Regardless of where you keep your data, the two main security threats stay the same: data loss and data leakage (data exposure). There is a common misconception about cloud storage, Microsoft's included, and it boils down to how much security customers assume the provider delivers on their behalf.
While cloud storage services (OneDrive in particular) certainly have baseline security measures such as encryption at rest and in transit in place, you still have to take some actions of your own before your business files are properly protected there. These actions are common sense, and most of them require neither heavy financial investment nor knowledge beyond the IT administrator level.
Here are the must-do things that will enhance the security of your OneDrive for Business files.
4 Steps to Improve OneDrive for Business Security
Back up your OneDrive files
That may sound unexpected to some of you, but Microsoft does not guarantee your files against loss. More precisely, OneDrive does not protect you from data that has been permanently deleted and, in some cases, from data encrypted by ransomware.
If your data was soft-deleted, you can still restore it from the recycle bin. But once a hard deletion has occurred, unless you have your OneDrive files backed up, there is not much you can do. Hard deletion occurs in four cases:
- When a user, admin or third party purges files from the recycle bin;
- When files are deleted automatically because the preservation (retention) period has ended;
- When the user account that owns the files is deleted and the retention window for that user's OneDrive (30 days by default) expires;
- When files are encrypted by ransomware in a way that leaves no earlier version to roll back to, for instance because version history and the recycle bin were purged as well, or the 30-day window of OneDrive's Files Restore feature has already passed.
OneDrive's Data Loss Prevention and preservation policies, although better than nothing, do not cover every case. They control where content may go and let you search for it; they are not a restore mechanism. If you need to recover a large volume of lost data, DLP and eDiscovery policies will not help. So to keep business continuity and avoid downtime, you need to go the extra mile and make sure you back up your OneDrive data. In terms of cost-effectiveness, a reliable OneDrive backup tool will save you far more money and time in the long run than recreating lost work.
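Two of the four cases above (retention expiry and deleted accounts) are governed by a single tenant setting, and an admin can check the window and pull a deleted user's OneDrive back while it is still open. The following is an added example written for this article, not code from Microsoft or from a backup vendor; it assumes the SharePoint Online Management Shell module is installed, that the tenant is called "contoso", and that the user URL is a placeholder.

```powershell
# Added example, not part of the original article. Assumes the
# Microsoft.Online.SharePoint.PowerShell module; "contoso" and the
# personal-site URL below are placeholders to replace with your own.
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# 1. How long a deleted user's OneDrive is kept before it is purged
#    (the third "hard deletion" case). Default is 30 days; the
#    tenant setting accepts 30 to 3650 days.
$tenant = Get-SPOTenant
"Deleted-user OneDrive retention: $($tenant.OrphanedPersonalSitesRetentionPeriod) days"

# Raise it so an account removed during staff turnover does not take
# a year of files with it before anyone notices.
Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod 365

# 2. List the OneDrives currently sitting in the tenant recycle bin and
#    how many days each one has left before it is gone for good.
Get-SPODeletedSite -IncludeOnlyPersonalSite |
    Select-Object Url, DeletionTime, DaysRemaining, StorageQuota

# 3. Restore one of them before DaysRemaining reaches zero. After this
#    point only an external backup can bring the data back.
Restore-SPODeletedSite -Identity "https://contoso-my.sharepoint.com/personal/jdoe_contoso_com"
```

Run the first two steps on a schedule: the retention value is a one-time fix, but the `DaysRemaining` listing is the check that tells you when something is about to cross from soft deletion into the unrecoverable state the section warns about.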
Enforce the built-in policies
Microsoft offers many built-in policies designed to make your experience both more convenient and more secure. You can use the default settings or tailor them to your needs by customizing these policies. In the case of OneDrive, there are five to take advantage of:
1. Data Loss Prevention (DLP) policies
2. Preservation (retention) policies
3. Audit logging of events
4. eDiscovery policies
5. Alert policies
IT administrators can access and change all of these from the Microsoft 365 Security and Compliance Center (its functions now live in the Microsoft Purview compliance portal and the Microsoft Defender portal). We also advise you to define your own policies to monitor and secure data across your tenant.
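Of the five items, the audit log is the one an administrator should query by hand, because the events that precede a data-loss or leak incident (mass deletions, "Anyone" links being created) are all recorded there. Below is an added example of such a query, written for this article rather than taken from Microsoft documentation. It assumes the ExchangeOnlineManagement module, an account holding a role that includes "View-Only Audit Logs", and that unified auditing is enabled for the tenant.

```powershell
# Added example, not part of the original article. Assumes the
# ExchangeOnlineManagement module and an account with audit-log read rights.
Connect-ExchangeOnline

$end   = Get-Date
$start = $end.AddDays(-7)

# Pull the last week of file deletions and sharing-link events. One call
# returns at most 5000 records; for busier tenants page through with
# -SessionCommand ReturnLargeSet and a fixed -SessionId.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations FileDeleted, FileRecycled, AnonymousLinkCreated, SharingSet `
    -ResultSize 5000

# AuditData is a JSON string on every record. Expand it and keep only
# OneDrive events (SharePoint sites report Workload = "SharePoint").
$events = $records |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.Workload -eq "OneDrive" }

# Who deleted the most files? A spike per user is the signature of a
# leaver cleaning house, a runaway sync client, or ransomware that
# encrypts copies and deletes the originals.
"--- Deletions per user (top 10) ---"
$events |
    Where-Object { $_.Operation -in 'FileDeleted', 'FileRecycled' } |
    Group-Object UserId | Sort-Object Count -Descending |
    Select-Object Name, Count -First 10

# Which files were exposed with an "Anyone" link, and by whom?
"--- Anonymous links created ---"
$events |
    Where-Object { $_.Operation -eq 'AnonymousLinkCreated' } |
    Select-Object CreationTime, UserId, ObjectId
```

The same two conditions are what an alert policy (item 5 above) should be built on: once you know the normal weekly deletion count per user from this report, the threshold for the alert stops being a guess.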
Control user permissions and data sharing
One of the most common security slips that administrators and IT specialists are guilty of is overlooking the sharing permissions within the organization. As an environment built on shareable files and folders, OneDrive is highly susceptible to data leaks if this issue is neglected.
Not all data should be shared, or at least not with everyone. Sensitive data such as credit card numbers or personally identifiable information must be restricted from being shared outside the organization (and, in some cases, within it). Business-critical information is meant to be accessed only by particular users or departments. It is also generally safer to prevent users from sharing any corporate data outside the organization's domain by disabling external sharing. But that decision depends on your company's goals and on how much of its work relies on external collaboration.
Global Admins and SharePoint Admins can regulate all sharing settings via the OneDrive admin center (these controls now live in the SharePoint admin center and apply tenant-wide). There are three types of sharing links:
- Shareable (Anyone) — Available only if external sharing has been set to "Anyone." Anyone who has the link can access the content without signing in, so where these links are allowed at all they should carry an expiry date and default to view-only.
- Internal (People in your organization) — Links are accessible only to signed-in users within the organization's domain. If the admin has allowed external sharing, users choose the link type each time they share files, so the tenant's default link type decides what they get when they do not think about it.
- Direct (Specific people) — Only the people specified as recipients when the link was created can access the content. Direct links are the right choice for guests, who are required to authenticate, and for sharing with a defined group of users.
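The sharing controls described in this section, plus the DLP restriction on card numbers mentioned earlier in it, can be set from the SharePoint Online Management Shell and Security &amp; Compliance PowerShell. The block below is an added example written for this article, not a Microsoft script; it assumes a tenant named "contoso", a partner domain "partner.example", and that both the SharePoint Online module and the ExchangeOnlineManagement module are installed. It shows the weak defaults first, then the tightened configuration.

```powershell
# Added example, not part of the original article. "contoso" and
# "partner.example" are placeholders.
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# BEFORE: show what the tenant currently allows. A fresh tenant permits
# "Anyone" links that never expire, which is the weak setting to remove.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability,
    DefaultSharingLinkType, DefaultLinkPermission, RequireAnonymousLinksExpireInDays

# AFTER: no "Anyone" links; external recipients must sign in; a newly
# created link defaults to "Specific people" (Direct) with view-only rights.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View

# Belt and braces: if "Anyone" links are ever switched back on, force
# them to expire after 7 days instead of living forever.
Set-SPOTenant -RequireAnonymousLinksExpireInDays 7

# Allow authenticated external sharing only with named partner domains.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example"

# OneDrive may be stricter than SharePoint sites. Here personal OneDrives
# cannot share externally at all, while project sites still can.
Set-SPOTenant -OneDriveSharingCapability Disabled

# DLP: block any OneDrive file containing a credit card number from being
# shared with people outside the organization, and tell the owner why.
Connect-IPPSSession
New-DlpCompliancePolicy -Name "OneDrive - block external card data" `
    -OneDriveLocation All -Mode Enable
New-DlpComplianceRule -Name "Block external sharing of card numbers" `
    -Policy "OneDrive - block external card data" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner
```

Re-run the `Get-SPOTenant` line afterwards to confirm the change took; the sharing settings are tenant-wide, so a single site owner can no longer loosen them from the OneDrive sharing dialog.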
Restrict OneDrive sync client usage
The sync client is a very convenient tool that synchronizes OneDrive folders to multiple devices, making the content available anywhere. But along with this convenience come some troubling security issues.
One such issue is end users synchronizing corporate OneDrive data to computers or mobile devices that the IT department has not approved. A full local copy of your cloud data on an unmanaged device exposes it to theft, leakage and malware, and anything that device writes back is synchronized into the tenant.
To avoid that scenario, restrict the sync client to computers joined to specific domains and prevent particular file types from syncing at all. If you use Microsoft Intune, you can enforce even tighter limitations, such as allowing sync only from managed or compliant devices, which also covers the tablets and phones that never join a domain.
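The domain and file-type restriction described above is a single tenant setting. The following is an added example for this article, not Microsoft's own script; it assumes the SharePoint Online Management Shell, a tenant named "contoso", and that it is run on a domain-joined admin workstation with the ActiveDirectory module so the domain GUID can be read rather than typed.

```powershell
# Added example, not part of the original article. Assumes the
# Microsoft.Online.SharePoint.PowerShell and ActiveDirectory modules;
# "contoso" is a placeholder.

# The GUID of the on-premises AD domain your corporate PCs are joined to.
# Add one GUID per allowed domain, comma-separated, if you have several.
$domainGuid = (Get-ADDomain).ObjectGUID.Guid

Connect-SPOService -Url https://contoso-admin.sharepoint.com

# Only sync clients on machines joined to that domain may sync, Mac
# clients (which cannot be domain-joined this way) are blocked, and
# executable content never reaches endpoints through OneDrive.
Set-SPOTenantSyncClientRestriction -Enable `
    -DomainGuids $domainGuid `
    -BlockMacSync:$true `
    -ExcludedFileExtensions "exe;bat;cmd;ps1;js;vbs;scr"

# Verify: TenantRestrictionEnabled should be True and AllowedDomainList
# should contain the GUID you supplied.
Get-SPOTenantSyncClientRestriction
```

Note the limit of this control: it is evaluated against the on-premises AD domain join, so devices that are only Entra-joined (formerly Azure AD-joined), and all phones and tablets, are not covered by it. Those are the cases the Intune and Conditional Access policies mentioned above exist for.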
To Sum Up
As you may have witnessed, the number of data breaches has grown alongside the spread of cloud adoption among businesses. One reason is that companies treat the cloud as a fully self-sufficient environment, which is only partly true. The cloud, Microsoft services included, operates on a shared responsibility model: the provider secures the platform, while the tenant remains responsible for its own data, identities and configuration. In turn, Microsoft provides the instruments you can customize to make the cloud close to bulletproof.