the essential office 365 security checklistthe essential office 365 security checklist 10 quick...
TRANSCRIPT
The essential Office 365 security checklist10 quick weekly checks to efficiently manageOffice 365 security.
2
From Snowden to WikiLeaks to the NSA, there’s no shortage of buzzwords to remind us about
security every day. Not a week goes by where we don’t hear about mass hackings, credit card
record thefts or major corporate data breaches caused by human error. Just ask Sony, The Home
Depot, JPMorgan, Chase... the list goes on.
It’s an understatement to say that security is the first thing that must come to mind when we think
about business infrastructure. As many as 85% of all U.S. companies experienced one or more data
breaches in 2013.
of all U.S. companies have experienced one or more data breaches.1
That’s a LOT of sensitive data. In 2010, the cost of a data breach averaged at $7.2 million per incident.
And this number doesn’t even include the cost of indirect revenue losses.
Would you want to deal with a company that’s known for its security breaches? Yeah, me neither.
The lost business caused by a lack of trust in an organization can end up costing billions!
Of course, security also comes to mind for companies using SharePoint and Office 365. For most of
us, these platforms are the brain, lungs and heart of our organizations. We want our content to be
secure and well protected.
But what is Office 365 security? How could you state that your environments are secure
(and believe it)? In this guide, we’ve identified the most important Office 365 security actions
that you can put in motion to immediately protect and secure your environments.
2
1 https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosdatasecurityreportwpna.pdf?la=en
3
About Benjamin NiaulinBenjamin Niaulin is an Office Servers and Services
MVP, recognized as one of the Top 25 SharePoint
influencers in 2014 and 2nd for Office 365 in 2015.
Being a Microsoft Certified Trainer since 2008 has
allowed him to become proficient in simplifying complex
technologies, making him an expert in SharePoint &
Office 365 vulgarization. He’s spoken at over 200
conferences around the world.
Follow him on Twitter @bniaulin
About Benjamin Niaulin 3
Chapter one: Establish an inventory of what you have 5
Chapter two: Manage user permissions 7
Chapter three: Manage object permissions 10
Chapter four: Broken inheritance 12
Chapter five: Custom permission levels 14
Chapter six: Edit vs. contribute permission levels 16
Chapter seven: Security auditing 18
Chapter eight: External sharing 20
Chapter nine: The administrator 23
Chapter ten: Mobile devices and synced content 26
Contents
Establish an inventory of what you have
Chapter one
5
FilesObjects
Folders
6
If you don’t know where your data is and who has access to it, how can you secure what you have
in your environments? If you want to properly enforce your security policies and stay compliant,
you’ll need to establish an inventory of what you have. The Microsoft cloud platform is continuously
evolving and empowers people in the organization to create objects and content themselves, so
it’s crucial for you to monitor Office 365 security. Making an inventory of a file share is easy: all you
need to worry about are the folders and files it contains. Office 365, however, encompasses a suite
of objects ranging from SharePoint sites to groups, lists and libraries–plus all the content those
objects contain. You need to know what you have and where you keep it as well as collect additional
information as needed to make better decisions about your content.
Where are your sites? What is their purpose? What templates do they use? Who has access to them?
When’s the last time they were accessed? I could go on for hours–there’s no such thing as too much
information when it comes to your organization’s security. However, you need to be able to use that
information properly.
There are a few different ways to build your Office 365 security
inventory. Trusty PowerShell, in the hands of an admin who’s
comfortable with scripting, is always there to help. You can
use it to build an inventory of your SharePoint sites and,
provided the right cmdlets exist, perform virtually any task
related to SharePoint management. However, in Office 365,
not all the PowerShell cmdlets are available to help you, and
not everyone is comfortable writing these scripts.
6
ShareGate Desktop can help you build not just an inventory, but the right inventory based on what you’re looking to collect. With criteria-based filtering, you can choose what you want to find and collect the results in an Excel spreadsheet.
