| Extreme | €0 control prevents €500K+ loss | Enabling MFA (free in E3) prevents total tenant compromise |
| High | Small labor investment prevents major incident | Quarterly guest access review prevents data breach via stale account |
| Moderate | Moderate investment prevents significant loss | Third-party backup prevents data loss from ransomware |
| Low | Investment comparable to potential loss | Advanced threat protection add-on vs. basic EOP |
Project Phase Risk Gates
Greenfield Deployment Gates
| Phase | Gate | Risk Closure Requirement |
|---|---|---|
| Architecture | Go/No-Go before provisioning | M365-025 (tenant monoculture) assessed and mitigated; M365-030 (add-on lock-in) evaluated |
| Foundation | Go/No-Go before user onboarding | M365-001 (excessive admins), M365-002 (no MFA), M365-018 (no audit) closed |
| Workload Rollout | Go/No-Go per workload | M365-009 (no classification), M365-010 (open sharing), M365-028 (Power Platform) addressed |
| Go-Live | Go/No-Go before production | M365-016 (BEC), M365-017 (EOP), M365-020 (no backup) mitigated; M365-027 (training) completed |
| 30-Day Post | Review | M365-021 (shadow AI) inventoried; M365-024 (AI governance) drafted |
Modernisation Gates
| Phase | Gate | Risk Closure Requirement |
|---|---|---|
| Audit | Complete before changes | All 30 risks assessed; T0 and T1 risks prioritized |
| Kill Chain Closure | Day 30 checkpoint | All T0 risks closed or accepted with board sign-off |
| Governance Deployment | Day 60 checkpoint | All T1 identity and data risks closed |
| Sovereignty | Day 90 checkpoint | M365-021 (shadow AI) mitigated via sanctioned alternative; M365-020 (backup) tested |
| Antifragility | Day 180 checkpoint | Automated monitoring for M365-003, M365-005, M365-010; quarterly review cadence established |
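The two gate tables above are mechanical enough to evaluate from the register itself. The example below is added here and is not part of the repository; it encodes the greenfield gates by the risk IDs the tables list and the day-30 and day-60 modernisation checkpoints by tier and category. Status values (`open`, `in_progress`, `closed`, `accepted`) and the rule that an accepted risk needs a recorded sign-off to count (from the Kill Chain Closure row, "closed or accepted with board sign-off") are assumptions of this example; the sample register is constructed.

```python
from typing import Any, Callable

# Greenfield gates: the risk IDs each gate row names (Architecture and Foundation rows etc.).
GREENFIELD_GATES: dict[str, set[str]] = {
    "Architecture":     {"M365-025", "M365-030"},
    "Foundation":       {"M365-001", "M365-002", "M365-018"},
    "Workload Rollout": {"M365-009", "M365-010", "M365-028"},
    "Go-Live":          {"M365-016", "M365-017", "M365-020", "M365-027"},
}
IDENTITY_AND_DATA = {"Identity and Access", "Data Governance"}
# Modernisation checkpoints: a predicate selecting the risks that must be satisfied.
MODERNISATION_GATES: dict[str, Callable[[dict[str, Any]], bool]] = {
    "Kill Chain Closure (day 30)": lambda r: r["tier"] == "T0",
    "Governance Deployment (day 60)": lambda r: r["tier"] == "T1" and r["category"] in IDENTITY_AND_DATA,
}


def risk_satisfied(risk: dict[str, Any]) -> bool:
    """Closed, or accepted with a recorded sign-off. 'accepted' with nobody's name on it is still open."""
    if risk["status"] == "closed":
        return True
    return risk["status"] == "accepted" and bool(risk.get("accepted_by"))


def evaluate_greenfield_gate(gate: str, register: list[dict[str, Any]]) -> dict[str, Any]:
    """A risk missing from the register has not been assessed, so it blocks the gate too."""
    by_id = {r["id"]: r for r in register}
    blocking = sorted(rid for rid in GREENFIELD_GATES[gate]
                      if rid not in by_id or not risk_satisfied(by_id[rid]))
    return {"gate": gate, "passed": not blocking, "blocking": blocking}


def evaluate_modernisation_gate(gate: str, register: list[dict[str, Any]]) -> dict[str, Any]:
    selector = MODERNISATION_GATES[gate]
    blocking = sorted(r["id"] for r in register if selector(r) and not risk_satisfied(r))
    return {"gate": gate, "passed": not blocking, "blocking": blocking}


# Constructed sample register (tiers and categories follow the tables on this page).
SAMPLE_REGISTER = [
    {"id": "M365-001", "tier": "T0", "category": "Identity and Access", "status": "closed"},
    {"id": "M365-002", "tier": "T0", "category": "Identity and Access", "status": "accepted"},  # no sign-off
    {"id": "M365-014", "tier": "T0", "category": "Data Governance", "status": "accepted",
     "accepted_by": "board minute ref (placeholder)"},
    {"id": "M365-025", "tier": "T0", "category": "Project and Organizational", "status": "closed"},
    {"id": "M365-003", "tier": "T1", "category": "Identity and Access", "status": "in_progress"},
    {"id": "M365-018", "tier": "T1", "category": "Security and Threats", "status": "closed"},
    {"id": "M365-030", "tier": "T2", "category": "Project and Organizational", "status": "closed"},
]


def evaluate_all(register: list[dict[str, Any]] = SAMPLE_REGISTER) -> dict[str, dict[str, Any]]:
    results = {g: evaluate_greenfield_gate(g, register) for g in GREENFIELD_GATES}
    results.update({g: evaluate_modernisation_gate(g, register) for g in MODERNISATION_GATES})
    return results


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        state = "PASS" if result["passed"] else "BLOCKED by " + ", ".join(result["blocking"])
        print(f"{name:<32} {state}")
```

In the sample, Architecture passes, Foundation and the day-30 checkpoint are both blocked by the same unsigned acceptance of M365-002, and the Workload Rollout gate is blocked because its three risks have never been entered in the register at all. That last case is the one worth keeping in the logic: an unassessed risk must not silently pass a gate.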
The M365 Risk Dashboard (For Steering Committee)
```text
M365 PROJECT RISK DASHBOARD — [Client] — [Date]

T0 RISKS (Existential)
├─ Open: [X] ├─ In Progress: [X] └─ Closed: [X]
├─ [Risk ID] [Name] — Owner: [Name] — Target: [Date]
└─ [Risk ID] [Name] — Owner: [Name] — Target: [Date]

T1 RISKS (Major)
├─ Open: [X] ├─ In Progress: [X] └─ Closed: [X]
├─ [Risk ID] [Name] — Owner: [Name] — Target: [Date]
└─ [Risk ID] [Name] — Owner: [Name] — Target: [Date]

IDENTITY & ACCESS        [████░░░░░░] [X]% mitigated
DATA GOVERNANCE          [██████░░░░] [X]% mitigated
SECURITY & THREATS       [█████░░░░░] [X]% mitigated
AI & EMERGING TECH       [███░░░░░░░] [X]% mitigated
PROJECT & ORGANIZATIONAL [███████░░░] [X]% mitigated

TOP 3 RISKS REQUIRING ESCALATION
1. [Risk ID] — [Reason for escalation]
2. [Risk ID] — [Reason for escalation]
3. [Risk ID] — [Reason for escalation]

RECOMMENDATION: [Proceed / Pause / Escalate]
```
Integration With Project Deliverables
| Deliverable | Risk Register Integration |
|---|---|
| Project charter | Include T0 risk identification as success criterion |
| Architecture document | Map each design decision to risk mitigation |
| Configuration baselines | Reference risk IDs in change justification |
| Test plan | Include recovery drills for M365-020; penetration testing for M365-016 |
| Training plan | Address M365-027; include AI governance for M365-024 |
| Handover document | Transfer risk ownership to client team with review cadence |
For the general antifragile risk register methodology, see Antifragile Risk Register. For the M365 antifragile project playbook, see M365 Antifragile Project.