OneDrive
OneDrive for Business Security
Document Management Security in the cloud are big topics of conversation these days. We come across a lot of organizations and competing products all claiming to be the best when it comes to document security in the cloud. The purpose of this blog is to provide a real-world overview of using OneDrive for Business instead of a separate, stand-alone product, especially if you are already using Office 365. In the event you looked at this product two years ago and crossed it off your list, it is critical to know that the security features of OneDrive for Business has been drastically increased since that time.
There are obvious business advantages to OneDrive for Business over essentially every other tool out there – most notably there is no additional cost for current Office 365 subscribers and the integration with a whole suite of other products you are probably using – or intend to use. Why authenticate to, and integrate with, a whole new product when you already own one if it does the job. Your administrators generally already know how to manage the platform and will not need to learn a new product.
Let’s cut to the chase and run down the major security elements you may not be aware of currently in OneDrive for Business and Office 365. My goal was to cut through all various features to get to something concise and readable, but with links to more detailed functionality where applicable.
Microsoft Stance
First and foremost, Microsoft has stated that this is YOUR data, not theirs. It is not open and available for data mining or access by their personnel. They have taken great pride and effort in putting together a plan that will allow their customers to store their data with confidence. For more information, visit the Microsoft Trust Center: https://www.microsoft.com/en-us/trustcenter/
Based on the efforts to obtain validation for their investment in security, Office 365 has obtained independent verifications for the following:
- ISO 27001
- ISO 27018
- SSAE 16
- EU Model Clauses
- HIPAA Business Associate Agreement (BAA) with all customers
- FISMA
Data Protection
Files are encrypted at both the Disk Level (using Bitlocker Drive Encryption) and file level. The specifics are available via this (and many) posts from Tim Rains – Director of Security at Microsoft:
Tim also discusses the specifics of the security during transit and synchronization
Microsoft also has features in place to perform the following:
- Port scanning and remediation
- Perimeter vulnerability scanning
- Operating system security patching
- Network-level distributed denial-of-service (DDoS) detection and prevention
- Multi-factor authentication
Management Security Features
There are a myriad of features designed to allow for usability and flexibility in how to implement and secure the storage and collaboration of data in OneDrive for Business and Office 365. The key is to create a governance plan to understand your specific policies and then convert those policies into a technical implementation. Below are some examples of the security features in Office 365 / OneDrive for Business.
- OneDrive for Business file synchronization can be configured to work only on domain-joined PCs. It can also be configured to only synchronize to PCs that are members of administrator specified Windows domains.
- Block synchronization altogether
- Block certain file types from synchronizing
- Limit external sharing permissions for specific users
- Manage specific domain allowances for external sharing
- Time limit allowances for anonymous link access/sharing
- Separate sharing capabilities and rules for OneDrive for Business vs. SharePoint
- Site -> Library -> Folder -> Item level permissions
- Ability for users and admins to very quickly see who has access to a folder or document
- Create & Manage data retention policies for OneDrive or SharePoint sites
- Extremely detail-specific activity alerts for targeted actions for all or specified users.
- Administrative Permission Segregation
- Default & Custom Sensitive Information Types to be included in polices
- Unusual Sign-In Activity Detections
Mobile Device Management
The ability to manage devices, and specifically mobile devices in the BYOD world continues to improve for OneDrive for Business and related functionality, below is a sampling of the supported security features
- Conditional Access based on network location
- Restrict apps that don’t support modern authentication
- Multifactor and additional device security: PIN / remote wipe, etc.
- Block downloading files in apps
- Block screenshots
- Block copying, printing, backing up
- Require app passcode
- Block file access in non-OneDrive apps
- Encrypt data on the device
- More progressive sign-in timelines
- Manage activities after a device has been offline
DLP
Define Data Loss Prevention policies based on default or custom data information classification. Be alerted immediately to breaches in DLP policies. There is a default Dashboard showing recently policy matches (infractions) and false positives to help you refine your policies and information types. Policies are relatively simple to create, can be set to include or exclude certain users, and each policy can contain any number of extensively defined rules based on information types. You can choose severity, actions, notification, and exclusions.
Azure Rights Management
Information Rights Management has transformed to Azure Rights Management and can be added to OneDrive for Business or SharePoint document libraries individually. This technology allows the security to follow the document after it leaves the cloud instead of just securing it while it lives there.
Documents emailed outside your organization cannot be opened without actively authenticating against your Azure Active Directory to obtain current rights to that document. There are granular settings allowing specific users a limited time window for documents sent to them, and integration with Exchange for email encryption is supported as well.
https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms
eDiscovery
eDiscovery in Office 365 allows you to create “cases” and create holds on specific data based on search criteria that may be defined via legal action. This search and hold capability spans SharePoint, OneDrive, Mailboxes, Public Folders, and can be locked down in its current state and exported for legal discovery purposes.
Auditing / Reporting
Office 365 support full auditing for almost all actions taken on OneDrive for Business files. The list is activities that can be audited is very large, but I’ve highlighted some of the main or interesting actions below to give you an idea of how much depth is in these capabilities:
Activities:
- Files & Pages: Accessed, Viewed, Modified, Deleted, Moved, Checked out, etc.
- Folder changes
- Sharing & Access Requests: Created, Accepted, Denied, Used Anonymous, etc.
- Monitor Synchronization Attempts & Activities
- Site Administration and Permission Activities
- Over 350+ event types in total can audited
Can Be Refined to:
- Person or People Based auditing if desired
- Date Ranges Supported
- Specific sites or locations
Hope this information helps! If you have any questions, fill out the form below and we will be in touch to answer any questions or help with any issues.