As organizations adopt Office 365, they often start with Exchange Online and discover that Microsoft bundles OneDrive for free. Companies exploring OneDrive can find themselves facing a number of data security, compliance, and governance questions. Despite the robust security features that are built into OneDrive, high-risk user behavior can still put sensitive data at risk. It’s not uncommon for employees to upload sensitive data to cloud-based file sharing services without fully understanding the risk they are putting the organization in.
Based on anonymized usage data of over 600 enterprises using the Skyhigh CASB, our research has found that 15.8% of files in the cloud contain sensitive data while 9.2% of documents in file sharing services shared externally contain sensitive data. And of shared files, 12.9% are accessible by everyone in the company, which can be risky for certain types of data. The average company stores 6,097 files with “salary” in the file name in file sharing services, and 1,156 files with “password” in the file name.
Since OneDrive is a convenient cloud based storage system for your work-related files, organizations across different industries store and handle data that is highly regulated by a myriad of national and industry regulations. It is not uncommon for schools, hospitals, and healthcare providers to store HIPAA-HITECH regulated customer information in OneDrive. HIPAA has several requirements, in not just how data is stored, but also the physical protection of the workstation that have access to that data, amongst other things. And the fines for mishandling the data can be steep.
Likewise, Microsoft claims Level 1 compliance with the Payment Card Industry Data Security Standard (PCI DSS) for their own billing systems. However, Microsoft cautions that “customers should not use the Office 365 service to transmit or store [cardholder] data for their own use.” This means that organizations should not use OneDrive to store, process, or transmit cardholder data.
It’s important for both users of OneDrive and administrators to follow some basic best practices to keep sensitive data secure while protecting the organization from the potential fallout of a data breach.
Protecting sensitive data in OneDrive
There are certain types of data that require extra care in its protection. These include:
- Personally Identifiable Information (PII) such as social security number
- Personal Health Information (PHI) protected by HIPAA-HITECH
- Financial information protected under PCI-DSS
- Data covered under FISMA and GLBA
Organizations should take the necessary steps to protect sensitive data in OneDrive:
- Encrypt files containing confidential data at rest and in transit
- Do not store PCI-DSS regulated data in any Office 365 products
- Disable external sharing of the most sensitive data so that links to the files can’t be sent to email addresses outside the organization
- Restrict access from off network users by whitelisting trusted networks only
- Apply data loss prevention rules that will prevent files from being accessed by unauthorized users and setup appropriate remediation rules
- Institute just-in-time coaching notifications for users who may inadvertently attempt to share a file outside the organization
- Don’t share files with ‘everyone’ unless absolutely necessary. Instead share with individuals or groups that are authorized to access the files
- Ensure that individuals no longer with the company have their OneDrive access terminated immediately
- For firms with BYOD policies, ensure that all devices connected to OneDrive meet the security and compliance requirements
- Do not store files in OneDrive that contain login/passwords credentials
Any workstation with access to OneDrive containing sensitive data should have the following:
- Secure internet connection that’s not using an open network Wi-Fi
- Up-to-date anti-virus and malware software
- Strong password protected computer
- Mechanism to physically identify individuals accessing workstation (security badge, finger print, etc)
- Other measures such as security cameras or guards
Lastly, the above set of best practices can help prevent some of the most common ways data can be breached or lost. However, if an unauthorized user gets access to a privileged user’s Office 365 account, much of what is listed above will be useless. That’s why one of the first things organizations must do is turn on multi-factor authentication to ensure lost or stolen user credentials can’t be used by unauthorized users to access OneDrive data. At the same time, monitoring the context in which users access OneDrive can help detect anomalous activity such as when a privileged user logs into OneDrive in US and moments later, someone else uses stolen credentials to log into same account from China.