Formerly, when on-premises applications and email servers were the primary method of collaboration within and between enterprises, IT security organizations invested in data loss prevention (DLP) solutions to prevent the unintended sharing of sensitive data. Today, using cloud-native tools such as OneDrive and SharePoint Online, employees share a significant amount of data with collaborators internally and with external suppliers, distributors, vendors, and customers. Enterprises now need to enforce those same DLP controls across their cloud applications and email. That’s where a CASB comes in to extend security controls to corporate data in Office 365.
Users can share files via Office 365 in three ways: 1) by inviting a user by the recipient’s email, 2) by sending a link, or 3) by configuring the sharing policy to make a document publicly available and searchable. Analyzing the sharing permissions of files in the cloud, Skyhigh has found 28.3% of files are shared with email domains associated with business partners. However, another 6.2% are shared with personal email domains (e.g. gmail.com, yahoo.com), introducing questions about who has access to corporate data. And troublingly, 5.5% of files are shared using links that can be forwarded to anyone and the recipient’s accessing the files cannot be traced, and 2.7% of documents are publicly accessible to anyone on the Internet.
When sharing large volumes of sensitive data is just a few clicks away, it’s easy for employees to mistakenly share files or folders too broadly with external users. It’s also commonplace to type in a recipient’s name and mistakenly select the incorrect individual or a personal email address from the autocomplete suggestions. Employees may also be sharing sensitive data externally, unknowingly violating policies. Depending on your corporate policies, you may have blanket rules about which business partners your organization’s employees can share data with via Office 365. You may also have detailed policies on the type of content that can be shared with business partners.
How Skyhigh helps
Skyhigh provides guardrails to ensure appropriate sharing via content-aware data sharing policies in OneDrive and SharePoint Online that leverage a policy-based framework. Policies can include multiple rules, including whether a file is shared via a link or has external collaborators. Collaboration rules can trigger off the specific permissions assigned for the file or folder including viewer, editor, or owner. Some enterprises have a whitelist of acceptable external collaborators. For example, you may prohibit external sharing by default except with pre-approved business partners known to the organization, or prevent sharing with personal email domains such as those from Gmail or Yahoo! Mail.
In response to a policy violation, Skyhigh can take remedial action to correct the violation. Remediation actions include revoking a shared link and limiting the scope of sharing permissions (e.g. changing editors to viewers) or removing sharing permissions entirely. When content is shared externally, enforcement timing matters. An external user can download a file within seconds of receiving an invite to collaborate. Skyhigh’s approach ensures that collaboration policies are enforced in real-time before the sharing action is fully executed within the Office 365 platform, preventing the unintended disclosure of corporate data outside of policy.
Skyhigh policies can be targeted to specific user groups within the organization based on Active Directory attributes. Skyhigh’s DLP policy framework also supports combining collaboration rules with content-aware rules within a single policy. For example, you may want to allow collaboration with business partners but prevent sensitive intellectual property from being shared. These policies may be configured in Skyhigh’s DLP engine or an on-premises DLP solution such as those from Symantec, EMC RSA, Intel McAfee, and Websense.
How it works: deployment architecture
Collaboration actions users take on files and folders in Office 365 are cloud-centric in nature. Therefore, the only way to gain visibility into these actions and enforce policy controls is via API. Forward and reverse proxy architectures do not support deep collaboration controls for Office 365 because they do not have visibility into the full context of sharing in the cloud and may not have visibility into the content of the file if it is created natively in Word Online, Excel Online, PowerPoint Online, etc.