Blog Post

Privacy is a fundamental human right in this digital age, and the user should be able to question how their data is being handled. In the past few years, Office 365 products like SharePoint and OneDrive has become a significant platform for enterprise organizations to store their data. We are talking about gigabytes of content which the organizations used to store behind a firewall, which is now being uploaded to the cloud. Even though some companies are still using the SharePoint on-prem solution, who are too stubborn to move to SharePoint Online because they think it is not safe, well, the fact is an on-prem solution also is vulnerable to cyber-attacks.

It is your choice of whether to choose on-prem or online, many comparisons have been made between them, and the pros and cons are on both sides. Read up on the differences between SharePoint Online and on-prem. SharePoint Online is completely run on the cloud, all your data is on the cloud, even though you are the owner of your data, in a cloud, you are giving it to a third party to manage and safe keep. In this case, that party is Microsoft.

It is only logical that you question the safety and integrity of your data in the cloud. To answer that question. Before answering that question you need to understand that, the responsibility for the safety of your data is mutual, yes Microsoft has strong security measures put in to store your data, but you, the owner of the data has to take necessary steps in keeping the data safe. In this blog, we will be discussing these two parts. First, let us look at how Microsoft handles our data?

How Microsoft handles your data?

Your data is protected in transit and at rest by Microsoft. Once data starts from clients, into service, and between datacentres, it is encrypted using the best methods by Microsoft. These encryption methods include SSL/TLS connections. Data is further secured from any disaster at datacentres by moving the data between datacentres.

The data at rest in Microsoft datacentres are protected at a high-level clearance. Firstly, there is the physical protection. Access to datacentres is limited to authorized personnel only, and this personnel is verified with multiple factors of authentication, this includes access cards and biometrics. Further, the datacentres are under 24×7 surveillance by security officers, rigged with motion sensors, CCTV the datacentre is basically a secure fort. Even if someone decided to access your data at rest, their first challenge would be to find the datacentre, since Microsoft does not disclose their location, and then go through all those levels of security.

Secondly, the network protection, with a dedicated Azure Directory domain, your networks, and identities are isolated from the Microsoft Corporate network. Then there is application security, all the features that are being developed follow the security development lifecycle. The automated and manual of the applications for vulnerabilities. The incoming vulnerability reports and evaluation of any possible mitigation is handled by the Microsoft Security Response Centre. There is also a Microsoft Cloud Bug Bounty program, where you can earn money by reporting vulnerabilities. Read more about this at Microsoft Cloud Bug Bounty Terms.

Content Protection, the content at rest is protected using BitLocker disk-level encryption and per-file encryption. BitLocker encrypts all data on a disk while per-file encryption takes it a step further by including a unique encryption key for each file. Additionally, every update to every update to every file is encrypted using its own unique key. This unique key is stored in a physically separate location from the original content. You can read more about these encryption methods for content at rest, in SharePoint Online and OneDrive for business Data Encryption.

To confront the threat of any malware in the uploaded documents, the Microsoft 365 anti-malware engine scans all documents at the time of upload for an AV signature which is updated every hour. You can also use Microsoft 365 Advanced Threat Protection (ATP) to analyze the content and identify sophisticated threats.

The Data stored in Microsoft datacentres are readily available and recoverable. Your data is mirrored in at least two datacentres to moderate the impact of any natural disaster or any other scenario that could affect the service. In case of a ransomware attack, you can use version history settings in a list or a library to roll back, you can also restore data from the recycle bin and site collection recycle bin. Even if an item is removed from the site collection recycle bin you can contact customer support within 14 days to access the backup.

The datacentres are being continuously validated, to ensure that the machines and software are fit and updated. Regular automated workflows that run at the facilities identify the unfit machines and queue them up for a replacement. Microsoft 365 also ensures that the services they provide are audited and compliant. You can visit the Service Trust Portal to find out more about compliance and trust information about Microsoft services.

We have seen how Microsoft handles your data in transit and at rest at their data centers. Now let us discuss how you can ensure the safety of your data in SharePoint and OneDrive for business.

Steps you can take to ensure safety for your data

The most important step you can implement here is two-factor authentication for your identities in Microsoft 365. We cannot stress this more, by doing this you can confront the scenario of a compromised password. The two-factor authentication can be set up through a phone call, text message, or the authenticator app which is available in the app store and Google Play Store. You can find more information about setting up two-factor authentication in Setting up multi-factor authentication for Microsoft 365 users.

Additional steps you can implement to manage or escalate security are discussed below:

1. You can control access from unmanaged devices using Azure Active Directory device-based conditional access. Once turned on, when users sign in from an unmanaged device, they will see an “Access Denied” message on the screen. Using this feature, you can limit access for all users in an organization or only some users or a security group. You can also limit access to certain sites in an unmanaged device.
2.  SharePoint admins can create specific policies to sign-out inactive users after a period of inactivity. This idle session sign-out can be configured in such a way that after a period of inactivity in the browser users will get a warning and will be subsequently signed out.
3. You can prevent accessing SharePoint and OneDrive contents on devices outside the specified domain by users or guests by setting a location-based access control policy.
4. You can setup required sign-in or links that expire or grant limited privileges for external sharing, train your users to share extensively but with precaution. Read more about external sharing for SharePoint Environment here.
5. Create a DLP policy to identify sensitive documents and prevent them from being accidentally exposed or from being shared. With the Data Loss Prevention Policy, you can identify, monitor, and automatically protect sensitive information across Office 365.

In conclusion, answer to the question we asked first, the safety and integrity of your data in SharePoint Online and OneDrive for business in the Microsoft cloud. The data could not be anymore safer! if you are worried that a third party accessing and managing data, think about your Gmail account, SalesForce, DropBox, QuickBooks, or even Facebook, which are already running on the cloud an are managing your data. So, the next time when someone says to you that moving to SharePoint online is a security risk hit them with the facts. With the support from Microsoft and the extra measures, you could set up, the safety and integrity of your data are indisputable.