Much has been written about the rapid pace at which enterprises are adopting Microsoft Office 365. Of equal significance is that customers trust Microsoft with their most sensitive information, evidenced by the fact that 17.1% of files in OneDrive and SharePoint Online contain sensitive data such as payment, health, or personally identifiable information. While the misconception that the cloud is less secure than traditional on-premises IT deployments is wavering as enterprise-grade platforms like Office 365 develop a track record, the cloud’s shared responsibility model still requires both the customer and the cloud provider to take steps to ensure that sensitive data isn’t exposed to unauthorized third parties.
The shared responsibility model was on full display recently when researchers discovered that Microsoft customers were inadvertently exposing sensitive files, passwords, and health data publicly on the internet through Office 365’s Docs.com, which defaults to being publicly accessible. In this instance, the responsibility for ensuring that data publicly accessible via Docs.com adheres to corporate policies falls to the customer. In a statement, Microsoft reiterated this sentiment, “As part of our commitment to protect customers, we’re taking steps to help those who may have inadvertently published documents with sensitive information. Customers can review and update their settings by logging into their account at www.docs.com.”
While incidents like the above will likely continue, Microsoft’s core commitment to its share of responsibility will remain the same—namely, ensuring that it delivers a cloud platform (hardware and software) that is free of vulnerabilities and protected from intrusions that could lead to data loss. The customer is entrusted with the responsibility of ensuring compliance with internal policies and external regulations and that employees utilize Office 365 in a safe and secure manner. There are two primary data loss prevention (DLP) scenarios enterprises frequently look to achieve in their Office 365 environments:
- Preventing inappropriate or noncompliant file sharing with unauthorized third parties outside the enterprise
- Preventing regulated or high-value data from being uploaded to Office 365 against internal policies or external regulations
The above scenarios are unique to the cloud, and require a holistic approach to cloud DLP that goes well beyond traditional on-premises DLP solutions, or the DLP controls provided by Microsoft. Complicating things further is the fact that Office 365 consists of several cloud applications (Exchange Online, SharePoint Online, OneDrive, etc.), each requiring a different approach to preventing data from being accessed by unauthorized parties. Below are some recommendations and best practices when thinking about the best approach to take for Office 365 DLP.
1) Inventory existing policies and define cloud policies
Organizations looking to apply DLP policies to Office 365 likely have some form of DLP for their on-premises systems, such as email and endpoint devices. The first thing to do is examine those policies and their remediation actions and identify the ones that will also apply to Office 365. This exercise ensures that data in Office 365 will be protected to the same degree as on-premises systems and reveals any policy gaps, i.e. new policies needed for Office 365.
Organizations should also define the types of sensitive data that are permitted to be uploaded to Office 365 and those that aren’t, as well as types of sensitive data that can be shared externally and with whom. They should also develop a system to map sensitive data against relevant internal policies and external regulations, which would inform the type of security solution required.
2) Understand what types of sensitive data are being uploaded to Office 365
If Office 365 has already been deployed, as a first step enterprises should audit how the service is being used and what data is being stored in the platform. No action is needed during this phase; instead the focus should be on getting granular visibility into the types of sensitive data that users are uploading to Office 365. This process can take the form of scanning data stored at rest in OneDrive, SharePoint Online, and Exchange Online mailboxes.
The types of sensitive data to look for may include:
- Social Security numbers
- Credit card numbers
- Health records and other personal health information (PHI)
- Account numbers
- Spreadsheets with IP addresses
- Files that contain user passwords
- Outlook offline files (PST, MSG)
- Draft press releases
- Source code
3) Gain visibility into collaboration
Cloud services like Office 365 make collaboration simple and efficient, which increases the risk of inadvertently sharing data inappropriately. As a first step, it’s important for IT security to understand how employees are collaborating using Office 365. IT security should know how many files containing sensitive data are being shared with internal employees, how many with external partners, how many with personal email accounts (e.g. Gmail, Yahoo! Mail), and how many using anonymous links that can be forwarded to anyone. This step will then enable the security team to educate employees on secure collaboration and enforce policies.
4) Prevent sensitive data from being shared with unauthorized third parties
Microsoft has developed a robust set of APIs for Office 365 that enables real-time policy enforcement that covers all users and devices. Depending on your policy, when a violation occurs, possible remediation actions may include:
- Coach users on the acceptable collaboration policy
- Notify an administrator for further investigation
- Revoke a shared link to prevent anonymous sharing
- Curtail sharing permissions (e.g. change from edit to view)
- Restrict sharing to whitelisted email domains only
5) Prevent high-value data from being uploaded to or stored in Office 365
There are certain types of sensitive data that, based on your organization’s compliance or security posture, are not permitted to be stored in Office 365. A pharmaceutical company that spends billions of dollars on R&D, or a government contractor in charge of developing military equipment, may want to protect their core intellectual property from ever being uploaded to Office 365. A healthcare provider may want to prevent patient records from being uploaded.
Depending on your policies, you may need to identify high-value data using a combination of:
- Pattern matching (e.g. Social Security numbers, credit card numbers)
- Keyword matching (e.g. “confidential”, “passwords”, “salaries”)
- Document fingerprinting (e.g. tax form templates, HIPAA compliance forms, patent form templates, employee information forms used by HR)
- Structured data exact match (e.g. all database fields containing customer PII)
- Predefined set of dictionary terms (e.g. names of pharmaceutical drugs)
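As an added illustration of how these identification techniques combine in a single classifier (example code written for this post, not a vendor's or Microsoft's rule set), the following Python scans a document with a pattern match for SSNs, a Luhn-validated pattern match for card numbers, keyword and dictionary matching, and a normalized SHA-256 document fingerprint. The SSN and card regexes, the drug dictionary and the HR form template are all constructed for the example.

```python
import hashlib
import re

# Constructed, illustrative detectors for the data classes listed above; not a vendor's rule set.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")          # 13-16 digits, optional separators
KEYWORDS = ("confidential", "passwords", "salaries")       # keyword matching
DRUG_DICTIONARY = {"atorvastatin", "metformin"}            # constructed dictionary terms
# Constructed HR template used for document fingerprinting (assumed, not a real form).
EMPLOYEE_FORM_TEMPLATE = "Employee Information Form\nName:\nDate of Birth:\nSSN:\nHome Address:"


def luhn_ok(number: str) -> bool:
    """Luhn checksum: separates plausible card numbers from random 16-digit strings."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def fingerprint(text: str) -> str:
    """Whitespace- and case-insensitive SHA-256 so reformatted copies of a form still match."""
    normalized = " ".join(text.lower().split())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


KNOWN_FINGERPRINTS = {fingerprint(EMPLOYEE_FORM_TEMPLATE): "hr-employee-form"}


def classify(text: str) -> list[str]:
    """Return sorted labels for every detector that fires on the document."""
    labels = set()
    lowered = text.lower()
    if SSN_RE.search(text):
        labels.add("ssn")
    # A regex hit alone produces false positives; require the Luhn check to pass too.
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        labels.add("credit_card")
    for kw in KEYWORDS:
        if re.search(r"\b" + re.escape(kw) + r"\b", lowered):
            labels.add("keyword:" + kw)
    for term in DRUG_DICTIONARY:
        if re.search(r"\b" + re.escape(term) + r"\b", lowered):
            labels.add("dictionary:" + term)
    if (form := KNOWN_FINGERPRINTS.get(fingerprint(text))):
        labels.add("fingerprint:" + form)
    return sorted(labels)
```

The labels returned by `classify` are what a policy engine would map to the remediation actions listed below; the Luhn gate shows why a bare regex is not enough for card numbers.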
Possible automated/manual remediation actions may include:
- Quarantine file and replace with tombstone
- Permanently delete file
- Block file upload
- Coach users with just-in-time tips
- Notify administrator via email for further investigation
6) Enforce consistent DLP policies across cloud services
It is recommended that enterprises enforce a consistent set of policies and remediation actions across Office 365 and all other cloud service providers. Utilizing a unified DLP policy engine, incident reporting, and remediation workflow will drive greater operational efficiency. Enforcing the same policies across all services will also prevent policy enforcement gaps from emerging between cloud services. Lastly, a unified DLP policy engine allows a reviewer to focus on high-priority policy violations, and more readily identify potential false positives.