If you’re moving to the Microsoft cloud, you’re not alone: Office 365 adoption continues to increase, with 180 million monthly active users. But while migrating your data to the cloud offers numerous collaboration and productivity benefits, it can also pose data protection and compliance challenges.
Here are five best practices you can follow to keep your data safe and accessible in Office 365.
Enforce least privileged access to SharePoint Online
Least privilege – ensuring each user has access only to the data they need to do their job – is simple in theory but can be difficult to execute. Start by organising user accounts into groups with similar job functions, and then grant data access permissions in Office 365 to those groups. Keep things simple: never allow individual user accounts on access control lists (ACLs) in Office 365.
IT is often responsible for making data access changes on behalf of users, which is inconvenient for everyone and adds to IT's workload. Instead, assign a data owner, or a group owner, as the gatekeeper of each group's membership (and, in turn, of the group's data access). The group owner can approve new group members and audit the group's membership on a regular basis.
Classify sensitive data in SharePoint Online
You must scan the data that lives in Office 365 and identify personally identifiable information (PII), data that falls under the constraints of GDPR, confidential information such as intellectual property, and any other information that could result in a fine or competitive disadvantage or otherwise put you at risk. After identifying files with sensitive information, ensure they are locked down to least privilege and labelled, so your security tools can handle that data appropriately.
Prevent downloads to unmanaged devices
You must keep your team data in-house as much as possible. One way to do this is to prevent downloads to devices that your IT team doesn't manage. Viewing the data in a browser from an unmanaged device is acceptable for a user who has the link and the approval of the group owner.
Minimise and audit external sharing
When users create sharing links in Office 365, they might grant anyone with the link permission to access the file. Those links can get stolen, intercepted or potentially brute-forced to allow access to those files, or even folders.
You must prevent users from creating folder-sharing links that grant access to multiple files. If a user needs files owned by another group, they should request access from the group owner.
Limit external sharing to non-sensitive files only. If you must share sensitive files with third parties, add them as guests in your Azure AD and grant them appropriate access that way. Because they are guests and listed in the group membership, group owners can audit the list and remove any extra users when appropriate.
Finally, be sure to set all user-created links to expire. While this means that your users might need to generate multiple links to collaborate on a file, it also means you effectively and continuously remove risk.
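The two tenant-wide controls described above (blocking downloads to unmanaged devices, and restricting and expiring sharing links) can be applied from the SharePoint Online Management Shell. The following is an added example, not code from the original post or from Varonis; it assumes the Microsoft.Online.SharePoint.PowerShell module is installed, uses a placeholder admin URL, and treats the 30-day expiry values as an assumed policy choice.

```powershell
# Added example: apply the "prevent downloads to unmanaged devices" and
# "minimise external sharing" practices as SharePoint Online tenant settings.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant URL

# Snapshot the current settings so the change can be reviewed and reverted.
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, RequireAnonymousLinksExpireInDays,
    ConditionalAccessPolicy, LimitedAccessFileType
$before | Format-List

$sharing = @{
    # External sharing only with authenticated guests added to Azure AD;
    # anonymous "anyone with the link" sharing is disabled tenant-wide.
    SharingCapability                 = 'ExternalUserSharingOnly'
    # Guests cannot re-share content they were given access to.
    PreventExternalUsersFromResharing = $true
    # New links default to "specific people" with view-only permission, so a
    # user must deliberately choose anything broader.
    DefaultSharingLinkType            = 'Direct'
    DefaultLinkPermission             = 'View'
    # Defence in depth: if anonymous links are ever re-enabled, they are
    # view-only and expire after 30 days (assumed policy value).
    FileAnonymousLinkType             = 'View'
    FolderAnonymousLinkType           = 'View'
    RequireAnonymousLinksExpireInDays = 30
    # Guest access itself expires unless renewed (assumed policy value).
    ExternalUserExpirationRequired    = $true
    ExternalUserExpireInDays          = 30
}
Set-SPOTenant @sharing

$devices = @{
    # Unmanaged devices get browser-only access: no download, print or sync.
    # Note: this only takes effect once an Azure AD Conditional Access policy
    # targeting Office 365 SharePoint Online with "Use app enforced
    # restrictions" exists; the tenant setting alone is not sufficient.
    ConditionalAccessPolicy = 'AllowLimitedAccess'
    # Only Office files are rendered in the browser; other types are blocked.
    LimitedAccessFileType   = 'OfficeOnlineFilesOnly'
}
Set-SPOTenant @devices

# Re-read and confirm the settings actually took effect.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, RequireAnonymousLinksExpireInDays,
    ConditionalAccessPolicy, LimitedAccessFileType | Format-List
```

Tenant-level settings are the ceiling; individual sites can be made stricter (but not looser) with Set-SPOSite, which is where the sensitive-data sites identified earlier should be tightened further.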
Monitor SharePoint Online
Lastly, monitor Office 365 for data breaches by insiders and outside attackers by tracking file and folder activity, group membership changes, admin activity, and more. Correlate network traffic with monitored data to detect possible cyber-attacks in progress.
Varonis monitors Office 365 to protect your data in the Microsoft Cloud. It classifies your Office 365 data, and data in other stores, to identify sensitive content. You can build a complete workflow to approve, deny and manage access to your data that makes the group owners the true keepers of their data. Varonis creates individual user behaviour baselines to detect abnormal Office 365 activity that indicates a potential insider or external attack.
By Matt Lock, Technical Director, Varonis UK
Request your data risk assessment today: info.varonis.com/free-risk-assessment