



5 ways Microsoft has improved SharePoint security

May 16, 2016 | 8 min read
Application Security, Cloud Computing, Enterprise Applications

Revamped SharePoint platform enables more granular security controls, hybrid cloud and on-premise auditing, and BYO encryption keys

“Users will always find a way to get their job done. And if security gets in their way, they will find another, likely less secure, way to get their job done.”

Navjot Virk made that point during the launch of the latest version of SharePoint, Microsoft’s 15-year-old content management and collaboration platform. More than 200,000 organizations use SharePoint, which today reaches more than 190 million users.

Security is one of four key areas of investment in the new SharePoint, according to Jeff Teper, corporate vice president for the OneDrive and SharePoint teams (pictured with Virk). Teper presided over Microsoft’s Future of SharePoint event, held last week, and detailed enhancements to SharePoint Online in the cloud and SharePoint Server on-premises. Together, Teper and Virk gave an overview of Microsoft’s investments in security, privacy and compliance in SharePoint and the OneDrive online storage service. The common theme is tighter, more granular security controls that aim to help IT strike the desired balance between security and user productivity. Here are the specifics.

Differentiated access

Microsoft has built conditional access policies into SharePoint that define access based on the user, device and location. IT can set policy-based access controls for SharePoint that take into account the user role (HR, finance, or R&D, for example); how the user is trying to access the data (from a managed or unmanaged device, or from a browser on a kiosk); where the request is coming from (an expected or unexpected location, a corporate network or a trusted location); and the sensitivity of the data that the user is trying to access (which can vary during the lifecycle of a document, as data is added or removed).

A user can be prevented from copying and pasting content from a managed app, such as Microsoft Word, into an unmanaged app, such as a personal email app, for example, or prevented from sharing a document deemed sensitive by the organization with someone outside the company. Another policy might require users to supply a PIN for certain activities.

“The level of security, and any resultant user friction in the experience, needs to be commensurate to the value of the data or the sensitivity of the data,” says Virk, whose title is principal group program manager for OneDrive and SharePoint at Microsoft.

Looking ahead, Microsoft is working to add more granularity to SharePoint’s access controls. Upcoming security capabilities include the ability to give a user read access, but not download access, for example.

“In order to get even better usability, you should be able to set more fine-grained access,” Virk says. “So instead of allowing a user to have full access or no access at all to a sensitive document on an unmanaged device, you might want to allow the user read or view access, but not download access.”

Additional policies will allow IT to block all access off the corporate network. “A lot of customers have been asking for this,” Virk says. 

IT also will be able to set session length policies depending upon the sensitivity of the data, the user location and the device. “For example, you might want to have longer sessions when a user is using a managed device versus an unmanaged device,” Virk says.
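The decision logic described in this section (user role, managed or unmanaged device, network and location, data sensitivity, with view-only access and session length as intermediate outcomes instead of all-or-nothing) can be sketched as a small policy evaluator. The following is an added example written for this page, not Microsoft's code or SharePoint's actual policy engine; the roles, session lengths and the tenant switch are constructed assumptions.

```python
"""Toy evaluator for SharePoint-style conditional access decisions.

Constructed example: the session lengths, the department/owner rule and the
tenant-wide off-network switch are assumptions for illustration only.
"""
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


class Decision(Enum):
    DENY = "deny"
    VIEW_ONLY = "view-only"   # open in the browser, download blocked
    FULL = "full"


@dataclass(frozen=True)
class AccessRequest:
    user_role: str           # e.g. "finance", "hr", "rnd"
    owner_role: str          # department whose content is being requested
    sensitivity: Sensitivity
    managed_device: bool     # enrolled, compliant device vs. unmanaged or kiosk
    on_corp_network: bool    # request originates from a corporate network
    trusted_location: bool   # geography/network this user is expected to use


@dataclass(frozen=True)
class TenantPolicy:
    block_off_network: bool = False   # "block all access off the corporate network"


@dataclass(frozen=True)
class AccessResult:
    decision: Decision
    session_minutes: int
    reason: str


def session_length(req: AccessRequest) -> int:
    """Session length scales with trust: managed devices in expected locations
    get long sessions; unmanaged or out-of-place requests get short ones."""
    minutes = 480 if req.managed_device else 60
    if not req.trusted_location:
        minutes = min(minutes, 30)
    if req.sensitivity is Sensitivity.CONFIDENTIAL:
        minutes = min(minutes, 120 if req.managed_device else 15)
    return minutes


def evaluate(req: AccessRequest, policy: TenantPolicy = TenantPolicy()) -> AccessResult:
    """Decide full / view-only / deny from user, device, location and sensitivity."""
    if policy.block_off_network and not req.on_corp_network:
        return AccessResult(Decision.DENY, 0, "off-network access blocked by tenant policy")
    if req.sensitivity is Sensitivity.PUBLIC:
        return AccessResult(Decision.FULL, session_length(req), "public content")
    if req.sensitivity is Sensitivity.CONFIDENTIAL:
        if req.user_role != req.owner_role:
            return AccessResult(Decision.DENY, 0, "confidential content belongs to another department")
        if not req.trusted_location:
            return AccessResult(Decision.DENY, 0, "confidential content from an unexpected location")
    if req.managed_device:
        return AccessResult(Decision.FULL, session_length(req), "managed device")
    # Unmanaged device and non-public data: rather than all-or-nothing, allow
    # viewing in the browser but block download.
    return AccessResult(Decision.VIEW_ONLY, session_length(req),
                        "unmanaged device: view only, download blocked")


if __name__ == "__main__":
    req = AccessRequest("finance", "finance", Sensitivity.INTERNAL, False, False, True)
    print(evaluate(req))
```

The order of the checks matters: the tenant-wide off-network block and the denials for confidential content run before any allow, so a permissive branch can never be reached by a request that an earlier rule rejected.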

Unified auditing logs

With existing reporting and auditing features, IT admins can view user and file activity using audit logs, and with the new version, Microsoft has enabled unified auditing across SharePoint and OneDrive. Admins can view all file and folder activities, and drill down to view sharing and synchronization histories. Admins also can view activity by a particular user – every file accessed, what was shared and with whom.

“You can now see all user, admin and file activity across your entire tenancy in Office 365 Admin Portal. You can search through it, you can filter it for what you’re looking for, and you can even export this data so you can use your favorite tool to actually process it,” Virk says.
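The drill-down Virk describes (all file and folder activity, per-user history, what was shared and with whom, search, filter and export) is straightforward to reproduce over exported audit records. The following is an added example, not Microsoft's code: the records are constructed for this page, and while the field names (Operation, UserId, ObjectId, TargetUserOrGroupName) follow the shape of Office 365 unified audit records, the values and the set of operations handled are illustrative assumptions.

```python
"""Summarise unified-audit-style records per user and flag external shares.

Constructed example: the log lines below are invented; field names follow the
general shape of Office 365 audit records but nothing here is real tenant data.
"""
import csv
import io
import json

SAMPLE_LOG = """
{"CreationTime": "2016-05-10T09:12:03", "Workload": "SharePoint", "Operation": "FileAccessed", "UserId": "alice@contoso.com", "ObjectId": "https://contoso.sharepoint.com/sites/finance/Q1-forecast.xlsx", "ClientIP": "10.1.2.3"}
{"CreationTime": "2016-05-10T09:15:44", "Workload": "SharePoint", "Operation": "SharingSet", "UserId": "alice@contoso.com", "ObjectId": "https://contoso.sharepoint.com/sites/finance/Q1-forecast.xlsx", "TargetUserOrGroupName": "bob@partner.example", "TargetUserOrGroupType": "Guest"}
{"CreationTime": "2016-05-10T10:02:10", "Workload": "OneDrive", "Operation": "FileSyncDownloadedFull", "UserId": "alice@contoso.com", "ObjectId": "https://contoso-my.sharepoint.com/personal/alice/Documents/notes.docx", "ClientIP": "203.0.113.7"}
{"CreationTime": "2016-05-10T11:30:00", "Workload": "SharePoint", "Operation": "FileAccessed", "UserId": "carol@contoso.com", "ObjectId": "https://contoso.sharepoint.com/sites/hr/salaries.xlsx", "ClientIP": "10.1.2.9"}
{"CreationTime": "2016-05-10T11:31:00", "Workload": "SharePoint", "Operation": "SharingSet", "UserId": "carol@contoso.com", "ObjectId": "https://contoso.sharepoint.com/sites/hr/salaries.xlsx", "TargetUserOrGroupName": "dave@contoso.com", "TargetUserOrGroupType": "Member"}
"""


def parse_audit(text: str) -> list:
    """One JSON record per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def filter_records(records, **criteria):
    """Keep records whose fields equal every criterion, e.g. Operation="SharingSet"."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def user_activity(records, user):
    """Drill down on one user: files accessed, what was shared and with whom, what was synced."""
    summary = {"accessed": [], "shared": [], "synced": []}
    for r in filter_records(records, UserId=user):
        op = r["Operation"]
        if op in ("FileAccessed", "FileDownloaded", "FileModified"):
            summary["accessed"].append(r["ObjectId"])
        elif op == "SharingSet":
            summary["shared"].append((r["ObjectId"], r.get("TargetUserOrGroupName")))
        elif op.startswith("FileSync"):
            summary["synced"].append(r["ObjectId"])
    return summary


def external_shares(records, internal_domain):
    """Sharing events whose target address is outside the tenant's own domain."""
    suffix = "@" + internal_domain.lower()
    hits = []
    for r in filter_records(records, Operation="SharingSet"):
        target = r.get("TargetUserOrGroupName", "")
        if "@" in target and not target.lower().endswith(suffix):
            hits.append((r["UserId"], r["ObjectId"], target))
    return hits


def to_csv(records, columns):
    """Export selected columns for processing in another tool; missing fields become empty cells."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns)
    writer.writeheader()
    for r in records:
        writer.writerow({c: r.get(c, "") for c in columns})
    return buf.getvalue()


if __name__ == "__main__":
    records = parse_audit(SAMPLE_LOG)
    print(user_activity(records, "alice@contoso.com"))
    print(external_shares(records, "contoso.com"))
```

The external-share check keys on the recipient's domain rather than on the TargetUserOrGroupType field alone, so a guest account that was later converted to a member is still surfaced if its address is outside the tenant.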

A feature introduced earlier this year, called advanced eDiscovery, integrates machine learning, predictive coding and text analytics to make it easier to sort through large quantities of data. “You now have the power of machine learning to quickly go through large volumes of data and find just the right relevant information you need to retain for legal purposes,” Virk says. “We also have powerful record management tools that let you classify the data and apply the right retention and deletion policies.”

Later this year, Microsoft is set to release a new feature called SharePoint Insights. This service can aggregate usage and compliance data from on-premises and cloud into the Office 365 Reporting Center, so companies can see a unified view across the entire organization.

This is significant for enterprises that have sizable on-premises investments in SharePoint and plan to maintain and add to those on-premises investments.

“All of this innovation in security and compliance is not limited to cloud only. SharePoint 2016 ships with built-in support for data loss prevention, or DLP, policies and record management, so you can automate the classifications, the security policies, the retention policies for your on-premise data as well. And we really believe in the power of hybrid to bring the innovations from the cloud and extend them to your on-premise deployments,” Virk says.

SharePoint site classification

SharePoint already is equipped with tools to discover and protect content – it includes more than 80 pre-built definitions of sensitive content, and companies can create their own custom policies. “You can easily create a policy, for example, to block all access to financial information from an unmanaged device, or you can prevent your users from creating documents which contain Social Security numbers and saving them to their OneDrive,” Virk says.

These policies can be set once and applied across your tenant and into your on-premises farms. “Once you create a DLP policy, all your data is automatically classified and the policies applied at the time of access,” Virk says. “It’s applied to all files across your entire tenancy. You don’t have to worry about setting policies per file or per site.”

Later this year, Microsoft is adding the ability to classify a SharePoint site so that appropriate policies are scoped to all content in a site.

Another new feature is the ability to whitelist and blacklist domains for external sharing.

“Secure sharing and collaboration is fundamental to SharePoint … but we have to make sure there are right controls over it,” Virk says. “You can decide who in your organization has the privileges to share externally. You can also decide what kind of data they can share externally.”

“If you want, you can block them from sharing any sensitive data — block all external sharing for sensitive data – or you can block external sharing at a site level if you think people are working on a confidential project on that site, or you can block all external sharing at your tenancy. You can also control who they’re sharing the data with,” Virk says. “We just shipped a feature that allows you to create blacklists and whitelists of domains that users are allowed to share with. And very soon, you will be able to control the length of time for which an external user gets access to the data.”
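Two of the controls in this section fit together naturally: DLP classification of content at the time of access (the Social Security number example earlier in the section) and the external-sharing gate with domain whitelists and blacklists, site-level blocks and a restricted set of users allowed to share externally. The following is an added example written for this page, not Microsoft's DLP engine or SharePoint's sharing implementation; the SSN pattern and the "financial" keywords are constructed stand-ins for the platform's built-in sensitive-content definitions, and every domain, site and user name is invented.

```python
"""Toy DLP classifier plus an external-sharing gate with domain allow/block lists.

Constructed example: detectors, policy fields, domains and users are illustrative.
"""
import re
from dataclasses import dataclass

# The SSN pattern excludes never-issued area numbers (000, 666, 900-999),
# group 00 and serial 0000 to reduce false positives on arbitrary digit runs.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
FINANCIAL_TERMS = ("bank account", "iban", "routing number", "quarterly revenue")


def classify(text: str) -> frozenset:
    """Return the sensitivity labels a document would receive (empty if none)."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("US SSN")
    lowered = text.lower()
    if any(term in lowered for term in FINANCIAL_TERMS):
        labels.add("Financial")
    return frozenset(labels)


def onedrive_save_allowed(text: str) -> bool:
    """Documents containing Social Security numbers may not be saved to OneDrive."""
    return "US SSN" not in classify(text)


@dataclass(frozen=True)
class SharingPolicy:
    internal_domain: str
    external_sharing: bool = True              # tenant-wide switch
    domain_mode: str = "allowlist"             # "allowlist", "blocklist" or "none"
    allowed_domains: frozenset = frozenset()
    blocked_domains: frozenset = frozenset()
    blocked_sites: frozenset = frozenset()     # sites where external sharing is off
    external_sharers: frozenset = frozenset()  # users allowed to share externally; empty = everyone
    block_sensitive: bool = True               # no external sharing of labelled content


def external_share_allowed(policy, sharer, site, recipient, text):
    """Return (allowed, reason) for `sharer` sharing `text` from `site` with `recipient`.
    Checks run from broadest (tenant) to narrowest (domain) so a tenant-level
    block cannot be undone by an allow-listed domain."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain == policy.internal_domain.lower():
        return True, "internal recipient"
    if not policy.external_sharing:
        return False, "external sharing disabled for the tenant"
    if site in policy.blocked_sites:
        return False, f"external sharing disabled for site {site}"
    if policy.external_sharers and sharer not in policy.external_sharers:
        return False, f"{sharer} is not permitted to share externally"
    labels = classify(text)
    if policy.block_sensitive and labels:
        return False, "content is labelled " + ", ".join(sorted(labels))
    if policy.domain_mode == "allowlist" and domain not in policy.allowed_domains:
        return False, f"domain {domain} is not on the allow list"
    if policy.domain_mode == "blocklist" and domain in policy.blocked_domains:
        return False, f"domain {domain} is on the block list"
    return True, "allowed"


if __name__ == "__main__":
    policy = SharingPolicy("contoso.com", allowed_domains=frozenset({"partner.example"}))
    print(external_share_allowed(policy, "alice@contoso.com", "marketing",
                                 "bob@partner.example", "Employee SSN 123-45-6789"))
```

Classification happens inside the sharing check rather than being stored per file, which mirrors the point in the text that policies are applied at access time across the tenant instead of being set per file or per site.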

Remote session termination is also new to SharePoint. IT can now remotely terminate the sessions of a user, if someone were to leave a laptop in a taxi, for example.

Customer Lockbox

Enterprises want greater visibility and control over who has access to their content stored in Microsoft’s cloud services, and in response, Microsoft developed a new feature called Customer Lockbox.

“In the rare event that a Microsoft engineer needs to get access to your content, because of a customer request from you, we will issue a request through Lockbox. If and only if you grant access, will the Microsoft engineer be able to access your data,” Virk says. “This request and the access are both time-bound, and any and all activity that happens during that window is fully logged and auditable.”

“It is your data. We can’t read it. We don’t use it for any other purposes. You can audit what’s going on from your employees and with … Customer Lockbox, you will be able to see and control even when we operate the service for you,” Teper says.

BYO encryption keys

Along the same lines, Microsoft says it will allow companies to bring and manage their own keys to encrypt their data stored in SharePoint. That ability will be available by the end of this year.

Files stored in SharePoint are broken down into multiple chunks that are individually encrypted, and the keys are stored separately to keep the data safe, Virk says. “In the future, we would like to give you the ability to manage and bring your own encryption keys that are used to encrypt your data stored in SharePoint,” she says. “If you want you can revoke our access to the keys, and we will not be able to access your data in the service.”