As you probably already know, Microsoft Office 365 enables employees (and other relevant stakeholders) to effortlessly collaborate on projects, and allows them to collectively share, edit and comment on documents in a harmonized manner. As they say, with great power comes great responsibility, but of course, this is not something we can count on. The reality is that employees are often unaware of who they are sharing documents with, and whether those documents contain sensitive information. Over time, as users haphazardly throw unrestricted links around and download files to their devices, we find ourselves in a situation where keeping track of who has access to our sensitive data is pretty much impossible.
File Sharing Systems in Microsoft Office 365
Office 365 relies on two seamlessly integrated platforms for sharing files: SharePoint Online and OneDrive. SharePoint Online provides the interface for sharing files, whereas OneDrive is used for storing the data itself. Both platforms use Exchange Online for sharing information via email, and Azure AD for Identity and Access Management (IAM).
How to Share Files in Office 365
To share files in Office 365 you can simply type in the name of the person(s) you want to share the files with, allow editing if required, click “Copy Link”, and then send the link to whoever you choose. It’s also worth noting that administrators have the option to block downloads, which is a good idea if you don’t want multiple copies of the file spread across multiple locations.
Office 365 gives you the option to share files both internally and externally:
How to Share Files Internally: When sharing files internally, all you need to do is save the files to your SharePoint folder, and then share the auto-generated link with the relevant parties.
How to Share Files Externally: The same is true for sharing files externally, although administrators must ensure that they have carefully reviewed the sharing options before allowing external sharing. For example, SharePoint administrators have the ability to prevent users from sharing documents externally, which is often a wise choice given how easy it is for group owners to grant guest access to SharePoint sites and Teams conversations. Administrators can either restrict access to SharePoint content via Azure AD, enable guest access, or share content with any user authenticated to any Office 365 or Microsoft account.
Best Practices for Microsoft 365 File Sharing
Microsoft 365’s external sharing capabilities allow users to collaborate with individuals outside of their organization without requiring them to have an approved account. SharePoint Online and OneDrive are the two file sharing systems in Office 365. They work together to provide the complete file sharing functionality. OneDrive serves as the storage while SharePoint acts as the interface. A link to a document stored in OneDrive actually points to SharePoint Online. Users have the option to share entire teams, channels, sites, or individual files. However, sharing and collaborating within Office 365 can have unintended consequences, as users may not fully understand what they are sharing and with whom. This can result in a disorganized system with unrestricted access to sensitive data. Below are some of the most notable best practices for sharing files in OneDrive and SharePoint.
1. Enable Multi-Factor Authentication
Multi-factor authentication (MFA) plays a crucial role in enhancing the security of file shares in Office 365, providing an additional layer of protection against unauthorized access. By requiring multiple forms of identification to access the file shares, MFA effectively guards against password compromise and phishing attacks. With MFA enabled, users are prompted to provide an additional authentication factor such as a fingerprint scan, a unique code sent to their mobile device, or a hardware token, ensuring that only authorized individuals with physical possession or knowledge of the authentication factors can gain entry.
2. Enforce Least Privileged Access to Office 365 Data
The principle of least privilege (PoLP) emphasizes that users should be given only the necessary access to perform their job functions, thus enhancing the security of your data. To achieve this, it is recommended to organize user accounts into groups based on their job functions, such as IT, HR, Finance, Dev, etc. These groups should be granted permissions to access data in Office 365, instead of individual user accounts. In addition, it is important to assign a Group Owner for each group. This individual will be responsible for approving new group members and regularly auditing the group. Limited Access or View Only permissions should not be used. Instead, non-members should request access from a group member according to file sharing rules. Furthermore, it is advisable to create separate Public SharePoint sites for public-facing documents. It is important to keep these Public sites separate from your Team sites to maintain proper organization and security.
3. Classify Sensitive Data Stored in Office 365
It is crucially important that you discover and classify any personally identifiable information (PII), protected health information (PHI), intellectual property, and any other types of sensitive data in order to keep it secure. Once you have appropriately labeled your data, you can verify that its access permissions align with the Principle of Least Privilege. Labeling data will also help security tools identify the data as sensitive and handle it accordingly. For instance, such tools can automatically encrypt sensitive files and enforce policies to prevent downloads to unmanaged devices.
4. Prevent Downloads to Unmanaged Devices
It is important to ensure that your data remains within your organization’s control. One method to achieve this is to prohibit any data downloads to devices that are not managed by your IT team. Authorized users can still view the data through a browser on an unmanaged device, but only with the link and the consent of the Group Owner.
5. Restrict and Monitor External Sharing
In Office 365, users have the ability to create sharing links, which they can send to others to access the same document. However, caution must be exercised as these links can be stolen or abused to gain unauthorized access to files or folders. To ensure the safety of your data, there are certain measures you should take. Firstly, you should prevent users from creating folder-sharing links that grant access to multiple files, whether internally or externally. If a user needs to access files owned by another group, they should request access from the Group Owner. External sharing should only be allowed for non-sensitive files. If sensitive files need to be shared with third parties, they should be added as Guests in your Azure AD, and their access should be carefully controlled. As these guests are listed in the Group membership, the Group Owners can regularly audit the list and remove any unnecessary users. Moreover, it is recommended to set an expiration period for all user-created links, typically ranging from a few days to a week. While this may require users to generate multiple links for collaborating on a file, it helps prevent the number of links to your data from endlessly growing. By allowing these links to naturally expire, the risk of unauthorized access can be significantly reduced.
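The tenant-level settings behind best practices 4 and 5 can be applied with the SharePoint Online Management Shell. The script below is an added example, not code from the original post: it assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that the caller is a SharePoint administrator, and uses a placeholder tenant name (“contoso”) and a placeholder site URL that you would replace with your own. The specific values (7-day link expiry, 30-day guest expiry) are illustrative.

```powershell
# Added example: harden SharePoint Online / OneDrive sharing at the tenant level.
# "contoso" is a placeholder tenant name; replace it with your own.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Record the current settings first so the change can be reviewed and, if needed, reverted.
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, RequireAnonymousLinksExpireInDays, ConditionalAccessPolicy
$before | Format-List

$settings = @{
    # Best practice 5: external sharing only with guests that already exist in Azure AD,
    # so there are no anonymous "anyone" links and Group Owners can audit the guest list.
    SharingCapability                 = 'ExistingExternalUserSharingOnly'
    # New links default to "specific people" with view permission rather than edit.
    DefaultSharingLinkType            = 'Direct'
    DefaultLinkPermission             = 'View'
    # If anonymous links are ever re-enabled, user-created links expire after a week.
    RequireAnonymousLinksExpireInDays = 7
    # Guests cannot re-share content that was shared with them.
    PreventExternalUsersFromResharing = $true
    # Guest access expires (illustrative value) and must be renewed by the site owner.
    ExternalUserExpirationRequired    = $true
    ExternalUserExpireInDays          = 30
    # Best practice 4: unmanaged devices get browser-only access (no download, print or sync).
    ConditionalAccessPolicy           = 'AllowLimitedAccess'
}
Set-SPOTenant @settings

# Sites holding sensitive data (placeholder URL) get external sharing switched off entirely;
# a per-site setting can only be as permissive as the tenant setting, never more.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -SharingCapability Disabled

# Confirm the result.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, RequireAnonymousLinksExpireInDays, ConditionalAccessPolicy
```

Note that `ConditionalAccessPolicy AllowLimitedAccess` only takes effect once a matching Azure AD Conditional Access policy with “Use app enforced restrictions” is in place for Office 365; the SharePoint setting alone does not block downloads.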
6. Monitor Office 365 for Unauthorized Activities
You can ensure the protection of Office 365 by actively monitoring for any potential breaches or unauthorized activities that may be conducted by both internal and external parties. The Lepide Data Security Platform is designed to monitor Office 365 (and other platforms), safeguarding your data stored in OneDrive, SharePoint sites, Teams, and Exchange Online. It can help you keep track of changes in file and folder activity, modifications to group memberships, administrative actions, and more. Additionally, you can classify your Office 365 data in accordance with GDPR, CCPA, HIPAA, and other data privacy regulations. It can help to establish a workflow that allows for the approval, denial, and management of data access, ultimately granting the true custodianship of data to Group Owners. Lepide also creates user behavior profiles to detect any abnormal activities within Office 365, providing early warning signs of potential insider or external threats.
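Whether or not you use a dedicated product, the raw material for this kind of monitoring is the Microsoft 365 unified audit log. The script below is an added example, not code from the original post and not part of the Lepide platform: it pulls the last seven days of SharePoint and OneDrive sharing events and summarizes who shared what with whom, surfacing guest and anonymous-link shares first. It assumes the ExchangeOnlineManagement module and an account holding the audit log reader role; the operation names are the standard SharePoint sharing audit operations.

```powershell
# Added example: review recent sharing activity from the Microsoft 365 unified audit log.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Sharing-related operations recorded by SharePoint Online / OneDrive.
$ops = 'SharingSet', 'SharingInvitationCreated', 'AnonymousLinkCreated', 'AddedToSecureLink'
$results = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType SharePointSharingOperation -Operations $ops -ResultSize 5000

# AuditData is a JSON string; flatten the fields a reviewer cares about.
$events = foreach ($r in $results) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $d.CreationTime
        Operation  = $d.Operation
        SharedBy   = $d.UserId
        Target     = $d.TargetUserOrGroupName
        TargetType = $d.TargetUserOrGroupType   # Member, Guest or SecurityGroup
        Item       = $d.ObjectId
        Site       = $d.SiteUrl
    }
}

# External exposure first: shares to guests and any anonymous link creation.
$external = $events | Where-Object {
    $_.TargetType -eq 'Guest' -or $_.Operation -eq 'AnonymousLinkCreated'
}
"External shares in the last 7 days: $($external.Count)"
$external | Sort-Object Time -Descending | Format-Table Time, Operation, SharedBy, Target, Item -AutoSize

# Most active sharers, which is where the "haphazard link throwing" described above shows up.
$events | Group-Object SharedBy | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count | Format-Table -AutoSize
```

Run it on a schedule and hand the external-share list to the relevant Group Owners; a guest who appears here but no longer needs access is exactly the membership a Group Owner should remove during the regular audit recommended in best practice 5.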
How Lepide Helps Secure Microsoft 365
Lepide Data Security Platform is a comprehensive solution designed to enhance data security within Microsoft 365 environments.
Lepide provides real-time monitoring and alerting capabilities. It continuously monitors user and administrator activities within Microsoft 365, detecting and alerting on any unusual or potentially malicious behavior. This proactive approach helps identify potential security threats and enables prompt responses to mitigate risks.
The platform also assists in enforcing data access policies and permissions. It allows administrators to define granular access controls through detailed permissions reports, ensuring that only authorized individuals can access specific data or perform certain actions within Microsoft 365. This helps prevent unauthorized access and potential data breaches.
Lepide Data Security Platform automatically identifies and classifies sensitive data across Microsoft 365, such as personally identifiable information (PII) or financial data. With accurate classification, organizations can better protect and manage their sensitive data, implementing appropriate security measures based on the data’s sensitivity.
Lepide also helps organizations demonstrate adherence to regulatory requirements like GDPR, HIPAA, or SOX by providing detailed reports and audit trails, showcasing compliance efforts within the Microsoft 365 environment.
If you’d like to see how Lepide can help you secure your Microsoft 365 environment, schedule a demo with one of our engineers.