[NEW] DETOX to get rid of M365 risky sharing and data accessLire l'article
19 December 2023
For this 23rd edition of the Cybersecurity event, Les Assises in Monaco, IDECSI invited two of its clients to speak at its conference on data protection and how to master Data Access and Sharing in Microsoft 365 and collaborative tools.
Our guests of honour were:
The agenda for this conference covers:
This conference focuses on the governance of access, rights and sharing of information, with a focus on the M365 environment and pursuing two main objectives:
→ to stay in control of the M365 environment, which is evolving and very dynamic;
→ to prevent unauthorised, malicious, obsolete or usurped access and sharing from compromising the security and confidentiality of our data.
As a reminder, companies have to tackle six major challenges around Data Protection:
The potential consequences and risks to be covered include: excessively open sharing (thus exposing data to unauthorised persons), poor control of guests accessing information assets, a non-respected access life cycle (which makes rights obsolete or unnecessary).
Identity theft is a serious risk, as it allows an attacker to pose as a legitimate user. Also, a data leak can compromise the confidentiality and integrity of information, while a compliance problem exposes you to sanctions or prosecution.
Finally, the overexposure of sensitive data and the compromise of rights by malicious or illegitimate parties increases the risk of theft or espionage, which can result in harm to our organisation.
These were the factors that prompted Action Logement and BPCE-IT to choose the MyDataSecurity solution from IDECSI to master data access and file sharing.
BPCE-IT is a key player in the BPCE Group, which ensures the proper functioning of IT services for customers and employees of the Banques Populaires and Caisses d'Epargne (>110,000 employees). The Valkyrie programme aims to strengthen the group's cybersecurity, particularly in terms of data protection on the M365 platform.
Deployment of the MyDataSecurity solution responds to the challenges linked to the exponential growth of collaborative use and the volume of data on the M365 tenant, as well as the risk of data leaks. In fact, the group has more than 150,000 Sharepoints, more than 100,000 Teams and the number of external shares is constantly rising.
→ To do this, the BPCE group's IT EIG wishes to simply launch and manage sharing review campaigns by involving the managers of the data concerned (owners of OneDrive, owners of Teams/SharePoint), including reminder and escalation mechanisms.
→ A communications plan has also been launched to present and inform employees about the approach. The group's employees now benefit from a tool which informs them of the focal points for their data (extensive sharing of the 'company link' type, external sharing), particularly the most sensitive aspects, thanks to the integration of the BPCE-IT classification model to directly correct access rights from an interactive user-friendly interface.
Users were enthusiastic and engaged in the rights review processes and sharing on their personal dashboard.
The solution was deployed gradually to reach more than 20,000 users in 2023. SAAS mode makes it very easy to activate the platform. Vincent Rey highlights in particular:
The tool thus makes it possible to reduce the risk of exposure of data shared from M365 and to promote the adoption of best practices in terms of governance and information security for the group.
Vincent REY, BPCE-IT during the IDECSI Conference, Les Assises, October 2023, Monaco
For Jean-Paul Joanany, CISO at Action Logement, empowering users is essential for the management and governance of access to data on M365.
The group, a major player in social and intermediate housing in France, manages a portfolio of more than 1 million housing units. The Action Logement Service division is a financing company which processes large amounts of sensitive data (personal and financial data), which is subject to fraud. The objective is therefore twofold: to secure the resources of each user, to reassure them and to make them responsible: who accesses what?
On the one hand, there are difficulties with M365 administration, according to Jean-Paul Joanany, to properly manage M365 roles, associated rights. On the other hand, there is a real lack of user ownership over the management of rights / sharing of their data, which leads to a significant increase in risks (illegitimate, malicious operations, information leaks, unauthorised access, incorrect settings, etc.).
→ And as Jean-Paul Joanany likes to remind us: cybersecurity is everyone's business, we need to know how to provide users with the right tools so that they can participate in this governance, to confront them with their responsibilities.
With IDECSI, Action Logement users are informed of important events requiring verification on their M365 account and shared spaces (Teams): new user, new device, new share, synchronisation, rights, etc.
For Action Logement, the IDECSI solution made it possible to:
Jean-Paul Joanany, Action Logement, during the IDECSI Conference, Les Assises, October 2023, Monaco
Read feedback from previous years:
Subscribe to our newsletter and receive new contents every month