The Essential Office 365 Security Checklist (Sharegate)


The Essential Office 365 Security Checklist

10 quick security checks to do on a weekly basis for efficient Office 365 security. An eBook by Sharegate.

Snowden, WikiLeaks, NSA: buzzwords that remind us of security every day. Not a week passes by where we don't hear about individuals being hacked, millions of credit card records being stolen, or a big corporation facing a major security breach because of a human error. Just ask Sony, The Home Depot, Target, JPMorgan Chase. The list goes on, and on.

It's an understatement to say that security is the first thing that must come to mind when we think about business infrastructure. As many as 85% of all U.S. companies have experienced one or more data breaches in 2013. [1]

That's a LOT of sensitive data. In 2010, the cost of a data breach averaged 7.2 million per incident. And this number doesn't even include the cost of indirect revenue losses. Would you want to deal with a company that you knew were champions of security breaches? Yeah, me neither. The loss of business because of trust issues in a company can cost billions!

Of course, security also comes to mind for companies using SharePoint and Office 365. For most of us, these platforms are the brain, lungs & heart of our companies. We want our content to be secure and well protected.

But what is Office 365 Security? How could you state that your environments are secure (and believe it)? In this guide, we've identified the most important Office 365 security actions that you can put in motion to immediately protect and secure your environments.

ABOUT THE AUTHOR

Benjamin Niaulin is an Office Servers and Services MVP, recognized as one of the Top 25 SharePoint influencers in 2014 and 2nd for Office 365 in 2015. Being a Microsoft Certified Trainer since 2008 has allowed him to become proficient in simplifying complex technologies, making him an expert in SharePoint & Office 365 vulgarization. He's spoken at over 200 conferences around the world.

1- .pdf?la en

Table of Contents

Chapter One: Establish an Inventory of What You Have
Chapter Two: Manage User Permissions
Chapter Three: Manage Object Permissions
Chapter Four: Broken Inheritance
Chapter Five: Custom Permission Levels
Chapter Six: Edit vs. Contribute Permission Levels
Chapter Seven: Security Auditing
Chapter Eight: External Sharing
Chapter Nine: The Administrator
Chapter Ten: Mobile Devices and Sync'ed Content

CHAPTER ONE: Establish an Inventory of What You Have

If you don't know where your data is and who has access to it, how can you secure what you have in your environments? If you want to properly enforce your security policies and stay compliant, you'll need to establish an inventory of what you have. The Microsoft cloud platform is continuously evolving and empowers people in the organization to create objects and content themselves, so it's crucial for you to monitor Office 365 security.

It's easier to make an inventory of a file share: all we have to worry about is folders and the files within. Office 365, however, is a suite of objects, from SharePoint Sites to Groups as well as Lists and Libraries with different kinds of content in each. You need to know what you have and where you keep it, as well as collect additional information to make better decisions about it.

Where are your Sites? What are they? What templates do they use? Who has access to them? When is the last time someone accessed them? I could go on for hours; there is no such thing as too much information when it comes to your organization's security. However, you need to use it properly.

There are a few ways you can build this inventory in order to tackle your Office 365 security. The admin's trusty PowerShell, if he or she is comfortable with writing scripts, is always there to help. You can build an inventory of your SharePoint sites and, if the commands exist, almost anything else to help you manage SharePoint. However, in Office 365 not all the PowerShell commands are there to help you, and not everyone is comfortable writing these scripts.

Sharegate can help you build not just an inventory, but the right inventory based on what you are looking to collect. With a criteria-based engine, you can choose what you want to find, and collect the results in an Excel file.
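As an added example (not the eBook's own code nor Sharegate's product), this is how the site collection inventory the chapter describes can be built with the SharePoint Online Management Shell and exported to a CSV that Excel opens directly. The tenant name "contoso" and the output path are placeholders.

```powershell
# Added example, not from the eBook: build a site collection inventory with
# the SharePoint Online Management Shell and export it to Excel-readable CSV.
# Assumptions: the Microsoft.Online.SharePoint.PowerShell module is installed
# and "contoso" is a placeholder for your own tenant name.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# -Limit All is needed: by default only the first 200 site collections return.
# Fetching each site again by URL returns its full property set.
$inventory = Get-SPOSite -Limit All | ForEach-Object {
    $site = Get-SPOSite -Identity $_.Url
    [pscustomobject]@{
        Url                 = $site.Url
        Title               = $site.Title
        Template            = $site.Template
        Owner               = $site.Owner
        StorageUsedMB       = $site.StorageUsageCurrent
        LastContentModified = $site.LastContentModifiedDate
        SharingCapability   = $site.SharingCapability
    }
}

$inventory | Export-Csv -Path ".\spo-site-inventory.csv" -NoTypeInformation

# Two views worth reviewing straight away: sites untouched for a year
# (candidates for archiving or removal) and sites that allow external sharing.
$cutoff = (Get-Date).AddYears(-1)
$inventory | Where-Object { $_.LastContentModified -lt $cutoff } |
    Format-Table Url, Owner, LastContentModified -AutoSize
$inventory | Where-Object { $_.SharingCapability -ne "Disabled" } |
    Format-Table Url, SharingCapability -AutoSize
```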

CHAPTER TWO: Manage User Permissions

If I'm given access to information I'm not supposed to have, there's honestly a good chance I'll go look at it anyway. Office 365 User Permissions can be very difficult to understand if we don't take the time to learn how it all works. When first deployed, SharePoint is actually secure as no one has access to anything. The fun starts when you grant access to objects.

In 2015, [figure missing] of all data breaches were caused by human error. [2]

As a general best practice, one that goes back to permissions on File Shares, you should never grant explicit permissions to an individual user. Even if this works, it can cause a lot of problems with your security in the long run. One of the biggest issues arises when the person granted access leaves the company or changes roles, and someone else needs to take over.

The powerful search engine in SharePoint, as well as the Office Graph with Delve, can also introduce new potential breaches. If you didn't know something existed but somehow had access to it accidentally, it would still be relatively difficult to find out about it with File Shares. Today, however, using the search engine or Delve to discover content, you have visibility on everything you have access to.

2- eaches.htm

Ideally, users are always added to groups, and permissions are only applied to these SharePoint groups. This way, you'll be sure that user permissions are well organized and easily manageable. But then you'd also have to train every user to never click on the Share button and grant permissions to an individual user. This may be a little difficult.

Sharegate allows you to empower users to work easily and helps you stay in control. You can copy permissions and group memberships from one user to another, as well as check the permissions someone has across all your Office 365 SharePoint objects. This way, you can let them click on share and get their work done, but when the project is completed or someone changes roles, you have complete knowledge and control.

CHAPTER THREE: Manage Object Permissions

There are only specific types of objects in Office 365's SharePoint that can be assigned permissions: Sites, Lists and Libraries, Folders, List Items and Library Documents. Though many of us wish it could be done at the column level or on views, there isn't the option to do so.

The difficult part when you manage Office 365 permissions is that there are so many objects in your environment. As part of your Governance Policies, you'll have different objects that need to be secured differently based on these policies to stay compliant.

How can we be sure that all HR-tagged documents are secured properly? Unfortunately, it has to be done manually. You can only imagine, as users use the platform to author and edit content of different types across your Office 365, how chaotic it can become. More importantly, it'll be hard to manage.

The criteria-based search in Sharegate allows you to find these objects based on your organization's security policies. Once found, you can choose to display almost any information about them, including their permissions. Do they respect your governance policies? And if not, fix them straight from the tool.

CHAPTER FOUR: Broken Inheritance

Unlike File Shares, in Office 365 when you decide that an object should have different permissions than the parent object it is inheriting from, you need to break the permissions inheritance on it.

Because it's actually SQL behind the scenes that stores the content, breaking inheritance has an impact on how content is stored and retrieved. This then slows your loading performance and really hurts the user experience.

It also makes it very difficult to figure out who has access to what on a particular object when inheritance has been broken multiple levels above. Generally, users don't know about the impact they have as they click on the share button or change permissions. And nor should they: enforcing permissions shouldn't hinder the usability or performance of their platform.

One way to solve these issues is by limiting who can change permissions and thus break inheritance. In the past, and through our governance plan, we've even forbidden breaking inheritance on anything other than sites. However, this isn't always easy to maintain and enforce without some kind of custom development.

Sharegate can show you where permission inheritance has been broken in SharePoint, tell you who has access there, and let you inherit back from the parent if you choose. With the built-in report, you can effortlessly find all objects of a specific type whose permissions have changed.
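The two checks from Chapter Two (users granted permissions directly instead of through a group) and this chapter (objects with broken inheritance) can be scripted against one site with PnP PowerShell. This is an added example, not the eBook's or Sharegate's code; the site URL is a placeholder and the sign-in switch depends on your PnP.PowerShell version (newer releases also require -ClientId).

```powershell
# Added example, not from the eBook: with PnP PowerShell, report (1) users
# granted permissions directly on a site rather than through a group and
# (2) lists and libraries whose permission inheritance has been broken.
# Assumptions: PnP.PowerShell is installed; the URL is a placeholder site.
Import-Module PnP.PowerShell
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/hr" -Interactive

# (1) Direct grants: each role assignment names a principal and its levels.
$web = Get-PnPWeb -Includes RoleAssignments
$direct = $web.RoleAssignments | ForEach-Object {
    Get-PnPProperty -ClientObject $_ -Property Member, RoleDefinitionBindings | Out-Null
    [pscustomobject]@{
        Principal = $_.Member.Title
        Type      = [string]$_.Member.PrincipalType   # User, SharePointGroup, SecurityGroup
        Levels    = ($_.RoleDefinitionBindings | ForEach-Object Name) -join ", "
    }
} | Where-Object { $_.Type -eq "User" -and $_.Levels -ne "Limited Access" }
"Users with direct (non-group) permissions on $($web.Url):"
$direct | Format-Table -AutoSize

# (2) Lists that stopped inheriting from the site; hidden system lists skipped.
$broken = Get-PnPList -Includes HasUniqueRoleAssignments, Hidden |
    Where-Object { $_.HasUniqueRoleAssignments -and -not $_.Hidden } |
    Select-Object Title, ItemCount, LastItemModifiedDate
"Lists and libraries with broken inheritance:"
$broken | Format-Table -AutoSize

# After review, a list can be made to inherit from its parent again:
# Set-PnPList -Identity "Old Project Docs" -ResetRoleInheritance
```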

CHAPTER FIVE: Custom Permission Levels

Creating new and custom permission levels in Office 365's SharePoint is inevitable. Frankly, I wouldn't do it any other way. Not every SharePoint is the same, and needs are different from one organization to the next. Permission Levels are what you grant a user or group on a specific object. For example, you can give Nathalie the "Full Control" permission level so that she has access to your site, or limited access, so she can only view or edit specific Lists and Libraries.

The few Permission Levels that are automatically created aren't always enough. In many cases, I've created a new one similar to Full Control without the right to create subsites. Essentially, depending on what you need to accomplish, you can create any number of Office 365 custom permission levels to give the right access to the right people.

Although this can be very useful in making sure too much isn't granted to someone that needs a minimum of access to an object, it can also be dangerous. For one, who has access to create or edit these Permission Levels? If you edit an existing Permission Level, are you aware of the impact it'll have and on how many people or objects? A single checkbox could be the difference between people being allowed to download a copy offline or not.

As a general rule, don't modify any existing Permission Levels in Office 365 sites. Instead, copy them and edit the copy to isolate the original and minimize any impact it can have on existing SharePoint objects created automatically.

With Sharegate at your disposal, you can validate access based on permission levels or use them to create reports to run on your environment. Whether it's to find everyone, a group or a specific user with Full Control, you will now be able to stay knowledgeable and in control of your Office 365.
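The exact level the chapter mentions, Full Control minus the right to create subsites, created by cloning the built-in level instead of editing it, as an added PnP PowerShell example (not the eBook's or Sharegate's code). The site URL and the new level's name are placeholders.

```powershell
# Added example, not from the eBook: create a custom permission level by
# cloning "Full Control" and excluding ManageSubwebs, leaving the built-in
# level untouched, then show that only the clone lacks the right.
# Assumptions: PnP.PowerShell is installed; the URL is a placeholder.
Import-Module PnP.PowerShell
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/hr" -Interactive

$name = "Full Control (no subsites)"
if (-not (Get-PnPRoleDefinition | Where-Object Name -eq $name)) {
    # -Clone copies every right of the original; -Exclude drops the ones named.
    Add-PnPRoleDefinition -RoleName $name -Description "Copy of Full Control without ManageSubwebs" -Clone "Full Control" -Exclude ManageSubwebs
}

# Compare original and clone on the one right that differs.
$kind = [Microsoft.SharePoint.Client.PermissionKind]::ManageSubwebs
foreach ($n in "Full Control", $name) {
    $rd = Get-PnPRoleDefinition -Identity $n
    "{0,-28} ManageSubwebs = {1}" -f $n, $rd.BasePermissions.Has($kind)
}
```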

CHAPTER SIX: Edit vs. Contribute Permission Levels

This came as a subtle surprise to me when I dove into it. As mentioned above, Permission Levels are rights that you grant a user or group to access an object. If you are experienced with a previous version of SharePoint or simply migrating from it, this change can be quite surprising to you as well.

When you create a Site in SharePoint, a few groups automatically get created and are granted access to the site. One of them, Members, has always been granted the Contribute Permission Level in past versions of SharePoint. This allowed people within the group to add, modify, and delete content within lists and libraries.

Since SharePoint 2013 and on Office 365, they are granted the Edit Permission Level. This is an entirely new Level that allows users and groups granted this power to also create, change, and delete Lists and Libraries. This is a huge shift in power and can have immense impact on your security, especially if you are migrating or assuming it's like it was in the past.

The first step to mitigate this problem is knowing it exists. There are a few solutions, or perhaps workarounds, that can help you ensure users have the right permissions on your objects. Of course, you can simply delete the Edit Permission Level. Though not ideal, it definitely solves the issue. Another way would be to make sure that when Sites are created, the Members Group has its permissions changed from Edit to Contribute.

With Sharegate, you can find any object with the Edit Permission Level assigned to it and switch it to Contribute if required. This can be Groups as well as actual objects already granted permission.
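The second workaround above, switching each site's Members group from Edit back to Contribute, scripted across a list of sites with PnP PowerShell. Added example, not the eBook's or Sharegate's code; the site URLs are placeholders and nothing changes until $apply is set to $true.

```powershell
# Added example, not from the eBook: for each site, check which permission
# levels the associated Members group holds and replace Edit with Contribute.
# Assumptions: PnP.PowerShell is installed; URLs are placeholders.
Import-Module PnP.PowerShell
$apply = $false   # dry run by default; set to $true to change permissions

function Switch-MembersToContribute {
    param([string]$Url)
    Connect-PnPOnline -Url $Url -Interactive
    # The associated member group is the "<Site> Members" group created with the site.
    $members = Get-PnPGroup -AssociatedMemberGroup
    $levels  = @(Get-PnPGroupPermissions -Identity $members | ForEach-Object Name)
    if ($levels -contains "Edit") {
        if ($apply) {
            # Add Contribute first so the group is never left without any level.
            Set-PnPGroupPermissions -Identity $members -AddRole "Contribute"
            Set-PnPGroupPermissions -Identity $members -RemoveRole "Edit"
            "$Url : $($members.Title) switched from Edit to Contribute"
        } else {
            "$Url : $($members.Title) has Edit (would switch; set `$apply = `$true)"
        }
    } else {
        "$Url : $($members.Title) holds $($levels -join ', ') - no change"
    }
}

# Placeholder list; in practice feed it the Url column of your site inventory.
$siteUrls = @("https://contoso.sharepoint.com/sites/hr",
              "https://contoso.sharepoint.com/sites/finance")
foreach ($u in $siteUrls) { Switch-MembersToContribute -Url $u }
```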

CHAPTER SEVEN: Security Auditing

Who accessed this file in the last few days? Though not everyone is always aware, Office 365's SharePoint comes built in with Audit Reports to run on the type of content you wish to audit. Want to know who viewed a file or deleted an item in your Document Library? Well, now you definitely can.

Office 365 Security Audit is vital in keeping your environment secure, as you need to be able to prove or take action on ongoing security breaches. A lot of these actually come from people that have access to data and either voluntarily share it with malicious intent or do so by human error.

One thing you should know is that, due to the performance needed to enable these Audit Reports, the feature is disabled by default. This means that if you decide to view the reports because of a possible breach or simply to inspect, it will be too late. This is a per-Site Collection feature that also needs to be granularly configured per List or Library and even by Content Type.

There aren't a million possibilities to solve this; you just need to enable the feature and configure it where needed. Remember not to go Audit crazy either: the sheer volume of information generated can really slow down your users' experience with the platform.

However, making sure it's turned on and properly configured in every single Site Collection can be tedious work and prone to human error. With Sharegate, you can manage your multiple Office 365 and SharePoint Security Audits in bulk by making sure it's turned on where you need it to be.
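Enabling site collection auditing the way the chapter recommends (on, but limited to the events that matter and trimmed so it does not grow without bound), as an added PnP PowerShell example that is not the eBook's or Sharegate's code. The site URLs and the 90-day retention are placeholders to adjust to your own policy.

```powershell
# Added example, not from the eBook: read and set site collection audit
# settings with PnP PowerShell, limited to a useful set of events and with
# automatic trimming of the audit log.
# Assumptions: PnP.PowerShell is installed; URLs and retention are placeholders.
Import-Module PnP.PowerShell

function Enable-SiteAuditing {
    param([string]$Url, [int]$RetentionDays = 90)
    Connect-PnPOnline -Url $Url -Interactive
    $before = Get-PnPAuditing
    "$Url : current flags = $($before.AuditFlags)"

    # View, Update, Delete, Undelete and SecurityChange answer "who read,
    # changed, deleted or re-permissioned this?" without logging every search.
    Set-PnPAuditing -AuditFlags View, Update, Delete, Undelete, SecurityChange -TrimAuditLog -RetentionTime $RetentionDays

    $after = Get-PnPAuditing
    "$Url : now flags = $($after.AuditFlags), trimmed after $RetentionDays days"
}

# Placeholder list; feed it every site collection from your inventory.
$siteUrls = @("https://contoso.sharepoint.com/sites/hr",
              "https://contoso.sharepoint.com/sites/finance")
foreach ($u in $siteUrls) { Enable-SiteAuditing -Url $u }
```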

CHAPTER EIGHT: External Sharing

Office 365 introduced External Users to allow you to share content with people outside of your organization. A very useful feature in today's reality, working with External Users is almost a necessity. However, it introduces a very serious potential security threat if not properly monitored. Where are these Office 365 external users and what do they have access to, especially months after they no longer need that access?

[figure missing] in employees use cloud apps to share sensitive corporate data outside of the four walls of the organization. [3]

The way it works can be confusing for users and potentially allow them to make a mistake. The email address of a potential external user entered when sharing an object isn't actually what that object will be granted to. You still need an Office 365 or Microsoft Live account to access the information. Make sure to read and understand the definitive guide to Office 365 External Sharing to understand how it works and the impact it has on your own Office 365's security.

There are multiple perspectives to consider when managing External Sharing in your Office 365. What is the list of all External Users currently in your environment? What is currently shared to External Users? What content has been shared with External User "X"? What are the documents still shared to External Users that haven't been accessed in "X" amount of time?

3- lsesurvey/

Though you have basic controls to manage External Sharing in Office 365, there isn't any way to provide actual guidance to ensure complete control of your entire tenant.

Sharegate brings you that control with just a few clicks. Build your own reports using External User and Externally Shared Content as criteria. You can also run pre-built actions to quickly get insight on these as well as take action, thus keeping you in complete control while still enabling your organization.
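The first two questions from the previous page, the list of all External Users in the tenant and where sharing outside the organization is permitted, answered with the basic controls the SharePoint Online Management Shell provides. Added example, not the eBook's or Sharegate's code; "contoso" and the file path are placeholders.

```powershell
# Added example, not from the eBook: enumerate every external user in the
# tenant (the cmdlet returns at most 50 per call, so it is paged) and list
# the site collections that currently permit external sharing.
# Assumptions: SPO Management Shell installed; "contoso" is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

function Get-AllExternalUsers {
    $all = @(); $pos = 0; $page = 50
    do {
        $batch = @(Get-SPOExternalUser -Position $pos -PageSize $page)
        $all += $batch
        $pos += $page
    } while ($batch.Count -eq $page)   # a short page means the last one
    $all
}

$external = Get-AllExternalUsers |
    Select-Object DisplayName, Email, AcceptedAs, WhenCreated, InvitedBy, UniqueId
$external | Export-Csv -Path ".\external-users.csv" -NoTypeInformation
"External users in tenant: $($external.Count)"

# Which site collections allow sharing outside the organization at all?
Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -ne "Disabled" } |
    Format-Table Url, SharingCapability -AutoSize

# Follow-up actions after review (commented out; run them deliberately):
# Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/hr" -SharingCapability Disabled
# Remove-SPOExternalUser -UniqueIDs "<UniqueId from the CSV above>"
```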

CHAPTER NINE: The Administrator

Let's talk about the administrator for a second, the person that has all the power in your Office 365. Ironically, you may be that administrator and probably won't want to listen to what I have to say. But as I am sure you can agree, the administrator's role can be very dangerous when discussing security.

Though the Office 365 administrator doesn't necessarily have instant access to all sites created, or OneDrives owned by users, he or she can grant themselves that power just as easily. This administrator can turn features on and off that benefit him and leave no trace. How can you show what this administrator account has access to?

In some security breaches, it was the administrator account's credentials that enabled hackers to access and steal the information they wanted. Your administrator credentials can be stolen and used to erase any indication that the theft has happened.

The Administrator Role can potentially be the biggest security concern in your Office 365.

Worst Password List [4]
1. 123456
2. PASSWORD
3. 12345678
4. QWERTY
5. 12345

4- ously-easy-to/

Have you considered Multi-Factor Authentication for Office 365 to verify that the person accessing this account is actually the person intended to use it? Office 365 will validate by calling the registered phone number for the administrator or ask you to validate using a code sent to that phone.

To reduce the risks, you can also make sure you do not work with an admin account. Most companies will have an administrator account that no one uses unless required to elevate their privileges and do something on the platform. Otherwise, they use their regular account on a daily basis.

Also, you can use Sharegate to build and run reports that inspect and validate what is shared to Administrators and how. You can also take action in bulk to remove permissions if needed, based on a criteria-based search.
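A check that ties the two recommendations together: list the tenant's global administrators and whether per-user Multi-Factor Authentication is enforced on each, so the shared "break-glass" admin account and any admin without MFA stand out. Added example, not the eBook's or Sharegate's code; it assumes the legacy MSOnline module that was current when this guide was written (Microsoft has since retired it in favour of Conditional Access and Microsoft Graph), and the UPN in the commented line is a placeholder.

```powershell
# Added example, not from the eBook: report global administrators and their
# per-user MFA state using the legacy MSOnline module.
# Assumptions: MSOnline module installed (legacy, now retired by Microsoft);
# the UPN used below is a placeholder.
Import-Module MSOnline
Connect-MsolService

$role   = Get-MsolRole -RoleName "Company Administrator"   # Global Administrator
$admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object RoleMemberType -eq "User"

$report = foreach ($m in $admins) {
    $user = Get-MsolUser -UserPrincipalName $m.EmailAddress
    # StrongAuthenticationRequirements is empty when MFA is not set for the user.
    $mfa  = $user.StrongAuthenticationRequirements | Select-Object -First 1
    [pscustomobject]@{
        Admin    = $user.UserPrincipalName
        MfaState = if ($mfa) { $mfa.State } else { "Disabled" }   # Enabled / Enforced
    }
}
$report | Sort-Object MfaState | Format-Table -AutoSize

# Admins with MfaState "Disabled" are the accounts to fix first; enforcing it:
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"; $req.State = "Enforced"
# Set-MsolUser -UserPrincipalName "admin@contoso.onmicrosoft.com" -StrongAuthenticationRequirements @($req)
```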

CHAPTER TEN: Mobile Devices and Sync'ed Content

With a message like "Cloud-First, Mobile-First" that Microsoft made recently, it's inevitable to see more of our users access their content through different devices. This makes it more difficult from a security perspective since we don't always control these devices.

About 12,000 laptops are lost every week at U.S. airports alone, or approximately one every 50 seconds. [5]

Office 365 has also introduced the ability to Sync content offline with OneDrive for Business, making it even more difficult for us to enforce our security policies. Combine that with Mobile Devices and access from anywhere, and you have yourself a recipe for sleepless nights worrying about security.

Of course, these features are very important for the organization to be flexible and keep up with the demands of our workforce today. They allow us to stay competitive, and turning them off globally is out of the question.

5- .pdf?la en

Simple solutions can help you mitigate the risks. Training users on using OneDrive for Business and accessing content from their mobile devices can go a long way. In fact, making sure that a password is required to unlock their device can already help prevent a breach. Microsoft Intune will continue to play a big part in helping protect these company devices.

IRM, or Information Rights Management, is already available for Office 365 and allows you to add an additional layer of security at the document level. Preventing someone from printing a document or forwarding an email: these are all possible and work when accessed through Mobile Devices. IRM-protected documents also work if Sync'ed with OneDrive for Business, a great solution to enforce our security policies.

Sharegate can help by showing you which document libraries across your Office 365 have Sync Offline enabled and allows you to manage this option in bulk. Though this OneDrive for Business feature can be very helpful, you might want to disable it in some locations like the HR library with employee information.
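The per-library control behind "Sync Offline" is the list's ExcludeFromOfflineClient setting. As an added example (not the eBook's or Sharegate's code), here is how to report which libraries on a site still allow sync and turn it off for a sensitive one with PnP PowerShell; the site URL and library name are placeholders.

```powershell
# Added example, not from the eBook: list document libraries that allow
# OneDrive sync and disable sync on one that holds sensitive data.
# Assumptions: PnP.PowerShell installed; URL and library title are placeholders.
Import-Module PnP.PowerShell
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/hr" -Interactive

# BaseTemplate 101 is a document library; hidden system libraries are skipped.
$libs = Get-PnPList -Includes ExcludeFromOfflineClient, Hidden, BaseTemplate |
    Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }
$libs | Select-Object Title, @{ n = "SyncAllowed"; e = { -not $_.ExcludeFromOfflineClient } } |
    Format-Table -AutoSize

function Disable-LibrarySync {
    param([string]$Title)
    $list = Get-PnPList -Identity $Title
    # Setting the flag removes the Sync button and blocks offline clients for this library.
    $list.ExcludeFromOfflineClient = $true
    $list.Update()
    Invoke-PnPQuery
    "Sync disabled on '$Title'"
}

Disable-LibrarySync -Title "Employee Records"
```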

Here's a printable Checklist of everything we covered.

- Establish an inventory of all your Office 365 content, including sites, groups, lists and libraries
- Verify and manage all User Permissions granted to users in Office 365
- Manage Object Permissions in your environment and ensure they are compliant with Governance Policies
- Verify and manage broken inheritance
- Create custom Permission Levels for individual users
- When Sites are created, ensure that Members Groups have permissions changed from Edit to Contribute
- Run audit reports regularly
- Verify and manage External Sharing
- Ensure administrator credentials are only given to trusted individuals

About Sharegate

Sharegate helps thousands of IT professionals worldwide manage, migrate and secure their SharePoint & Office 365 environments. A product made with love by Montreal-based software development firm GSOFT, where we truly believe that simplicity and happiness are key to success!

Want to learn more? Connect with us on Twitter and visit share-gate.com for more SharePoint related content.
@sharegatetools
www.share-gate.com
