As you probably already know, Microsoft Office 365 enables employees (and other relevant stakeholders) to effortlessly collaborate on projects, and allows them to collectively share, edit and comment on documents in a harmonized manner. As they say, with great power comes great responsibility, but of course, this is not something we can count on. The reality is that employees are often unaware of who they are sharing documents with, and whether those documents contain sensitive information. Over time, as users haphazardly throw unrestricted links around and download files to their devices, we find ourselves in a situation where keeping track of who has access to our sensitive data is pretty much impossible.
Office 365 relies on two seamlessly integrated platforms for sharing files: SharePoint Online and OneDrive. SharePoint Online provides an interface for sharing files, whereas OneDrive is used for storing the data itself. Both platforms use Exchange Online for sharing information via email, and Azure AD for Identity and Access Management (IAM).
How to Share Files in Office 365
Office 365 gives you the option to share files both internally and externally. When sharing files internally, all you need to do is save the files to your SharePoint folder, and then share the auto-generated link with the relevant parties.
The same is true for sharing files externally, although administrators must ensure that they have carefully reviewed the sharing options before allowing external sharing. For example, SharePoint administrators have the ability to prevent users from sharing documents externally, which is often a wise choice given how easy it is for group owners to grant guest access to SharePoint sites and Teams conversations. Administrators can either restrict access to SharePoint content via Azure AD, enable guest access, or share content with any user authenticated to any Office 365 or Microsoft account.
To share files in Office 365 you can simply type in the name of the person(s) you want to share the files with, allow editing if required, click “Copy Link”, and then send the link to whoever you choose. It’s also worth noting that administrators have the option to block downloads, which is a good idea if you don’t want multiple copies of the file spread across multiple locations.
Office 365 File Sharing Security Best Practices
Anytime a document containing sensitive data is shared by your employees, it is imperative that you know exactly who shared the document, and are able to determine whether they are authorized to do so. In order to give you the most visibility and control over your O365 content, there are a number of best practices that should be adhered to.
1. Discover and Classify SharePoint Online Content
In a distributed environment such as MS Teams, documents containing private information have a tendency to get lost, or at least end up somewhere they don’t belong. That’s why it’s essential that you know exactly what data you have (including any duplicates), and where it is located. You will need a tool that can scan your repositories for sensitive information, such as PII, PHI, and PCI, and classify the data accordingly. Once you have classified your data, it’s a good idea to do some basic housekeeping by removing any data that is no longer relevant, including any duplicates (assuming they are not required).
It is possible to classify content stored in SharePoint Online via the Office 365 Compliance admin center, which involves creating, configuring, and publishing sensitivity labels, which you can assign to your data. Office 365 also allows for automatic labeling, which is the preferred choice for many organizations due to its simplicity.
Automatic labeling is not as accurate as manual labeling, but at least you don’t have to worry about whether your employees will label the content correctly, if at all. Alternatively, you can use a third-party data classification solution, which, as you would expect, will have functionality that is not available with the native classification tools.
Most sophisticated third-party solutions can identify a broader range of data types, such as those covered by HIPAA, GDPR, and GLBA. They can scan repositories across multiple platforms, and even identify sensitive data in images.
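The discovery and classification step above, shown as an added Python example that is not from the original article or from Microsoft's or any vendor's tooling: it tags documents containing Luhn-valid card numbers or SSN-shaped values and points each duplicate at the first copy found. The label names, the two detectors and the sample documents are assumptions made for illustration.

```python
import hashlib
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # US SSN in the 3-2-4 layout

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Return the sensitive data types found in one document."""
    types = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            types.add("PCI")
    if SSN_RE.search(text):
        types.add("PII")
    return types

def scan(documents: dict) -> dict:
    """Map each path to its label, data types and the first identical copy."""
    first_seen, report = {}, {}
    for path in sorted(documents):
        text = documents[path]
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        types = classify(text)
        label = "Confidential" if types else "General"  # hypothetical label names
        report[path] = {"label": label, "types": types,
                        "duplicate_of": first_seen.get(digest)}
        first_seen.setdefault(digest, path)
    return report

# Constructed sample content: a standard test card number, an SSN-shaped value
# with the never-issued area 000, and a 16-digit reference that fails Luhn.
SAMPLE = {
    "Finance/refunds.txt": "Refund to card 4111 1111 1111 1111 approved",
    "Teams/refunds.txt": "Refund to card 4111 1111 1111 1111 approved",
    "HR/onboarding.txt": "New hire SSN 000-12-3456 on file",
    "Sales/invoice.txt": "Invoice ref 1234567890123456 due in 30 days",
}
```

The invoice reference is left as General because it fails the checksum, which is the kind of false positive a pattern-only scanner would raise.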
2. Enforce “Least Privilege” Access
Now that you know where your sensitive data resides, you will need to ensure that your employees and third parties only have access to the data they absolutely need, and access should be revoked as soon as it is no longer required. In large organizations, as opposed to assigning access rights to each user, it is better to create roles and assign both access rights and users to those roles. Roles might include IT, Finance, HR, Dev, and so on. You should also assign a group owner to each group, who will be responsible for approving new members.
3. Restrict External Sharing
In many cases, users create and share links to folders containing sensitive data, which can be accessed by anyone with the link. This is an obvious security risk as these links are sometimes stolen, sent to the wrong recipients, and in some cases brute-forced by attackers. The first thing you should do is prevent users from sharing links to folders that contain multiple files.
In situations where an employee needs access to files created by another group, they must request access from the owner of that group. If you need to share documents containing sensitive data with a third party, the best approach would be to add them as guest users to your Azure AD, as this will give you more visibility and control over who has access to what data.
The next thing you will need to do is ensure that all user-created links are set to expire after a maximum of one week. Of course, this will mean that your users may have to generate more than one link. However, by allowing links to expire, you won’t need to worry about having lots of links to sensitive data left lying around unaccounted for.
4. Monitor Access to SharePoint Online Content
Monitoring access to sensitive data not only helps to keep your data secure; knowing who has access to your sensitive data is also a requirement of many data privacy regulations, such as GDPR, HIPAA, CCPA, and more. Anytime a document containing sensitive data is accessed, shared, modified, or removed, you need to know about it. Office 365 provides an auditing tool that is able to generate more than 500 reports, including reports for Azure AD, Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, and more. Alternatively, you can use a third-party solution that will also provide real-time alerting, threshold alerting, and generate reports that are customized to meet the requirements of most data privacy regulations.
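The monitoring described above, together with the external-sharing rules in section 3, as an added Python example (not from the original article or any product): it reads sharing events exported from the audit log as JSON lines and ranks anyone-with-the-link URLs, folder links and guest shares, raising the score for items under locations classified as sensitive. The field and operation names follow the SharePoint sharing records in the Microsoft 365 audit log; the export format, the scoring and the sample records are assumptions.

```python
import json

# Operation names as they appear in Microsoft 365 audit records for sharing.
ANON_OPS = {"AnonymousLinkCreated"}
DIRECT_OPS = {"SharingInvitationCreated", "AddedToSecureLink", "SharingSet"}

def triage(lines, sensitive_prefixes):
    """Return findings as dicts, most severe first (scoring is illustrative)."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        op, obj = ev.get("Operation"), ev.get("ObjectId", "")
        if op in ANON_OPS:
            score, reason = 2, "anyone-with-the-link URL created"
            if ev.get("ItemType") == "Folder":
                score, reason = 3, "anyone-with-the-link URL created on a folder"
        elif op in DIRECT_OPS and ev.get("TargetUserOrGroupType") == "Guest":
            score = 1
            reason = "shared with guest " + ev.get("TargetUserOrGroupName", "unknown")
        else:
            continue  # internal sharing or unrelated activity
        if any(obj.startswith(p) for p in sensitive_prefixes):
            score += 2  # item sits under a location classified as sensitive
        findings.append({"score": score, "user": ev.get("UserId"),
                         "object": obj, "reason": reason})
    return sorted(findings, key=lambda f: f["score"], reverse=True)

# Constructed audit records, one JSON object per line; contoso is a placeholder tenant.
SAMPLE_LOG = [
    '{"Operation": "AnonymousLinkCreated", "UserId": "alice@contoso.com", "ItemType": "Folder", '
    '"ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/Payroll"}',
    '{"Operation": "SharingInvitationCreated", "UserId": "bob@contoso.com", "ItemType": "File", '
    '"TargetUserOrGroupType": "Guest", "TargetUserOrGroupName": "partner@fabrikam.example", '
    '"ObjectId": "https://contoso.sharepoint.com/sites/marketing/Shared Documents/brief.docx"}',
    '{"Operation": "SharingSet", "UserId": "carol@contoso.com", "ItemType": "File", '
    '"TargetUserOrGroupType": "Member", "TargetUserOrGroupName": "dave@contoso.com", '
    '"ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/q3.xlsx"}',
    '{"Operation": "FileAccessed", "UserId": "dave@contoso.com", "ItemType": "File", '
    '"ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/q3.xlsx"}',
    '{"Operation": "AnonymousLinkCreated", "UserId": "erin@contoso.com", "ItemType": "File", '
    '"ObjectId": "https://contoso.sharepoint.com/sites/marketing/Shared Documents/logo.png"}',
]
SENSITIVE = ["https://contoso.sharepoint.com/sites/finance/"]
```

Feeding the list of sensitive locations from the classification step keeps the ranking aligned with what has actually been labelled.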