Despite significant improvements in cloud security in recent years, IT professionals are still cautious about storing and processing sensitive data in the cloud. We still hear of security breaches caused by misconfigured storage containers, insecure interfaces and APIs, user account hijacking, and more.
The lack of visibility, combined with the ease with which employees can share data with people outside the organization, makes security professionals nervous. At the end of the day, even if the cloud service provider has the best firewalls and intrusion prevention systems that money can buy, you are still storing your sensitive data on a server managed by a third party and reachable from the public Internet. All of these concerns apply to SharePoint Online.
How Good is SharePoint Online Security?
SharePoint Online is part of the Microsoft Office 365 suite. In this case, we are trusting Microsoft to secure their servers and protect our data from malicious outsiders. And let’s face it, a lot of hackers would love to breach Microsoft’s servers, even if it’s just for fun.
Of course, we can rest assured that Microsoft will secure their data centers with the latest and greatest security technologies, and will no doubt employ the most competent security professionals available. After all, were they to suffer a serious data breach, this could damage their reputation, which will, in turn, lead to a loss of revenue, and perhaps even a fall in their share price.
In some cases, keeping an organization’s data secure is probably more important to Microsoft than it is to the organizations using their services. However, there is one thing we must bear in mind: responsibility is shared. Microsoft secures the platform, but it is not Microsoft’s job to protect our data from our own users, from over-permissive sharing settings, or from insider threats. Configuring sharing, permissions, classification and monitoring in our tenant is up to us, and those are the steps that protect sensitive data from unauthorized access and use.
5 SharePoint Online Security Best Practices
Below are 5 tips to help you manage your SharePoint Online security.
1. Sharing sensitive data with third-parties
In early versions of SharePoint Online, sharing content with third parties was an arduous process: every external user had to be added to your Identity and Access Management (IAM) system, usually Active Directory. Later versions of Office 365 added further ways of sharing content externally. A sharing link can now either grant anyone who holds it anonymous access to a specific document or folder, with no sign-in at all, or require the recipient to authenticate (with a work or school account, or a Microsoft account, formerly known as a Live ID) before the site or document can be opened. Microsoft previously limited the number of external users who could be given access to an Office 365 tenant; that limit has been removed. The security-relevant point is that the most convenient options are the riskiest ones: decide at the tenant level whether anonymous links are allowed at all, give any you do allow a view-only default and an expiry date, restrict invitations to known partner domains, and lock down sites that hold sensitive data more tightly than the tenant default.
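The following is an added example, not code from the original article, showing how those external-sharing decisions are expressed with the SharePoint Online Management Shell. The tenant name "contoso", the Finance site URL and the partner domains are placeholders; the cmdlets and parameters are the standard Set-SPOTenant / Set-SPOSite ones.

```powershell
# Added example (not from the original article): harden tenant-wide external sharing,
# then make one site that holds sensitive data strictly internal. "contoso", the site
# URL and the partner domains are placeholders.
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser   # once
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Record the current settings before changing anything (keep this with the change ticket).
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType,
    SharingDomainRestrictionMode, SharingAllowedDomainList

# Tenant baseline:
#  - external recipients must authenticate (no "Anyone" links that work without sign-in)
#  - a newly created link defaults to "people in the organization", view-only
#  - if anonymous links are ever re-enabled, they are view-only and expire after 14 days
#  - only named partner domains can receive sharing invitations
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -RequireAnonymousLinksExpireInDays 14 `
              -FileAnonymousLinkType View `
              -FolderAnonymousLinkType View `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner-a.example partner-b.example"

# A site can only be as permissive as the tenant, but it can be stricter: the Finance site
# stays internal-only even if the tenant setting is relaxed later.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -SharingCapability Disabled

# Verify: list every site that still permits anonymous ("Anyone") links.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability
```

Run the Get-SPOTenant line first and keep its output: it is the evidence of what the tenant looked like before the change, and the final Get-SPOSite query is the check you repeat periodically, since site owners can loosen per-site settings within whatever the tenant allows.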
2. Manage group permissions in SharePoint Online
Anyone familiar with Role-Based Access Control (RBAC) understands that managing permissions for groups (or roles) is significantly easier and less error-prone than managing permissions on a per-user basis. For example, if certain sites or documents need to be shared with the sales department, you could set up a “Sales” group which has access to those sites/documents. To grant access to a resource, you simply add users to the relevant group, and remove them from the group when you want to revoke access. Azure AD groups (including groups synchronized from your on-premises Active Directory) can be added as members of SharePoint groups, so any change to the directory group membership is automatically reflected in SharePoint. Individually named users on a site then become the exceptions that your access review should explain. You will still need processes in place to ensure that all permission and group-membership changes are carried out consistently and are reviewed.
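As an added example (not code from the original article), this is what the AD-group-to-SharePoint-group pattern looks like with the SharePoint Online Management Shell. The site URL, group names and the Azure AD object ID are placeholders; the `c:0t.c|tenant|<object-id>` claim string is how SharePoint Online identifies an Azure AD security group.

```powershell
# Added example (not from the original article): give the Sales department read access
# to a site through a SharePoint group whose only member is an Azure AD security group.
# Access is then granted and revoked by changing directory group membership, not by
# touching SharePoint permissions. Site URL, names and the object ID are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$site       = "https://contoso.sharepoint.com/sites/SalesPortal"
$aadGroupId = "11111111-2222-3333-4444-555555555555"   # object ID of the "Sales" security group

# SharePoint Online refers to an Azure AD security group by this claim string,
# not by its display name.
$aadGroupClaim = "c:0t.c|tenant|$aadGroupId"

# Create a site group with a read-only permission level and add the AD group to it.
New-SPOSiteGroup -Site $site -Group "Sales Readers" -PermissionLevels "Read"
Add-SPOUser -Site $site -LoginName $aadGroupClaim -Group "Sales Readers"

# Review: every SharePoint group on the site, its permission levels and its members.
# Any individually named user account listed here is an exception to the group model
# and should be justified or removed.
foreach ($g in Get-SPOSiteGroup -Site $site) {
    [pscustomobject]@{
        Group       = $g.Title
        Permissions = ($g.Roles -join ", ")
        Members     = ($g.Users -join ", ")
    }
}
```

Removing a salesperson from the Azure AD "Sales" group is now the single action that revokes their access; running the review loop across all sites (Get-SPOSite -Limit All) is how you catch the direct user grants that creep back in.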
3. The Office 365 Trust Center
Microsoft is fully aware of the security concerns that many IT professionals have when it comes to storing and processing sensitive data in the cloud. In response to these concerns, they introduced the Office 365 Trust Center, which provides in-depth information relating to all areas of security, privacy, and compliance. All Office 365 users should spend time reading through the documentation in order to better protect their network and data.
4. Discover and classify SharePoint content
Regardless of the platform you are using, data classification plays an important role in keeping your data secure. Knowing exactly what data you have and where it is located makes it a lot easier to apply the appropriate security controls and enforce privacy, retention, and confidentiality policies. Classifying your data makes searches faster and more effective and helps to ensure compliance with data protection regulations such as the GDPR, CCPA, HIPAA, and more. Data classification also helps you determine what data you actually need to store, which simplifies the removal of ROT (Redundant, Obsolete, and Trivial) data. SharePoint Online provides data classification tools that work by applying sensitivity labels to content and publishing the labels along with a policy that details how data classified under those labels should be treated. It also allows for automatic labeling, which can be applied to content both at rest and in use. Since we can’t assume that employees will always assign labels correctly, automatic labeling is the preferred choice for many organizations. However, automatic labeling matches on patterns and so produces both false positives and misses, and the range of file types it can label is limited. For that reason, start an auto-labeling policy in simulation mode and review what it would have labeled before enforcing it. Another option is a third-party DCAP (Data-Centric Audit & Protection) solution, which can aggregate event data from multiple cloud platforms and your on-premises environment and display a summary of the results in a single console. A third-party solution can deliver more accurate results, classify a wider range of data types and formats, and classify data in accordance with the specific data privacy regulations that are relevant to your industry.
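The following is an added example, not the article’s own code, showing the label, label policy and auto-labeling policy described above, created with the Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module. The label name, policy names and the Finance site URL are placeholders; "Credit Card Number" is one of the built-in sensitive information types.

```powershell
# Added example (not from the original article): create a "Confidential" sensitivity
# label, publish it to SharePoint, OneDrive and Exchange, and add an auto-labeling policy
# that applies it to documents on the Finance site containing credit card numbers.
# The auto-labeling policy starts in simulation mode so matches can be reviewed before
# anything is labeled. Names and the site URL are placeholders.
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser   # once
Connect-IPPSSession   # Security & Compliance PowerShell (not Connect-SPOService)

# 1. The label itself. No encryption or marking settings here; this is classification only.
New-Label -Name "Confidential" -DisplayName "Confidential" `
          -Tooltip "Internal financial or customer data. Do not share externally."

# 2. Publish it so users can apply it manually from Office and from SharePoint.
New-LabelPolicy -Name "Confidential label policy" -Labels "Confidential" `
                -SharePointLocation All -OneDriveLocation All -ExchangeLocation All

# 3. Auto-labeling: a policy scoped to one site, with one rule on a sensitive information type.
New-AutoSensitivityLabelPolicy -Name "Auto-label finance PANs" `
    -ApplySensitivityLabel "Confidential" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/Finance" `
    -Mode TestWithoutNotifications

New-AutoSensitivityLabelRule -Policy "Auto-label finance PANs" -Name "Credit card numbers" `
    -Workload SharePoint `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" })

# Confirm the policy is in simulation mode. Review the simulation results in the
# compliance portal, then enforce it with:
#   Set-AutoSensitivityLabelPolicy -Identity "Auto-label finance PANs" -Mode Enable
Get-AutoSensitivityLabelPolicy -Identity "Auto-label finance PANs" |
    Select-Object Name, Mode, Enabled
```

The simulation step is the practical answer to the false-positive problem: a 16-digit order number will match a credit-card pattern, and you want to see that in the simulation report rather than in a user’s complaint that their document was locked down.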
5. Monitor SharePoint files and folders for suspicious activity
As mentioned previously, regardless of how robust Microsoft’s security posture is, they cannot protect us from our own employees, who remain one of the greatest threats to our sensitive data. As such, it is imperative that we know exactly who is making what changes to our SharePoint content, and when. Office 365 provides user activity reports in the admin center, and the unified audit log records SharePoint file and folder operations (downloads, deletions, renames, sharing changes and so on) that can be searched from the compliance portal or from PowerShell. As with the built-in data classification tools, the native auditing capabilities have drawbacks and limitations when compared to a dedicated third-party solution, particularly around retention, alerting, and correlation across multiple cloud platforms and on-premises environments. Third-party SharePoint Online auditing solutions take event auditing further by using machine learning to establish typical usage patterns, against which new activity is tested to detect and respond to anomalies. They can also respond to events that match a pre-defined threshold condition, such as multiple failed login attempts or bulk file encryption. As before, a third-party solution provides a set of pre-defined reports out of the box that are tailored to the data privacy regulations relevant to our industry.
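As an added example (not code from the original article), the block below pulls SharePoint file operations from the unified audit log with Search-UnifiedAuditLog and runs two simple threshold rules of the kind the text describes: bulk downloads by one account, and a burst of files renamed to an extension you do not normally see, which is the footprint of a ransomware client encrypting a synced library. The thresholds, the user names and the sample records are constructed for illustration; the audit record fields used (UserId, Operation, ClientIP, SourceFileName, DestinationFileName) are the ones SharePoint audit records carry, but check them against your own export before relying on the rules.

```powershell
# Added example (not from the original article). Thresholds and sample data are constructed.

function Get-SpoFileEvents {
    param([datetime]$Start, [datetime]$End)
    # Requires Connect-ExchangeOnline first. Each result carries the record as JSON in AuditData.
    Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -RecordType SharePointFileOperation -ResultSize 5000 |
        ForEach-Object { $_.AuditData | ConvertFrom-Json }
}

function Find-SuspiciousFileActivity {
    param(
        [object[]]$Events,                 # objects with UserId, Operation, ClientIP, file names
        [int]$DownloadThreshold = 50,      # downloads per user in the window
        [int]$RenameThreshold   = 20,      # renames to the same unfamiliar extension per user
        [string[]]$KnownExtensions = @('docx','xlsx','pptx','pdf','txt','csv')
    )
    $findings = @()
    foreach ($userGroup in ($Events | Group-Object UserId)) {
        # Rule 1: one account downloading a large number of files.
        $downloads = @($userGroup.Group | Where-Object Operation -eq 'FileDownloaded')
        if ($downloads.Count -ge $DownloadThreshold) {
            $findings += [pscustomobject]@{
                User = $userGroup.Name; Rule = 'BulkDownload'; Count = $downloads.Count
                Detail = (($downloads.ClientIP | Sort-Object -Unique) -join ',')
            }
        }
        # Rule 2: many renames where the new extension is not one we expect to see.
        $oddRenames = $userGroup.Group |
            Where-Object { $_.Operation -eq 'FileRenamed' -and $_.DestinationFileName } |
            Where-Object { ($_.DestinationFileName -split '\.')[-1] -notin $KnownExtensions } |
            Group-Object { ($_.DestinationFileName -split '\.')[-1] }
        foreach ($ext in $oddRenames) {
            if ($ext.Count -ge $RenameThreshold) {
                $findings += [pscustomobject]@{
                    User = $userGroup.Name; Rule = 'MassRenameToUnknownExtension'
                    Count = $ext.Count; Detail = ".$($ext.Name)"
                }
            }
        }
    }
    return $findings
}

# Constructed sample: 60 downloads from one account, 25 renames to ".locked" from another,
# and one ordinary download that should not be flagged.
$sample = @()
1..60 | ForEach-Object {
    $sample += [pscustomobject]@{ UserId = 'alice@contoso.com'; Operation = 'FileDownloaded'
        SourceFileName = "q$_.xlsx"; DestinationFileName = $null; ClientIP = '203.0.113.10' }
}
1..25 | ForEach-Object {
    $sample += [pscustomobject]@{ UserId = 'bob@contoso.com'; Operation = 'FileRenamed'
        SourceFileName = "r$_.docx"; DestinationFileName = "r$_.docx.locked"; ClientIP = '198.51.100.7' }
}
$sample += [pscustomobject]@{ UserId = 'carol@contoso.com'; Operation = 'FileDownloaded'
    SourceFileName = 'agenda.docx'; DestinationFileName = $null; ClientIP = '203.0.113.20' }

Find-SuspiciousFileActivity -Events $sample | Format-Table -AutoSize
# Expected: one BulkDownload finding for alice (60) and one MassRenameToUnknownExtension
# finding for bob (25, ".locked"); carol is not reported.

# Against the live log for the last 24 hours:
#   Find-SuspiciousFileActivity -Events (Get-SpoFileEvents -Start (Get-Date).AddHours(-24) -End (Get-Date))
```

Two caveats a practitioner should keep in mind: Search-UnifiedAuditLog returns at most 5000 records per call (page with -SessionId and -SessionCommand ReturnLargeSet for busy tenants), and audit events can lag by some time, so this is a detective control to run on a schedule, not a real-time block. The extension allow-list is deliberately short; extend it from a baseline of your own tenant’s renames rather than guessing.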
Even if Microsoft’s security controls are second to none, it is ultimately up to us to review all Office 365/SharePoint security settings carefully, classify and clean up our data repositories, restrict access to sensitive data on a need-to-know basis, and continuously monitor all file and folder activity in SharePoint Online.