Security in Obscurity

A thought by Jeff Stein

Securing Microsoft O365: SharePoint Online (Part 3)

This thought focuses on securing the Microsoft O365 SharePoint Online service, May 2020

There are a number of services at your fingertips when leveraging Microsoft O365. From a collaboration standpoint, SharePoint Online will afford you the ability to work with both internal and external partners. When considering whether to leverage the service, hardening it will be key to ensuring the product can be used properly while reducing security risk. This thought is part of a multi-part series on securing Microsoft O365 including:

Accessing Services
Exchange Online
SharePoint Online

SharePoint Online

The SharePoint Online (SPO) service provides the feature set not only for SharePoint in your Office 365 tenant but also for OneDrive, which is built on top of it. So whether you want to collaborate in an SPO site or share documents from OneDrive, hardening the SharePoint Online service will be a must.

Access Control

Access control is configured in SharePoint Online; however, any conditional access policy you have configured will take precedence over it. You can configure access into the SPO service in a few different ways. You can:

1. Allow full admin access
2. Allow limited, web-only access
3. Block access

It should also be noted that the ability to block downloading files from SharePoint or OneDrive is only an option when using SPO with Cloud App Security.

Sharing

There are a number of sharing options available in your SPO tenant. Sharing can be set to either implicit or explicit. By default, sharing is set to be explicit only for both your internal and external users. Additionally, you can limit who is allowed to share content from your SPO service.

You can share outside your organization by allowing users to invite and share with authenticated external users. If you allow external sharing, any member of your organization will be able to share with any authenticated external user, and the default permission set will apply when sharing. By default these settings apply across all site collections (a site collection being a group of related SharePoint sites or subsites), but you can modify the settings for each individual site in your tenant.
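The access control options and the sharing settings described above can both be set at the tenant level, and the sharing setting can be tightened per site. The following is an added example using the SharePoint Online Management Shell; it is not from the original post. The tenant name "contoso", the "Finance" site and the "partner.example" domain are placeholders, and the script assumes the caller holds the SharePoint administrator role and has the Microsoft.Online.SharePoint.PowerShell module installed.

```powershell
# Added example (not part of the original post). Placeholders: tenant "contoso",
# site "Finance", partner domain "partner.example".
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Access control: the three options (full access, limited web-only access, block)
# correspond to the values AllowFullAccess, AllowLimitedAccess and BlockAccess.
# This setting only takes effect for sessions that an Azure AD conditional access
# policy marks with "app enforced restrictions" (unmanaged devices, for example).
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Sharing: authenticated external users only (no anonymous links), default links
# scoped to people inside the organization, no re-sharing by external users, and
# the invited account must be the one that accepts the invitation.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -PreventExternalUsersFromResharing $true `
              -RequireAcceptingAccountMatchInvitedAccount $true

# Limit external sharing to an allow-list of partner domains.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example"

# Per-site override: a site can be equal to or more restrictive than the tenant,
# never more permissive. Here the Finance site disables external sharing entirely.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" `
            -SharingCapability Disabled

# Review the effective tenant settings after the change.
Get-SPOTenant | Select-Object ConditionalAccessPolicy, SharingCapability,
    DefaultSharingLinkType, PreventExternalUsersFromResharing,
    SharingDomainRestrictionMode, SharingAllowedDomainList
```

Run the final `Get-SPOTenant` line on its own before making changes to record the current state; the same command afterwards confirms the new values, which is useful evidence when the configuration is reviewed later.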

Permissions

Permissions across the service can be set directly using SharePoint groups. You can then configure permissions of those groups to ensure proper access is granted to a site or document.

IRM

Information Rights Management (IRM) allows you to control how your document contents are used once they are shared and downloaded by either internal or external parties. You can think of this feature set as similar to DRM. You enable IRM at the SPO tenant level; however, the configuration of IRM is done at the library level. IRM is backed by Azure Rights Management (ARM), which can help you set policies in O365 to encrypt and authorize files.

To take advantage of IRM you will configure an IRM policy and permission descriptions. Then determine whether files that do not support IRM can be uploaded into SPO, and what limits you want to place on the file, such as preventing printing or sharing. Finally you will set the required authentication for access to the policy.

An example of a default setup for IRM policies can be:

1. Restrict permissions on the library to download
2. Do not allow users to upload documents that do not support IRM
3. Block viewers from:
   a. Printing
   b. Running scripts and screen readers
4. Copy downloaded documents

Data Classification

Data Classifications can be configured in SPO using Azure Information Protection (AIP). This O365 solution is available starting at the E3 level and allows for the creation of classification labels and policies. You can then take those labels and apply them to documents manually which will result in access controls being applied at the file level. Even if the file is downloaded from SPO or OneDrive and leaves the direct control of your O365 tenant the AIP protections follow the document for its full lifecycle to ensure the file stays protected.

Data Loss Prevention

Data Loss Prevention (DLP) is available in a number of O365 services including SharePoint Online. You can create policies based on a number of sensitive data types that Microsoft can apply to your data, such as those for GDPR, GLBA or HIPAA. Policies are applied by site collection, but you can also apply the policies to a full site. It is important to know that the lowest level of granularity available is the site level; policies therefore cannot be applied at the file level. When content is flagged that matches the sensitive data type configured in the DLP policy (the condition), O365 will then take action based upon the policy you have configured. Action options are to restrict access, block sharing of content and notify users of violations.
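The condition-and-action model above maps directly onto the Security & Compliance PowerShell cmdlets: a policy names the SharePoint locations (sites) it covers, and a rule attached to the policy names the sensitive information types to match and the actions to take. The following is an added example and is not from the original post. The policy and rule names, the "contoso" tenant and the site URLs are placeholders; the script assumes the caller has a compliance role and the ExchangeOnlineManagement module installed. The two sensitive information types used are built-in Microsoft types.

```powershell
# Added example (not part of the original post). Placeholders: tenant "contoso",
# sites "Finance" and "HR", policy name "SPO-Financial-Data".
Connect-IPPSSession

# Scope: a list of SharePoint site collections. The site is the lowest level of
# granularity, so there is no way to scope the policy to individual files.
$sites = @(
    "https://contoso.sharepoint.com/sites/Finance",
    "https://contoso.sharepoint.com/sites/HR"
)

# Start in test mode with notifications so matches are visible (and users are
# told) before any content is actually blocked.
New-DlpCompliancePolicy -Name "SPO-Financial-Data" `
    -SharePointLocation $sites `
    -Mode TestWithNotifications `
    -Comment "Detect financial identifiers in SharePoint Online content"

# Condition: built-in sensitive information types that must appear at least once.
# Actions: block access for people outside the organization, notify the document
# owner and the last person who modified it, and raise a high-severity incident
# report to the site admin.
New-DlpComplianceRule -Name "SPO-Financial-Data-Block" `
    -Policy "SPO-Financial-Data" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number";        minCount = "1" },
        @{ Name = "U.S. Bank Account Number";  minCount = "1" }
    ) `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -NotifyUser "Owner", "LastModifier" `
    -GenerateIncidentReport "SiteAdmin" `
    -ReportSeverityLevel High

# Review the rule, then switch the policy from test mode to enforcement once the
# match volume and false-positive rate are acceptable.
Get-DlpComplianceRule -Policy "SPO-Financial-Data" |
    Format-List Name, BlockAccess, BlockAccessScope, NotifyUser
Set-DlpCompliancePolicy -Identity "SPO-Financial-Data" -Mode Enable
```

`-BlockAccessScope PerUser` blocks only users outside the organization (the "restrict access" action above) while leaving internal collaborators unaffected; `All` would block everyone except the owner, last modifier and site admin. Leaving a new policy in `TestWithNotifications` for a period before enabling it is what keeps a broadly scoped sensitive type from locking legitimate users out of a whole site.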

---

To ensure your organization is effectively using SharePoint Online and OneDrive, security hardening measures should be taken. These measures will enable you to more securely collaborate and share your data both internally and externally to your organization. Security control options range from access control to the management and classification of data, so that you can protect it from data loss.