Manage user permissions
Chapter two
7
88
If I’m given access to information I’m not supposed to have, there’s honestly a good chance I’ll go
look at it anyway. Office 365 user permissions can be difficult to understand if we don’t take the
time to learn how it all works. When first deployed, SharePoint is actually secure, as no one has
access to anything. The fun starts when you grant access to objects.
of all data breaches were caused by human error2
In 2015,
As a general best practice–one that goes back to permissions on file shares–you should never grant
explicit permissions to an individual user. Even if this works, it can cause a lot of problems with your
security in the long run. One of the biggest issues arises when the person to whom access was
granted leaves the company or changes roles and someone else needs to take over.
The powerful search engine in SharePoint, as well as the Office Graph with Delve, can also introduce
a potential for breaches. With file shares, if a user were to be accidentally granted access to something
they didn’t know existed, it would be relatively difficult for them to glean any information about the
object in question. However, today, thanks to content discovery features such as the search engine
and Delve, users automatically have visibility on everything they’ve been granted access to.
8
2 http://www.cybersecuritytrend.com/topics/cyber-security/articles/421821-human-error-to-blame-most-breaches.htm
9
Ideally, users would always be added to SharePoint groups, and permissions would only be applied
to the groups themselves. This keeps user permissions well organized and easily manageable in
theory, but it also means you need to train every user to never click on the Share button and grant
permissions to an individual user. This may be a little difficult.
ShareGate Desktop helps you stay in control while empowering your users to work as efficiently as possible. You can copy permissions and group memberships from one user to another as well as check which permissions a given user has across all your Office 365 SharePoint objects. This way, you can let users click Share and get their work done knowing that when the project is completed or someone changes roles, you’ll have full oversight and control.
Manage object permissions
Chapter three
10
11
Permissions can only be assigned to certain types of objects in SharePoint Online: sites, lists and
libraries, folders, list items and library documents. Though many of us wish it could be done at the
column level or on views, there isn’t the option to do so. One of the difficulties when it comes to
managing Office 365 permissions is the sheer number of objects in your environment. As part of
your governance plan, you’ll have different objects that need to be secured in different ways and
according to different policies in order to maintain compliance. How can we be sure that all HR
tagged documents are secured properly? Unfortunately, it has to be done manually. You can only
imagine, as users author and edit different types of content across Office 365, how chaotic–and,
more to the point, hard to manage–this can get.
The criteria-based search in ShareGate Desktop lets you locate objects based on your organization’s security policies and view almost any information about them, including their permissions. Does everything comply with your governance policies? If not, you can even fix the problem straight from the tool.
Broken inheritance
Chapter four
12
13
Unlike with file shares, in Office 365, when you decide that a child object should have different
permissions than its parent, you need to break the permissions inheritance on it.
Because it’s actually SQL behind the scenes that stores the content, breaking inheritance creates
an impact on how content is stored and retrieved. This then slows your loading performance and
really hurts the user experience.
It also makes it very difficult to figure out who has access to what on a particular object when
inheritance has been broken multiple levels above. Users aren’t typically aware of the impact they
have when they click Share or change permissions. And they shouldn’t need to be–enforcing
permissions should never hinder the usability or performance of a platform.
ShareGate Desktop can show you where permission inheritance is broken in SharePoint and who has access to that particular location. It also gives you the option of inheriting the permission back form the parent. The tool’s built-in reporting capabilities let you easily locate all objects of a given type whose permissions have been changed.
One way to solve this type of issue is to restrict who can change permissions (and thereby break
inheritance). In the past, our governance plan even banned breaking inheritance on anything other
than sites. However, this isn’t always easy to maintain and enforce without having to resort to some
sort of custom development.
14
Custom permission levels
Chapter five
14
15
Creating new and custom permission levels in SharePoint Online is inevitable. Frankly, I wouldn’t do
it any other way. Not every SharePoint is the same, and needs are different from one organization
to the next. Permission levels are granted to a user or group for a specific object. For example, you
could either give Nathalie Full Control permissions to your site, or limit her access to viewing or
editing specific lists and libraries. The few permission levels that are automatically created aren’t
always enough. In many cases, I’ve created a new one similar to Full Control without the right to
create subsites. Essentially, depending on what you need to accomplish, you can create custom
Office 365 permission levels to give the right access to the right people. Although this can be very
useful in making sure too much isn’t granted to users who need only minimal access to an object,
it can also be dangerous. For one, who has the rights to create or edit these permission levels? If
you edit an existing permission level, do you know how many people or objects will be affected, and
how? A single checkbox could be the difference between people being allowed to download a local
copy or not.
