Security Best Practices When Migrating On-Prem SharePoint to Office 365

By on Nov 16, 2015

Many companies are still figuring out how they will migrate their sprawling on-premises SharePoint environments to SharePoint Online, Microsoft’s Office 365 equivalent. Even when the content is successfully migrated, these projects can end in disaster if companies fail to apply proper security, compliance, and governance controls to sensitive data. While Microsoft has made significant investments in the security of the Office 365 platform, under a shared responsibility model it’s up to the customer to monitor and prevent high-risk user activity within these applications.

Enterprises using SharePoint Online can end up with hundreds or even thousands of site collections accessed by employees worldwide. Compared with on-premises versions of SharePoint, it’s even easier to provide access to data in SharePoint Online to people outside the company, such as customers, suppliers, or business partners. Not all of the data in SharePoint Online should be shared. McAfee’s (formerly Skyhigh Networks) analysis of over 30 million users across over 600 enterprises that use McAfee CASB, found that 17.4% of documents in OneDrive and SharePoint Online contain sensitive health, personal, payment, or confidential corporate data.


Whether you’ve migrated to SharePoint Online, are considering migrating, or are somewhere in between, we’ve compiled seven lessons from successful and failed SharePoint Online projects to help you in your journey to the cloud.

1. Understand where sensitive data is stored and who has access

In the average SharePoint Online deployment, 17.4% of documents contain sensitive data. Broken down by data type, 9.2% contain confidential data, 4.2% contain personal data, 2.2% contain health data, and 1.8% contain payment data. Based on their role at the company, some users should not have access to this information. If sensitive data is stored in certain site collections, it may be more broadly accessible than you’d like it to be. Moreover, some of this data shouldn’t be uploaded to the cloud at all. McAfee found that the average company has a shocking 143 files stored in OneDrive that contain the word “password” in the filename.

2. Audit what sites and data are shared externally and with whom

One of the benefits of Office 365 is the inter-company collaboration it enables. In fact, the average enterprise using Office 365 collaborates with 72 business partners on Office 365, more than any other collaboration platform. Not all of these business partners should have access to sensitive data. While it’s well known that the Target data breach exposed 40 million customer credit cards and ended with the company’s CIO and CEO resigning, what’s less well known is that the breach was caused by a trusted digital connection to a business partner who was compromised.

3. Extend information rights management (IRM) to SharePoint Online

Many companies enforce IRM policies for data in their on-premises SharePoint deployments but are hesitant to apply these policies to data in the cloud. The reason is that they don’t want to host their encryption keys in the cloud or require users to install client software to open every file downloaded from SharePoint. A better approach is to apply IRM policies only to sensitive files as they are downloaded from SharePoint Online, using encryption keys stored on premises. To do this, companies are using cloud access security broker (CASB) solutions to bridge the gap between SharePoint Online and their on-premises Rights Management Server.

4. Analyze user activity for signs of malicious or negligent behavior

Microsoft makes all events users perform in Office 365 available via a Management Activity API. The API exposes 162 event types. It would be impossible to review these events manually for potentially high-risk activity, such as an employee taking large amounts of data before leaving to join a competitor. Instead, the raw events can be fed into security tools that use machine learning to identify anomalous activity against a background of millions of routine events that make up everyday cloud usage at an enterprise today.

5. Enforce access policies based on the user’s device and location

The workforce is increasingly mobile, and Office 365 enables users to access collaboration tools from anywhere in the world. However, there are situations that could expose corporate data to risk. Consider an employee accessing SharePoint Online from Starbucks using an unmanaged device. If the employee turns around for a brief moment, the laptop could be stolen with corporate data on it. Since the laptop is unmanaged, the company has no way of remotely wiping its contents. In this situation, you may want to restrict download permissions while still allowing the employee to preview items in Office 365 online.

6. Identify when user accounts have been compromised

Our research shows that 76.3% of enterprises experience at least one incident each month where a third party gains access to a corporate cloud account via a stolen or guessed password. The average company experiences 5.1 incidents each month. Using the same Activity Monitoring APIs mentioned above, third-party security solutions can identify unusual login attempts, such as a user who normally logs in from Cleveland logging in from an untrusted location such as Ukraine, consecutive logins to an account across a geographic distance and time frame that implies impossible travel, or multiple brute-force login attempts.
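The two detections named above (impossible travel and brute-force login attempts) as an added illustration, not code from the original post or from any McAfee product. It runs over constructed sign-in records whose shape is a simplification of an audit event; the speed ceiling, failure threshold and window are assumed tuning values.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real tenant data), simplified from the
# fields an audit record carries; IP-to-coordinate lookup is assumed done upstream.
EVENTS = [
    {"user": "alice", "time": "2015-11-16T09:00:00", "ip": "203.0.113.10", "lat": 41.50, "lon": -81.69, "ok": True},  # Cleveland
    {"user": "alice", "time": "2015-11-16T10:30:00", "ip": "198.51.100.7", "lat": 50.45, "lon": 30.52, "ok": True},   # Kyiv, 90 min later
] + [  # bob: six failed sign-ins from one address, one per minute
    {"user": "bob", "time": f"2015-11-16T11:0{m}:00", "ip": "192.0.2.5", "lat": 41.50, "lon": -81.69, "ok": False}
    for m in range(6)
]

MAX_SPEED_KMH = 1000.0                      # assumed ceiling, above any airliner's cruise speed
BRUTE_FORCE_THRESHOLD = 5                   # assumed tuning values, not Microsoft's
BRUTE_FORCE_WINDOW = timedelta(minutes=10)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events):
    """Flag consecutive successful sign-ins whose implied travel speed is unreachable."""
    alerts, by_user = [], defaultdict(list)
    for e in (e for e in events if e["ok"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            hours = (datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km > 0 and (hours == 0 or km / hours > MAX_SPEED_KMH):  # any distance in zero time is impossible
                alerts.append((user, prev["ip"], cur["ip"], round(km)))
    return alerts

def brute_force(events):
    """Flag users with BRUTE_FORCE_THRESHOLD failed sign-ins inside one sliding window."""
    alerts, recent = set(), defaultdict(list)
    for e in sorted((e for e in events if not e["ok"]), key=lambda e: e["time"]):
        t, window = datetime.fromisoformat(e["time"]), recent[e["user"]]
        window.append(t)
        while t - window[0] > BRUTE_FORCE_WINDOW:  # expire failures older than the window
            window.pop(0)
        if len(window) >= BRUTE_FORCE_THRESHOLD:
            alerts.add(e["user"])
    return sorted(alerts)
```

In production the thresholds would be tuned per tenant, and VPN egress points and shared NAT addresses need allow-listing to keep the travel check from firing on legitimate users.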

7. Stop administrators from accessing excessive amounts of data

Edward Snowden is perhaps the most infamous example of a rogue administrator using their privileged role to exfiltrate data, but a more common occurrence is an administrator accessing sensitive corporate data in order to perform insider trading. That’s why it’s critical to audit administrator activity and permissions to ensure they do not excessively access sensitive data outside of policy or their role at the company. Dormant administrator accounts belonging to former employees can also be closed to reduce the risk of account compromise.

SharePoint Online offers numerous benefits. One critical element of a successful migration to the cloud is ensuring that the company continues to meet its security, compliance, and governance requirements. By planning for security as part of a SharePoint Online project, you can put in place controls that ensure your company receives the full benefit of the cloud without putting your sensitive data at risk.

About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.
