The Pros and Cons of Sharing Content in Office 365
Documents stored in Office 365 are easily shared, both internally and externally. That ease of sharing brings the threat of exposing documents to unauthorized users through the cloud sharing platform, along with the consequences that follow.
When documents that contain personally identifiable information (PII), protected healthcare information (PHI) or sensitive information such as intellectual property (IP) or HR content are accessed by unauthorized users, internal or external, the organization is exposed to fines, litigation, damage to its IP and its business, and more. In the healthcare and defense industries, the consequences of a breach in security are especially dire.
If you consider that 30% of data breaches are caused by a negligent employee or contractor (human factor) at a cost of $117 per capita, you could face some serious financial penalties if content is accidentally accessed or shared.
Reducing the Risk of Oversharing
Breaching sensitive content can get expensive fast. Prudent companies implement governance policies through their system architectures to manage these risks.
Unfortunately, a good governance policy doesn’t guarantee compliance when it relies on administrators and users observing good practices. Microsoft doesn’t make it any easier: Office 365 updates occur monthly and can change the access rights of internal users.
Keep Sensitive Documents On-premises
Is the cloud any less secure than on premises? Probably not – it depends on your information security team. It’s true that Microsoft, Google and Amazon present more compelling targets for hackers. However, all the major cloud providers also employ large information security teams and systems to mitigate these risks. Companies like Microsoft can bring security resources to bear that all but the largest enterprises are hard pressed to match. And we know that obscurity – keeping information on premises – is not security. Most of the major data breaches of the past year have been perpetrated against on-premises data centers or endpoints.
One option for reducing the risk of oversharing is to prohibit placement of sensitive documents in Office 365. However, even if sensitive documents only reside on premises, users can still download, share and e-mail them. Compliance then relies on users acting in good faith. Users are often unaware of the document’s security classification and might naively share sensitive documents, oblivious that they are in breach of corporate policy.
Implement Controls on Sharing
If you create an Office 365 collaboration site, there are a number of things you can do to help reduce the risk of oversharing:
- Turn off anonymous sharing. If you allow anonymous sharing, you have no security on the site.
- Break the permissions on the collaboration site from the parent site. Otherwise, when a user shares a collaboration site, they share the parent site as well.
- When designing the collaboration site, keep its use specific to one class of external users. That way, when a user enters the site, they know that anything stored there is potentially shared with any authorized user, internal or external.
Expect the Worst
To put it bluntly, if you store sensitive documents in the cloud, you have to expect naïve sharing. For example, if a document containing PII is stored in Office 365 (or any other cloud store), then it must be considered vulnerable to inadvertent sharing.
Your governance policy should implement processes that will automatically detect and correct the blunder. To do this, you need to continuously monitor the contents of all documents, their metadata, and the actions of all users. Unless security is applied at the item level and independent of location, any classified or sensitive document remains at risk.
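As an illustration of the detect-and-correct loop described above, the following added example (not code from this article or from any Office 365 API) evaluates each sharing event against the document's own content and metadata rather than its location. The record fields, label names and action names are assumptions made for the example, and the sample data is constructed.

```python
import re

# Constructed sample data; field names are hypothetical, not an Office 365 schema.
DOCS = {
    "hr/salaries.txt": {"label": "Confidential", "text": "Payroll export for Q3"},
    "collab/notes.txt": {"label": "General", "text": "Patient SSN 123-45-6789 on file"},
    "collab/order.txt": {"label": "General", "text": "Card 4111 1111 1111 1111 charged"},
    "collab/agenda.txt": {"label": "General", "text": "Ref no. 1234 5678 9012 3456"},
}
SHARE_EVENTS = [
    {"user": "alice", "doc": "hr/salaries.txt", "scope": "external"},
    {"user": "bob", "doc": "collab/notes.txt", "scope": "anonymous"},
    {"user": "bob", "doc": "collab/order.txt", "scope": "internal"},
    {"user": "carol", "doc": "collab/agenda.txt", "scope": "external"},
]
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
SENSITIVE_LABELS = {"Confidential", "Restricted"}  # assumed label names

def luhn_ok(digits):
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def findings(doc):
    """Item-level check: classification metadata plus content patterns."""
    found = set()
    if doc["label"] in SENSITIVE_LABELS:
        found.add("label:" + doc["label"])
    if SSN.search(doc["text"]):
        found.add("pii:ssn")
    for m in CARD.finditer(doc["text"]):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("pii:card")
    return found

def evaluate(events, docs):
    """Map each sharing event to a corrective action, if one is needed."""
    actions = []
    for ev in events:
        hits = sorted(findings(docs[ev["doc"]]))
        # Anonymous links are always revoked; external shares only if sensitive.
        if ev["scope"] == "anonymous" or (hits and ev["scope"] == "external"):
            actions.append((ev["doc"], ev["user"], "revoke_share", hits))
        elif hits:
            actions.append((ev["doc"], ev["user"], "alert_owner", hits))
    return actions
```

The agenda document is shared externally but triggers nothing, because its 16-digit reference fails the Luhn check; without that validation the monitor would revoke a harmless share.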
The great news is that these risks can be reduced or eliminated. Our latest white paper discusses how organizations can reap the benefits of Office 365 while mitigating security risks associated with storing information outside the corporate firewall. By reading this white paper, organizations can see how to manage content security risks in Office 365 by continuously monitoring content and automatically applying granular controls to limit access to and the distribution of sensitive content.