Is My Data in Microsoft 365 and SharePoint 2016 Secure?
We know that the security and privacy of data is very important to you. In fact, more than half of all organizations consider security and privacy their topmost priority when choosing a platform. We at SharePoint and OneDrive believe that our products need to be smart and intelligent about delivering the right level of security without compromising user productivity. Over the next few minutes I will show you how SharePoint can help you deliver the right level of security for your organization: by delivering differentiated access based on user, device, location and sensitivity of data, by preventing unwanted sharing of data, by helping automate data classification and policy assignment, and by giving you higher visibility into user and file activity using audit logs. In addition to the controls we give you, I will also highlight the investments we have made in the fabric of the service to give you better control over the security of your data at rest.
Creating and collaborating on content is fundamental to SharePoint. As we add new functionality to the product, one of our key principles is that you cannot have security without usability. Users will always find a way to get their job done, and if security gets in their way they will find another, likely less secure, way to get their job done. We have seen this with trends like users bringing less secure consumer services into the workplace.
We at SharePoint and OneDrive believe that the level of security, and any resulting user friction in the experience, needs to be commensurate with the value or sensitivity of the data. The higher the value of the data, the more sense it makes to have a high level of security. For example, if your user is trying to access a document that contains some of the organization’s intellectual property, it makes sense to perhaps ask them for an additional form of authentication, or even to block access from an unmanaged device.
On the other hand, if your user is trying to access some data with low sensitivity, maybe their own personal trip itinerary, it does not make sense to add any additional friction to that experience. We believe that security needs to be real time and at the point of access, depending upon who you are, what your user role is and what your level of access is. You might have different levels of access for people in the HR department versus the R&D department. How are you trying to access that data? Are you using a managed device, an unmanaged device, a managed app, or maybe a browser on a kiosk? Where are you coming from? Are you coming from a trusted location such as a corporate network? Are you in an expected or an unexpected location? And most importantly, as we just discussed, what is the sensitivity of the data you’re trying to access?
Remember, the sensitivity of the data can vary during the lifetime of the document as data gets removed from or added to the document. We believe that security at SharePoint and OneDrive needs to be smart enough to understand all of these aspects in real time to give you the right level of security. We call this differentiated access policies.
I’m now at home using my personal iPhone, which is not managed by my organization, to access data stored in my work OneDrive for Business. We now have support for managed OneDrive apps on iPhone and Android, so in this case, even though the phone is not managed by my organization, my app is. I go to my OneDrive app and tap on it. A screen shows up to remind me that this app is managed by my IT department to protect the company data in this app, which makes complete sense since I connected my organization ID to the app. I click OK. It is now going to ask me for a PIN, because another organization policy for managing this app says I must supply a PIN to make sure it’s me who’s accessing this data in this app. Now I’m in. I can see all the documents in my OneDrive for Business and I can be productive with them.
I’ve been working with Alex on a few marketing slogans, so I’m going to continue where I left off last night. I click on the document. Word is also managed by my IT department. I click OK, it asks me for a PIN, and there I am in the document; I can see the changes I made yesterday. I can make some edits if I want and add some new things. But then I decide that I’m going to copy some of the slogans I added last night and send them in mail to Alex so I can ask him what he thinks about some of the new things I came up with. I copy a snippet from this document and decide to send it in Mail. I’m using the Mail client that is native on the iPhone, and I decide to send this to Alex. I’m going to try and paste what I copied.
Notice how there is no paste option: because the app is managed, it stops me from copying important information, or any data, out of the app into another app that is not managed. This makes sense, so I say, “Oh yeah, I can’t really do that.” But that’s okay, I will just share this document with Alex from the OneDrive app. I go back to the OneDrive app and it asks me for my PIN again. I select the document and I click Share. It tells me that only people in Contoso can view and edit, which makes sense. I click on Invite People and I add Alex. I say Add, and I’m done. Now Alex and I can both collaborate on the document. This was pretty cool.
Now let’s see what happens if I decide instead to share a document that is considered sensitive by my organization. Let me pick another document that my organization considers sensitive and try to share that. Now I get a policy conflict. It tells me that the item I’m trying to share conflicts with a policy. I click OK, and it gives me details about why it is considered to be in conflict with my company’s policy. It tells me that this document contains social security numbers, so it is not okay for me to share it with external users. The app prevented me from accidentally sharing this information outside the organization’s boundaries, which is pretty cool. On the other hand, when I’m working on documents that are not considered sensitive, I was able to share and continue to collaborate.
That was my experience on my phone at home; now I’m at work, logged into my work device, which is fully managed by my organization. I’m in my OneDrive, I can see all the files, and you can see that some of the files have a little icon overlay on them. If I hover over one of them, it tells me that this particular document is in conflict with a policy. If I click on it, it opens a policy tip that tells me that this document contains a social security number and therefore sharing with external collaborators is prohibited. Now I understand that some of the documents in my OneDrive are special and considered sensitive by my organization.
Now I’m going to switch to my mail. During the course of the day I’m doing my usual work, and I decide that I want to share a document with Tony, who works for another company, and we’ve been collaborating on some things. I decide to send a mail to Tony at Treyco and attach a document. Now, I’m not aware whether this document is sensitive or special or not; I just select the document and click Next. I decide to send it as an attachment because that’s what I usually do, and I type the subject. I say, “Check this out,” and I hit Send. Now let’s see what happens. It turns out that this document is actually sensitive and I’m not allowed to share it. I immediately get an email back which tells me that a custom flow in the Exchange rules has blocked me from sending this message. My organization’s policies dictate that attachments with social security numbers cannot be sent to people outside the organization.
In fact, this particular Exchange rule applies to any email client I might try to use. In all cases, I as a user am prevented from sharing important information outside the organization, and that’s a good thing. Now I’m back in OneDrive doing my usual work. I’ve been working on some marketing slogans with an external company, Treyco, and I would like to share this document with the folks I’m working with at Treyco so that they can review it and give me some feedback. I click Share and I type their names.
I’m first going to share with Tony, tonyk@treyco.com, and then I also have to share it with Rob, but I can’t seem to remember Rob’s address at Treyco. I do remember Rob’s personal email address, so I decide to use rob@gmail.com. Now I’ve just been prompted, and it tells me that it is not okay for me to share with rob@gmail.com. That makes sense; it’s probably not a good idea to send corporate information to people’s personal email addresses, so I’m going to delete Rob and go find Rob’s correct email address. I’m now able to share with him. Now Tony, Rob and I can easily collaborate on this document.
Now let me show you the admin experience for setting up these differentiated access policies. The first thing I’m going to show you is how you can manage the OneDrive mobile apps. We’re going to start in the Intune admin portal. I’m in the Intune admin portal, and here I have an iOS policy and an Android policy. When I click on the iOS policy it shows you that you first have to give the policy a name; in this case I’m just calling it an iOS policy. You have to assign some users to that policy, so I’ve got a group assigned, and then you say which apps this policy should target. In this case it’s targeting OneDrive and all the Office and Outlook apps.
Then, what are the settings for this policy? In this case the settings are pretty simple. The policy says that the apps can only copy data between other managed apps, that you must supply a very simple PIN, and that the PIN has an expiration of 1 minute, so after every 1 minute of inactivity you have to resupply the PIN. That is it. That’s all you need to manage your OneDrive apps.
Now let me show you how you can set up differentiated policies based on the sensitivity of the data. For this we’re going to start in the O365 admin portal. From there we click on Security, which takes me to the new Security and Compliance Center. From there I click on Security Policies, which takes me to the data loss prevention policies. This is where I can set up policies specific to the sensitivity of the document. We only have one policy here, around social security numbers. When you click on this policy, you see that it currently applies to SharePoint and OneDrive; in the future you’ll be able to select Exchange as well.
This policy has some rules associated with it; we only have 3 simple rules. The bottom 2 are about educating users about what they can and cannot do if the document contains a social security number. In this case it says that if the document contains a social security number, then there’s an action associated with it. The action says we’re going to send some notifications and also show a custom policy tip which informs the user that, since the document contains a social security number, sharing with external collaborators is prohibited. Now, the top rule is the more important rule, which completely restricts sharing with external users. In this case the rule says: if the document contains a social security number, and it is shared with people outside my organization, then the action is to block access to the content and send the notification. This is basically what is kicking in, and that’s why the user is not able to share a sensitive document with any external user, and why Exchange is also blocking you from sending that document as an email.
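The same policy shape, an educational policy-tip rule plus a blocking rule for external sharing, can be created from Security & Compliance PowerShell rather than the portal. The script below is an added example, not code from the presentation or from Microsoft; it assumes the ExchangeOnlineManagement module (Connect-IPPSSession), the built-in sensitive information type named “U.S. Social Security Number (SSN)”, and policy and rule names that are placeholders of my own choosing. As in the demo, the policy is scoped to SharePoint and OneDrive only.

```powershell
# Added example (not from the presentation): build the social-security-number
# DLP policy from Security & Compliance PowerShell.
# Assumes the ExchangeOnlineManagement module is installed. Policy and rule
# names below are placeholders; the sensitive information type name is the
# built-in one.
Connect-IPPSSession   # interactive sign-in as a compliance admin

$policyName = 'Contoso SSN Protection'   # placeholder name

# The policy carries the scope: SharePoint and OneDrive, as in the demo.
# -Mode Enable enforces immediately; use TestWithNotifications to pilot.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Blocks external sharing of documents containing SSNs' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode Enable

# Shared content condition: at least one U.S. SSN detected in the document.
$ssnCondition = @{ Name = 'U.S. Social Security Number (SSN)'; minCount = 1 }

# Rule 1 (educate): any document containing an SSN gets the custom policy tip
# and the owner is notified. Nothing is blocked by this rule.
New-DlpComplianceRule -Name 'SSN policy tip' -Policy $policyName `
    -ContentContainsSensitiveInformation $ssnCondition `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This document contains social security numbers; sharing with external collaborators is prohibited.' `
    -Priority 1

# Rule 2 (enforce): same content condition, plus "shared with people outside
# the organization" (AccessScope NotInOrganization). Access is blocked and the
# owner notified. Priority 0 puts it at the top, like the demo's top rule.
New-DlpComplianceRule -Name 'SSN block external sharing' -Policy $policyName `
    -ContentContainsSensitiveInformation $ssnCondition `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -Priority 0

# Confirm the two rules and their ordering before leaving.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, Priority, AccessScope, BlockAccess, Disabled
```

The blocking rule is the one that produces the “policy conflict” seen on the phone and the blocked share on the desktop; the policy-tip rule is what puts the icon overlay and explanation on the file before the user tries anything. Rolling out with `-Mode TestWithNotifications` first shows which files would be affected without blocking anyone.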
I just showed you a very simple policy based on social security numbers. You can create the policies that are right for your organization based on many other sensitive information types. Beyond the settings and controls, we also give you visibility into activities in your tenant, and we now have unified audit logs across SharePoint and OneDrive. Let me show you what that looks like. You click on Reports, then New Reports. That takes you to the audit logs. Click on Microsoft 365 audit log reports, and that brings up the audit log viewer. Here you can see all the activity that has happened on your tenant, but you can also select specific types of activities if you want. We now have activities for files and folders, sharing and synchronization. But for now I’m just going to select all the activities that have happened on my tenant in the last 2 days.
This is a lot of stuff, but I can use the right filters. Let’s say I just wanted to see all the activity that has happened on a sensitive document. I go here and I type “password application”; this was one of the sensitive documents I showed you before. I can see everybody who has access to this document, and the last time it was shared and modified. If I wanted, I could also see all the activity performed by a user. I’m going to go here and see everything that Sarah did. This shows every file she accessed, what she shared and who she shared it with. This gives me a good sense of everything that has happened in my tenancy.
Now let me show you one other cool feature we have added for admins. You can now remotely terminate the sessions of a user. Imagine Sarah calls the help desk to tell them that she just lost her laptop; she left it in a taxi. You as an admin can go in and terminate all of her sessions to make sure that nobody can get to your important data using her laptop. Let me show you how you can do it; it’s pretty simple. You start the SharePoint PowerShell, and in the SharePoint PowerShell you just have to type one single command, and that’s it. It asks you, “Are you sure?” You say yes, and in a few seconds you will see that Sarah’s session is terminated. There you go. Sarah was locked out of her session, pretty cool.
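The lost-laptop response and the per-user audit review from the two passages above, scripted together as an added example that is not part of the presentation. It assumes the SharePoint Online Management Shell (Connect-SPOService and Revoke-SPOUserSession) and Exchange Online PowerShell (Connect-ExchangeOnline and Search-UnifiedAuditLog, which reads the same unified audit log the viewer shows); the admin URL and the user address are placeholders.

```powershell
# Added example (not from the presentation): after a lost-device report,
# terminate the user's SharePoint/OneDrive sessions, then pull the account's
# recent activity from the unified audit log for the responder to review.
# Assumes the SharePoint Online Management Shell and ExchangeOnlineManagement
# modules are installed. Admin URL and user below are placeholders.
param(
    [Parameter(Mandatory)] [string] $User,                          # e.g. sarah@contoso.com (placeholder)
    [string] $AdminUrl     = 'https://contoso-admin.sharepoint.com', # placeholder tenant admin URL
    [int]    $LookbackDays = 2                                       # same window the demo used
)

# Step 1: the single command from the demo. It normally asks "Are you sure?";
# -Confirm:$false answers it so the help desk can run this unattended.
Connect-SPOService -Url $AdminUrl
Revoke-SPOUserSession -User $User -Confirm:$false

# Step 2: what did the account touch in the last N days? Same data as the
# audit log viewer's "everything Sarah did" filter, fetched for one user.
Connect-ExchangeOnline
$end   = Get-Date
$start = $end.AddDays(-$LookbackDays)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -UserIds $User -ResultSize 5000

# Each record carries its detail as a JSON string in AuditData; expand the
# fields an investigator actually reads: what, which file, from where, and
# (for sharing events) with whom.
$activity = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        Operation = $d.Operation
        File      = $d.SourceFileName
        Site      = $d.SiteUrl
        ClientIP  = $d.ClientIP
        SharedTo  = $d.TargetUserOrGroupName   # populated only on sharing events
    }
}

# Full timeline on screen, newest first.
$activity | Sort-Object Time -Descending | Format-Table -AutoSize

# Sharing events deserve a second look after a device loss: anything shared
# out from the lost laptop is the part that cannot be undone by the revoke.
$activity |
    Where-Object { $_.Operation -like 'Sharing*' -or $_.SharedTo } |
    Export-Csv -Path ".\$($User -replace '[@.]', '_')-sharing.csv" -NoTypeInformation
```

Run it as a SharePoint admin. The revoke covers SharePoint and OneDrive sessions only; the data already sitting on the device is what the managed-app PIN and Intune policies shown earlier are there to protect, so a lost-device runbook needs both halves.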
So far I’ve shown you how you can set up differentiated access based on user, device, location and the sensitivity of data. Let me now share with you where we’re headed directionally over time. In order to get even better usability, you should be able to set more fine-grained access. Instead of allowing a user either full access or no access at all to a sensitive document on an unmanaged device, you might want to allow the user read or view access but not download access. You should also be able to set different session lengths depending upon the sensitivity of the data, the user’s location and the device. Maybe you want to have shorter session lengths for access from an unmanaged device versus a managed device.
Very soon, as an admin you will be able to see both on-premises and Microsoft 365 audit logs together in the Microsoft 365 admin portal, so that you have a single place to get the complete view of your organization. Beyond the control that we give you at the tenant level, we have also made additional investments in the fabric of the service to give you better control over the security of your data at rest. We know that because security and compliance are very important to you, where your data physically resides is also very important to you. As we continue to scale the service we continue to add new geographical locations where you can choose to store your data.
In the last 12 months alone we have added Australia, Japan and India, and in the coming months we will be adding Germany, the UK and Canada. In order to give you a higher level of visibility and control over who has access to your content stored in SharePoint, we just shipped a new feature called Customer Lockbox. In the rare event that a Microsoft engineer needs access to your content because of a customer request from you, we will issue a request through Lockbox, and if and only if you grant access will the Microsoft engineer be able to access your data. Both the request and the access are time bound, and any and all activity that happens during that window is fully logged and auditable. Let me show you how this works.
You go to the admin portal, click on Service Settings, then click on Customer Lockbox. This is where you can enable or disable this feature. Once you’ve enabled this feature you can click on the dashboard to see any pending requests. You go to Customer Lockbox requests, click on that, and in this particular case I have 1 pending request. I have the support call number right next to it, and I can decide to either approve it or deny it. If I want to see a history of all previous requests I can click View Details and History. Here you can see all of your previous Customer Lockbox requests: which ones you approved, which ones you denied, and all the support tickets associated with them.
One more thing: as you may know, every file stored in SharePoint is broken down into multiple chunks that are individually encrypted, and the keys are stored separately to keep the data safe. In the future we would like to give you the ability to manage and bring your own encryption keys that are used to encrypt your data stored in SharePoint. If you want, you can revoke our access to the keys and we will not be able to access your data in the service.
This was an overview of our new investments in the area of intelligent security and compliance in SharePoint and OneDrive. We want to enable you to have the right level of security for your organization without compromising user productivity. You can try these features in the admin portal in Microsoft 365 today. You can also visit the Trust Center to learn more. Thank you for watching.