Best of 2018: Microsoft OneDrive: The Good, the Bad, and the Ugly
As we close out 2018, we at Security Boulevard wanted to highlight the five most popular articles of the year. Following is the second in our weeklong series of the Best of 2018.
By offering OneDrive for Business to Office 365 subscribers for free, Microsoft creates a compelling and sticky offer. Each OneDrive user receives a terabyte of free storage space, and the platform’s tight integration with Office and Outlook makes content creation and file sharing simple.
OneDrive, however, fails to provide IT with adequate visibility into the files users access and share. This limitation hinders an organization’s ability to oversee and control its content, including knowing who’s accessing sensitive information and with whom they’re sharing it.
Visibility into an organization’s file activity is imperative for governance and demonstrating compliance with the myriad laws and regulations designed to protect customer, patient or citizen privacy, such as the EU’s General Data Protection Regulation (GDPR), HIPAA and the new California Consumer Privacy Act. Organizations put records containing personally identifiable information (PII) at risk of unauthorized access when they store this data in the cloud or share it with partners beyond the enterprise firewall.
Ultimately, IT must ensure secure file sharing and governance without creating obstacles for employees using OneDrive. But if CISOs don’t know what’s happening in OneDrive, they’re hesitant to let employees use it.
Do not confuse security with compliance. OneDrive has key security features, including data encryption of files in transit and at rest, and two-factor authentication. This is good. But while Office 365 offers an additional security layer (i.e., data encryption), these features alone don’t ensure your data is handled by or shared with only authorized users. This is bad. And, if CISOs lack visibility into file activity, the data is hardly secure. This is ugly.
To condemn Microsoft is to miss the point. Microsoft makes great products that significantly enhance a person’s ability to get work done. While Microsoft takes security and compliance seriously, the primary focus is on productivity.
Like other public cloud storage platforms, OneDrive lacks key controls that prevent users from uploading sensitive data and sharing it externally. Recent research by McAfee’s Skyhigh Networks highlight the risk this limitation presents:
- Two percent of documents in file sharing services shared externally contain sensitive data.
- Of all shared files, 12.9 percent are accessible by everyone in the organization.
- The average company stores 6,097 files with “salary” in the file name, and 1,156 files with “password” in the file name.
Cloud platforms such as OneDrive provide efficient data storage, accessible to anyone with an internet connection. Ironically, this accessibility is OneDrive’s biggest disadvantage. Without the proper security and compliance controls, which includes knowing who’s accessing and sharing data in OneDrive, that data is available to literally anyone with an internet connection. As a result, months may pass before an organization realizes its data has been compromised.
While it is possible for O365 administrators to determine how users share files stored in OneDrive outside the organization, it entails a cumbersome, multi-step process that requires collecting audit log data, filtering by specific parameters and exporting the results to a CSV file for analysis. Some CISOs may decide to forbid employees from sharing files in OneDrive. Not only is that both draconian and wasteful, since OneDrive is included in O365, it serves to chase employees into the proverbial arms of insecure shadow IT products such as Dropbox or Google Drive.
Instead, organizations must look at complementary solutions that provide critical compliance capabilities. A secure file sharing and governance platform that integrates with OneDrive and other cloud-based repositories to monitor, scan and log the files entering and leaving the organization while allowing users to get their work done provides great value for CISOs. To strike this balance, a secure file sharing and governance platform must provide:
- Visibility: A detailed view into who is sending what to whom, when and where provides critical transparency into what information is leaving the organization and whether or not the activity is authorized. CISOs also use this information to spot anomalies in volume, location, domain, user, source and scan results.
- Logging and Reporting: By capturing all file activity, CISOs and their security teams drill down to the actionable details, including users, timestamps, and IP addresses so they make decisions based on facts, not hunches. This information must be logged, auditable and reportable to enable compliance.
- Granular access permissions: Exercise complete control over who can access sensitive content. Create authenticated view-only permissions or view with a watermark for less-trusted external recipients and download or edit privileges for more-trusted users. Also, set expiration dates to prevent access to data once a project is complete.
- Integration with security infrastructure: Leverage existing investments in advanced threat prevention (ATP) and data loss prevention (DLP) to ensure all incoming files are scanned for zero-day attacks and outgoing files are scanned for sensitive data. Also, ensure all file activity is logged and stored in the organization’s SIEM solution for advanced analysis.
- Centralized administrative controls: Assign the right file access privileges to the right user by setting policies in role-based user profiles, delegating file access to trusted users, and restricting external user capabilities to minimize security risks. Administrators also manage storage capacity and folder ownership and apply all these and other granular policies to all devices.
OneDrive isn’t going anywhere. Rather than prevent employees from using it, CISOs are better served making OneDrive safer and more compliant with their internal policies and external regulations. With the proper governance controls applied to OneDrive, CISOs now have this option.
— Bob Ertl
