For many of my clients, the security and privacy of data in the cloud is the top priority. Walking the fine line between keeping your data secure and still allowing end users to get their jobs done efficiently and effectively is the key to a successful cloud implementation. You cannot have security without usability: if security gets in the way, end users will find another way to get their tasks done, using less secure services in the workplace and sending the security and legal teams into a panic.
The number one goal is that the level of security, and any resulting user friction in the experience, is commensurate with the sensitivity of the data. That means…
- The higher the value of the data, the higher the level of security. For example, if it contains intellectual property, it makes sense to ask for additional authentication or force users to use a managed device.
- But if it’s low sensitivity, like a personal trip itinerary, it doesn’t make sense to add any additional user friction.
So how do you balance that fine line? To start, Microsoft allows you to use Differentiated Access Policies based on user, device, location, and sensitivity of data. The policies are based on the following concepts:
- Security needs to be applied in real time, at the point of access, depending on who you are: what is your user role, and what is your level of access?
- How are you trying to access the data? Is it from a managed device, an unmanaged device, a managed app, or a browser on a kiosk?
- Where are you coming from? Is it a trusted location like your corporate network? Is it an expected or an unexpected location?
- What is the sensitivity of the data? Does it contain PII (personally identifiable information, such as Social Security Numbers)?
Use the Security and Compliance Center to implement these policies based on what’s right for your organization. And use Intune to handle the mobile devices and managed apps.
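The four signals above can be modeled as a small policy evaluator. This is an added illustration, not Microsoft's implementation or code from the Security and Compliance Center; the class names, role names, device and location labels, and the thresholds are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Sensitivity(IntEnum):
    LOW = 0   # e.g. a personal trip itinerary
    PII = 1   # e.g. Social Security Numbers
    IP = 2    # intellectual property

class Decision(IntEnum):        # ordered by increasing user friction
    ALLOW = 0
    STEP_UP_AUTH = 1            # ask for additional authentication
    REQUIRE_MANAGED_DEVICE = 2  # refuse until the user is on a managed device
    DENY = 3                    # role has no access at this sensitivity

MANAGED = {"managed_device", "managed_app"}  # others: "unmanaged_device", "kiosk_browser"
IP_ROLES = {"engineer", "legal"}             # constructed: roles cleared for IP

@dataclass(frozen=True)
class AccessRequest:
    role: str                 # who you are and your level of access
    device: str               # how you are trying to access the data
    location: str             # "trusted", "expected" or "unexpected"
    sensitivity: Sensitivity  # what the data contains

def evaluate(req: AccessRequest) -> Decision:
    """Evaluate the four signals at the point of access."""
    if req.sensitivity is Sensitivity.LOW:
        return Decision.ALLOW                      # low value: add no friction
    if req.sensitivity is Sensitivity.IP and req.role not in IP_ROLES:
        return Decision.DENY
    required = [Decision.ALLOW]
    if req.device not in MANAGED:                  # device signal
        required.append(Decision.REQUIRE_MANAGED_DEVICE
                        if req.sensitivity is Sensitivity.IP
                        else Decision.STEP_UP_AUTH)
    if req.location == "unexpected":               # location signal
        required.append(Decision.STEP_UP_AUTH)
    return max(required)                           # strictest requirement wins

if __name__ == "__main__":
    samples = [  # constructed requests
        AccessRequest("sales", "kiosk_browser", "unexpected", Sensitivity.LOW),
        AccessRequest("sales", "unmanaged_device", "trusted", Sensitivity.PII),
        AccessRequest("engineer", "unmanaged_device", "trusted", Sensitivity.IP),
        AccessRequest("engineer", "managed_device", "unexpected", Sensitivity.IP),
    ]
    for s in samples:
        print(s, "->", evaluate(s).name)
```

Because the decisions are ordered by friction, the same unmanaged device yields a step-up prompt for PII but a managed-device requirement for intellectual property, while low-sensitivity data is never gated.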
For visibility into what’s going on in your tenant you can also view user and file activity using audit logs. To view reports, click on O365 audit log reports and you can see all the activity. You can search and refine by using filters to search by user, content, and/or sensitive content.
What about the security of your data at rest?
To give you a higher level of visibility and control over who has access to your data in SharePoint, Microsoft just shipped a new feature called Customer Lockbox. If a Microsoft engineer needs access to your content (based on a request made by you, the customer), they issue a request through Lockbox. Once you approve the access request from your Lockbox dashboard, the Microsoft engineer will be able to access the content. Both the request and the access are time-bound, fully logged, and auditable. In addition to the current datacenters, Microsoft is also scaling the service by adding new geographical locations so you can store data where it works best for you.
To use Lockbox, go to the Customer Lockbox area of the Security and Compliance Center and enable the feature. Once it’s enabled, you get a dashboard showing your pending requests. You can approve and deny requests there and also see all previous Lockbox requests.
As an additional form of protection, all files are broken down into multiple chunks that are individually encrypted, and the keys are stored separately to keep the data safe. Microsoft is also working to give you, in the future, the ability to bring and manage your own encryption keys for the data that’s stored in SharePoint. If you want, you can revoke access to the keys and Microsoft will not be able to access any of your data in the service.
All of these features allow you to find the right level of security without compromising user productivity. Contact me to learn more.