How to reduce the risk of shared data in Microsoft 365
22 February 2023
Microsoft 365 allows users to share documents or invite people outside the organization into collaboration groups. These external users are by default named guests in the Microsoft 365 environment.
This ease of external collaboration drives the need for improved access and sharing management in Microsoft 365.
Only 64% of IT teams have a way to control sharing with people outside the company – Microsoft 365 study from 2021.
However, managing external access and the data lifecycle is essential to ensuring data security: detecting external sharing links, making sure they are compliant and correcting them if necessary.
In this context, administrators or security teams have a role to play.
Firstly, it is not recommended to shut off sharing with external parties altogether, as this can drive users toward shadow IT solutions.
However, having administrators configure guest access and external sharing remains an important and proactive approach to mitigating vulnerabilities, even when a patch is not yet available. This puts protective barriers in place to secure the company’s content.
Instead of disabling guest access to the tenant, Microsoft 365 administrators can restrict it. Via PowerShell, they can prevent guests from accessing specific groups or block guests from a specific domain.
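As an added example (not code from the article or from IDECSI), the two restrictions just mentioned carried out with the AzureAD PowerShell module: a per-group setting that stops new guests being added to one Microsoft 365 group, and a tenant-wide B2B policy that blocks invitations from one domain. The group name and the blocked domain are constructed placeholders.

```powershell
# Added example: restrict guests instead of disabling them.
# Assumes the AzureAD module and an admin session; group name and domain are placeholders.
Connect-AzureAD

# 1) Stop new guests from being added to one specific Microsoft 365 group.
#    Existing guest members are not removed by this setting; review them separately.
$groupName = 'Finance - Board Reporting'                      # constructed placeholder
$group = Get-AzureADGroup -SearchString $groupName | Select-Object -First 1
$template = Get-AzureADDirectorySettingTemplate |
    Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
$setting = $template.CreateDirectorySetting()
$setting['AllowToAddGuests'] = $false
New-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId `
    -DirectorySetting $setting

# Check: the group-level override should now show AllowToAddGuests = False.
(Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId).Values

# 2) Block B2B invitations from one domain via the tenant allow/deny list.
#    Only one B2BManagementPolicy may exist, so update it if it is already there.
$blockedDomain = 'untrusted-partner.example'                  # constructed placeholder
$definition = @{
    B2BManagementPolicy = @{
        InvitationsAllowedAndBlockedDomainsPolicy = @{
            AllowedDomains = @()
            BlockedDomains = @($blockedDomain)
        }
    }
} | ConvertTo-Json -Depth 5 -Compress

$existing = Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' }
if ($existing) {
    Set-AzureADPolicy -Id $existing.Id -Definition @($definition)
} else {
    New-AzureADPolicy -Definition @($definition) -DisplayName 'B2BManagementPolicy' `
        -Type 'B2BManagementPolicy' -IsOrganizationDefault $true
}
```

The AzureAD module is deprecated in favour of Microsoft Graph PowerShell; the same settings are reachable through Graph, but the cmdlet names differ.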
The identities of external guests can be impersonated. Implementing multi-factor authentication allows the user’s identity to be verified on another device and reduces the risk of compromise.
For an enhanced identity policy, in addition to multi-factor authentication, you can enable a session timeout. Guests will need to log in regularly to access their account. This verifies the security of the device and the identity of the person accessing the resource.
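The MFA requirement and session timeout described above can be expressed as one Conditional Access policy scoped to guests. This is an added example built with the Microsoft Graph PowerShell SDK, not the article's own code; the policy name is constructed, and it is created in report-only mode so that sign-in logs can be reviewed before anything is enforced.

```powershell
# Added example: Conditional Access policy for guests (MFA + daily re-authentication).
# Assumes the Microsoft Graph PowerShell SDK and Conditional Access admin rights.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'Guests: require MFA and daily re-authentication'   # constructed name
    # Report-only first: no one is blocked, but the "what if" result shows in sign-in logs.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('GuestsOrExternalUsers') }   # guests only
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')          # guest must complete MFA to get a token
    }
    sessionControls = @{
        signInFrequency = @{               # the "session timeout" from the text
            isEnabled = $true
            type      = 'days'
            value     = 1
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Check the result; switch state to 'enabled' only after reviewing report-only outcomes.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like 'Guests:*' } |
    Select-Object DisplayName, State
```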
Using privacy labels from Microsoft Purview Information Protection and the Azure AD DLP tool, policies can be defined to track and control sensitive data.
IDECSI completes Microsoft’s offer by integrating Purview’s classification labels and by proposing an advanced monitoring platform to supervise and be alerted in case of overexposure or compromise.
In Microsoft 365, sharing is managed through sharing links, of which there are several types: Anonymous (anyone), Whole Company, Specific User.
In this case, where anonymous sharing is still allowed, admin teams can set up additional settings to reduce the risks.
When a user shares a document or folder via OneDrive or SharePoint, the Anonymous link is applied by default if it is enabled in the organization.
If the user does not change the default link type, they will unintentionally create an anonymous link that anyone can open without authenticating.
Administrators can set the default link to “Whole Company” or “Specific Person”.
Some data stored on SharePoint, Microsoft Teams or OneDrive will be kept.
By imposing an expiration date for Anonymous links, guest access will be automatically reviewed without user intervention. This prevents unexpected accesses over time and unwanted changes.
There are several possible permissions for Microsoft share links: edit, read, download.
By default, links are set to “Edit” but admin teams can push a read-only permission by default. Thus, guests will not be able to modify the content of the shared document.
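The three settings discussed above (default link type, anonymous-link expiration, default permission) are tenant-wide SharePoint Online and OneDrive settings. The following is an added example, not the article's code: the weak configuration the text warns about shown beside a hardened one, using the Microsoft.Online.SharePoint.PowerShell module. The admin URL is a constructed placeholder.

```powershell
# Added example: tenant sharing-link settings, weak vs. hardened.
# Assumes the SharePoint Online management shell and a SharePoint admin role.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # constructed placeholder

# Weak configuration described in the article: anonymous links by default,
# no expiration (-1), edit rights. Shown for contrast only; do not apply.
$weak = @{
    DefaultSharingLinkType            = 'AnonymousAccess'
    DefaultLinkPermission             = 'Edit'
    RequireAnonymousLinksExpireInDays = -1
    FileAnonymousLinkType             = 'Edit'
    FolderAnonymousLinkType           = 'Edit'
}

# Hardened configuration: anonymous sharing stays available (avoids shadow IT),
# but the defaults and limits make accidental exposure much less likely.
$hardened = @{
    DefaultSharingLinkType            = 'Internal'   # "Whole Company" is the default link
    DefaultLinkPermission             = 'View'       # read-only unless deliberately changed
    RequireAnonymousLinksExpireInDays = 30           # anonymous links stop working after 30 days
    FileAnonymousLinkType             = 'View'       # anonymous links can never grant edit
    FolderAnonymousLinkType           = 'View'       # on files or on folders
}
Set-SPOTenant @hardened

# Verify the effective tenant settings after the change.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType
```

Individual sites can be stricter than the tenant (Set-SPOSite), but never more permissive, so the tenant values are the ceiling.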
The best practice for managing external shares is still user awareness.
Users are now the administrators of their resources. Moreover, a share starts with them: by creating a sharing link, a Teams team or a SharePoint site.
This is why, today, employee awareness of security issues is essential to prevent the risk of data leakage.
Enabling external shares carries risks (data leakage, no control over shares, illegitimacy of sharing over time). It is recommended that governance rules be put in place to reduce these risks.
Visibility is the core of this governance strategy. Native Microsoft and third-party solutions exist to understand how data is used and to monitor access.
Following the audit of the environment, it is possible to apply an access rights review strategy. Access review over time ensures that the rights granted to users are consistent with an organization’s security policy and the user’s activity.
Azure AD Access Reviews is Microsoft’s tool for tracking and managing internal group membership and therefore access. By launching access review campaigns, it is possible to send notifications to Teams or SharePoint group owners to validate members.
Azure AD Access Reviews allows you to involve users in access reviews and ensure regular review of access made to resources.
Following the launch of the campaign, the owners of the Teams / SharePoint groups will receive an email with the group to be checked. The verification will be carried out at member level only and will not affect shared channels.
Permissions or sharing links made outside of a Teams team (on SharePoint for example) will not be part of the recertification campaign.
This tool is only offered in the Azure AD P2 license (included in the Microsoft E5 license).
IDECSI has developed a recertification tool, which completes the Microsoft offer by addressing all Microsoft 365 collaborative tools, regardless of the license level.
To do this, security teams and administrators have a solution to quickly launch audits and quickly see at-risk shares (external, anonymous) and overexposure of data on the tenant.
Administrators can then launch automated and programmable rights review campaigns.
Customized reports are then available on the platform to analyze the results of ongoing campaigns (tracking requests, validations, planning).
The user has a security dashboard to set up governance over their data and review their shares from a single portal, named MyDataSecurity.
In the context of a campaign, users will also receive a notification to recertify all permissions and will be able to apply automatic troubleshooting.