The Challenges of Securing Data in Office 365 and SharePoint
Every business has its own reasons for migrating to the cloud. Sometimes, it’s easy to forget that goal when you get bogged down in the transition, but it’s important to keep it in mind along the way or the benefits might get compromised or lost as you tackle individual projects. Businesses want to focus on things that drive their bottom line rather than maintaining servers and learning about new technologies that aren’t in their areas of strength.
Users are demanding new technologies and flexibility, which is in direct conflict with data security concepts. Employees and partners want to do their jobs more effectively and collaboratively, and they will encourage the business to keep up. If the IT group doesn’t keep up, employees will adopt them on their own, which pokes holes in corporate security and usually costs more in the long run.
So, it’s a balancing act, and every business will find a different sweet spot between too much security and too much flexibility. The trick in developing the data security policies for your company is to discover that place where employees can collaborate without excessive risk, but also to limit certain behaviors when necessary.
Traditional DLP in SharePoint doesn’t work in the cloud
Traditional approaches to data loss prevention look at data security as a perimeter problem. Businesses have spent so much time building user permissions and access on the corporate SharePoint libraries, and it’s tempting to just apply that to the same approach when moving data to the cloud. The files inherit the security settings of the library or folder, which lets people collaborate as a team on an entire collection of data. If you’re concerned about security, just encrypt them at rest and that should be OK, right?
That might work if it were just the data moving to the cloud, but remember that balance of security and flexibility? Users are now able to access that data from many different cloud services, devices and locations. This is the problem. If you try to secure the use of data through an additional application on the client device, then you have to manage those devices and you have to train your users in how to use those secure applications.
When all of this becomes too restrictive, the users will find ways to bypass your security. They’ll email the file to their contractor or move a bunch of files to Dropbox. Or they’ll store the file on their device that they lose somewhere.
Data cannot be separated from user services
Here is why users and data simply cannot be separated anymore. Let’s take email as an example.
Usually, businesses start by developing plans to migrate the company to Office 365 applications and services. The first thing most companies will do is identify which services should move to Office 365, and the easiest application to start with is Exchange Online because it has the least impact to users and it works well in hybrid environments. Almost any next step has a larger impact on the end users and how they do their jobs. Consequently, most businesses start with the applications, specifically Exchange email.
That’s good, but how do you make sure they’re behaving securely if everyone can now access their email and data through the cloud from any device? Do you allow them to use their own devices that are not managed by your company? Forrester Research conducted their Technographics study earlier this year and said, quote: “Every company we spoke with for this report said they are planning to offer BYOD to more employees across the globe.” This is because one of the reasons for migrating is to enable a more flexible and mobile workforce. You want to enable collaboration. Combine this expectation of unmanaged mobile devices with online applications, such as those in Office 365, it’s easy to access data from anywhere. If a business attempts to prevent that easy access by securing each and every user, device, and file, two things happen.
Users find ways to bypass that security because it’s in their way, and administration of that complexity is costly and time consuming. Forrester Research backs this up: In the same Technographics report, Forrester says, “Employee productivity is dependent on access to CRM, collaboration, ERP, and other business apps. If employees can’t securely access what they need to do their jobs, they’ll find an alternative (and likely less secure) method to do so.”
The alternative is restricting users to managed devices and disabling access to email and applications through a browser. But… why were you moving to the cloud again?
Data protection in the cloud
That brings us to the data.
Separating the data from the application changes the problem from data protection to user access. The first step along this path is to classify, locate, and protect all of your data based on compliance with regulations that affect your business such as HIPPA, privacy laws, personal identifiers, etc. Migrate it to the cloud according to the policies your business requires. Evolve the technical strategies and processes as you identify new use cases and employee demands, but do not waver on your data security policy. Data migration can be an enormous task, which is why businesses generally separate it out and let it follow its own schedule.
It’s also why businesses expect to remain in a hybrid environment for some time, leveraging the integration of SharePoint 2016 on premises with Office 365. This means that there is a high probability that your data will reside in some combination of on premises and cloud storage possibly for years to come. You need to determine what type of content your business can permit to be moved to the cloud and if that policy is dependent on the tenancy of the cloud storage. Can one type of data reside in one country but not another? Maybe that doesn’t matter to you. Maybe you want more data on cloud security before you migrate your most sensitive files over there, but for other data, you want to give your users the collaborative capabilities cloud storage can offer.
Regardless of where your data is residing, you need your employees to behave properly and still work efficiently and collaboratively. You will need to balance device security with user flexibility, and every business will have a different sweet spot where users are mobile enough and data is secure enough. To do this, you will need to identify all of the different access routes your users can leverage to use the data. Some will simply be too risky for you, but other methods are necessary to enable your employees to respond better to customers, team members, and third party contractors.
You will also need to identify both the healthy collaboration methods as well as the risky behaviors that should be prevented. Your policy needs to answer questions such as:
- How should users share information?
- How should they behave when they take data outside of your company to work remotely?
- What happens if a device is lost or stolen?
- What data should be permitted to leave the company?
- When it leaves the company, what should happen to that data?
Fundamentally, how are you going to educate your users on how to use these new applications securely? Does data security really come down to user education? Or is there a way to automatically enforce the security policy?
If you want answers, watch our latest webinar where we discuss securing data on premises, on line, and anywhere in between. Get it now.
Want to learn more? Meet us we will be demonstrating our Microsoft solutions next week at the Microsoft Ignite conference (Booth 2030).