
How to keep track of your OneDrive and Teams data sharing links part 2


Our series of articles examines the risks of sharing files through OneDrive or Teams and offers advice on how to ensure information security without limiting collaboration. The second article will analyze the challenges of IT administrators in adjusting or maintaining access rights and propose a potential solution for CISOs through implementing Data Access Governance. This will be demonstrated using a specific example to showcase the ease of implementation without compromising employee collaboration.

 

We recommend reading the first article in case you have missed it.

 

Oversharing content

The issue of oversharing content is prevalent in various organizations. Even though the users have good intentions, they tend to share content with a wider audience, leading to unauthorized access to the content. As hybrid work and external collaboration become critical business themes, the oversharing problem is becoming more significant.

Administrators can restrict access in OneDrive or Teams so that users are not allowed to share files with people outside the organization. They can also generally limit the options users have to share data within the organization. So, where is the problem? Simply put, this leads to over-restrictive security measures. These limitations do not work at the file or folder level. They don't consider the needs of users to share files individually in a far more granular way. And as users tend to work around such general barriers, they will start to collaborate using other processes or tools, which will probably weaken your overall security posture - something you want to prevent at all costs.

One effective approach to preventing this issue is to establish file sharing policies at the level of individual files and folders. Obviously, this leads to a far more complex environment that IT administrators can no longer manage, not only because of the workload they already have but also because they lack knowledge about the context: the data inside these files. It is not within their scope of responsibility to determine the appropriate classification level for data or to understand the rationale behind granting access to specific individuals or groups. The data owner is the only one with the authority to provide accurate information: the person who originally created the document or holds responsibility for the content (for example, the manager of a department).

 

Data Access Governance enables secure collaboration

Data Access Governance (DAG) is considered the most effective approach to ensuring compliance and data security. Data owners must be empowered to share their files with specific individuals and groups as necessary, while still adhering to the security standards of the organization.

The security standards for the company are centrally configured and updated by IT administrators. But in most cases it is the data owners who recognize a security violation and adjust the sharing permissions. They need to be able to document changes in permissions and provide reasons for those changes. With this in place, collaborating securely on files and folders becomes effortless and compliance can be consistently achieved. To ensure policies are secure enough, it's important to involve both IT administrators and data owners in the decision-making process. Relying solely on administrators to monitor compliance can result in overly broad policies and an unnecessary burden. A collaborative approach is necessary. Let's explore how this can be accomplished practically.

 

DriveLock 365 Access Control

To ensure that Data Access Governance is implemented in a practical and secure way, there are several key aspects that need to be considered:

  • Before sharing files, data owners should receive training on how to comply with security policies and understand their responsibility. This includes understanding the different levels of access rights and the implications of sharing a file with someone outside of the organization. Also, a data classification system is required, which should comprise a maximum of five distinct levels. Certain information may be available to the public, while most data can be distributed within the company. Typically, 10-15% of information is classified and only accessible to a limited audience.

    DriveLock 365 Access Control facilitates the specification and allocation of data classifications to various locations on OneDrive, Teams, or SharePoint Online. The definitions provide settings for external sharing restrictions and can contain instructions for users on which level to apply.
  • Additionally, organizations must have an automated process for monitoring access rights and providing notifications when permissions are changed or are no longer compliant. This helps to reduce the risk of unauthorized access to sensitive data and ensures that data owners always have an up-to-date view of who has access to their files.

    DriveLock 365 Access Control enables data owners to identify and rectify security concerns effortlessly, without requiring administrative intervention, by simply clicking a button. The platform shows the number of users who have access to a specific file, folder, team, or site, as well as whether access has been granted to external individuals. Access rights can be revoked or granted to other groups or individuals as needed.
  • Finally, it is important to have a clear procedure in place for revoking access when necessary. This could include automatically revoking access when a user leaves the organization or when the data reaches its expiration date.

    DriveLock 365 Access Control includes a role-based access control (RBAC) system that automatically grants or removes access, for example based on changes in an individual's role, department, or employment status within your organization.

Conclusion

Data access governance is essential for ensuring that organizations can protect sensitive data and remain compliant with security policies. By empowering data owners to share files securely, organizations can ensure that their documents are not shared with unauthorized people or groups. An automated process for monitoring and revoking access rights as needed helps organizations stay up to date on who has access to their data and act quickly if something goes wrong.

Protecting important data can be a daunting task for IT administrators, who often find themselves lost in complexity, with too little knowledge of the content they must protect. And while Microsoft 365 provides some assistance in setting limits on sharing content, it does not entirely meet the user's needs for regulating access to individual files and folders.

DriveLock 365 Access Control provides an effective solution for achieving Data Access Governance, ensuring the security of your sensitive data. DriveLock's data owner centric approach simplifies the process for IT administrators compared to other solutions. 
