A recent (September 2017) article suggested that OneDrive for Business (ODfB) (and by extension SharePoint Online (SPO); ODfB is a SharePoint-based service), a key application in Office 365 was a potential source of data leaks and/or target for hacking attacks.
I don’t disagree that, if not configured correctly, any online document management system – not just ODfB/SPO – could be the source of leaks or the target of external attacks. Especially if these systems, and the security controls that can protect the data in them, are not properly configured, governed, administered, and monitored.
But, I would ask, what controls do most organisations have in place now for documents stored in file shares and personal file folders, not to mention USB sticks, and the ability to send document via Bluetooth to mobile devices or upload corporate data to third-party document storage systems? Probably not many, because users have no other way to access the data out of the office.
As we will see, the controls available in Office 365 are likely to be more than sufficient to allow users to access to their documents out of the office, while at the same time reducing (if not eliminating) the sharing of documents with unauthorised users.
How to stop or minimise sharing from OneDrive for Business and SharePoint Online
There is one simple way to prevent the sharing of data stored in SPO and ODfB with external people – don’t allow it.
There are several ways to control what can be shared, each allowing the user a bit more capability. All these options should be based on business requirements and information security risk assessments, and Office 365 configured accordingly.
In this article I will start with no sharing allowed, and then show how the controls can be reduced as necessary.
External sharing – on or off
This is the primary setting, found in the main Office 365 Admin centre under Settings > Services & add-ins > Sites. If you turn this off, no-one can share anything stored in SPO or ODfB.
The option is shown below:
If you do allow sharing, you need to decide (as shown above) if sharing will be with:
- Only existing external users
- New and existing external users [Recommended]
- Anyone, including anonymous users
The second option is recommended because it doesn’t restrict the ability to share with new users. The last option is unlikely to be used in most organisations and comes with some risks.
The next place to set these options are in the SPO and ODfB Admin centres.
OneDrive admin center
If the previous option is enabled, the following options are available for ODfB. Note that BOTH SharePoint and OneDrive are included here because the latter is a part of the SharePoint environment.
- Let users share SharePoint content with external users: ON or OFF.
- NOTE: If this option is turned OFF, all the following options disappear.
- If sharing with external users is enabled, the following three options are offered:
- Only existing external users
- New and existing external users [Recommended]
- Anyone, including anonymous users
- Let users share OneDrive content with external users: ON or OFF
- This setting must be at least as restrictive as the SharePoint setting.
- If sharing with external users is enabled, the following three options are offered
- Only existing external users
- New and existing external users [Recommended]
- Anyone, including anonymous users
If sharing is allowed, there are three sharing link options:
- Direct – only people who already have permission [Recommended]
- Internal – only people in the organisation
- Anonymous access – anyone with the link
You can limit external sharing by domain, by allowing or blocking sharing with people on selected domains.
External users have two options:
- External users must accept sharing invitations using the same account that the invitations were sent to [Recommended]
- Let external users share items they don’t own. [This should normally be disabled]
A final ‘Share recipients’ checkbox allow the owners to see who viewed their files.
SharePoint admin center
The SPO admin center (to be upgraded in late 2017) has two options for sharing.
The first option is under the ‘sharing’ section which currently has the following options:
Sharing outside your organization
Control how users share content with people outside your organization.
- Don’t allow sharing outside your organization
- Allow sharing only with the external users that already exist in your organization’s directory
- Allow users to invite and share with authenticated external users [Recommended]
- Allow sharing to authenticated external users and using anonymous access links
Who can share outside your organization
- [Checkbox] Let only users in selected security groups share with authenticated external users
Default link type
Choose the type of link that is created by default when users get links.
- Direct – only people who have permission [Recommended, same as above]
- Internal – people in the organization only
- Anonymous Access – anyone with the link
Default link permission
Choose the default permission that is selected when users share. This applies to anonymous access, internal and direct links.
- View [Recommended]
- Edit
Additional settings (Checkboxes)
- Limit external sharing using domains (applies to all future sharing invitations). Separate multiple domains with spaces.
- Prevent external users from sharing files, folders, and sites that they don’t own [Recommended]
- External users must accept sharing invitations using the same account that the invitations were sent to [Recommended]
Notifications (Checkboxes)
E-mail OneDrive for Business owners when
- Other users invite additional external users to shared files [Recommended]
- External users accept invitations to access files [Recommended]
- An anonymous access link is created or changed [Recommended]
Sharing via the Site Collections option
In addition to the options above, sharing options for each SharePoint site are set in the ‘site collections’ section as follows. Note that the default is ‘no sharing allowed’. A conscious decision must be taken to allow sharing, and what type of sharing.
When a site collection name is checked, the following options are displayed.
Sharing outside your company
Control how users invite people outside your organisation to access content
- Don’t allowing sharing outside your organisation (default)
- Allow sharing only with the external users that already exist in your organization’s directory
- Allow external users who accept sharing invitations and sign in as authenticated users
- Allow sharing with all external users, and by using anonymous access links
If anonymous access is not permitted (setting above), a message in red is displayed:
Anonymous access links aren’t allowed in your organization
SharePoint Sharing option
The SharePoint Admin Centre has an additional ‘Sharing’ section with the same settings as shown above for ODfB. It is expected that these multiple options will be merged in the new SharePoint Admin Centre due for release in late 2017.
Additional security controls
In addition to all the above settings, there are a range of additional controls available:
- All user activities related to SPO and ODfB, including who accessed, viewed, edited, deleted, or shared files is accessible in the audit logs.
- SPO and ODfB content may be picked up by Data Loss Prevention (DLP) policies and users prevented from sending them externally. This is of course subject to the DLP policies being able to identify the content correctly.
- SPO and ODfB content may be subject to records retention policies set by preservation policies. These may impact on the ability to send documents externally.
- SPO and ODfB content may be subject to an eDiscovery case.
- Administrators can be notified when users perform specific activities in both SPO and ODfB.
- Sharing (and access to the documents once shared) may be subject to security controls enforced through Microsoft Information Protection.
Conclusion
In summary, the settings above allow an organisation to strongly control what can be shared. If sharing is allowed, certain additional controls determine whether the sharing is for internal users or for users external to the organisation. If the latter is chosen, there are further controls on what external users can do. Audit controls and policies may also control how users can share information externally.
The key takeaway is that organisations should ensure that the sharing options available in Office 365 are based on the organisation’s business requirements and security risk framework.
Records about the world 