Document sharing is a common activity among Microsoft 365 users. Misconfigured shares, external and obsolete shares, guest access, inactive users, overly permissive rights: in companies, data shared via collaborative cloud applications raises questions relating to information system security, data protection, integrity and often increase the risk of cyberattacks. M365 solutions therefore offer great flexibility for sharing information both internally and externally, so Microsoft 365 data protection and security are essential.
Indeed, managing access and sharing becomes more complex on cloud and collaborative environments such as Microsoft 365, so how do you identify misconfigured or risky shares, and eliminate dangerous shares for data?
Shared data, what risks does this pose for the information system?
Open shares have always been considered problematic since they pose a risk, in particular, of data leaks. At Forvia (automotive equipment manufacturer), for example, 80% of industrial site compromises are linked to open sharing or uncontrolled access to file servers. And the information system is opened, the traditional perimeter increasingly dissolves.
According to a recent study, 10% of the average company's cloud data is accessible to each employee via SaaS* solutions.
Identifying and reducing the scope of data exposure in the cloud is key. So what is the potential damage if a user is compromised? Where is sensitive data located? How is it shared? Who can access it?
What is a "dangerous" share in M365?
Microsoft 365 link sharing can result in accidental data exposure, when a user sets too broad, inappropriate permissions while sharing. For example, an O365 account user can use the "Copy link" option to share a document with someone. If the link is forwarded to someone else or shared publicly, anyone with the link can edit the document.
Thus content sharing can be considered dangerous, when users share sensitive information with unauthorised people or when permissions are not appropriate or are no longer appropriate.
5 risks posed by misconfigured shares:
- Access to data that cannot be identified (anonymous user, non-nominative link)
- Access to data that cannot be traced (recipients)
- Access that is not suitable and too permissive (authorisation, legitimacy of access to a folder, a sharepoint site), for example a sharing link "to the whole company"
- External access to the company (access without expiration date)
- Authorised external access, which becomes obsolete over time: no precise tracking, expiration
What’s more, one share can hide another. Sharing has technical implications (adding guests, identities, objects, duration in time, etc.)
Each access, each right (sharing link, overly permissive rights, etc.) therefore becomes a potential entry point into digital environments containing strategic data. To minimise the risk, access rights should be regularly reviewed and reduced in the cloud according to the least privilege principle (principle of granting the minimum rights necessary).
How do I stay in control of sharing on Microsoft 365?
8 steps to staying in control of shared data and M365 sharing links
- Set an expiration date for anonymous type links so that guest access is automatically reviewed.
- Restrict external shares (using PowerShell) to prevent a guest from accessing specific groups or block guests from a specific domain.
- Labelling sensitive or confidential data, using Microsoft Purview Information Protection Sensitivity Labels and Azure AD's DLP tool helps define policies to map and identify where the data is located.
- Audit permissions that are overly permissive regularly
- Follow up on data shared with external parties and send reminders to owners to recertify access
- Manage external access by the owner(s) of sharepoint sites, Teams groups (being able to track internal movements, guests over time)
- Launch access and rights review campaigns at company or user group level.
- Set up a remediation plan with the owners of data exposed internally or externally.
One of the main difficulties lies in the fact of not being able to have 100% control over security, compliance and governance policies, in particular due to deviant behaviour, which is often due to human error, poor configuration, poor knowledge of the environment and tools.
Managing shared data on a collaborative and cloud scale
In each app, users can choose settings for shares, view or edit permissions, and grant these permissions to "Anyone with the link", "Specific people" or "Only people in your organisation" (only for professional account users).
What is the user's role in controlling shared data?
How can the user succeed in deleting these misconfigured, potentially dangerous shares, non-legitimate accesses, inappropriate permissions, in a "simple and effective" way on an environment in perpetual motion, and in which the user is almost the "master" of his own management?
After all, isn't the user the key?
Each employee should only be able to access the information they really need for their professional activity. At least that’s the ideal in this collaborative world. When information is shared, the responsibility for its protection is extended or distributed. Each collaborator should be made responsible for the sharing they make of the data, particularly over time, and should be involved in reviewing this sharing.
It is essential to make users aware of any of their shares that are too open, permissive, considered dangerous for the company with the possibility of correcting, modifying these shares.
Data must be at the heart of the security strategy. Traditional security approaches, however, have their limits. This is why security needs to be rethought. Cybersecurity can be collaborative, participatory, and so proactively involve the owners of shared data so as to limit these accidental exposures and the risks posed by shared data.
Auditing shared data and associated permissions
IDECSI has launched DETOX for M365, a device that allows you to audit data that is shared internally and externally within the M365 tenant. The solution displays all the sharing, access and rights links and highlights to the owners any aspects that require correction thanks to MyDataSecurity technology.
