Managed IT Security & Support Services - Cybersecurity Consulting

How Do I Secure My Data in Microsoft 365?

Written by Admin | December 2, 2021

Securing your data

Making sure your organization's data is secure is an important aspect of a successful collaborative solution. Microsoft 365 has a number of tools that can help you keep your data safe while also allowing your users to collaborate seamlessly.

You can help protect your organization's data by doing the following:

  • Control sharing - by configuring sharing settings for each site that match the type of content it holds, you can give users a space to collaborate while protecting your intellectual property.

  • Classify and safeguard information - by classifying the different categories of information in your business, you can build governance policies that give sensitive information a higher level of protection than information that is meant to be shared freely.

  • Manage devices - using device management, you can restrict access to information based on the device, its location, and other factors.

  • Monitor activity - by keeping an eye on what's going on in Teams and SharePoint, you can get a better idea of how your organization's data is being used. You can also use alerts to detect unusual activity.

  • Defend against attacks - by using policies to detect malicious files in SharePoint, OneDrive, and Teams, you can help protect the data and network security of your organization.

Each of these is explored in more depth below. There are many options available, and you can choose the combination of security and usability that best fits your organization's needs. If you work in a highly regulated field or with highly confidential data, you may want to implement more of these safeguards; if your organization's data is not sensitive, you can rely on basic sharing settings and malicious file notifications.

Control sharing

The sharing settings you configure for SharePoint and OneDrive determine who your users can collaborate with, both inside and outside your organization. Depending on your business needs and the sensitivity of your data, you can:

  • Prohibit sharing with people outside your organization.

  • Require authentication from people outside your organization.

  • Limit which domains can be shared with.

When users share files and folders, they create a shareable link that carries the item's permissions. There are three main types of links:

  • Anyone links work for anyone who has the link. People using an Anyone link do not have to authenticate, and their access is not auditable.

  • An Anyone link is a transferable, revocable secret key. It is transferable because it can be passed on to others. It is revocable because deleting the link revokes access for everyone who received it via the link. It is secret because it can't be deduced or guessed; the only way to gain access is to obtain the link, which can only be obtained by asking someone for it.

  • People in your organization links work only for people inside your Microsoft 365 organization. (They do not work for guests in the directory; only members can use them.)

A People in my organization link, like an Anyone link, is a transferable, revocable secret key. Unlike an Anyone link, these links only work for people who are part of your Microsoft 365 organization. When someone opens a People in my organization link, they must first be verified as a member of your directory, and they will be prompted to sign in if they are not already signed in.

  • Specific people links only work for the people specified when the item is shared.

  • A Specific people link is a non-transferable, revocable secret key. Unlike the Anyone and People in my organization links, a Specific people link will not work if it is opened by anyone other than the person specified by the sender.

  • Specific people links can be shared with people inside the organization and with people outside it. In both cases, the recipient must authenticate as the user specified in the link.

It's critical to teach your users how these sharing links work and which ones they should use to keep your data safe. Send your users the "Share OneDrive files and folders" and "Share SharePoint files and folders" articles, along with information on your organization's information-sharing rules.

Anyone links provide unauthenticated access. They are a convenient way to share files and folders with people outside your organization, but they may not be the ideal choice when you're sharing sensitive information. If you require people outside your organization to authenticate, Anyone links are not offered to users, and you can track guest activity on shared files and folders.

Even though Anyone links don't require people outside your organization to authenticate, you can track how the links are used and revoke access if necessary. If people in your organization often email documents to people outside it, Anyone links may be a better alternative than emailing an attachment.

If you want to allow Anyone links, there are several options for a more secure sharing experience. Anyone links can be restricted to read-only, and you can set an expiration period after which the link no longer works.

Another option is to choose a different link type as the default that users see, which helps reduce the likelihood of accidental oversharing. If you want to allow Anyone links but want to make sure they are only used when really needed, you can change the default link type to Specific people links or People in your organization links instead of Anyone links. Users would then have to explicitly choose an Anyone link when sharing a file or folder.

You can also use data loss prevention to restrict access through Anyone links to files that contain sensitive information.
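The tenant-level sharing options described above (blocking or requiring authentication for external sharing, restricting domains, changing the default link type, and making Anyone links read-only and expiring) are all exposed through the SharePoint Online Management Shell. The following is an added example, not code from the original article or from Microsoft; it assumes the `Connect-SPOService`, `Get-SPOTenant`, `Set-SPOTenant` and `Set-SPOSite` cmdlets, and the admin URL, site URL and partner domain are constructed placeholders.

```powershell
# Added example, not from the original article. Assumes the SharePoint Online Management Shell.
# The admin URL, site URL and partner domain below are constructed placeholders.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Tenant-wide baseline: people outside the organization must authenticate (so no Anyone links),
# only approved partner domains can be invited, and the default link users see is "Specific people".
$tenantBaseline = @{
    SharingCapability                          = 'ExternalUserSharingOnly'   # authenticated guests only
    DefaultSharingLinkType                     = 'Direct'                    # default link = Specific people
    DefaultLinkPermission                      = 'View'                      # links are read-only unless changed
    SharingDomainRestrictionMode               = 'AllowList'
    SharingAllowedDomainList                   = 'partner.example'           # constructed partner domain
    RequireAcceptingAccountMatchInvitedAccount = $true                       # invited address must be the one that signs in
}
Set-SPOTenant @tenantBaseline

# Alternative if Anyone links must stay enabled: keep them read-only and make them expire.
$anyoneLinkLimits = @{
    SharingCapability                 = 'ExternalUserAndGuestSharing'
    FileAnonymousLinkType             = 'View'
    FolderAnonymousLinkType           = 'View'
    RequireAnonymousLinksExpireInDays = 30
}
# Set-SPOTenant @anyoneLinkLimits    # uncomment to apply this instead of the baseline

# A site holding sensitive material can be locked down further than the tenant default
# (a site can be more restrictive than the tenant, never more permissive).
Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/finance' -SharingCapability Disabled

function Test-SharingBaseline {
    # Compares the live tenant settings with the intended baseline and reports any drift,
    # so the check can be scheduled and a silent change to sharing settings gets noticed.
    param([hashtable]$Expected = $tenantBaseline)
    $tenant = Get-SPOTenant
    $drift = foreach ($name in $Expected.Keys) {
        $actual = $tenant.$name
        if ("$actual" -ne "$($Expected[$name])") {
            [pscustomobject]@{ Setting = $name; Expected = $Expected[$name]; Actual = $actual }
        }
    }
    if ($drift) { $drift } else { Write-Output 'Sharing settings match the baseline.' }
}
Test-SharingBaseline
```

Splatting the settings from a hashtable keeps the intended configuration in one place, which is what makes the drift check at the end possible: the same table is both the thing applied and the thing verified.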

People in your organization links

People in your organization links are a great way for people in your organization to share information. They work for everyone in your organization, so users can share files and folders with people who aren't members of a team or site. The link gives them access to that particular file or folder and can be passed around within the organization. This makes it easy to collaborate with stakeholders from groups that may have their own teams or sites, such as design, marketing, and customer service.

Creating a People in your organization link does not make the file or folder appear in search, nor does it give everyone direct access to it; users must have the link to access the file or folder. The link does not work for guests or others who are not part of your organization.

Specific people links

Users who want to restrict access to a file or folder should use Specific people links. The link only works for the person specified, and they must authenticate to use it. These links can be internal or external (if guest sharing has been enabled).

Classify and protect information

In Microsoft 365, data loss prevention allows you to classify your teams, groups, sites, and documents, and to build a set of conditions, actions, and exceptions that control how they're used and shared.

By classifying your information and creating governance rules around it, you can build a collaboration environment where people can easily work with one another without accidentally or deliberately sharing sensitive material inappropriately.

With data loss prevention rules in place, you can be fairly flexible with the sharing settings for a given site and let data loss prevention enforce your governance requirements. This makes for a better user experience and removes the incentive for users to work around unwanted restrictions.

Sensitivity labels

Sensitivity labels are a way to assign descriptive labels to teams, groups, sites, and documents, which can then be used to enforce a governance workflow.

Sensitivity labels allow your users to share information safely while adhering to your governance policies, without having to become experts in those policies.

For example, you might set up a policy that requires sensitive Microsoft 365 groups to be private rather than public. A user creating a group, team, or SharePoint site who chooses the Confidential classification would then only see the Private option. See "Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites" for more information on using sensitivity labels with teams, groups, and sites.

Conditions and actions

Data loss prevention conditions and actions let you enforce a governance workflow when a condition is met.

Examples include:

  • If customer information is detected in a document, then users cannot share that document with guests.

  • If a document contains the name of a confidential project, then guests cannot open the document even if it has been shared with them.

Microsoft Cloud App Security offers additional granular conditions, actions, and alerts to help protect your content, including the ability to remove a user's permissions or quarantine the user when the specified condition is met.

Notifications to users

User notifications let you notify your users, via email or policy tips, when data loss prevention has found something they should know about. The user can then decide the appropriate course of action for the situation. For example, if a user inadvertently tries to share a document that contains a credit card number, the user is notified that a credit card number was found and informed of your organization's policy.
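The condition/action pattern from the "Conditions and actions" examples (customer information detected, so the document cannot be shared with guests) and the user notification described above can be expressed as one DLP policy with one rule. The following is an added example, not code from the original article or from Microsoft; it assumes Security & Compliance PowerShell (`Connect-IPPSSession` from the ExchangeOnlineManagement module), and the policy and rule names are made up. Detecting a confidential project name, as in the second bullet, would need a custom sensitive information type, which is not shown here.

```powershell
# Added example, not from the original article. Assumes Security & Compliance PowerShell
# (Connect-IPPSSession). Policy and rule names are made up.
Connect-IPPSSession

$policyName = 'Customer data - no guest sharing'

# Scope the policy to the collaboration workloads the article covers. Start in test mode so
# policy tips appear but nothing is blocked until the rule has been tuned, then switch to Enable.
New-DlpCompliancePolicy -Name $policyName `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# Condition: a credit card number is present AND the item is shared with people outside the
# organization. Action: block only the external recipients (internal collaborators keep access)
# and show the owner and last modifier a policy tip explaining why.
New-DlpComplianceRule -Name 'Block guest access to credit card data' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = 'Credit Card Number'; minCount = '1' }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item contains a credit card number and cannot be shared with people outside the organization.'

# Confirm the rule landed with the intended condition and actions.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, AccessScope, BlockAccess, BlockAccessScope, NotifyUser
```

`BlockAccessScope PerUser` is the detail that matches the article's intent: the file stays usable inside the organization while guests lose access, rather than the file being locked for everyone.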

Manage access

Microsoft 365 provides a variety of governance features to help you create an intuitive but secure collaboration environment for your users.

  • Use device management to ensure that only compliant devices have access to your company's data.

  • Use conditional access to guarantee that only trusted locations and apps have access to your sensitive information.

  • Monitor information sharing in real time and through reports to ensure your governance requirements are met and sensitive information stays private.

Device Management

Device management lets you take extra precautions to protect your organization's data. You can manage almost any device your users own, including PCs, Macs, mobile devices, and Linux systems.

Examples include:

  • Ensure devices have the latest updates before allowing access to Microsoft 365.

  • Prevent copy and paste of confidential data to personal or unmanaged apps.

  • Erase company data from managed devices.

As you explore your options for governing access to information through device management, keep in mind that guests are likely to have unmanaged devices. If you've enabled guest sharing on your site, make sure unmanaged devices get the access they need, even if it's just web access from a PC or Mac.

Conditional access

Conditional access in Azure Active Directory adds further safeguards by preventing users from accessing your organization's resources in potentially risky scenarios, such as from an untrusted location or from an out-of-date device.

Examples include:

  • Block guests from signing in from risky locations.

  • Require multi-factor authentication for mobile devices.

You can create access policies specifically for guests, which helps mitigate risk for people who most likely have unmanaged devices.
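The two conditional access examples above (block guests from risky locations, require MFA on mobile devices) and the "compliant devices only" item from the Manage access list can be created as policies through the Microsoft Graph PowerShell SDK. The following is an added example, not code from the original article or from Microsoft; it assumes `Connect-MgGraph` and `New-MgIdentityConditionalAccessPolicy`, the policy names are made up, and "risky location" is interpreted here as any location not marked as trusted in your named locations (an assumption of this example). Every policy is created in report-only mode.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph PowerShell SDK.
# 'All', 'AllTrusted', 'GuestsOrExternalUsers' and 'Office365' are built-in values of the
# Conditional Access API, not tenant-specific IDs. Policy names are made up.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policies = @(
    @{
        # "Block guests from signing in from risky locations": risky is assumed here to mean
        # any location that is not one of your trusted named locations.
        displayName   = 'Guests - block sign-in from untrusted locations'
        state         = 'enabledForReportingButNotEnforced'   # report-only until reviewed
        conditions    = @{
            users          = @{ includeUsers = @('GuestsOrExternalUsers') }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
            locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{
        # "Require multi-factor authentication for mobile devices".
        displayName   = 'Mobile platforms - require MFA'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{ includeUsers = @('All') }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
            platforms      = @{ includePlatforms = @('android', 'iOS') }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{
        # "Only compliant devices have access": members need an Intune-compliant device for
        # Office 365. Guests are excluded because their devices are usually unmanaged.
        # In production also add your emergency-access account object IDs to excludeUsers.
        displayName   = 'Members - require compliant device for Office 365'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @('GuestsOrExternalUsers') }
            applications   = @{ includeApplications = @('Office365') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
    }
)

foreach ($policy in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}
```

Report-only mode records what each policy would have done in the sign-in logs, which is how you confirm the guest and mobile policies don't lock out legitimate partners before changing `state` to `enabled`.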

Real-time monitoring with alerts

Microsoft 365 Defender services include a robust policy framework that you can use to monitor activities you consider potentially harmful to your organization's data.

Examples include:

  • Raise an alert when a confidential file is shared externally.

  • Raise an alert when there's a mass download by a single user.

  • Raise an alert when an externally shared file hasn't been updated for a specified period of time.

Microsoft 365 Defender can also watch for anomalous behavior such as unusually large uploads or downloads, access from unusual locations, or unusual admin activity.

By configuring alerts, you can be more confident in allowing an open sharing experience for your users.
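Two of the alert examples above, a mass download by a single user and an externally shared file that hasn't been updated for a set period, come down to simple logic over the audit records that SharePoint and OneDrive already produce. The following is an added example, not code from the original article or from Microsoft, showing that logic over constructed sample records shaped like unified audit log entries; in a tenant the same functions would take the output of `Search-UnifiedAuditLog` (Exchange Online PowerShell). Treating `SharingSet`, `SharingInvitationCreated` and `AnonymousLinkCreated` as "shared externally" is a simplification assumed here (in real records the `AuditData` JSON says who the target was).

```powershell
# Added example, not from the original article. $records are CONSTRUCTED sample data shaped like
# unified audit log entries; feed Search-UnifiedAuditLog output to the same functions in a tenant.
$base = [datetime]'2021-12-02T09:00:00Z'
$records = @(
    # One user pulls 30 files in 20 minutes.
    1..30 | ForEach-Object {
        [pscustomobject]@{
            CreationTime = $base.AddSeconds(40 * $_)
            UserId       = 'bob@contoso.example'
            Operation    = 'FileDownloaded'
            ObjectId     = "https://contoso.sharepoint.com/sites/finance/report-$($_).xlsx"
        }
    }
    # Normal activity from another user.
    [pscustomobject]@{ CreationTime = $base.AddMinutes(5); UserId = 'alice@contoso.example'; Operation = 'FileDownloaded'; ObjectId = 'https://contoso.sharepoint.com/sites/hr/handbook.docx' }
    # A file shared externally in October that nobody has modified since.
    [pscustomobject]@{ CreationTime = [datetime]'2021-10-01T10:00:00Z'; UserId = 'alice@contoso.example'; Operation = 'SharingSet'; ObjectId = 'https://contoso.sharepoint.com/sites/projects/plan.docx' }
    [pscustomobject]@{ CreationTime = [datetime]'2021-10-02T10:00:00Z'; UserId = 'guest_partner.example#ext#@contoso.example'; Operation = 'FileModified'; ObjectId = 'https://contoso.sharepoint.com/sites/projects/plan.docx' }
)

function Find-MassDownload {
    # Flags any user with at least $Threshold FileDownloaded events inside a sliding window of
    # $WindowMinutes (two-pointer scan over that user's timestamps sorted ascending).
    param([object[]]$Records, [int]$Threshold = 20, [int]$WindowMinutes = 60)
    $downloads = $Records | Where-Object Operation -eq 'FileDownloaded'
    foreach ($user in ($downloads | Group-Object UserId)) {
        $times = @($user.Group | Sort-Object CreationTime | Select-Object -ExpandProperty CreationTime)
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            if (($end - $start + 1) -ge $Threshold) {
                [pscustomobject]@{ Rule = 'MassDownload'; User = $user.Name; Count = $end - $start + 1; WindowEnd = $times[$end] }
                break   # one alert per user is enough
            }
        }
    }
}

function Find-StaleExternalShare {
    # Flags files that were shared externally and whose last modification (or, failing that,
    # the share event itself) is older than $MaxIdleDays relative to $Now.
    param([object[]]$Records, [datetime]$Now, [int]$MaxIdleDays = 30)
    $shareOps = 'SharingSet', 'SharingInvitationCreated', 'AnonymousLinkCreated'   # assumed external-share signals
    $sharedFiles = $Records | Where-Object { $_.Operation -in $shareOps } | Select-Object -ExpandProperty ObjectId -Unique
    foreach ($file in $sharedFiles) {
        $events = $Records | Where-Object { $_.ObjectId -eq $file } | Sort-Object CreationTime
        $lastEdit = $events | Where-Object { $_.Operation -in 'FileModified', 'FileUploaded' } | Select-Object -Last 1
        $lastTouched = if ($lastEdit) { $lastEdit.CreationTime } else { ($events | Select-Object -First 1).CreationTime }
        $idleDays = ($Now - $lastTouched).TotalDays
        if ($idleDays -ge $MaxIdleDays) {
            [pscustomobject]@{ Rule = 'StaleExternalShare'; File = $file; IdleDays = [int]$idleDays }
        }
    }
}

Find-MassDownload -Records $records -Threshold 20 -WindowMinutes 60
Find-StaleExternalShare -Records $records -Now ([datetime]'2021-12-02T12:00:00Z') -MaxIdleDays 30
```

With the constructed records, the first call flags bob (30 downloads inside one hour) and not alice, and the second flags plan.docx as an external share idle for two months. The sliding window matters: a fixed hourly bucket would miss a burst that straddles the top of the hour.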

Monitoring with reports

A variety of reports are available in Microsoft 365 to help you monitor site usage, document sharing, governance compliance, and a host of other events.

Manage threats

In Microsoft Defender for Office 365, you can use Safe Attachments for SharePoint, OneDrive, and Microsoft Teams to guard against malicious files being uploaded to OneDrive, SharePoint, or Teams.

When Safe Attachments for SharePoint, OneDrive, and Microsoft Teams detects a malicious file, the file is locked so that users cannot open, move, or copy it.

You can review a list of quarantined items that includes the locked file, and then delete or release the file as needed.
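Enabling Safe Attachments for SharePoint, OneDrive and Teams is a single setting, but the lock described above does not by itself stop a flagged file from being downloaded; that is a separate SharePoint tenant setting. The following is an added example, not code from the original article or from Microsoft, that turns on both and includes a check you can run periodically. It assumes Exchange Online PowerShell (`Connect-ExchangeOnline`, `Get-AtpPolicyForO365`, `Set-AtpPolicyForO365`) and the SharePoint Online Management Shell (`Connect-SPOService`, `Get-SPOTenant`, `Set-SPOTenant`); the admin URL is a constructed placeholder.

```powershell
# Added example, not from the original article. Assumes Exchange Online PowerShell and the
# SharePoint Online Management Shell. The admin URL is a constructed placeholder.
Connect-ExchangeOnline
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Turn on Safe Attachments scanning for files stored in SharePoint, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# The lock stops open/move/copy; downloading a flagged file stays possible unless this is set.
Set-SPOTenant -DisallowInfectedFileDownload $true

function Test-SafeAttachmentsForSpo {
    # Reports both settings; Compliant is $true only when both are on.
    $atp = Get-AtpPolicyForO365
    $spo = Get-SPOTenant
    [pscustomobject]@{
        SafeAttachmentsForSpoTeamsOdb = $atp.EnableATPForSPOTeamsODB
        DisallowInfectedFileDownload  = $spo.DisallowInfectedFileDownload
        Compliant                     = [bool]$atp.EnableATPForSPOTeamsODB -and [bool]$spo.DisallowInfectedFileDownload
    }
}
Test-SafeAttachmentsForSpo
```

Running `Test-SafeAttachmentsForSpo` from a scheduled job gives you a simple drift check: if either setting is ever switched off, `Compliant` flips to `$false` and the change can be investigated.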

 


For more information on Microsoft 365 or to learn more about our IT support, contact RCS Professional Services to speak with an IT professional and security technician or visit our website www.rcsprofessional.com.