twixx - Fotolia


Unified content security comes to SharePoint

In the world of cloud data storage, one would think everything is locked down. Nope, it's still up to you. Microsoft offers admins some unified security tools to make it happen.

SharePoint security policies should be a critical element in your overall strategy. Many firms want to ensure that content, once inside SharePoint, can only be seen by authorized users. In the enterprise, most companies have strict, often complex rules for content access. However, SharePoint is only a part of the story.

In Office 365 today, content is managed primarily through OneDrive, SharePoint and Exchange. Historically, content security worked slightly differently depending on the tool -- each has distinctive controls for managing the content lifecycle. Access control lists (ACLs) -- the more traditional security strategy -- served as the primary control approach. Unfortunately, ACLs only solve part of the problem; if the content left the repository, the ACLs did nothing to prevent unauthorized usage. Organizations need more, and Microsoft has begun to provide a unified set of controls to assist.

There are three key enterprise SharePoint security policy needs: control over content disposition -- ensuring sensitive information doesn't leave the organization -- and overseeing security across varying devices. In Office 365, these translate to data loss prevention (DLP), content policies and device management. Combined with ACLs, firms can enable more comprehensive content security policies around their content. Each of these features is reached through the Security & Compliance administrative tool in Office 365.

Data Loss Prevention

DLP represents a set of capabilities for detecting and applying policies to sensitive information. Common examples include content with personally identifiable information (PII), like Social Security numbers, or financial information, like credit card numbers. A more specific example is information related to firm-specific confidential projects. In all cases, DLP allows you to craft policies to "trap" the content and prevent specific actions. These content security policies can be applied across SharePoint, OneDrive and Exchange. Further, they also surface through the Office 2016 products as content is saved to SharePoint or OneDrive, or when emailed through Exchange.

Creating DLP policies in Office 365 is done through the Security & Compliance administrative tool. Administrators create policies through the policy menu. SharePoint security policies can be created using templates provided by Microsoft, like detecting PII in the U.K. using standards for that country, or from scratch.

A screenshot of a security policy being created
Figure 1. Creating a new DLP policy

Content labels

Content labels are a way to categorize content. These categories will then enable specific policy applications. These SharePoint security policies empower organizations to regulate the content lifecycle across tools. For example, if you wanted to ensure content was periodically reviewed, you could create a label to describe this content. You could then further define a policy for that label that initiated a review six months after creation.

Like DLP, content labels and the corresponding policies are managed in Security & Compliance. The management functions are located under Classification. The process to control content through this process starts with one or more labels. Each label should be created to generally describe the content. Once the labels are created, label policies can be created. Each policy allows administrators to set the timing for content retention and a resulting action once the retention period has elapsed. The actions could include a review, deletion or leaving the content as is. These disposition options are similar to content disposition rules found directly in SharePoint Content Types. However, these policies can uniformly apply across products.

A screenshot of content labels being created
Figure 2. Creating label policies

Device management

Whether your organization provides devices or employees bring their own, implementing SharePoint security at the device level is critical. Device loss or theft can create dangerous security breaches -- for device owners, their organizations and related firms. As such, the Office 365 device management capabilities give organizations the ability to reduce risk through tighter content control.

Depending on your license level, Office 365 subscribers will have varying device management functionality. However, basic device management is available under the DLP menu in the Security & Compliance tool. These features enable organizations to both control how content is stored on the device, as well as basic security features enabled on the individual devices. These controls are particularly useful in BYOD firms, as administrators can enforce concepts like encrypted storage, PIN access and managed email access. For those firms that require more control, the related Intune and Enterprise Mobility Suite (EMS) -- both add-ons to Office 365 -- can provide deployment, selective content wipe and location features that are helpful in the event of theft.

Screenshot of defining requirements for devices
Figure 3. Device policy definition

Over the last 18 months, Microsoft has made a number of changes to Office 365. In particular, it's strengthened content security controls. Historically, distinct security functions have given way to a more unified security approach. In addition, critical SharePoint security concepts, like managing a full content lifecycle, proactively detecting sensitive content and applying content security policies, as well as managing the devices where this content sits, provide firms with better security tools.

This should not end the discussion on security control improvement within the enterprise. Features like information rights management, better ACL management and a unified identity system, are also critical components to any security program. However, as Office 365 has evolved, firms needs to adopt and apply these capabilities to reduce risk and improve SharePoint security policies.

Next Steps

Microsoft gives SharePoint admins more analytics in upgraded dashboard

Dig Deeper on Information governance strategy