Last year I wrote a blog post on encrypting OneDrive for Business data with Office 365, and through my work I’ve had a lot of discussions with customers about how to handle data in OneDrive while still enabling the business. Here are my top 4 things to look at to keep OneDrive for Business data secure.
Limit who you share with
Within your organization there are defined business partners that may need access to some of your content. In the OneDrive for Business admin console there are features to limit sharing by domain, and restrictions on how those users can accept sharing requests. Additionally, you can block external users from sharing content they don’t own. These are a great starting points for enforcement of a security posture for OneDrive.
Restricting when and how the sync client can be used
The sync client can be troubling for a lot of organizations since it is taking your data out of the Microsoft cloud and putting it on a computer that may not be known to IT. Restrictions on the sync client are also available in the OneDrive admin portal. You can restrict the sync client to PCs that are joined to specific domains and block syncing of specific file types.
Use Microsoft Intune to enforce mobile application management policies for the OneDrive mobile app
If you are already using or thinking about using Intune to manage your organization’s mobile devices, then creating mobile application management (MAM) policies for OneDrive will extend security outside of the traditional perimeter. There are a host of settings for OneDrive and MAM and most of them are aligned to keep data within the Microsoft suite of applications. This allows device data to be wiped if the phone is lost/stolen or the user separates from the organization without wiping personal data.
Create a Data Loss Prevention Policy
If there is specific data that needs to be either restricted or handled in accordance with regulatory requirements, then defining a data loss prevention policy (DLP) for OneDrive is a no-brainer. DLP settings can be accessed from the Office 365 security and compliance console and the policies can extend to Exchange Online, SharePoint Online, and OneDrive for Business.
As an example, in order to handle the sharing of credit card or ABA numbers stored in OneDrive we can create a DLP policy that looks for those items and blocks sharing or accessing that content. Policy tips can also be deployed to end users to advise them if violating content is detected while working on a document.
To enhance these capabilities even further a product like Microsoft Cloud App Security might be a worthwhile investment.
Use Azure Rights Management to Encrypt OneDrive for Business
Azure RMS can be leveraged to encrypt files on the egress out of OneDrive for business. This applies to the sync client as well as downloading. For more information about Azure RMS, check out my recorded webinar.
Using this with OneDrive must be done with planning and care. I would not recommend this as an organization-wide deployment. It’s better to identify which users deal with sensitive data and use it on their OneDrive for Business. See my other blog about how the sync client handles Azure RMS.
Keeping your data secure must be a top priority as more workloads get transitioned to the cloud. Ensure that you are using all the tools that are included with Office 365 to facilitate an effective security posture.
Steps to deploy this can be found on TechNet here.
Need help configuring this for your organization? Call us today! +1 877 862 1617