
Microsoft 365

28 February 2025

Monitoring groups and sharing links in Microsoft 365

To master Microsoft 365 security, it is important to have an overview of the key elements that make up the tenant (users, resources, groups, configurations, etc.) in order to manage the risks related to shared data, such as overexposure of data or non-compliant access.

This article analyses the different groups and sharing types in Microsoft 365 and offers recommendations to reduce the associated risks. In an environment where data is frequently shared, configuring groups and sharing types in Microsoft 365 is essential to avoid the risk of overexposure.


Using the IDECSI platform, we will highlight the key indicators to follow in order to identify and correct potential risks on OneDrive, Teams and SharePoint.

 




Monitoring public and private groups

Microsoft 365 offers several group configurations, each with its own specificities. Depending on how your Teams or SharePoint is configured, the group type has a direct impact on the access and rights granted to different users:

Public groups

These groups are accessible to all users in the organisation and are typically created with or linked to a Teams or SharePoint. They can pose a high risk if sensitive information is shared without adequate controls. It is important to note that users can not only join the group without special permission, but also access the content of the site, which is read-only for all internal users. Public groups in Microsoft 365 should be closely monitored to avoid overexposure of data. A regular review of permissions is recommended to ensure that only the people who need access have it.

Although private groups are less exposed, they are not free of risks. Proactive management of permissions and shares is necessary to maintain security.

→ Monitoring private and public groups helps identify problem areas such as Microsoft 365 groups with no owners or composed of external users.

M365 Groups without owner

Groups without owners can become points of vulnerability. It is important to designate owners for each group to ensure ongoing governance of access and sharing. For tenants with an Azure AD P1 license, it is possible to enable a feature to promote active users to owners.

Groups with sensitive information

It is essential to identify groups containing sensitive information and ensure that only authorised users have access to them. Using privacy labels can help classify, map, and protect this data. However, some customers prefer to avoid this option as it might highlight externals with Member (or internal) type accounts.

M365 Groups with guests

Adding external guests to M365 groups should be strictly controlled. Guests should have limited permissions and their access should be reviewed regularly.
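The group indicators described above (no owner, public visibility, guests, and external people holding Member-type accounts) can be checked with a short script. This is an added example, not IDECSI's or Microsoft's code: it runs on constructed records shaped like Microsoft Graph group objects, and the embedded owners/members lists, the tenant domain and the finding names are assumptions.

```python
# Added example. Records are constructed and only shaped like Microsoft Graph
# group objects; embedding "owners"/"members" in the record is an assumption.
INTERNAL_DOMAINS = {"contoso.example"}  # hypothetical tenant mail domains

GROUPS = [
    {"displayName": "Finance-Closing", "groupTypes": ["Unified"], "visibility": "Private",
     "owners": [],
     "members": [{"mail": "a.martin@contoso.example", "userType": "Member"}]},
    {"displayName": "All-Hands", "groupTypes": ["Unified"], "visibility": "Public",
     "owners": [{"mail": "hr@contoso.example", "userType": "Member"}],
     "members": [{"mail": "j.doe@partner.example", "userType": "Guest"}]},
    {"displayName": "Project-X", "groupTypes": ["Unified"], "visibility": "Private",
     "owners": [{"mail": "pm@contoso.example", "userType": "Member"}],
     "members": [{"mail": "consultant@vendor.example", "userType": "Member"}]},
    {"displayName": "SG-Printers", "groupTypes": [], "visibility": None,
     "owners": [], "members": []},  # security group, out of scope
]

def is_external(user):
    """True when the user has a mail domain that is not one of the tenant's own."""
    domain = (user.get("mail") or "").rpartition("@")[2].lower()
    return bool(domain) and domain not in INTERNAL_DOMAINS

def audit_group(group):
    """Return the sorted review findings for one Microsoft 365 group."""
    if "Unified" not in (group.get("groupTypes") or []):
        return []  # only Microsoft 365 (Unified) groups are in scope
    findings = set()
    if not group.get("owners"):
        findings.add("no-owner")
    if group.get("visibility") == "Public":
        findings.add("public")
    for member in group.get("members") or []:
        if member.get("userType") == "Guest":
            findings.add("guests")
        elif is_external(member):
            # External person holding a Member-type account: userType alone misses it.
            findings.add("external-as-member")
    return sorted(findings)

def audit(groups):
    """Map group name -> findings, keeping only groups that need a review."""
    report = {g["displayName"]: audit_group(g) for g in groups}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit(GROUPS).items():
        print(f"{name}: {', '.join(found)}")
```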

 

 

Monitoring anonymous and company-wide sharing links

Anonymous sharing links allow anyone to access a file or folder without prior authentication. For example, in your OneDrive and SharePoint, you may have quickly shared files you were working on, without realising that it was an anonymous share. While this may be very "convenient" in some contexts, such as tenders, these links pose significant risks to data security and integrity:

  • It is important to set up regular access and permission reviews with data owners so that they remove obsolete links, which are no longer useful, in favour of links to specific groups or people.
  • If the data is classified with confidentiality labels as with Microsoft Purview (C3 – Confidential, C4 – Secret…), it is recommended to evaluate the number of active sharing links, in order to carry out verification and remediation actions by the owner or directly by the monitoring teams.

→ Monitoring sharing links, and particularly anonymous sharing, makes it possible to identify risky sharing on confidential and classified files:

  • remove anonymous links that are no longer needed and replace them with secure links that require authentication
  • educate your users so that they favour secure sharing links, such as links to specific people or, at least, a "company link"
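One way to rank anonymous and company-wide links for review, with classified files first, is sketched below. This is an added example, not code from IDECSI or Microsoft: the items are constructed, `link.scope` and `expirationDateTime` follow the Microsoft Graph permission resource, and the `label` field, the severity policy and the review date are assumptions.

```python
from datetime import datetime, timezone

# Added example. Items are constructed; "label" is a hypothetical field that
# stands in for the file's confidentiality label.
CLASSIFIED = {"C3 – Confidential", "C4 – Secret"}
SAMPLE_NOW = datetime(2025, 2, 28, tzinfo=timezone.utc)  # constructed review date

ITEMS = [
    {"name": "tender-2025.docx", "label": "C3 – Confidential", "permissions": [
        {"id": "p1", "link": {"scope": "anonymous", "type": "edit"},
         "expirationDateTime": None}]},
    {"name": "menu.pdf", "label": None, "permissions": [
        {"id": "p2", "link": {"scope": "anonymous", "type": "view"},
         "expirationDateTime": "2025-01-31T00:00:00Z"}]},
    {"name": "payroll.xlsx", "label": "C4 – Secret", "permissions": [
        {"id": "p3", "link": {"scope": "organization", "type": "view"},
         "expirationDateTime": None},
        {"id": "p4", "link": {"scope": "users", "type": "view"},
         "expirationDateTime": None},
        {"id": "p5", "roles": ["owner"]}]},  # direct grant, not a sharing link
]

def review_links(items, now):
    """Return (file, permission id, scope, severity, note) for links to review."""
    findings = []
    for item in items:
        classified = item.get("label") in CLASSIFIED
        for perm in item.get("permissions", []):
            scope = (perm.get("link") or {}).get("scope")
            if scope not in ("anonymous", "organization"):
                continue  # specific-people links and direct grants: not covered here
            if scope == "organization" and not classified:
                continue  # company link on an unclassified file: accepted by this policy
            severity = "high" if scope == "anonymous" and classified else "medium"
            expiry = perm.get("expirationDateTime")
            if expiry is None:
                note = "no expiry"
            elif datetime.fromisoformat(expiry.replace("Z", "+00:00")) < now:
                note = "past expiry"
            else:
                note = "expires " + expiry[:10]
            findings.append((item["name"], perm["id"], scope, severity, note))
    return sorted(findings, key=lambda f: f[3])  # "high" sorts before "medium"

if __name__ == "__main__":
    for row in review_links(ITEMS, SAMPLE_NOW):
        print(*row, sep=" | ")
```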

 

Monitoring external and group sharing links

External sharing links are specifically created to provide access to users outside of your organisation. This is often necessary when you collaborate with partners, consultants, or other third parties who use their work email to work with you.

Group sharing links allow multiple users to access data through their membership in a specific group. This can pose risks if users should not or no longer have access to this data.

Monitoring external and group sharing links is essential because over time, people's roles and organisations may change, but they can still grant access rights to the data initially shared. By regularly monitoring these links and adjusting permissions based on current needs, you can minimise risk and reduce illegitimate, non-compliant access.

 

Microsoft 365 Monitoring with IDECSI


IDECSI has set up Business Intelligence, accessible via dashboards, to monitor the key indicators of the Microsoft 365 tenant (resources, groups, users, etc.) and to show the level of data exposure based on access, rights, shares and configurations.

With the platform's metadata collection, BI allows you to gain an overview of potential risks such as anonymous and external shares, groups without owners, users with multiple points of attention, in order to take proactive remediation measures to secure your information such as access and share review campaigns with the relevant data owners.

 


Example of the general status of Microsoft 365 groups: their owners, members, guests, and properties.

 


Example of the status of anonymous shares on classified files.

 

With IDECSI, it becomes easy to audit the tenant regularly and launch corrective measures with data managers via rights review campaigns. Each employee can access and view the risks on their data and correct them directly to strengthen the security of OneDrive, Teams and SharePoint. Monitoring of rights review campaigns is also available from the BI (number of remediations, actions per user, etc.) in order to track the effectiveness of the campaign and relaunch it if necessary.

Having good visibility into user usage and behaviours regarding data stored and shared in Microsoft 365 applications allows IT and Digital Workplace teams to adjust policy and awareness efforts by reminding users of the good governance and security practices to adopt. IT teams can identify and prevent data breach risks and non-compliance issues, while empowering users as data stewards.

By adopting these best practices and using the right tools, you can strengthen data security in your organisation and better manage the data lifecycle in Microsoft 365.

 

 
