Over the past few years, organizations have gradually adopted cloud technologies for a wide range of business purposes. Usually, the cloud service utilized first is file storage. Cloud storage enables all businesses, from small to large, to control costs while ensuring high availability of their data. Two popular options for cloud file storage come from Microsoft: Microsoft OneDrive is for non-business customers and comes as part of its email services. OneDrive for Business is designed for companies; this Microsoft cloud file storage option is normally part of an Office 365 subscription.
When choosing a cloud file service, organizations consider many factors, such as cost, data center locations, performance, storage capabilities and integration with other platforms. One critical topic that is often overlooked is the security of the platform. Too often, businesses trust these services simply because the vendor claims they are secure, when they really should check the available cloud security controls for themselves. Knowing how secure your business's data will be should be the number one criterion when choosing a cloud file storage service.
Here, I’ll review the key security features of OneDrive for Business and offer five important best practices for keeping your organization’s data secure.
How Secure is OneDrive for Business?
From day one, Microsoft ensured that OneDrive for Business had the essential security features, from authentication and control to encrypted storage. And ever since, Microsoft has steadily worked to improve the security controls in OneDrive for Business to meet even the most stringent business requirements.
Key Security Features
All communication with the OneDrive for Business service is protected using SSL/TLS:
- All SSL connections used for communication to OneDrive for Business across the internet are established using 2048-bit keys.
- Data movement between datacenters is transmitted over a private network and is further protected with encryption.
These two features ensure that protections remain in place both when you access your content and when your data is replicated to other data centers.
Second, all data is encrypted at rest using BitLocker disk-level encryption combined with per-file encryption of the actual content. The per-file encryption is especially powerful, since each encrypted file has a unique encryption key, and every subsequent update to the file is encrypted using that key. Encryption keys reside in a different location from the content. The encryption uses Advanced Encryption Standard (AES) with 256-bit keys and is compliant with Federal Information Processing Standard (FIPS) 140-2.
The final piece of encryption is within the SQL content databases that hold the map required to locate and reassemble all of the content and the keys needed to decrypt all the data.
User Permissions and Sharing
Global Admins and SharePoint Admins can manage OneDrive for Business through the OneDrive Admin Center, where configuration and organizational sharing settings and base permissions can be defined. Within the Microsoft Office 365 suite, there is a one-to-one relationship between OneDrive for Business and SharePoint Online; each OneDrive location is actually a site collection within SharePoint Online. As a result, management of OneDrive for Business security and permissions is identical to SharePoint management.
The OneDrive Admin Center provides sharing settings that control all sharing links. Within the Default Links category, administrators can set the type of link used by default when users share items:
- Shareable — If external sharing in SharePoint Online is allowed to anyone, then this setting is available. This setting makes the link accessible by anyone who has the link.
- Internal — This setting makes links accessible only by users within the organization. If external sharing is allowed, end users will have to select the link type every time they share files.
- Direct — These links can be accessed only by the people specified when the end user creates the link. Use this type to share with guests who will be required to authenticate or with a small group of individuals in your organization.
External sharing permissions are available at the global, site collection and user levels. OneDrive for Business provides granular controls that enable you to prevent individual users from sharing content. Using the sliders in the OneDrive Admin Center, you can fine-tune the permission levels for SharePoint Online and OneDrive for Business external file sharing to suit your organization’s needs.
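The same sharing controls can be applied from the SharePoint Online Management Shell. This is an added example, not code from the original article; the tenant name "contoso" and the user OneDrive URL are placeholders for your own tenant.

```powershell
# Added example (not from the original article): enforce the sharing settings described
# above. "contoso" and the personal site URL are placeholders for your own tenant.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Tenant-wide: allow external sharing only with authenticated guests (no "anyone" links),
# make Direct (specific people) the default link type, and default new links to view-only.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View

# If "anyone" links must stay enabled, at least force them to expire and keep them view-only.
# Set-SPOTenant -RequireAnonymousLinksExpireInDays 14 `
#               -FileAnonymousLinkType View -FolderAnonymousLinkType View

# Per user: each OneDrive is a SharePoint site collection, so Set-SPOSite can restrict one
# user's OneDrive more tightly than the tenant default (here: no external sharing at all).
Set-SPOSite -Identity "https://contoso-my.sharepoint.com/personal/jdoe_contoso_com" `
            -SharingCapability Disabled

# Verify the effective tenant settings after the change.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
                              DefaultLinkPermission, RequireAnonymousLinksExpireInDays
```

A site-level SharingCapability can only be as permissive as the tenant-level one, so tighten the tenant first and then relax individual sites where needed.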
Synchronization of Content
One of the most appealing features of OneDrive for Business is its ability to sync content to multiple devices. OneDrive for Business provides a Files On-Demand service that offers three different file states so you can choose whether a given piece of content should be kept online only, be locally available or be always available.
The OneDrive Admin Center enables you to further control the OneDrive sync client; in particular, you can restrict syncing to domain-joined devices only or block syncing of certain file types.
Even tighter restrictions can be applied using policies offered by Microsoft Intune. If you are using OneDrive for Business on corporate devices such as Windows 10 laptops, you can also use Active Directory Group Policies to restrict synchronization further. For example, you could prompt Windows 10 users to move their local files to OneDrive for Business.
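The sync restrictions described above can be set from the SharePoint Online Management Shell, and the Known Folder Move policy can be verified on a managed device. This is an added example, not code from the original article; the domain GUID is a placeholder, and the registry value name is taken from the documented OneDrive Group Policy setting "Prompt users to move Windows known folders to OneDrive".

```powershell
# Added example (not from the original article): restrict the OneDrive sync client.
# The domain GUID is a placeholder; get the real one with (Get-ADDomain).ObjectGUID.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Only devices joined to the listed AD domain(s) may sync, and .pst/.exe files are
# never synced. Multiple domain GUIDs are separated with semicolons.
Set-SPOTenantSyncClientRestriction -Enable `
    -DomainGuids "00000000-0000-0000-0000-000000000000" `
    -ExcludedFileExtensions "pst;exe"

# Confirm the restriction is active (TenantRestrictionEnabled should be True).
Get-SPOTenantSyncClientRestriction

# On a managed Windows 10 device, check whether the Group Policy that prompts users to
# move their known folders (Desktop, Documents, Pictures) to OneDrive is applied. The
# policy stores the tenant ID in the KFMOptInWithWizard value (documented policy name,
# assumed here to be the one your GPO configures).
$policy = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive" `
                           -ErrorAction SilentlyContinue
if ($policy -and $policy.KFMOptInWithWizard) {
    "Known Folder Move prompt is enforced for tenant $($policy.KFMOptInWithWizard)"
} else {
    "Known Folder Move prompt policy is not applied on this device"
}
```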
Data Protection and Data Loss Prevention Policies
If you store files in any cloud file storage service, including OneDrive for Business, you need to establish policies that control the types of content that can be stored and shared. OneDrive for Business offers five core protective functions:
- Perform an audit log search of activities
- Apply data loss prevention policies
- Apply preservation policies
- Create and manage eDiscovery cases
- Create alerts for specific activities
Data loss prevention policies are needed to control the flow of data within the file storage system, especially sensitive data such as personal employee or customer data. These policies use rules to identify credit card numbers, Social Security numbers, driver’s license numbers and other types of sensitive data. Each policy can be modified based on how the content is shared. For example, there is a rule that could block access to content that contains Social Security numbers if it is shared externally, or block access to content that includes bank information and that is shared within the organization.
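The rule described above (block access to Social Security numbers when shared externally) can be created with Security & Compliance PowerShell. This is an added example, not code from the original article; the policy and rule names are placeholders, and the sensitive information type name is the built-in "U.S. Social Security Number (SSN)".

```powershell
# Added example (not from the original article): a DLP policy for OneDrive for Business
# that blocks external access to files containing U.S. Social Security numbers.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Scope the policy to every OneDrive account. Start in test mode with user notifications
# so matches can be reviewed before access is actually blocked.
New-DlpCompliancePolicy -Name "OneDrive-SSN-External" `
    -Comment "Block external sharing of content containing SSNs" `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule: when a file with at least one SSN is shared with people outside the organization,
# block their access, notify the owner and last modifier, and report to the site admin.
New-DlpComplianceRule -Name "Block-SSN-Shared-Externally" `
    -Policy "OneDrive-SSN-External" `
    -ContentContainsSensitiveInformation @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin

# Review what the rule would have blocked, then switch the policy to enforcement.
Get-DlpComplianceRule -Identity "Block-SSN-Shared-Externally" |
    Select-Object Name, AccessScope, BlockAccess, Mode
Set-DlpCompliancePolicy -Identity "OneDrive-SSN-External" -Mode Enable
```

The same pattern with -AccessScope InOrganization covers the article's second case, blocking internally shared content that contains bank account information.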
Tips for Improving OneDrive for Business Security
Even though Microsoft provides great protections, many organizations either don’t know what is available or do not know the best practices to implement. Here are five key tips for improving data security in OneDrive for Business:
- Define and apply data loss prevention policies to control data flow.
- Set up both site collection and end user restrictions for sharing of content.
- Define and apply device policies to restrict access and synchronization.
- Utilize features provided by the larger Azure services to protect OneDrive for Business, such as Advanced Information Protection and Conditional Access Policies.
- Augment native OneDrive for Business logging and auditing with third-party software to get better insight into user behavior.
By understanding OneDrive for Business security features and following these five best practices, you will be able to better understand end-user and admin behavior in your enterprise, address security issues in a timely manner and pass compliance audits.