SharePoint and OneDrive for Business Securing your content in the new world of work



01 Introduction

02 Platform security

03 Information governance

04 Secure access and sharing

05 Awareness and insights

06 Compliance and trust

07 Conclusion


01 Introduction

Microsoft has been building enterprise software for decades and running some of the largest online services in the world. We draw from this experience to keep making Microsoft SharePoint Online and OneDrive for Business more secure for users, implementing and continuously improving security-aware software development, operational management, and threat-mitigation practices that are essential to the strong protection of your services and data.

The collaboration landscape has changed. Connectivity is ubiquitous, and the ability to work remotely has become an ingrained part of the work practice. People have come to expect to be able to access email and documents from anywhere on any device—and for that experience to be seamless.


In this e-book, you’ll learn about the Microsoft approach to security and compliance with SharePoint Online and OneDrive for Business, which encompasses:

Platform security

Protect content at rest and in transit with layered encryption, customer controls, and keys to lock down data.

Information governance

Manage your data life cycle process with customizable data retention, discovery, and deletion.

Secure access and sharing

Manage access and sharing settings to guard against leaks of sensitive data.

Awareness and insights

Gain full transparency and insights into users and data with auditing, reports, and alerts.

Compliance and trust

Leverage the proactive and continuous compliance and certification process of

While this has been an enormous boost to productivity, it also presents huge challenges for security. Previously, businesses needed to be concerned with a firewall that ended at the corporate boundary. Now that boundary has shifted to the end user. Businesses need to ensure that corporate data is safe while enabling users to stay productive in today’s mobile-first world, where the threat landscape is increasingly complex and sophisticated.

SharePoint Online and OneDrive for Business are uniquely positioned to help you address these evolving security challenges. To begin with, Microsoft has continued to evolve with new standards and regulations. This has been a guiding principle behind security for SharePoint Online and OneDrive for Business. Right alongside that principle is this one: There is no security without usability. If security gets in the way of productivity, users will find a different, less secure way to do their work.

SharePoint Online and OneDrive for Business allow your organization to go beyond its regular business rhythms and be nimbler in responding to market changes and opportunities. These solutions enable users to access the files and documents they need wherever they’re doing work, while sharing and collaborating in real-time. And you control and own your data while Microsoft takes care of it.

Customer challenges by the numbers

billion records compromised in the last year (Source: Risk Based Security)

days between infiltration and detection (Source: Mandiant Consulting M-Trends, 2016)

of senior managers admit to using personal accounts for work (Source: Stroz Friedberg, On the Pulse: Information Security in American Business)

of organizations lack data governance, leaving them open to litigation and data security risks (Source: AIIM – Information Management in 2016 and Beyond, March)

year-over-year growth in electronic data (Source: AIIM – Information Management in 2016 and Beyond, March)


02 Platform security

Protect content at rest and in transit with layered encryption, customer controls, and keys to lock down data.

Data loss is non-negotiable for your business, and exposure of sensitive information and assets can have enormous legal and compliance implications—and impacts on your competitive edge. SharePoint Online and OneDrive for Business safeguard against unintentional disclosures through the defense-in-depth approach of Microsoft Office 365.

Microsoft is constantly working on ways to mitigate the effects of attacks on data and information. These security measures form the foundation of our business products and cloud services. Office 365 gives you enterprise-grade physical and logical security capabilities to secure your IT environment, along with encryption controls to protect your files and email communications.


Physical security

Capabilities:

Extensive auditing and supervision prevent administrators from getting unauthorized access to your data.

Multiple copies of your data are located across datacenters for redundancy.

With Office 365, your data is stored in Microsoft datacenters that are protected by layers of security. These datacenters guard against not only unauthorized access and security breaches, but natural and environmental threats as well. They are built like, yes, fortresses.

These fortresses, however, are transparent to you. Moving to a cloud service shouldn’t mean losing visibility into your services. We make it easy for you to monitor the status of your services, track issues, and get a historical view of availability. You also always have awareness of who has access to your data and under what circumstances they have it.

Multiple copies of your data are kept across datacenters, which are geographically distributed. If Microsoft expands into a new country in the region where your data is stored, you are notified one month in advance.


Logical security

Logical security keeps administrator access to your files under strict control. This happens through multitenancy architecture and automation processes, plus a combination of port scanning, perimeter vulnerability scanning, and intrusion detection—all to prevent malicious access.

Multitenant architecture

In cloud computing, multitenancy is the ability to share common infrastructure across numerous customers simultaneously, leading to economies of scale. The multitenant architecture of Office 365 supports enterprise-level security, confidentiality, privacy, integrity, and availability standards. Microsoft continuously works to ensure this, and does so based on the assumption that all tenants are potentially hostile to all other tenants. Multiple forms of protection have been implemented throughout Office 365 to prevent customers from compromising Office 365 services or applications, gaining unauthorized access to other tenants’ information, or breaching the Office 365 system itself.

Automation

Most Office 365 operations are automated. At the same time, Microsoft limits its own access to customer content. This enables Office 365 to be managed at scale while protecting against potential internal threats to customer content, such as a malicious actor or the spear-phishing of a Microsoft engineer. A Microsoft engineer might have limited, audited, secured access to customer content, but only when necessary for service operations and approved by a member of senior management at Microsoft (and, for customers who are licensed for the Customer Lockbox feature, by the customer).

Customer data management

In addition to these controls, you can manage your data in Office 365 much like you would in an on-premises environment. As the global admin, you have access to all features in the admin centers. This means you can add or edit users, and assign admin roles to others. And you can also control how users access information from specific devices or specific locations, or a combination of both.


Encryption

Capabilities:

Easily and cost-effectively manage and maintain control of the encryption keys used by cloud apps and services.

Encrypt keys and small secrets like passwords by using keys stored in hardware security modules (HSMs) with Azure Key Vault.

Office 365 protects the confidentiality and integrity of customer data by following industry cryptographic protocols like Transport Layer Security (TLS)/Secure Sockets Layer (SSL) and Advanced Encryption Standard (AES). Data is protected at rest and in transit, and protection extends to file-level protection in some scenarios.

“Privacy and security are essential to everything we do. Our customers expect us to process their sensitive data according to their country’s unique regulations, which is why we use Office 365. I advised our leaders and CIO that the Microsoft approach to security, compliance, and privacy is of the highest standard in the industry.”

Sascha Schneider, Privacy Counsel, Deputy Data Protection Officer, NGA Human Resources

Data in transit

For data in transit, Office 365 secures customer data by forcing all customer-facing servers to negotiate a secure session with client machines through TLS/SSL protocols. This applies to protocols on any device used by clients—such as SharePoint Online—on the web.

Data at rest

BitLocker volume encryption secures data at rest. It addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers and disks. Office 365 deploys BitLocker with AES 256-bit encryption on servers that hold all messaging data, including email and IM conversations, as well as content stored in SharePoint Online and OneDrive for Business.

File-level encryption

OneDrive for Business and SharePoint Online also use file-level encryption to encrypt data at rest. Office 365 moves beyond a single encryption key per disk to deliver a unique encryption key for every file stored in SharePoint Online—including OneDrive for Business folders. These files are distributed across multiple Azure Storage containers, each with separate credentials. Not only are these files spread across storage locations–the map of file locations is itself encrypted and the master encryption keys are physically separated from both content and the file map. All this makes OneDrive for Business and SharePoint Online a highly secure environment for stored files.


03 Information governance

Manage your data life cycle process with customizable data retention, discovery, and deletion.

Data overload is an issue for many organizations. While your organization might be obligated to keep content for a certain period—because of compliance, legal, or other requirements—holding on to data longer than you need it can create unnecessary legal risks.

Office 365 can help you get a handle on your data life cycle. With data governance features, you can archive and preserve content from your SharePoint Online sites and OneDrive for Business locations—and import that content into your Office 365 organization.

The Retention feature in the Office 365 Security & Compliance Center allows you to manage the lifecycle of your content, keeping the content you need and then removing the content after it’s no longer required.


Data retention policies

Capabilities:

Enforce compliance with information management processes and enforce regulations with information management policies.

Data retention policies allow you to meet your organization or industry compliance requirements. You can set global retention policies on all content in Office 365, or dig deeper by setting granular policies on specific users or content. Then, to follow through, you can use intelligence to automate data retention, classifying data based on age, type, user, or sensitivity, and use policy recommendations based on machine learning.

And, of course, you’re only going to purge data that’s redundant, obsolete, or trivial. High value data can be preserved through applied actions. This can also be automated, by means of a customized schedule for preserving and deleting content.

eDiscovery

Identify and collect the data that might be relevant to a specific legal case.

Capabilities:

Identify and deliver electronic information that can be used as evidence in legal cases.

Use advanced eDiscovery to analyze unstructured data within Office 365, perform more efficient document review, and make decisions to reduce data for eDiscovery.

Office 365 in-place capabilities simplify the eDiscovery process, making it easy for you to find and preserve the right documents in cases of litigation or government investigation. Predictive coding enables you to train the system to automatically distinguish between documents that are likely to be relevant and those that are not. And with clustering technology, you can look at documents in context and identify relationships among them.

Legal and litigation controls

Protection of the confidentiality of data that’s stored within the infrastructure.

Capabilities:

Prevent important documents from being edited or deleted, and define how long documents must be stored by using in-place holds and document deletion policies.

Control the life cycle of a SharePoint site and its associated site mailbox.

Legal and litigation controls help you prevent important documents from being edited or deleted, and define how long documents must be stored. These controls enable you to manage the lifecycle of documents to comply with your organization’s records management policies. They allow you to control the lifecycle of a SharePoint site and its associated site mailbox, while providing a single experience for searching and preserving across Office 365.


04 Secure access and sharing

Manage access and sharing settings to guard against leaks of sensitive data.

Your data belongs to you. Simple as that. This is another one of the guiding principles behind security for SharePoint Online and OneDrive for Business—that while, at Microsoft, we serve as custodians of your data, you remain in control of it. And we help you to manage this through access controls, sharing controls, and application and device management.


Access controls

Capabilities:

Policies that provide contextual controls at the user, location, device, and app levels.

Location-based conditional access policy that blocks users who are working from an untrusted location.

The risks to information exposure have increased in today’s collaboration landscape because users don’t always work on desktop computers. Access controls now need to account for users connecting their mobile devices to nonsecure networks or using their own unmanaged devices.

These new access controls start with conditional access policies. Conditional access allows you to keep your corporate data safe while providing your users a secure environment in which they can work from any device. Conditional access in SharePoint Online and OneDrive for Business offers security that goes beyond user permissions. It takes into account the identity of the user, the devices and applications being used, the network that the user has connected to, and the sensitivity of the data being accessed.

Conditional access works alongside Multi-Factor Authentication in providing another layer of security. Multi-Factor Authentication requires two or more verification methods for user sign-ins and transactions. These methods can include randomly generated pass codes, a phone call, a smart card, or a biometric device.

Advanced Security Management ensures that you’re aware of any suspicious activity in Office 365. This gives you the opportunity to investigate situations that are potentially problematic and, if needed, revoke suspicious user sessions.


Sharing controls

Capabilities:

Extensive sharing controls to support external sharing, link expiration, and revocation of access to content and files.

In working with vendors, clients, or customers outside your organization, you often need to share documents with these external users to collaborate directly. External users can be authenticated or anonymous.

Because authenticated users have their own Microsoft accounts, you can share sites and documents much like you would with users within your organization. However, since these users don’t have access to your Office 365 subscription, they’re limited to basic collaboration tasks.

Users without Microsoft accounts are considered anonymous. These users can access folders and documents through shareable links without having to log in with a username or password. Anonymous users can’t access sites or be assigned licenses, so they’re only able to see your documents through the links you provide. These links are valid only for as long as you choose.

The external sharing features of SharePoint Online help you manage security risks by giving you the capability to set up an extranet site. Extranet sites can be locked down so that only you can invite external users. Admins can control the list of partner domains that their employees can share with outside the organization. Allow and deny lists of email domains can be configured. Activities of the business partner users are audited, and reports can be viewed in Office 365 Activity Reports.

“Many of our employees used multiple storage solutions, but we moved to OneDrive for Business because it has the stringent data protection standards that our clients expect and that give us more control over access to our data.”

Sudesh Withanage, Senior Technology Consultant, Virtusa


Application and device management

Capabilities:

Azure Active Directory management tools enable collaboration and deliver holistic identity protection and adaptive access control.

Integrated device and app management is enabled through Microsoft Intune.

With device-based policies, you can allow, block, or challenge access through Multi-Factor Authentication, device enrollment, or password change. Device-based policies for SharePoint Online and OneDrive for Business help you ensure that your corporate data isn’t leaked onto unmanaged devices, such as devices that are not domain-joined or not compliant. These policies limit content access to the browser while preventing files from being taken offline or synchronized with OneDrive for Business on unmanaged devices.

Microsoft Intune helps you with mobile device management, securing corporate data on devices used by licensed Office 365 users in your organization. If a device is lost or stolen, you can remotely wipe the device to remove sensitive organizational information.
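The sharing controls (partner domain allow lists, link expiry) and the device-based policies for unmanaged devices described above are tenant-wide settings. The script below is an added example, not from the e-book, that reviews those settings with the SharePoint Online Management Shell and, when run with -Apply, sets the stricter values; the admin URL, partner domain and expiry are placeholders, and AllowLimitedAccess assumes the matching Azure AD conditional access policy is in place.

```powershell
# Added example: review (and optionally tighten) SharePoint Online tenant
# sharing and device-access settings. Assumes the
# Microsoft.Online.SharePoint.PowerShell module and a SharePoint admin account.
param(
    [string]$AdminUrl = "https://contoso-admin.sharepoint.com",  # placeholder tenant
    [string[]]$PartnerDomains = @("partner.example"),            # constructed allow-list
    [int]$AnonymousLinkExpiryDays = 30,                          # constructed value
    [switch]$Apply                                               # report only unless set
)

Connect-SPOService -Url $AdminUrl

$tenant   = Get-SPOTenant
$findings = @()

# 1. Anonymous ("Anyone") links: anonymous users reach content purely through
#    the link, so at minimum the link should expire. -1 means "never".
if ($tenant.SharingCapability -eq "ExternalUserAndGuestSharing" -and
    $tenant.RequireAnonymousLinksExpireInDays -lt 1) {
    $findings += "Anonymous links are enabled but never expire"
}

# 2. Partner domains: invitations should only go to the domains you name.
if ($tenant.SharingDomainRestrictionMode -ne "AllowList") {
    $findings += "No allow-list of partner domains (mode: $($tenant.SharingDomainRestrictionMode))"
}

# 3. Unmanaged devices: limited (browser-only) access stops files from being
#    downloaded or synced on devices you do not manage.
if ($tenant.ConditionalAccessPolicy -eq "AllowFullAccess") {
    $findings += "Unmanaged devices get full access (no device-based policy)"
}

if ($findings.Count -eq 0) {
    Write-Host "No weak tenant sharing or device-access settings found."
} else {
    Write-Host "Findings:"
    $findings | ForEach-Object { Write-Host " - $_" }
}

if ($Apply -and $findings.Count -gt 0) {
    # SharingAllowedDomainList takes a space-separated list of domains.
    Set-SPOTenant -SharingDomainRestrictionMode AllowList `
                  -SharingAllowedDomainList ($PartnerDomains -join " ") `
                  -RequireAnonymousLinksExpireInDays $AnonymousLinkExpiryDays `
                  -ConditionalAccessPolicy AllowLimitedAccess
    Write-Host "Tenant settings updated; re-run without -Apply to verify."
}
```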


05 Awareness and insights

Gain full transparency and insights into users and data with auditing, reports, and alerts.

Understanding usage within your organization helps you get ahead of security risks and usability issues. Advanced auditing enables you to discover forensic information about specific activities conducted by a user or an administrator. Personalized reporting offers seamless access to information through a unified dashboard. And intelligent alerting allows you to monitor and investigate actions taken on your data, so that you can contain and respond to threats—and protect your valuable intellectual property.


Advanced auditing

Capabilities:

Discover forensic information about specific activities that were conducted by a user or an administrator.

Use RESTful APIs to get an unprecedented level of visibility into user and admin transactions within Office 365.

Leverage hybrid auditing across cloud and on-premises.

With advanced auditing in Office 365, you can track changes and user activity in SharePoint Online and OneDrive for Business. This allows you to audit changes made to files and site collections, as well as the users who made changes. Every user action is recorded for a full audit trail. And you can set up custom alerts when a specific event occurs. You can quickly access these audit reports through the Office 365 Security and Compliance Center.
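The audit trail described above is what you query when you want to spot risky activity rather than just review it. The script below is an added example, not from the e-book, that searches the unified audit log for two SharePoint Online and OneDrive for Business patterns: one account downloading an unusually large number of files, and creation of anonymous sharing links. It assumes the ExchangeOnlineManagement module, an account with audit-log read rights, and a download threshold you tune for your tenant.

```powershell
# Added example: hunt the Office 365 unified audit log for bulk downloads and
# anonymous-link creation in SharePoint Online / OneDrive for Business.
param(
    [int]$Days = 7,
    [int]$DownloadThreshold = 200   # constructed threshold; tune to your tenant
)

Connect-ExchangeOnline -ShowBanner:$false

$start = (Get-Date).AddDays(-$Days)
$end   = Get-Date

# Search-UnifiedAuditLog returns at most 5000 records per call; a session id
# with ReturnLargeSet pages through the rest. Each record carries the
# SharePoint event as a JSON string in AuditData.
function Get-AuditRecords([string[]]$Operations) {
    $sessionId = [guid]::NewGuid().ToString()
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                    -Operations $Operations -SessionId $sessionId `
                    -SessionCommand ReturnLargeSet -ResultSize 5000
        foreach ($record in $page) { $record.AuditData | ConvertFrom-Json }
    } while ($page -and $page.Count -gt 0)
}

# Pattern 1: one user pulling many distinct files in the window (mass
# download via the browser or a full sync to an unmanaged machine).
$downloads = Get-AuditRecords -Operations @("FileDownloaded", "FileSyncDownloadedFull")
$bulk = $downloads | Group-Object UserId | Where-Object {
    ($_.Group | Select-Object -ExpandProperty ObjectId -Unique).Count -ge $DownloadThreshold
}
foreach ($group in $bulk) {
    $ips = ($group.Group | Select-Object -ExpandProperty ClientIP -Unique) -join ", "
    Write-Host "[bulk download] $($group.Name): $($group.Count) downloads from $ips"
}

# Pattern 2: anonymous links, which make content reachable by anyone who
# holds the URL, so each one deserves a look.
$anonLinks = Get-AuditRecords -Operations @("AnonymousLinkCreated")
foreach ($link in $anonLinks) {
    Write-Host "[anonymous link] $($link.UserId) on $($link.ObjectId) at $($link.CreationTime) from $($link.ClientIP)"
}
```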


Personalized reporting

Unified reporting and seamless information access.

Capabilities:

Unified reporting dashboard for seamless access to information.

Product-level reports for more granular insight about the activities within each product.

Personalized reporting helps you avoid the unexpected by being aware of what’s going on in your organization.

Activity reporting for SharePoint lets you see how users in your organization are using SharePoint Online sites to access, save, and collaborate on documents. It shows you which users are active on each team site, and which users sync documents back to their local machines or share documents externally.

The OneDrive for Business activity report gives you a holistic view of OneDrive usage in your organization. As with SharePoint reporting, you can see which users are using OneDrive to sync files back to their local machines and how users are actively engaging across OneDrive accounts in your organization.


“We have revealed a more agile way of working that helps us simplify access to information, promote insights and analytics across the business, and remain competitive without sacrificing our essential security and compliance concerns.”

Matt Potashnick, Chief Information Officer, AXA UK and Ireland

Intelligent alerting

Email notification when users perform specific activities in Office 365.

Enabled through Advanced Security Management, intelligent alerting allows you to monitor and investigate actions taken on your data, identify risks, and contain and respond to threats made on your intellectual property.

Threat Intelligence analyzes billions of data signals across Office consumer and commercial services, helping to protect you before attacks reach your network. These insights can be integrated with your existing security management tools.


06 Compliance and trust

Take advantage of the proactive and continuous compliance and certification process used by Microsoft.

For customers considering a move to the cloud, compliance is a major issue. And it’s a paramount concern for us at Microsoft as well, which is why Office 365 offers you continuous compliance. Our base level of requirements for Microsoft products and services is always increasing, as impacted by needs worldwide and across industries. Our specialist compliance team tracks standards and regulations, developing common control sets for our product team to build into the service. We have built over 1,000 controls into the Office 365 compliance framework that enable us to stay up to date with frequent changes to industry standards.


Microsoft regularly submits self-assessments to independent third-party auditors. Microsoft holds key certifications, including:

EU Model Clauses

FedRAMP

FERPA

FISMA

HIPAA Business Associate Agreement

ISO/IEC 27001

UK G-Cloud v6 Official

Continuous compliance

Capabilities:

Discover forensic information about specific activities performed by users or administrators.

Use RESTful APIs to get an unprecedented level of visibility into all user and admin transactions within Office 365.

Office 365 helps you meet evolving internal investigation, legal, and regulatory requirements with a rich set of eDiscovery capabilities. Validating your organization’s security practices can be an expensive, exhaustive, and exhausting process. Office 365 enables you to identify relevant data quickly through advanced tools like machine learning, predictive coding, and text analytics. Advanced eDiscovery reduces the volume of data by finding near-duplicate files, reconstructing email threads, and pinpointing key data relationships. Plus, you can easily export this data to third-party applications for review.

These capabilities intelligently simplify the eDiscovery process, so there’s less time taken on your end and less strain on your budget. And as the compliance landscape expands, our capabilities expand with it.

“Our legal department, risk management group, and human resources organization thoroughly reviewed our options to make sure the [system] we chose would support continuous adherence to all our requirements. Like other global companies, we must comply with all local regulations. Office 365 gives us confidence that we can remain in compliance from a data privacy and security standpoint.”

Sherry Nubert, Chief Information Officer, The Goodyear Tire & Rubber Company


“As we build the bank of the future, we are providing the right tools and technology for our people, resulting in improved agility and security. Our move to Office 365 is also helping us... reduce IT costs in half. We’re fully committed to the cloud as we add on all the Office 365 functionality, including the Enterprise Mobility Security Suite and Customer Lockbox.”

Jeff Henderson, Executive Vice President and Chief Information Officer, TD Bank Group

Transparent operations

Capabilities:

24/7 escalation to the development team to resolve issues that cannot be resolved by operations alone.

Thorough review of all service incidents and an analysis of whether your organization is affected.

Controlled access to your data through Customer Lockbox.

Our operations are transparent, so you can check in on the state of your service, track issues, and get a historical view of availability. This means you always know where your data is stored as well as who has access to it and under what circumstances. You can find all of this information in the Office 365 Trust Center.

By design, Office 365 commercial services are separate from our consumer services so that there is no mixing of data between the two. We maintain that you are the owner of your data, and we do not mine customer data for purposes other than providing you productivity services.

Even when you require a Microsoft support engineer to access your data, such as to troubleshoot and fix an issue, you maintain control of your data. Customer Lockbox enables you to approve or reject requests to access your data. Each approved access request is only available until it expires. Upon resolution of the issue, the request is closed and access is no longer approved.

Customer Lockbox also helps you demonstrate that you have data access procedures in place, which can be necessary in meeting compliance obligations.

Privacy by design

Capabilities:

Privacy controls enable you to configure who in your organization has access and what they have access to.

Design elements prevent mingling of your data with that of other organizations using Office 365.

Privacy controls enable you to configure your company privacy policies. To comply with business standards and industry regulations, you need to protect sensitive information and prevent its inadvertent disclosure. This includes financial data or personally identifiable information (PII), such as credit card numbers, social security numbers, and health records.

With a data loss prevention (DLP) policy in the Office 365 Security & Compliance Center, you can identify, monitor, and automatically prevent the accidental sharing of sensitive information across Office 365. DLP allows you to control how your data flows internally as well as outside your organization.
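A DLP policy of the kind described above is created in the Security & Compliance Center or, as in this added example (not from the e-book), from Security & Compliance PowerShell. It targets the two sensitive information types the text names, credit card numbers and social security numbers, blocks sharing of matching files with people outside the organization, and starts in test mode so the rule can be reviewed before it enforces; the policy and rule names are placeholders, and the ExchangeOnlineManagement module is assumed.

```powershell
# Added example: DLP policy for SharePoint Online and OneDrive for Business
# that blocks external sharing of files containing credit card or SSN data.
# Assumes the ExchangeOnlineManagement module and a Compliance admin account.
Connect-IPPSSession

$policyName = "PII-SharePoint-OneDrive"   # placeholder name
$ruleName   = "PII-block-external"        # placeholder name

# Start in TestWithNotifications: users see policy tips and incident reports
# are generated, but nothing is blocked until Mode is switched to Enable.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Block external sharing of PII in SharePoint and OneDrive" `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# One rule: match either sensitive information type, and act only when the
# file is shared outside the organization (AccessScope NotInOrganization).
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number";                minCount = "1" },
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# Verify what was created before promoting the policy to enforcement.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, ContentContainsSensitiveInformation

# After reviewing test-mode incident reports:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```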

Microsoft advocates for data privacy on behalf of customers, and safeguards customer data with strong contractual


07 Conclusion

In the new world of work, SharePoint Online and OneDrive for Business allow you to access email and documents from anywhere on any device—and to do so securely. Our approach provides this productivity protected by security with defense-in-depth solutions to safeguard your data. We give you the user and administrative controls to shield and defend your IT environment and the privacy of your customer data, so you can comply with standards and regulations.

SharePoint Online and OneDrive for Business allow your business to get ahead while getting a handle on your data, providing tools to manage your users and devices, better understand usage within your organization, and be better prepared for any actions taken on your data.

Microsoft has been a leader in trusted enterprise-grade solutions for decades now. And as the collaboration and compliance landscapes evolve, we do too. Learn more at the Microsoft Trust Center.