SharePoint Online Security Best Practice Guide for MSPs

Despite the tight security services provided by Microsoft, we know how frequently SMEs' Office 365 is breached, either intentionally by hackers or inadvertently by carelessness. In such a scenario, it makes us wonder, can we fully trust Microsoft to protect us from mal actors in 2022??

The simple answer is yes.

The complicated answer is: Microsoft is as secure as WE configure it.

Does that make you uneasy? Well, it should, because Office 365 security is as much of the user's responsibility (or, moreover, the service provider) as it is for Microsoft.  

Microsoft SharePoint Online follows the same laws of public cloud security and hence needs to be configured carefully. Good thing you can follow a defined set of practices to ensure that your Microsoft services are working at full throttle and that security and business needs are in balance. As experts in Office 365 cloud security, we’d like to break down some of the effective SharePoint Online Security Best Practices.

Factors Affecting SharePoint Online Security

It might be surprising, but SharePoint Online security can be jeopardised due to some foundational mistakes. They are listed below

1. ‍ Gaps in Office 365 set up- SharePoint is exposed when left wide open. Failing to follow security best practices and being susceptible to users’ errors make it vulnerable to data leakage. ‍
2. Risks due to Untrained Users- Unaware users with minimum or no security training, tend to look for shortcuts in SharePoint Online. This makes the organisation open to risks and breaches.
3. ‍Lack of follow-ups- Once security best practices are configured, it is also important to keep going back periodically to ensure and verify that they remain in place and safe processes are being followed by employees.

SharePoint Online Best Practice Security Tips

Limit SharePoint Access

SharePoint offers management policies which can be defined according to your requirements. These policies help manage the devices and content. Policies also allow you to control content access locations, connected devices, and applied authentication. These settings can be found on OneDrive and allow you to manage multiple things like encrypting app data when the device locks, using time intervals to verify user access, removing app data when the device is offline etc. Based on your level of security needed and storage of sensitive data, block:

• Downloading files in the app.
• Screenshots permissions.
• File copying and content copying.
• File printing.
• Data backup in the app.
• Opening SharePoint on other apps.

Secure Externally Shared Content

New SharePoint external sharing policies have been a game-changer in making info sharing seamless with individuals and groups outside your organisation. However, not managing it properly can cause security concerns. For example, external sharing policies are enabled by default through all SharePoint sites, exposing them to undesired viewers. Some of the best practices for external sharing are as follows:

• Never share copies of files as attachments to email or chat.
• Consider turning off sharing through anonymous links.  
• Limit content sharing to familiar email domains only if practical.  
• Disable sharing for site collections with sensitive data.  
• If practical, ensure that content can only be viewed by the user matching the exact email address.

Note: You may have observed that we do not fully advocate the elimination of anonymous sharing in all cases because it has been found that doing so can leave some uninformed users reverting to attachment sharing which is not advised.

Secure SharePoint Groups

SharePoint allows you to form sets of users called ‘groups’ whose access can be controlled. SharePoint can have Azure Active Directory security groups or can have a combination of security groups and individual users. All the groups have different permission levels that can be adjusted according to business requirements. Some best practices to follow here are:

• Avoid modifying or deleting the default groups, instead create your own SharePoint group and permission levels.
• Ensure that the necessary processes are in place to consistently maintain all the permissions/group membership changes.
• Carefully configure the privacy settings for special group "Everyone except external users". This group has a default permission level of "Edit" if a group-connected team site is set to "Public”. When set to “Private”, you have to manually add members through “site permissions”.
• A site should have only ONE company administrator. The company administrator group encloses all users who are assigned the global admin role and has the ability to create and manage all Microsoft 365 groups.

Monitor Via SharePoint Auditing

Once your cloud environment is safe, ensure that it is continuously monitored. SharePoint auditing is necessary to know the who, what, and when of 'content changes'. Like other security measures, auditing also needs planning. Ranging from legal requirements, governance, audit log tracking, and audit data storage, every organisation should set its personal goals. Turning on the audit logging can majorly impact your storage, so make sure you audit judiciously. Follow these best practices:

• Set a strong Audit Retention Policy where the retention duration is well above the industry average limits. For example, as per IBM, it takes 287 days to identify a breach and 80 days to contain it
• To avoid drowning in events logged in the audit log, track only those events that add value. Turn on the option to log “Opened and downloaded documents, viewed items in lists, and viewed item properties” for impactful results.
• Adjust retention policies and audit log options according to your unique needs. Every site collection is different so apply retention specifically where sensitive data is stored.
• Move your audit logs out from the content databases to an external centralized location. There is no backup solution in SharePoint, so you can go for third-party vendors.
• Generating and viewing excel audit reports one site collection at a time can be time-consuming. Save time using PowerShell scripts to accumulate data from multiple site collections.

More SharePoint Security Considerations

Here are some common yet “not-to-be-ignored” security best practice considerations for SharePoint:

1. MFA: Don’t stop after applying MFA on just Admins. Go all the way to applying MFA on all accounts wherever possible.

2. Security and Compliance Center: Plan and implement security compliance needs as per your company policies. Manage Data Loss Prevention (DLP), Sensitivity Labels, or Retention labels & policies, from the security and compliance center.

3. Office 365 Trust Center: Microsoft understands the security concerns of storing and processing sensitive data in the cloud. Hence they have shared the relevant in-depth information on security, privacy, compliance etc. within the Trust Center Overview. It is imperative for O365 users to go through these documents to ensure they are well equipped to apply the provided security best-practices.

4. Classifying Content: Data classification is important to apply security controls quickly. SharePoint Online offers tools to put sensitivity labels to content and publishing the labels with a policy outlines how those labels should be treated. There is also provision for automatic labeling, which can be applied to both passive and active content.

5. Train your Employees: Similar to all cloud-based services, SharePoint online users should be aware of some common security practices. Sharing only the intended files and entire folders/collections.  Locking their personal devices, using strong passwords, using anti-virus, logging out of public systems, and backing up all important files are some steps they can begin with.

Automate SharePoint Online Security

We learnt that even though Microsoft provides top-notch security to its users, it cannot protect you from insider threats caused due to human negligence. Configurations within Office 365 are often laborious, time consuming and require diligence. In an organization that manages security for many clients, it can become almost impossible to keep a check on these activities like monitoring, detecting, and remediating continuously. This is where third-party solutions like Octiga can automate everything. Through their automation, there is zero need to go into PowerShell. It is as good as flipping a switch to secure your SharePoint Online and keep it there! Book a quick chat session with us to learn what we can do for your business.