As a general rule, don’t directly modify existing permission levels in Office 365 sites. Instead, copy
them and edit the copy to isolate the original and minimize the impact of the operation on existing
automatically created SharePoint objects.
With ShareGate Desktop, you can validate access based on permission levels or use them to create reports to run on your environment. Whether it’s to find everyone, a group or a specific user with Full Control, you’ll be able to stay on top and in control of your Office 365.
Edit vs. contributepermission levels
Chapter six
16
EditContribute
17
This came as a subtle surprise to me when I dove into it. As mentioned above, permission levels
are rights that you grant a user or group to access an object. If you’re used to a previous version of
SharePoint or simply migrating from it, this change may come as a surprise to you as well. When you
create a site in SharePoint, several groups are automatically created and granted access to the site.
One of these groups, Members, was always awarded the Contribute permission level in past versions
of SharePoint. This allowed people within the group to add, modify, and delete content within lists
and libraries. Since SharePoint 2013 and in Office 365, however, Members groups are granted Edit
permissions by default. This is an entirely new permission level that also allows users and groups to
create, change, and delete lists and libraries. This huge shift in power can have immense impact on
your security, especially if you’re migrating or operating on the assumption that things are the same
as they were in the past.
The first step towards mitigating this issue is being aware of its existence. There are a few solutions,
or perhaps workarounds, that can help you ensure users have the right permissions on your objects.
Of course, you can simply delete the Edit permission level. Though not ideal, it definitely solves the
issue. Another way would be to make sure that when sites are created, the Members group has its
permissions changed from Edit to Contribute.
17
With ShareGate Desktop, you can identify any objects that have been granted Edit permissions and make the switch to Contribute if required. This applies to both groups and actual objects to which permissions have already been granted.
18
Security auditing
Chapter seven
18
19
Who accessed this file in the last few days? Not everyone is aware that Office 365 comes with built-
in audit reports that you can run on whichever type of content you wish to audit. Want to know who
viewed a file or deleted an item in your document library? Well now you definitely can.
Office 365 security audits are vital in keeping your environment secure. They allow you to confirm
the existence of ongoing security breaches and take action to stop them. A lot of these breaches
actually stem from people sharing the data they have access to, whether maliciously or mistakenly.
One thing you should know is that due to its significant performance requirements, the audit feature
is disabled by default. This means that if you haven’t enabled it and decide to view the reports
because of a possible breach or simply to inspect, it will be too late. This site collection feature also
needs to be granularly configured for each list and even for each content type.
There aren’t a million ways to get around this; you just need to enable the feature and configure it
where needed. But don’t go audit-crazy either–the sheer volume of information generated by the
reports can really slow down your users’ experience with the platform.
19
However, making sure it’s turned on and properly configured for every single site collection can be a tedious, error-prone process. With ShareGate Desktop, you can make sure Office 365 and SharePoint security audits are enabled where you need them to be and manage them in bulk.
20
External sharing
Chapter eight
20
21
Office 365 introduced the concept of external users to allow content sharing with people outside of
your organization. It’s a highly useful feature, as working with external users is almost a necessity
nowadays. However, it introduces a serious potential security threat if not properly monitored.
Where are these Office 365 external users and what do they have access to, especially months after
they no longer need that access anymore?
employees use cloud apps to share sensitive corporate data outside of the four walls of the organization. 3
The way it all works can be confusing to users, which opens the door to mistakes. When you share
an object with an external user, the email address they provide isn’t necessarily the one that the
access will be granted to; they still need an Office 365 or Microsoft Live account to access the
information. Make sure to read and understand the Definitive guide to Office 365 external sharing
to understand how it works and the impact it has on your own Office 365’s security.
There are multiple perspectives to consider when managing external sharing in Office 365. Which
external users currently have access to your environment? What’s being shared with a given external
user? Which externally shared documents haven’t been accessed in X amount of time?
3 http://www.sailpoint.com/blog/2014/12/2014marketpulsesurvey/
22
ShareGate Desktop gives you that level of control in just a few clicks. Build your own reports using “external user” and “externally shared content” as criteria. You can also run pre-built actions to quickly gain insight on what’s being shared so you can act accordingly.
