[Conference] How to master Data Access and Sharing in Microsoft 365

For this 23rd edition of the Cybersecurity event, Les Assises in Monaco, IDECSI invited two of its clients to speak at its conference on data protection and how to master Data Access and Sharing in Microsoft 365 and collaborative tools. 

Our guests of honour were: 

• Vincent Rey, Deputy Manager Leader and Head of data protection solutions at BPCE IT, managed IT services & technologies in Groupe BPCE, the 2nd largest banking group in France, pursues a full range of banking and insurance activities.

• Jean-Paul Joanany, CISO at Action Logement, a leading player in social and intermediate housing in France with more than one million properties.            

The agenda for this conference covers:

• Objectives and major challenges of Microsoft 365 Data protection

• How IDECSI helped BPCE-IT reducing the risk of data exposure

• Action Logement: making users responsible for file sharing

Objectives and major challenges of Microsoft 365 Data Protection

This conference focuses on the governance of access, rights and sharing of information, with a focus on the M365 environment and pursuing two main objectives:

→ to stay in control of the M365 environment, which is evolving and very dynamic;
→ to prevent unauthorised, malicious, obsolete or usurped access and sharing from compromising the security and confidentiality of our data. 

As a reminder, companies have to tackle six major challenges around Data Protection: 

• Users are often administrators of their own data, allowing them to create and share freely.
• Sharing, particularly external sharing, must be better monitored and controlled.
• The volume of data on M365 is growing exponentially, making it difficult to manage and monitor.
• Users are not security experts, which can lead to poor adoption of best practices.
• M365 is constantly evolving, which requires optimal configuration adapted to needs.
• The security of users and sensitive data is enhanced by the complexity and diversity of data sources.

The potential consequences and risks to be covered include: excessively open sharing (thus exposing data to unauthorised persons), poor control of guests accessing information assets, a non-respected access life cycle (which makes rights obsolete or unnecessary). 

Identity theft is a serious risk, as it allows an attacker to pose as a legitimate user. Also, a data leak can compromise the confidentiality and integrity of information, while a compliance problem exposes you to sanctions or prosecution.

Finally, the overexposure of sensitive data and the compromise of rights by malicious or illegitimate parties increases the risk of theft or espionage, which can result in harm to our organisation.

These were the factors that prompted Action Logement and BPCE-IT to choose the MyDataSecurity solution from IDECSI to master data access and file sharing.  

BPCE-IT: reduce the risk of data exposure on Microsoft 365

BPCE-IT is a key player in the BPCE Group, which ensures the proper functioning of IT services for customers and employees of the Banques Populaires and Caisses d'Epargne (>110,000 employees). The Valkyrie programme aims to strengthen the group's cybersecurity, particularly in terms of data protection on the M365 platform.  

Deployment of the MyDataSecurity solution responds to the challenges linked to the exponential growth of collaborative use and the volume of data on the M365 tenant, as well as the risk of data leaks. In fact, the group has more than 150,000 Sharepoints, more than 100,000 Teams and the number of external shares is constantly rising.  

→ To do this, the BPCE group's IT EIG wishes to simply launch and manage sharing review campaigns by involving the managers of the data concerned (owners of OneDrive, owners of Teams/SharePoint), including reminder and escalation mechanisms.

→ A communications plan has also been launched to present and inform employees about the approach. The group's employees now benefit from a tool which informs them of the focal points for their data (extensive sharing of the 'company link' type, external sharing), particularly the most sensitive aspects, thanks to the integration of the BPCE-IT classification model to directly correct access rights from an interactive user-friendly interface. 

Users were enthusiastic and engaged in the rights review processes and sharing on their personal dashboard.  

The solution was deployed gradually to reach more than 20,000 users in 2023. SAAS mode makes it very easy to activate the platform. Vincent Rey highlights in particular: 

• the adaptability of IDECSI in response to technical and security requirements due to the scale of BPCE's O365 tenant (adapted sizing on the SaaS) 
• the implementation of a hybrid architecture meeting Group security constraints (LEM on-premise) 

• the customisation of interfaces for BPCE (graphic charter, SSO, URLs) 

The tool thus makes it possible to reduce the risk of exposure of data shared from M365 and to promote the adoption of best practices in terms of governance and information security for the group. 

Vincent REY, BPCE-IT during the IDECSI Conference, Les Assises, October 2023, Monaco

Action Logement: making users responsible for M365 shares

For Jean-Paul Joanany, CISO at Action Logement, empowering users is essential for the management and governance of access to data on M365. 

The group, a major player in social and intermediate housing in France, manages a portfolio of more than 1 million housing units. The Action Logement Service division is a financing company which processes large amounts of sensitive data (personal and financial data), which is subject to fraud. The objective is therefore twofold: to secure the resources of each user, to reassure them and to make them responsible: who accesses what? 

On the one hand, there are difficulties with M365 administration, according to Jean-Paul Joanany, to properly manage M365 roles, associated rights. On the other hand, there is a real lack of user ownership over the management of rights / sharing of their data, which leads to a significant increase in risks (illegitimate, malicious operations, information leaks, unauthorised access, incorrect settings, etc.).

→ And as Jean-Paul Joanany likes to remind us: cybersecurity is everyone's business, we need to know how to provide users with the right tools so that they can participate in this governance, to confront them with their responsibilities.

With IDECSI, Action Logement users are informed of important events requiring verification on their M365 account and shared spaces (Teams): new user, new device, new share, synchronisation, rights, etc.  

For Action Logement, the IDECSI solution made it possible to:

• increase the visibility of the CISO, the actions put in place; 
• improve interaction and communication with users; 
• reduce risk on M365; 
• identify cases of fraud and notify users in the event of malicious operations. 

Jean-Paul Joanany, Action Logement, during the IDECSI Conference, Les Assises, October 2023, Monaco

Read feedback from previous years:

The 2022 Conference: Feedback from L'Oréal on M365 Data Protection