OFFICE 365 8 MIN READ

SharePoint Online Security Best Practices

Miguel Bernard
WRITTEN BY MIGUEL BERNARD
SharePoint Online Security Best Practices

There is still a lot of anxiety among IT decision makers about using the cloud. A recent study found that 90% of decision makers believe that an increase in cloud services will result in a greater probability of a breach occurring.

While the cloud has been around for a number of years now, a lot of IT pros remain skeptical about the compliance standards of their cloud provider – especially when it comes to smaller cloud-based tools.

That’s worrying, no? Well, cloud security depends on two things: one part depends on the provider, while another part depends on how you manage your company’s access and usage of the environment. Take Office 365 and SharePoint Online, for example.

On the Microsoft side of things, the corporation has a pretty good track record for cloud security and their Trust Center keeps you updated with all the latest news and information about how Microsoft is managing the cloud.

But, some responsibility also falls down to you –each company has access to its own compliance center where it can manage and organize security settings.

Because you have control over security in SharePoint Online, this gives you some very valuable flexibility – like how much access is given to external partners, for instance. On the other hand, this also opens you up to some risk. Fundamentally, it’s all about how well you manage security in SharePoint Online.

And that’s what we want to talk about today!

What Are the Security Issues Related to SharePoint Online?

SharePoint Online is part of Office 365, operating as the ‘cloud version’ of SharePoint.

For many companies, the big advantage of any cloud-based solution is that it reduces the need for you to host and maintain a server in-house. This means you save time and money, and means your IT staff spend less time on maintenance and more time on operations.

But, by storing company data in the cloud, you do lose some control over how those servers are managed and maintained and hand over a lot of responsibility to Microsoft. That can make some IT managers worry.

But is SharePoint Online a risky platform? Well, not necessarily any more than SharePoint on-premises. You can pretty much guarantee that Microsoft’s data centers have better firewalls and greater general protection than the servers in the basement of your building.

But, on the other hand, storing data in the cloud means it’s easier for anyone with a password to access your environment and take your data – they don’t have to be physically in the same building as your servers.

So how can companies deal with the new challenges of data and user security in the cloud?

3 Tips to Manage your SharePoint Online Security

  1. Sharing your SharePoint Online Content with external/third-party users

    3rd Party Users in SharePoint

    Before the arrival of SharePoint 2013, adding external users to a SharePoint environment was a complex process – you had to add them individually to your Active Directory or another identity provider.

    This has been improved significantly in Office 365, where SharePoint content can be shared with external users in one of three ways:

    • Sites can be shared using a Microsoft Office 365 ID or Microsoft Account (also known as Live ID)

    • Individual documents can be shared using a Microsoft Office 365 ID or Microsoft Account

    • A direct guest link to documents can be sent to grant anonymous access to specific documents

    There used to be a limit on the number of external users within an Office 365 site, but Microsoft recently announced that the limit on the number of external users has been removed.

  2. Manage Group Permissions in SharePoint Online

    Group Permissions in SharePoint

    Since SharePoint 2003, security settings in SharePoint on-premises applied either to individual users or to SharePoint groups. The big difference between the two is that it’s much easier to manage permissions for groups.

    For example, when a number of sites have to be shared with the HR department, it can be done either by giving permission to each of the users or by sharing the data with a group.

    In the first scenario, when an HR employee leaves, their permissions have to be revoked individually. When managing permissions for a group, the user simply needs to be removed from that group.

    In larger companies, it can even be beneficial to assign Active Directory (AD) groups to SharePoint groups. Group membership is then normally managed at Active Directory level.

    By assigning the AD groups to SharePoint, group membership changes only need to be applied in Active Directory. In SharePoint Online, the same logic applies – so just make sure you’re doing this consistently and have a process in place for when an employee leaves the company.

  3. The Office 365 Trust Center

    Office 365 Trust Center

    Microsoft is aware that one of the biggest problems with storing data in the cloud is the perception of trust. Data stored in "on-premises" systems can be secured by internal IT personnel, which allows for a better level of confidence, even if such solution still includes some degree of risk.

    For companies who tend to be more risk-averse, cloud technology can be a worrying prospect. In order to help, Microsoft has created a standalone site called the ‘Office 365 Trust Center’, which covers everything regarding security. This includes:

    • Physical security: Can people walk in and out at data centers? How are the buildings physically secured?

    • Logical security: How are servers configured, what network security is applied, what kind of auditing is implemented?

    • Data security: How is the actual data secured? If someone gains access to the database, are they able to read your data?

    The other big worry for IT decision makers when considering Office 365 is that Microsoft is principally a US company, which is under the judicial reach of the PATRIOT Act.

    This means that the US Government can require Microsoft to hand over customer data. In February 2014, Microsoft released detailed information on exactly how this issue affects Office 365 customers.

    Part of the answer is encryption, with the customer keeping the key so no one but them has access to the data. The other part is trusting Microsoft’s public statements.

SharePoint Online in Office 365 is a Secure System

SharePoint Online and Office 365, secure systems

Security is a concern for companies using cloud-based solutions such as Office 365. The cloud presents a change in how data is stored, with additional layers of control and access taken away compared to the "traditional" on-premises environment.

However, of all the cloud providers, Office 365 has to be among the most secure and is almost certainly safer than most companies’ standard firewalls.

Of course, it’s true that using SharePoint Online opens you up to different kinds of risks, but the tools it provides mean system admins and users should be able to control data effectively.

There is always going to be a slim risk that some rogue employee or contractor could try and breach your systems, yet by implementing security best practice, permissions and so on, the damage those individuals can do becomes limited.

So, as long as you follow best practice, you should be all good!

Hey, got another minute?

Learn more about external sharing and benefit from the full potential of your Office 365.

The Ultimate Office 365 migration checklist
ShareGate Logo White

Benefit from the full potential of the cloud.

Businesses have to move to the cloud and adapt to it. That’s a fact. ShareGate helps with that.

See how