Posted On 04 Dec 2018
More businesses are adopting Microsoft Office 365 daily and storing their data in the cloud. A significant portion of this data (around 20%) contains sensitive financial, personal, or business information. Although many people now trust the cloud as a secure platform, it always remains the customer's responsibility to comply with Microsoft's requirements, particularly by not sharing files with unauthorized third parties, and to follow internal and external regulations about what may be kept in the cloud.
To protect against data loss, all organizations should have data loss protection (DLP) policies in place that govern email and cloud uploads. Make sure that you know where your sensitive data is stored, and that every employee is aware of the type of data that must not be placed in the cloud.
If you’re already using Office 365, you should run an audit on the data that has been uploaded. You can run a scan on all the services that save data (OneDrive, SharePoint Online, and Exchange Online). You should search for social security numbers, credit card numbers, health information, salary information, account information, passwords, and more.
Your IT department should be mapping sensitive data as it moves around your systems: who has access to it, with whom it is shared externally, and so on. With that picture, the IT department can educate employees about safe uploading behavior.
Office 365 offers a strong set of APIs that can help you enforce your sharing policy: administrators are notified of potential violations, sharing links can be blocked, permissions can be changed, and the employees who made the error can be notified.
Depending on your company's security rating (e.g., if you deal with a defense contract), certain types of information must not be uploaded to Office 365. To identify the confidential, high-level data that must stay out of the cloud, check your data for keywords, match document fingerprints (e.g., tax forms), look for patterns (e.g., credit card numbers, social security numbers), and set up a list of terms that should be red-flagged on upload, such as brand names or project names. When a violation is detected, several actions can be taken, such as quarantining the file, blocking it, or deleting it.
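The audit scan and the keyword, fingerprint, and pattern checks described above, as an added example that is not part of the original post and not Office 365's own DLP engine: the sample files, red-flag terms and tax-form template are constructed, the Luhn check and SSA issuance rules cut down false positives, and the fingerprint is an exact normalized-text hash standing in for a real DLP fingerprint.

```python
import re
from hashlib import sha256

# Constructed sample uploads (path -> content); stand-ins for files found
# in OneDrive, SharePoint Online and Exchange Online during an audit.
SAMPLES = {
    "onedrive/expenses.txt": "Paid with card 4111 1111 1111 1111 on 03/02.",
    "sharepoint/hr/offer.txt": "Salary offer: $85,000. Employee SSN 123-45-6789.",
    "sharepoint/finance/w2.txt": "Form W-2  Wage and Tax Statement\n2018 Copy B",
    "exchange/mail-17.txt": "Roadmap for Project Falcon is internal only.",
    "onedrive/notes.txt": "Ticket 4111 1111 1111 1112 is not a card number.",
}

KEYWORDS = {"project falcon", "salary"}                      # constructed red-flag terms
TEMPLATES = ["Form W-2 Wage and Tax Statement 2018 Copy B"]  # constructed tax-form template

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def luhn_ok(number):
    """Luhn check: drops digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_ok(area, group, serial):
    """Reject SSNs the SSA never issues (000/666/9xx area, zero group or serial)."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

def fingerprint(text):
    """Hash of case- and whitespace-normalized text (exact-match stand-in)."""
    return sha256(" ".join(text.lower().split()).encode()).hexdigest()

FINGERPRINTS = {fingerprint(t) for t in TEMPLATES}

def classify(text):
    """Return the set of DLP labels triggered by one document's text."""
    labels = set()
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        labels.add("credit-card")
    if any(ssn_ok(*m.groups()) for m in SSN_RE.finditer(text)):
        labels.add("ssn")
    lowered = text.lower()
    labels.update(f"keyword:{k}" for k in KEYWORDS if k in lowered)
    if fingerprint(text) in FINGERPRINTS:
        labels.add("fingerprint:tax-form")
    return labels

def audit(samples):
    """Map each path with at least one finding to its sorted labels."""
    findings = {p: sorted(classify(t)) for p, t in samples.items()}
    return {p: labels for p, labels in findings.items() if labels}
```

Files returned by `audit()` are the ones a policy would quarantine, block, or route to the owner for notification; the Luhn-failing ticket number in `notes.txt` is deliberately left clean.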
To prevent confusion, develop one consistent DLP policy covering all cloud services, so that your employees know what they can and cannot upload, and violations can be swiftly identified and addressed.