Though there are basic methods at your disposal for managing external sharing in Office 365, there
isn’t any way to provide actual guidance to ensure complete control of your entire tenant.
23
The administrator
Chapter nine
23
24
Top 5 passwords of
2017 4
1. 1234562. password3. 123456784. qwerty5. 12345
4 http://fortune.com/2017/12/19/the-25-most-used-hackable-passwords-2017-star-wars-freedom/
Let’s talk about the administrator for a second–the person who has all the power in your Office 365
environment. That person may very well be you, and you may not want to listen to what I’m about
to say. But I’m sure you’ll agree with me on this: the admin’s role can be a dangerous one when it
comes to matters of security.
While Office 365 admins don’t necessarily have instant access to all created sites and
user-owned OneDrives, they can grant themselves that level of power by enabling and disabling
whichever features they want without leaving a trace. How can you tell what a given admin
account has access to?
In some security breaches, it was the administrator account’s credentials that enabled hackers to
access and steal the information they wanted. You administrator credentials can be stolen and used
to erase any indication that the theft has happened.
The Administrator role is potentially the biggest threat to your Office 365 security.
25
Have you considered using multi-factor authentication to verify the identity of everyone who tries
to access your admin account? Enabling this feature in Office 365 adds an extra layer of security to
every sign-in attempt by sending a unique code to the phone number on record for the administrator
and only granting access if the correct code is entered.
To further reduce security risks, you can also avoid using the admin account altogether. Most
companies have an administrator account that no one uses unless it’s absolutely necessary to
accomplish a certain task. Otherwise, they use their regular account on a daily basis.
ShareGate Desktop lets you build and run reports that inspect and validate what’s shared with administrators and how. You can also take action in bulk to remove permissions if needed according to a criteria-based search.
25
26
Mobile devices and synced content
Chapter ten
26
27
Considering Microsoft’s clear “cloud-first, mobile-first” messaging, we’re inevitably going to see
more and more users access their content from mobile devices. This presents a challenge from a
security perspective since we don’t always have full control over these devices.
About 12,000 laptops are lost every week at U.S. airports alone, or approximately one every 50 seconds.5
Office 365 also introduced the ability to sync offline content with OneDrive for Business, making
it even more difficult to enforce security policies. Combine that with the anytime, anywhere
access that mobile devices enable, and you have yourself a recipe for sleepless nights worrying
about security.
Of course, these features are very important for the organization to be flexible and keep up with the
demands of our workforce today. It allows us to stay competitive, and turning it off globally is out
of the question.
5 https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosdatasecurityreportwpna.pdf?la=en
28
There are simple ways to mitigate the risks, such as training users on how to use OneDrive for
Business and how to properly access content from their mobile devices. Mandatory password
protection for all mobile devices can go a long way to help prevent breaches. Microsoft Intune will
also continue to play a big part in securing company devices.
IRM, or information rights management, is already available for Office 365 and allows you to add
an additional layer of security at the document level. For example, it can allow you to prevent
users from printing documents or forwarding emails from their mobile devices. IRM-protected
documents also work if synced with OneDrive for Business, making this a great solution for
enforcing security policies.
ShareGate Desktop can help by showing you which of your Office 365 document libraries have offline syncing enabled and allowing you to manage this setting in bulk. Although offline access in OneDrive for Business can be a very helpful feature, you might want to disable it in certain locations, such as HR libraries containing sensitive employee information.
29
Establish an inventory of all your Office 365 content, including sites, groups, lists and libraries
Verify and manage all user permissions in Office 365
Manage object permissions in your environment and ensure they are compliant with governance policies
Verify and manage broken inheritance
Create custom permission levels for individual users
When sites are created, ensure that permissions for Members groups are changed from Edit to Contribute
Run audit reports regularly
Verify and manage external sharing
Ensure administrator credentials are only given to trusted individuals
Here’s a printable checklist of everything we covered.
Every business will eventually move to the cloud and adapt to it. That’s a fact. ShareGate helps with that. Our products help IT professionals worldwide migrate their business to the cloud, increase cloud adoption while reducing sprawl, and control cloud costs.
sharegate.com