The Essential Office 365 Security Checklist: 10 quick security checks to do on a weekly basis for an efficient Office 365 security. An eBook by Sharegate

The Essential Office 365 Security Checklist · Sharegate · 2020-03-25 · 10 quick security checks to do on a weekly basis for an efficient Office 365 security. ... you'll need


The Essential Office 365 Security Checklist

10 quick security checks to do on a weekly basis for an efficient Office 365 security.

An eBook by Sharegate


Snowden, WikiLeaks, NSA: buzzwords that remind us of security every day. Not a week passes by where we don't hear about individuals being hacked, millions of credit card records being stolen, or a big corporation facing a major security breach because of a human error. Just ask Sony, The Home Depot, Target, JPMorgan Chase... the list goes on, and on.

It's an understatement to say that security is the first thing that must come to mind when we think about business infrastructure. As many as 85% of all U.S. companies have experienced one or more data breaches in 2013.

That's a LOT of sensitive data. In 2010, the cost of a data breach averaged at $7.2 million per incident. And this number doesn't even include the cost of indirect revenue losses. Would you want to deal with a company that you knew were champions of security breaches? Yeah, me neither. The loss of business because of trust issues in a company can cost billions!

Of course, security also comes to mind for companies using SharePoint and Office 365. For most of us, these platforms are the brain, lungs & heart of our companies. We want our content to be secure and well protected.

But what is Office 365 Security? How could you state that your environments are secure (and believe it)? In this guide, we've identified the most important Office 365 security actions that you can put in motion to immediately protect and secure your environments.

ABOUT THE AUTHOR Benjamin Niaulin is an Office Servers and Services MVP, recognized as one of the Top 25 SharePoint influencers in 2014 and 2nd for Office 365 in 2015. Being a Microsoft Certified Trainer since 2008 has allowed him to become proficient in simplifying complex technologies, making him an expert in SharePoint & Office 365 vulgarization. He's spoken at over 200 conferences around the world.

85% of all U.S. companies have experienced one or more data breaches.1

1- https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosdatasecurityreportwpna.pdf?la=en


Table of Contents

Chapter One: Establish an Inventory of What You Have

Chapter Two: Manage User Permissions

Chapter Three: Manage Object Permissions

Chapter Four: Broken Inheritance

Chapter Five: Custom Permission Levels

Chapter Six: Edit vs. Contribute Permission Levels

Chapter Seven: Security Auditing

Chapter Eight: External Sharing

Chapter Nine: The Administrator

Chapter Ten: Mobile Devices and Sync’ed Content


CHAPTER ONE

Establish an Inventory of What You Have


If you don't know where your data is and who has access to it, how can you secure what you have in your environments? If you want to properly enforce your security policies and stay compliant, you'll need to establish an inventory of what you have. The Microsoft cloud platform is continuously evolving and empowers people in the organization to create objects and content themselves, so it's crucial for you to monitor Office 365 security.

It's easier to make an inventory of a file share: all we have to worry about is Folders and the Files within. Office 365, however, is a suite of objects, from SharePoint Sites to Groups as well as Lists and Libraries with different kinds of content in each. You need to know what you have and where you keep it, as well as collect additional information to make better decisions about it.

Where are your Sites? What are they? What templates do they use? Who has access to them? When is the last time someone accessed them? I could go on for hours; there is no such thing as too much information when it comes to your organization's security. However, you need to use it properly.

There are a few ways you can build this inventory in order to tackle your Office 365 security. The admin's trusty PowerShell, if he or she is comfortable with writing scripts, is always there to help. You can build an inventory of your SharePoint sites and, if the commands exist, almost anything else to help you manage SharePoint. However, in Office 365 not all the PowerShell commands are there to help you, and not everyone is comfortable writing these scripts.


Sharegate can help you build not just an inventory, but the right inventory based on what you are looking to collect. With a criteria-based engine, you can choose what you want to find, and collect the results in an Excel file.
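As an illustration of the PowerShell route described above, here is an added example (not from the eBook and not Sharegate's code) that turns site records into a review-ready inventory. It assumes input objects with the property names of Get-SPOSite output from the SharePoint Online Management Shell; the function name, the 180-day threshold and the sample rows are constructed for this example.

```powershell
# Added example. Input objects are assumed to expose the same properties as
# Get-SPOSite output: Url, Template, Owner, LastContentModifiedDate, SharingCapability.
function Get-SiteInventoryReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Site,
        [int]$StaleAfterDays = 180,      # hypothetical policy threshold
        [datetime]$AsOf = (Get-Date)
    )
    process {
        # Last content modification is used as a proxy for "last time someone used it".
        $idle = $AsOf - [datetime]$Site.LastContentModifiedDate
        $idleDays = [int][math]::Floor($idle.TotalDays)
        [pscustomobject]@{
            Url             = $Site.Url
            Template        = $Site.Template
            Owner           = $Site.Owner
            IdleDays        = $idleDays
            Stale           = $idleDays -ge $StaleAfterDays
            NoOwner         = [string]::IsNullOrWhiteSpace($Site.Owner)
            ExternalSharing = "$($Site.SharingCapability)" -ne 'Disabled'
        }
    }
}

# Constructed sample rows so the script runs offline. In a tenant, replace with:
#   Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
#   Get-SPOSite -Limit All | Get-SiteInventoryReport |
#       Export-Csv .\inventory.csv -NoTypeInformation
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/hr'
        Template = 'STS#0'; Owner = 'hr-admin@contoso.example'
        LastContentModifiedDate = [datetime]'2020-03-20'; SharingCapability = 'Disabled' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/project-2018'
        Template = 'GROUP#0'; Owner = ''
        LastContentModifiedDate = [datetime]'2018-11-02'; SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/news'
        Template = 'SITEPAGEPUBLISHING#0'; Owner = 'comms@contoso.example'
        LastContentModifiedDate = [datetime]'2020-03-24'; SharingCapability = 'ExternalUserAndGuestSharing' }
)

$report = $sampleSites | Get-SiteInventoryReport -AsOf ([datetime]'2020-03-25')

# Sites that need a closer look first, oldest at the top.
$report | Where-Object { $_.Stale -or $_.NoOwner -or $_.ExternalSharing } |
    Sort-Object IdleDays -Descending | Format-Table -AutoSize

# What the tenant is made of, by template.
$report | Group-Object Template | Select-Object Name, Count | Format-Table -AutoSize
```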


CHAPTER TWO

Manage User Permissions


If I'm given access to information I'm not supposed to have, there's honestly a good chance I'll go look at it anyway. Office 365 User Permissions can be very difficult to understand if we don't take the time to learn how it all works. When first deployed, SharePoint is actually secure as no one has access to anything. The fun starts when you grant access to objects.


of all data breaches were caused by human error.

As a general best practice, one that goes back to permissions on File Shares, you should never grant explicit permissions to an individual user. Even if this works, it can cause a lot of problems with your security in the long run. One of the biggest issues arises when the person granted access leaves the company or changes roles, and someone else needs to take over.

The powerful search engine in SharePoint, as well as the Office Graph with Delve, can also introduce new potential breaches. With File Shares, if you didn't know something existed but accidentally had access to it, it would still be relatively difficult to find out about it. Today, however, using the search engine or Delve to discover content, you can have visibility on everything you have access to.

2

In 2015,

2- http://www.cybersecuritytrend.com/topics/cyber-security/articles/421821-human-error-to-blame-most-breaches.htm


Ideally, users are always added to groups, and permissions are only applied to these SharePoint groups. This way, you'll be sure that user permissions are well organized and easily manageable. But then you'd also have to train every user to never click on the Share button and grant permissions to an individual user. This may be a little difficult.

Sharegate allows you to empower users to work easily and helps you stay in control. You can copy permissions and group memberships from one user to another, as well as check the permissions someone has across all your Office 365 SharePoint objects. This way, you can let them click on share and get their work done, but when the project is completed or someone changes roles, you have complete knowledge and control.


CHAPTER THREE

Manage Object Permissions


There are only specific types of objects on Office 365's SharePoint that can be assigned permissions: Sites, Lists and Libraries, Folders, List Items and Library Documents. Though many of us wish it could be done at the column level or on views, there isn't the option to do so.

The difficult part when you manage Office 365 permissions is that there are so many objects in your environment. As part of your Governance Policies, you'll have different objects that need to be secured differently based on these policies to stay compliant.

How can we be sure that all HR tagged documents are secured properly? Unfortunately, it has to be done manually. You can only imagine how chaotic it can become as users use the platform to author and edit content of different types across your Office 365. More importantly, it'll be hard to manage.


The criteria-based search in Sharegate allows you to find these objects based on your organization's security policies. Once found, you can choose to display almost any information about them including their permissions. Do they respect your governance policies? And if not, fix them straight from the tool.


CHAPTER FOUR

Broken Inheritance


Unlike File Shares, in Office 365 when you decide that an object should have different permissions than the parent object it is inheriting from, you need to break the permissions inheritance on it.

Because it's actually SQL behind the scenes that stores the content, breaking inheritance creates an impact on how content is stored and retrieved. This then slows your loading performance and really hurts the user experience.

It also makes it very difficult to figure out who has access to what on a particular object when inheritance has been broken multiple levels above. Generally, users don't know about the impact they have as they click on the share button or change permissions. Nor should they: enforcing permissions should not hinder the usability or performance of their platform.


One way to solve these issues is by limiting who can change permissions and thus break inheritance. In the past, and through our governance plan, we've even forbidden breaking inheritance on anything other than sites. However, this isn’t always easy to maintain and enforce without some kind of custom development.

Sharegate can show you where permission inheritance has been broken in SharePoint, tell you who has access there, and let you inherit back from the parent if you choose. With the built-in report, you can effortlessly find all objects of a specific type whose permissions have changed.


CHAPTER FIVE

Custom Permission Levels


Creating new and custom permission levels in Office 365's SharePoint is inevitable. Frankly, I wouldn't do it any other way. Not every SharePoint is the same, and needs are different from one organization to the next. Permission Levels are what you grant a user or group on a specific object. For example, you can give Nathalie the "Full Control" permission level so that she has access to your site, or limited access, so she can only view or edit specific Lists and Libraries.

The few Permission Levels that are automatically created aren’t always enough. In many cases, I've created a new one similar to Full Control without the right to create subsites. Essentially, depending on what you need to accomplish, you can create different Office 365 custom permission levels to give the right access to the right people.

Although this can be very useful in making sure too much isn't granted to someone that needs a minimum of access to an object, it can also be dangerous. For one, who has access to create or edit these Permission Levels? If you edit an existing Permission Level, are you aware of the impact it'll have and on how many people or objects? A single checkbox could be the difference in people being allowed to download a copy offline or not.


As a general rule, don't modify any existing Permission Levels in Office 365 sites. Instead, copy them and edit the copy to isolate the original and minimize any impact it can have on existing SharePoint objects created automatically.

With Sharegate at your disposal, you can validate access based on permission levels or use them to create reports to run on your environment. Whether it’s to find everyone, a group or a specific user with Full Control, you will now be able to stay knowledgeable and in control of your Office 365.


CHAPTER SIX

Edit vs Contribute Permission Levels


This came as a subtle surprise to me when I dove into it. As mentioned above, Permission Levels are rights that you grant a user or group to access an object. If you are experienced with a previous version of SharePoint or simply migrating from it, this change can be quite surprising to you as well.

When you create a Site in SharePoint, a few groups automatically get created and are granted access to the site. One of them, Members, has always been granted the Contribute Permission Level in the past versions of SharePoint. This allowed people within the group to add, modify, and delete content within lists and libraries.

Since SharePoint 2013 and on Office 365, they are granted the Edit Permission Level. This is an entirely new Level that allows users and groups granted this power to also create, change, and delete Lists and Libraries. This is a huge shift in power and can have immense impact on your security, especially if you are migrating or assuming it's like it was in the past.


The first step to mitigate this problem is by knowing it exists. There are a few solutions, or perhaps workarounds, that can help you ensure users have the right permissions on your objects. Of course, you can simply delete the Edit Permission Level. Though not ideal, it definitely solves the issue. Another way would be to make sure that when Sites are created, the Members Group have their permissions changed from Edit to Contribute.

With Sharegate, you can find any object with the Edit Permission Level assigned to it and switch it to Contribute if required. This applies to Groups as well as to objects on which permissions have already been granted.
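The checks from Chapters Two, Four and Six (direct grants to individual users, inheritance broken below site level, and Members groups holding Edit) can be run together over a permissions export. The following is an added example, not from the eBook and not Sharegate's code; the row layout, the function name and the sample data are assumptions constructed for illustration, and the Members check assumes the default "<site title> Members" group naming.

```powershell
# Added example. Each input row is one role assignment from a permissions export.
# Column names are assumptions for this example: ObjectUrl, ObjectType,
# HasUniqueRoleAssignments, Principal, PrincipalType (User or SharePointGroup),
# PermissionLevel.
function Find-PermissionIssue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Row
    )
    process {
        $issues = @()
        # String comparison so that both $true and the CSV text "True" are handled.
        $unique = "$($Row.HasUniqueRoleAssignments)" -eq 'True'

        # Chapter Two: permission granted to an individual instead of a group.
        if ($Row.PrincipalType -eq 'User') { $issues += 'DirectUserGrant' }

        # Chapter Four: inheritance broken on something other than a site.
        if ($unique -and $Row.ObjectType -ne 'Site') { $issues += 'BrokenInheritanceBelowSite' }

        # Chapter Six: default "<site title> Members" group holding Edit.
        if ($Row.PrincipalType -eq 'SharePointGroup' -and
            $Row.Principal -like '* Members' -and
            $Row.PermissionLevel -eq 'Edit') { $issues += 'MembersGroupHasEdit' }

        foreach ($issue in $issues) {
            [pscustomobject]@{
                Issue           = $issue
                ObjectUrl       = $Row.ObjectUrl
                Principal       = $Row.Principal
                PermissionLevel = $Row.PermissionLevel
            }
        }
    }
}

# Constructed sample rows; with a real export use: Import-Csv .\permissions.csv
$sampleRows = @(
    [pscustomobject]@{ ObjectUrl = '/sites/projects'; ObjectType = 'Site'
        HasUniqueRoleAssignments = $true; Principal = 'Projects Members'
        PrincipalType = 'SharePointGroup'; PermissionLevel = 'Edit' }
    [pscustomobject]@{ ObjectUrl = '/sites/projects'; ObjectType = 'Site'
        HasUniqueRoleAssignments = $true; Principal = 'Projects Owners'
        PrincipalType = 'SharePointGroup'; PermissionLevel = 'Full Control' }
    [pscustomobject]@{ ObjectUrl = '/sites/projects/Shared Documents/Budget'; ObjectType = 'Folder'
        HasUniqueRoleAssignments = $true; Principal = 'nathalie@contoso.example'
        PrincipalType = 'User'; PermissionLevel = 'Contribute' }
    [pscustomobject]@{ ObjectUrl = '/sites/hr/Lists/Reviews'; ObjectType = 'List'
        HasUniqueRoleAssignments = $true; Principal = 'HR Members'
        PrincipalType = 'SharePointGroup'; PermissionLevel = 'Contribute' }
    [pscustomobject]@{ ObjectUrl = '/sites/hr'; ObjectType = 'Site'
        HasUniqueRoleAssignments = $true; Principal = 'HR Members'
        PrincipalType = 'SharePointGroup'; PermissionLevel = 'Contribute' }
)

$findings = $sampleRows | Find-PermissionIssue

# Summary per issue type, then the detail rows to act on.
$findings | Group-Object Issue | Select-Object Name, Count | Format-Table -AutoSize
$findings | Sort-Object Issue, ObjectUrl | Format-Table -AutoSize
```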


CHAPTER SEVEN

Security Auditing


Who accessed this file in the last few days? Though not everyone is always aware, Office 365's SharePoint comes built-in with Audit Reports to run on the type of content you wish to audit. Want to know who viewed a file or deleted an item in your Document Library? Well now you definitely can.

Office 365 Security Audit is vital in keeping your environment secure, as you need to be able to prove or take action on ongoing security breaches. A lot of these actually come from people who have access to data and share it, either voluntarily with malicious intent or through human error.

One thing you should know is that, due to the performance needed to enable these Audit Reports, the feature is disabled by default. This means that if you decide to view the reports because of a possible breach or simply to inspect, it will be too late. This is a per Site Collection feature that also needs to be granularly configured per List or Library and even by Content Type.


There aren't a million ways to solve this: you just need to enable the feature and configure it where needed. Remember not to go Audit crazy either, as the sheer amount of information generated can really slow down your users' experience with the platform.

However, making sure it's turned on and properly configured in every single Site Collection can be tedious work and prone to human errors. With Sharegate, you can manage your multiple Office 365 and SharePoint Security Audit in bulk by making sure it's turned on where you need it to be.


CHAPTER EIGHT

External Sharing


Office 365 introduced External Users to allow you to share content with people outside of your organization. It is a very useful feature: in today's reality, working with External Users is almost a necessity. However, it introduces a very serious potential security threat if not properly monitored. Where are these Office 365 external users and what do they have access to, especially months after they no longer need that access?


employees use cloud apps to share sensitive corporate data outside of the four walls of the organization.3

The way it works can be confusing for users and can lead them to make a mistake. The email address entered for an external user when sharing an object isn't actually what that object's access will be granted to. You still need an Office 365 or Microsoft Live account to access the information. Make sure to read and understand the definitive guide to Office 365 External Sharing to understand how it works and the impact it has on your own Office 365's security.

There are multiple perspectives to consider when managing External Sharing in your Office 365. What is the list of all External Users currently in your environment? What is currently shared to External Users? What content has been shared with External User "X"? What are the documents still shared to External Users that haven't been accessed in a "X" amount of time?

in

3- http://www.sailpoint.com/blog/2014/12/2014marketpulsesurvey/


Though you have basic controls to manage External Sharing in Office 365, there isn't any way to provide actual guidance to ensure complete control of your entire tenant.

Sharegate brings you that control with just a few clicks. Build your own reports using External User and Externally Shared Content as criteria. You can also run pre-built actions to quickly get insight on these as well as take action, thus keeping you in complete control while still enabling your organization
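For the external-user questions raised in this chapter, here is an added example (not from the eBook and not Sharegate's code) that reviews external user records for two things: an invited address that differs from the account that actually accepted, and accounts older than a review threshold. It assumes input objects with the InvitedAs, AcceptedAs, DisplayName and WhenCreated properties returned by Get-SPOExternalUser; the function name, the 90-day threshold and the sample rows are constructed.

```powershell
# Added example. Input objects are assumed to expose the Get-SPOExternalUser
# properties DisplayName, InvitedAs, AcceptedAs and WhenCreated.
function Get-ExternalUserReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,
        [int]$MaxAgeDays = 90,           # hypothetical review threshold
        [datetime]$AsOf = (Get-Date)
    )
    process {
        # Account age is a review trigger only; it says nothing about last access.
        $age = $AsOf - [datetime]$User.WhenCreated
        $ageDays = [int][math]::Floor($age.TotalDays)

        # The invitation went to one address but another account accepted it.
        $mismatch = [bool]$User.AcceptedAs -and ($User.AcceptedAs -ne $User.InvitedAs)

        [pscustomobject]@{
            DisplayName     = $User.DisplayName
            InvitedAs       = $User.InvitedAs
            AcceptedAs      = $User.AcceptedAs
            AgeDays         = $ageDays
            AccountMismatch = $mismatch
            DueForReview    = $ageDays -ge $MaxAgeDays
        }
    }
}

# Constructed sample rows so the script runs offline. In a tenant, page through
# the real list (Get-SPOExternalUser returns at most 50 users per call):
#   for ($pos = 0; ; $pos += 50) {
#       $page = Get-SPOExternalUser -Position $pos -PageSize 50
#       if (-not $page) { break }
#       $page | Get-ExternalUserReview
#   }
$sampleUsers = @(
    [pscustomobject]@{ DisplayName = 'Pat Partner'
        InvitedAs = 'pat@fabrikam.example'; AcceptedAs = 'pat@fabrikam.example'
        WhenCreated = [datetime]'2020-03-10' }
    [pscustomobject]@{ DisplayName = 'J. Doe'
        InvitedAs = 'j.doe@fabrikam.example'; AcceptedAs = 'jdoe_home@outlook.example'
        WhenCreated = [datetime]'2020-02-20' }
    [pscustomobject]@{ DisplayName = 'Old Vendor'
        InvitedAs = 'vendor@adatum.example'; AcceptedAs = 'vendor@adatum.example'
        WhenCreated = [datetime]'2019-06-01' }
)

$review = $sampleUsers | Get-ExternalUserReview -AsOf ([datetime]'2020-03-25')

# Only the accounts that need a decision.
$review | Where-Object { $_.AccountMismatch -or $_.DueForReview } |
    Sort-Object AgeDays -Descending | Format-Table -AutoSize
```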


CHAPTER NINE

The Administrator


Let's talk about the administrator for a second, the person that has all the power in your Office 365. Ironically, you may be that administrator and probably won't want to listen to what I have to say. But as I am sure you can agree, the administrator's role can be very dangerous when discussing security.

Though the Office 365 administrator doesn't necessarily have instant access to all sites created, or OneDrives owned by users, he or she can grant themselves that power just as easily. This administrator can turn on and off features that benefit him and leave no trace. How can you show what this administrator account has access to?

In some security breaches, it was the administrator account's credentials that enabled hackers to access and steal the information they wanted. Your administrator credentials can be stolen and used to erase any indication that the theft has happened.

The Administrator Role can potentially be the biggest security concern in your Office 365.


Worst Password List (note 4)

1- 123456
2- PASSWORD
3- 12345678
4- QWERTY
5- 12345

4- http://www.telegraph.co.uk/technology/2016/01/26/most-common-passwords-revealed---and-theyre-ridiculously-easy-to/


Have you considered Multi-Factor Authentication for Office 365 to verify the person accessing this account is actually the person intended to use it? Office 365 will validate by calling the registered phone number for the administrator or ask you to validate using a code sent to that phone.

To reduce the risks, you can also make sure you do not work with an admin account. Most companies will have an administrator account that no one uses unless required to elevate their privileges and do something on the platform. Otherwise, they use their regular account on a daily basis.

Also, you can use Sharegate to build and run reports that inspect and validate what is shared to Administrators and how. You can also take action in bulk to remove permissions if needed, based on a criteria-based search.


CHAPTER TEN

Mobile Devices and Sync'ed Content


With Microsoft's recent "Cloud-First, Mobile-First" message, it's inevitable that more of our users will access their content through different devices. This makes things more difficult from a security perspective since we don't always control these devices.


About 12,000 laptops are lost every week at U.S. airports alone, or approximately one every 50 seconds.5

Office 365 has also introduced the ability to Sync content offline with OneDrive for Business, making it even more difficult for us to enforce our security policies. Combine that with Mobile Devices and access from anywhere, and you have yourself a recipe for sleepless nights worrying about security.

Of course, these features are very important for the organization to be flexible and keep up with the demands of our workforce today. It allows us to stay competitive, and turning it off globally is out of the question.

5- https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosdatasecurityreportwpna.pdf?la=en


Simple solutions can help you mitigate the risks: training users to use OneDrive for Business and to access content from their mobile devices can go a long way. In fact, making sure that a password is required to unlock their device can already help prevent a breach. Microsoft Intune will continue to play a big part in helping protect these company devices.

IRM, or Information Rights Management, is already available for Office 365 and allows you to add an additional layer of security at the document level. Preventing someone from printing a document or forwarding an email is possible, and it works when content is accessed through Mobile Devices. IRM protected documents also work if Sync'ed with OneDrive for Business, a great solution to enforce our security policies.

Sharegate can help by showing you which document libraries across your Office 365 have Sync Offline enabled and allows you to manage this option in bulk. Though this OneDrive for Business feature can be very helpful, you might want to disable it in some locations like the HR library with employee information.


Here’s a printable Checklist of everything we covered.

Establish an inventory of all your Office 365 content, including sites, groups, lists and libraries

Verify and manage all User Permissions granted to users in Office 365

Manage Objects Permissions in your environment and ensure they are compliant with Governance Policies

Verify and manage broken inheritance

Create custom Permission Levels for individual users

When Sites are created, ensure that Members Groups have permissions changed from Edit to Contribute

Run audit reports regularly

Verify and manage External Sharing

Ensure administrator credentials are only given to trusted individuals


About Sharegate

Sharegate helps thousands of IT professionals worldwide manage, migrate and secure their SharePoint & Office 365 environments. A product made with love by Montreal-based software development firm GSOFT, where we truly believe that simplicity and happiness are key to success!

Want to learn more? Connect with us on twitter and visit share-gate.com for more SharePoint related content.

@sharegatetools

www.share-gate.com