Cloud Drift Management: Why Security Doesn't Stay Fixed in the Cloud

Dayna-Jean Broeders

22 June 2026

11 min read

Your Cloud Was Secure Six Months Ago. Is It Still?


You migrated to Microsoft 365. You set up MFA, you configured your security settings, got everything in order, and moved on. Job done.

Except your environment didn't stop changing the day you went live. New staff joined; old staff left, and their accounts weren't always cleaned up promptly. Someone needed access to a SharePoint site for a project, so permissions were adjusted. A new SaaS tool got connected to your Microsoft 365 tenant. A cloud platform update changed a default setting, and a consultant was given temporary admin access that never got revoked.

Six months later, your security settings look nothing like what you configured and, as in most businesses, nobody has noticed.

This is configuration drift, and it's one of the most common, most costly, and least visible security risks facing New Zealand organisations running cloud environments today.


What Is Configuration Drift?

Configuration drift is what happens when a system's current state gradually moves away from its intended, secure state - through a series of small, individually unremarkable changes that accumulate over time into a meaningful security gap.

Think of it like a house that was well-maintained when you moved in. Over time, a window latch stops working properly, a door lock gets stiff, and the smoke alarm battery dies. Each one is a minor issue. Together, they represent a home that's significantly less secure than it was - not because of any single dramatic event, but because of gradual neglect.

Cloud environments work the same way. Every permission change, every new application, every user addition or removal, every platform update creates an opportunity for the environment to drift away from the secure baseline you established. The difference is that in a cloud environment, these changes can happen dozens of times a day across multiple systems simultaneously.

The NCSC's 2025 Cyber Threat Report noted that misconfiguration remains one of the leading causes of cloud security incidents globally. Gartner's analysis of cloud breaches found that through 2025, 99% of cloud security failures were attributable to the customer - not the provider - and the overwhelming majority were traceable to configuration errors. Not sophisticated attacks, not zero-day exploits, simply configurations that drifted from where they needed to be.

The important thing to understand is that drift isn't a sign that something has gone wrong. In most cases, drift is simply the result of a growing and evolving business. New employees join, new applications are introduced, teams need access to different information, and cloud platforms release updates. Business priorities change.

The challenge isn't preventing change - change is how businesses grow. The challenge is ensuring your security settings keep pace with that change. That's exactly where drift management comes in.


How Drift Happens in Practice

Understanding how drift accumulates is the first step to managing it. Here are the changes that create drift in Microsoft 365, Azure, and other cloud environments every day - often without anyone flagging them as security-relevant.

Staff turnover - When someone leaves the business, their account needs to be disabled, their access removed, their shared mailbox access revoked, and any admin permissions they held cleaned up. In practice, some of these steps get missed - particularly if the departure is sudden or the IT process isn't tightly managed. Former staff accounts with active credentials and broad permissions are a consistent attack vector.

New SaaS applications - A team member finds a tool that solves a problem and signs up using their Microsoft 365 account. The app gets OAuth permissions to access email, calendar, or files. Months later, the tool is no longer used but the permissions remain - an active connection to your environment that nobody's reviewing.

Temporary access that became permanent - A consultant needed admin access for a project. A contractor was given broad SharePoint permissions for a specific task. The project finished, but the access wasn't revoked. These "temporary" elevated permissions are common and rarely audited.

Inconsistent MFA policies - MFA was rolled out to most staff, but a few accounts were excluded because of a legacy system, a user preference, or simply because they were overlooked. Those unprotected accounts are the ones attackers find. In Microsoft environments, these policies are managed through Microsoft Entra ID, and when they drift, the gap isn't always visible without specifically auditing the Entra configuration.

Microsoft platform updates changing defaults - Microsoft pushes updates to Microsoft 365 and Azure regularly. Occasionally, an update changes a default setting - sometimes in a way that affects your security configuration without any action on your part. Without active monitoring, these changes can go unnoticed.

Shadow IT - Staff adopt tools, services, and applications without IT oversight. Each one represents an integration, a data flow, and a set of permissions that sits outside your managed environment. The NCSC specifically called out shadow IT as a growing risk in the NZ context - and it creates drift by definition, because it expands the attack surface beyond what's been configured or reviewed.

Project implementations - A new system goes live. During the implementation, temporary configurations are put in place - wider permissions, relaxed security settings, test accounts. When the project closes, the cleanup doesn't always happen.

Infrastructure changes - New devices are added to the environment. Azure resources are provisioned. Network configurations are adjusted. Each change has security implications that may not be fully considered at the time.


Why Drift Creates Real Security Risk

Configuration drift isn't just a tidiness problem. It creates concrete, exploitable security gaps - the kind that attackers are specifically looking for.

Expanded attack surface - Every unused account, every excessive permission, every unsecured integration is an additional entry point. Attackers don't need to find the hardest way in - they find the easiest one. Drift creates those easy paths systematically, across your entire environment, over time.

Unauthorised access - Permissions that drift beyond what's necessary for the role create the conditions for both insider threats and external attackers who compromise an account. An account with more access than it needs becomes a significantly more valuable target.

Compliance exposure - Many NZ businesses have compliance obligations - under the Privacy Act 2020, through cyber insurance requirements, or through contractual obligations to clients or partners. Compliance requires maintaining documented, consistent security controls. Drift undermines that consistency, and the gap becomes visible when you most need it not to be - during a breach investigation or an insurance claim.

Reduced visibility - As the environment drifts from its intended configuration, the security controls built on that configuration become less reliable. Monitoring tools that were configured against a known baseline start missing things that have moved outside it.

Ransomware risk - Ransomware operators specifically look for misconfigured environments - excessive permissions, disabled security features, unmonitored accounts - as pathways for lateral movement after initial access. An environment affected by significant drift is substantially easier to move through once an attacker is inside.

Data exposure - SharePoint permissions that have broadened over time, external sharing settings that were adjusted for a project and never reset, cloud storage buckets that drifted to more permissive access controls - these create conditions where sensitive business data is accessible to people who shouldn't have it, or exposed to the internet without anyone realising.


Why an Annual Security Review Isn't Enough

There was a time when a yearly security audit made reasonable sense. Your environment was relatively static, servers sat in a rack, staff used desktop computers in the office and changes happened slowly and deliberately.

That world no longer exists for most NZ businesses.

A Microsoft 365 environment in a business with 50 staff will see hundreds of configuration-relevant changes in a year - user additions and removals, permission adjustments, application connections, policy changes, platform updates. By the time an annual review happens, the environment it's reviewing may look significantly different from the environment that was last audited.

The point isn't that annual reviews are useless - they're valuable as a structured assessment of where you stand. The point is that they can only tell you about drift that has already accumulated, not prevent it from accumulating, and that the gap between reviews is precisely when drift does its damage.

Security incidents don't wait for your annual review window.


What Good Drift Management Looks Like

Drift management is the ongoing process of monitoring, reviewing, and correcting security changes as your environment evolves. Rather than waiting for an annual audit to discover issues months after they occur, drift management identifies security gaps as they emerge and restores configurations to their intended state before they become a problem.

Think of it as continuous maintenance for your cloud environment. Change is inevitable, and so is drift. Unmanaged drift is optional.

It's a continuous practice - the ongoing discipline of keeping your environment aligned with its intended secure configuration as it changes - and it rests on the following connected practices.

A documented security baseline - You can't detect drift without knowing what you're drifting from. A security baseline documents your intended configuration - who has access to what, which security controls are enabled, what policies are in force, what applications are approved and connected. This baseline is the reference point everything else is measured against.

Continuous monitoring - Manual reviews catch drift that has already happened. Continuous monitoring catches it as it happens - alerting on configuration changes, policy modifications, new application connections, and unusual permission changes in real time. For Microsoft 365 environments specifically, this means monitoring the Secure Score, the Entra ID (formerly Azure AD) audit logs, the Exchange security settings, and the SharePoint and OneDrive sharing configurations on an ongoing basis.

Automated alerting on significant changes - Not all configuration changes are equal. Effective drift management prioritises alerts on changes with the highest security impact - MFA policy modifications, admin role assignments, external sharing setting changes, legacy authentication being re-enabled - rather than generating noise around every minor adjustment.

Regular remediation cycles - Identifying drift is only useful if it's addressed. A structured remediation process - reviewing flagged drift, assessing the risk, and correcting configurations back to baseline - needs to happen on a defined cadence. For most environments, monthly is the minimum; for high-risk environments, more frequently.

Security governance at the leadership level - Drift management requires that someone is accountable for the security posture of the environment as it changes over time. This is part of what a vCISO provides - strategic ownership of the security function, including ongoing governance of the cloud environment configuration.

Access reviews - Regular, structured reviews of who has access to what - and whether that access is still appropriate - are one of the most effective controls against permission drift. In Microsoft 365 environments, Microsoft Entra ID is where user identities, roles, conditional access policies, and guest access are managed. Reviewing Entra regularly - not just when something goes wrong - is where most permission drift gets caught and corrected. Quarterly access reviews for privileged accounts, and annual reviews for all users, are the standard recommended by most security frameworks.
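The baseline comparison and prioritised alerting described above, as an added example in Python that is not NSP's tooling or anything Microsoft ships. The snapshot format (a flat map of setting path to value), the setting names and the tenant values are constructed assumptions standing in for what you would export from your own Entra ID, Exchange and SharePoint settings; the sample drift mirrors the never-revoked consultant, un-disabled leaver and unreset sharing setting from "How Drift Happens in Practice".

```python
# Added example: baseline-vs-current drift check with prioritised alerting.
# Snapshot format is a constructed flat map of setting path -> value; real
# values would come from your own Entra ID, Exchange and SharePoint exports.
from dataclasses import dataclass
# Setting-path prefixes the article treats as highest impact: MFA policy,
# admin role assignments, external sharing, legacy authentication.
HIGH_IMPACT_PREFIXES = ("mfa.", "admin_roles.", "sharing.external", "auth.legacy")

@dataclass(frozen=True)
class Drift:
    setting: str
    baseline: object  # None when the setting was absent from the baseline
    current: object   # None when the setting has disappeared from the tenant
    severity: str     # "high" or "low"

def severity_for(setting: str) -> str:
    return "high" if setting.startswith(HIGH_IMPACT_PREFIXES) else "low"

def detect_drift(baseline: dict, current: dict) -> list[Drift]:
    """Every setting whose current value differs from the baseline, including
    settings present on only one side, with high-impact drift listed first."""
    drifts = [Drift(k, baseline.get(k), current.get(k), severity_for(k))
              for k in sorted(set(baseline) | set(current))
              if baseline.get(k) != current.get(k)]
    drifts.sort(key=lambda d: (d.severity != "high", d.setting))
    return drifts

def high_impact_alerts(drifts: list[Drift]) -> list[str]:
    """Alert lines for high-impact drift only; the rest waits for the
    regular remediation cycle rather than generating noise."""
    return [f"ALERT {d.setting}: baseline={d.baseline!r} now={d.current!r}"
            for d in drifts if d.severity == "high"]

# Constructed snapshots: the documented baseline, and the tenant months later.
BASELINE = {
    "mfa.enforced_for_all_users": True,
    "auth.legacy_protocols_enabled": False,
    "admin_roles.global_admin": ("alice@example.invalid",),
    "sharing.external_default": "existing_guests_only",
    "apps.approved_oauth": ("Teams", "Planner"),
    "accounts.alice@example.invalid.enabled": True,
}
CURRENT = dict(BASELINE, **{
    "mfa.enforced_for_all_users": False,                        # exclusions crept in
    "admin_roles.global_admin": ("alice@example.invalid", "consultant@example.invalid"),
    "sharing.external_default": "anyone",                       # project setting never reset
    "apps.approved_oauth": ("Teams", "Planner", "UnreviewedNotesApp"),
    "accounts.former.staff@example.invalid.enabled": True,      # leaver never disabled
})
if __name__ == "__main__":
    print("\n".join(high_impact_alerts(detect_drift(BASELINE, CURRENT))))
```

Running it prints three alerts (MFA enforcement, the extra Global Administrator, the external sharing default); the unreviewed OAuth app and the leaver's account are recorded as low-severity drift for the monthly remediation cycle.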


Signs Your Organisation May Have Drift Issues

Work through this checklist honestly. If several of these are true, your environment has likely accumulated meaningful drift.


  • Former staff accounts that may still be active in Microsoft 365 or Azure

  • Admin accounts shared between multiple people, or admin access granted without time limits

  • MFA not enforced universally - some accounts or applications excluded

  • Third-party applications connected to your Microsoft 365 tenant that are no longer actively used

  • SharePoint sites or OneDrive folders with external sharing enabled that you haven't reviewed recently

  • No documented baseline of your intended security configuration

  • Security settings reviewed annually or less frequently

  • New SaaS tools adopted by staff without IT involvement or security review

  • No automated alerting on configuration changes in Microsoft 365 or Azure

  • Legacy authentication protocols (basic auth) still enabled for any accounts

  • Conditional access policies that haven't been reviewed since they were set up

  • No process for revoking access when staff leave or change roles

If more than three of these apply to your environment, a cloud security assessment is the practical next step - it maps the current state of your environment against security best practice and gives you a clear, prioritised list of what to address.


Frequently Asked Questions About Configuration Drift

What's the difference between configuration drift and a security breach?

A security breach is the outcome. Configuration drift is often what makes it possible. Drift doesn't mean you've been breached - it means your environment has drifted from its intended secure state in ways that increase your exposure. Left unmanaged, drift creates the conditions that make breaches more likely and more severe when they occur.

Does Microsoft 365's built-in security handle this automatically?

Microsoft provides tools - Secure Score, Defender for Cloud Apps, Entra ID monitoring - that give visibility into your configuration. What Microsoft doesn't do is manage your specific configuration decisions, remediate drift when it occurs, or maintain a configuration baseline aligned to your business's specific risk profile. The tools are available; the management of them is the customer's responsibility under the shared responsibility model.

How quickly does drift accumulate?

Faster than most businesses expect. In an actively used Microsoft 365 environment, meaningful configuration drift can accumulate within weeks of a security review. High-change environments - businesses going through growth, implementing new systems, or experiencing staff turnover - can drift significantly within days.

Is drift management only relevant for large organisations?

No - in some ways it's more relevant for SMEs. Larger organisations typically have dedicated security teams monitoring their environment continuously. SMEs often don't, which means drift accumulates undetected for longer. The consequences are proportionally more damaging for a smaller business without the resources to absorb a significant security incident.

What does a cloud security assessment cover?

A cloud security assessment reviews your current Microsoft 365, Azure, and connected application configurations against security best practice and your own documented policies. It identifies configuration gaps, excessive permissions, unsecured integrations, and drift from your intended baseline. The output is a prioritised remediation plan that tells you what to fix first, based on risk - not a generic list of everything that could theoretically be improved.

How often should we review our cloud security configuration?

Continuously, ideally - through automated monitoring that catches significant changes as they happen. At a minimum, a structured review of your full configuration quarterly, with a more comprehensive assessment annually. For environments with active compliance obligations or frequent change, continuous monitoring supported by a managed security service is the appropriate standard.


Is Your Cloud Environment Still Configured the Way You Set It Up?

Most organisations are surprised by how much their environment has changed since it was last reviewed. Staff turnover, new applications, permission changes, platform updates - they accumulate quickly and quietly.

A cloud security assessment with NSP identifies where configuration drift has occurred in your Microsoft 365 and cloud environment, which changes present genuine risk, and what to prioritise first. We'll give you a clear picture of where you stand and a practical plan for getting it back to where it needs to be.

Book your free 30-minute consultation →

Or call us directly: 0508 010 101
