
SharePoint & OneDrive Security & Compliance Updates from Microsoft Ignite

Last week at Microsoft Ignite we shared our investments, our vision, and our strategy for addressing today’s most challenging business and technology trends, which continue to broaden the threat landscape. From meeting complex corporate and governmental regulatory compliance requirements to addressing a more mobile and connected workforce, SharePoint and OneDrive are uniquely positioned to address your business needs.

Stay ahead of data residency requirements with Multi-Geo capabilities in Microsoft 365

Governments around the world are strengthening laws and regulations to protect citizens’ data, preserve national security, and protect business interests.

New Multi-Geo capabilities in Microsoft 365 with SharePoint and OneDrive give global organizations a way to maximize the value of Office 365, including SharePoint and OneDrive, while meeting data residency and compliance requirements. Multi-Geo capabilities give you a choice of geographic locations in which to store, manage, and secure your data by allowing a single Office 365 tenant to span multiple regions, storing data on a per-user or per-site basis. Whether you are adding a new user to your organization or moving an existing user, along with their data, to a new region seamlessly and transparently to that user, the new Multi-Geo capabilities are designed to address those needs. Read more about Multi-Geo capabilities in Office 365 at https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Introducing-Multi-Geo-in-Office-365/ba-p/107016.

Watch and download Multi-Geo Capabilities in OneDrive and SharePoint Online at https://myignite.microsoft.com/videos/53873 from Microsoft Ignite.

Multi-Geo capabilities for OneDrive and SharePoint are in private preview today. If you’re interested and want to learn more visit the links below.

OneDrive http://aka.ms/OneDriveMultiGeo
SharePoint http://aka.ms/SharePointMultiGeo

Manage your service-level encryption key with Customer Key in Office 365

Gain greater trust from your own clients with service-level encryption using Customer Key, so that Microsoft does not see or extract any encryption keys.

Customer Key in Office 365 allows you to take control of your information, providing an additional layer of security and data privacy beyond what Microsoft already supplies with SharePoint and OneDrive in Office 365. Customer Key can be used to encrypt and decrypt the individual encryption keys that protect your cloud storage for SharePoint Online and OneDrive for Business. Additionally, you decide when to change or revoke access to these keys, limiting Microsoft’s ability to access encrypted content.

Microsoft encrypts your content at rest and in transit throughout SharePoint, OneDrive and Office 365. In fact, we use multiple keys to encrypt your data, and distribute those keys across multiple data centers.  At the service level, we encrypt those keys that are used to encrypt your data. With customer lockbox, even our administrators have no ability to access your data without your explicit, time-bounded consent. Learn more about our encryption features here.

Service-level encryption with Customer Key goes one step further. You manage the service-level keys that are used to encrypt the SharePoint and OneDrive data encryption keys. You decide when to change these keys and, if your business requires it, you can revoke the service-level keys and thereby deny the service access to your content. Read more about Controlling your data in Office 365 using Customer Key at https://support.office.com/en-us/article/Controlling-your-data-in-Office-365-using-Customer-Key-f2cd475a-e592-46cf-80a3-1bfb0fa17697.

Watch and download Manage and control your data to help meet compliance needs with Customer Key at https://myignite.microsoft.com/videos/53748 from Microsoft Ignite, and read the FAQ at https://support.office.com/en-us/article/Customer-Key-for-Office-365-FAQ-41ae293a-bd5c-4083-acd8-e1a2b4329da6.

Limit information overexposure with sharing and access policies

The risk of information exposure has increased because users don’t always work on desktop computers connected to the corporate network. Access controls now need to account for users connecting their mobile devices to non-secure networks or using their own unmanaged devices. These new access controls start with conditional access policies. Conditional access allows you to keep your corporate data safe while providing your users a secure environment in which they can work from any device. Conditional access in SharePoint Online and OneDrive for Business offers security that goes beyond user permissions. It considers the identity of the user, the devices and applications being used, the network that the user has connected to, and the sensitivity of the data being accessed.

Watch and download Create and manage sharing and access policies for SharePoint https://myignite.microsoft.com/videos/53875 from Microsoft Ignite.

Site-level device access policies

In March 2017, we introduced device access policies at the tenant level so you can control access from unmanaged or non-compliant devices to content stored in SharePoint and OneDrive. At Microsoft Ignite 2017, we announced and demonstrated new support for bringing these device access policies to the site collection level, so you can limit access from these devices on a site-by-site basis, based on the classification of the content. In addition, an administrator can allow these devices to collaborate using the Web browser, providing a seamless user experience where unmanaged devices still need to access and use content stored in one or more sites.

Session timeout policies

Unmanaged and non-compliant devices are just one of many sources of information overexposure. The use of shared systems has also increased, from shared computers in the workplace to kiosks at hotels and airports; devices and networks often change, but the one constant is the corporate data they access. Also at Microsoft Ignite we shared our investments in idle-timeout scenarios, which let you configure a policy that automatically signs out sessions on these shared systems after a specified period of inactivity.

Secure external sharing

Secure external sharing in SharePoint and OneDrive provides a seamless experience for sending secure links to recipients outside your organization. When those recipients open the link, they are sent an email message with a time-limited, single-use verification code. By entering the verification code, the user proves ownership of the email account to which the secure link was sent.

Read more about secure external sharing at https://support.office.com/article/cc78357c-6d48-499c-9cc7-dae447d0d391.

Moving forward…

In today’s volatile economic climate, organizations require collaboration, communication, and productivity solutions to be both cost-effective and flexible.  SharePoint and OneDrive can help businesses achieve new levels of reliability and performance, delivering features and capabilities that simplify administration, protect communications and information, and empower users while meeting their demands for greater business mobility.

However, data loss is non-negotiable, and overexposure of information can have legal and compliance implications. In SharePoint and OneDrive, we’re providing a broad array of features and capabilities designed to make certain that sensitive information remains sensitive, and to ensure that the right people have access to the right information at the right time. Whether you are challenged by an increasingly distributed and remote workforce, ubiquitous connectivity, or rapid changes in corporate and regulatory compliance, we’ll be there each step of the way, evolving our protection in parallel with your risk.

After all, the security landscape has changed. Ubiquitous connectivity has led users to expect data mobility across networks and across devices, and increasingly on personal devices and shared systems such as kiosks. These challenges, together with more complex corporate and regulatory compliance requirements, have made it harder to stay ahead of the trends. The video below demonstrates a subset of the latest controls we’ve built and announced at Microsoft Ignite, and how we’ll continue to evolve our capabilities with more fine-grained controls, from the tenant and site level all the way down to the file level.

Office 365 is designed to meet every company’s needs for business productivity, content security, and compliance with technical, legal and regulatory standards. We’ve been hard at work lighting up new productivity scenarios in OneDrive and SharePoint and architecting the service to support advanced features that help customers meet their regulatory, security and compliance needs.

Resources

We understand that there is no security without usability. If security gets in the way of productivity, users will find a different, less secure way to do their work. Learn more about how we address our customers’ security and compliance concerns with the resources here.

eBook – http://www.microsoft.com/en-us/download/details.aspx?id=55242

Visual Interactive – http://sharepoint-infographic.azurewebsites.net/

Microsoft Ignite Recording – Security you can trust, control you can count on with SharePoint and OneDrive https://myignite.microsoft.com/videos/55100
Microsoft Ignite Recording – Learn how SharePoint Online safeguards your data in the cloud https://myignite.microsoft.com/videos/53874
Microsoft Ignite Recording – Quickly find what’s relevant and reduce risk with intelligent eDiscovery in Office 365 https://myignite.microsoft.com/videos/53650

Device-based Policies Updates with SharePoint and OneDrive

The risk of information exposure has increased in today’s collaboration landscape because users don’t always work on desktop computers. Access controls now need to account for users connecting their mobile devices to non-secure networks or using their own unmanaged devices. These new access controls start with conditional access policies. Conditional access allows you to keep your corporate data safe while providing your users a secure environment in which they can work from any device. Conditional access in SharePoint Online and OneDrive for Business offers security that goes beyond user permissions. It considers the identity of the user, the devices and applications being used, the network that the user has connected to, and the sensitivity of the data being accessed.

In March 2017 we introduced device-based policies for SharePoint and OneDrive, enabling administrators to configure Tenant-level policies.

Device-based policies for SharePoint and OneDrive help administrators ensure data on corporate resources is not leaked onto unmanaged devices, such as non-domain-joined or non-compliant devices, by limiting access to content to the browser and preventing files from being taken offline or synchronized with OneDrive on unmanaged devices.

On September 1st, 2017 we’ll continue to evolve our conditional access investments to address the ever-changing security landscape and business needs by introducing a new level of granularity: administrators will be able to scope device-based policies at the site collection level. In addition, this granular policy can be configured to allow users on unmanaged devices to edit Office Online documents in the browser.

Configuring Policies

Once available in First Release Tenants, site-scoped device-based access policies can be configured with the SharePoint Online Management Shell.

Before you get started using PowerShell to manage SharePoint Online, make sure that the SharePoint Online Management Shell is installed and you have connected to SharePoint Online.

NOTE

The Tenant-level device-based policy must be configured to Full Access prior to configuring site-scoped policies.

  1. Connect-SPOService -Url https://<URL to your SPO admin center>
  2. $t2 = Get-SPOSite -Identity https://<Url to your SharePoint online>/sites/<name of site collection>
  3. Set-SPOSite -Identity $t2.Url -ConditionalAccessPolicy AllowLimitedAccess
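The three steps above combined into one script, as an added example that is not part of the original post: it enforces the note’s prerequisite by reading the tenant-level policy before touching the site, applies the limited-access policy, and reads the site setting back to confirm it. The admin center and site URLs are placeholders; the ConditionalAccessPolicy property on Get-SPOTenant, and the AllowEditing parameter used for the browser-editing option described in the post, are assumed to be present in your version of the SharePoint Online Management Shell.

```powershell
# Added example: site-scoped device-based access policy, end to end.
# Placeholders: replace <tenant> and <site> with your own values.
$AdminUrl = "https://<tenant>-admin.sharepoint.com"
$SiteUrl  = "https://<tenant>.sharepoint.com/sites/<site>"

# Connect to the SharePoint Online admin center (prompts for credentials).
Connect-SPOService -Url $AdminUrl

# Prerequisite from the note above: the tenant-level policy must be Full Access
# before site-scoped policies are configured. Stop if it is not.
# (Assumption: Get-SPOTenant exposes the ConditionalAccessPolicy property.)
$tenant = Get-SPOTenant
if ($tenant.ConditionalAccessPolicy -ne "AllowFullAccess") {
    throw "Tenant-level ConditionalAccessPolicy is '$($tenant.ConditionalAccessPolicy)'; set it to AllowFullAccess before scoping policies per site."
}

# Limit unmanaged and non-compliant devices to browser-only access for this site.
$site = Get-SPOSite -Identity $SiteUrl
Set-SPOSite -Identity $site.Url -ConditionalAccessPolicy AllowLimitedAccess

# Optional (assumed parameter): allow users on those devices to edit Office Online
# documents in the browser rather than getting a read-only experience.
Set-SPOSite -Identity $site.Url -AllowEditing $true

# Read the setting back so the change is verified rather than assumed.
Get-SPOSite -Identity $site.Url | Select-Object Url, ConditionalAccessPolicy, AllowEditing
```

Run the script from a session where you hold SharePoint administrator rights; the final Select-Object line is the evidence you would keep with a change record, since it shows the policy as the service reports it rather than as the script intended it.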

We understand that there is no security without usability. If security gets in the way of productivity, users will find a different, less secure way to do their work. Learn more about how we address our customers’ security and compliance concerns with the resources here.

eBook – Securing your content in the new world of work with SharePoint and OneDrive

Visual Interactive – Share with confidence with SharePoint and OneDrive

Learn more about device-based policies at https://blogs.technet.microsoft.com/wbaer/2017/03/09/device-based-conditional-access-policies-rolling-out-to-first-release-for-sharepoint-and-onedrive/.


Secure your information with SharePoint and OneDrive

Today at the SharePoint Virtual Summit, we unveiled the latest innovations for SharePoint and OneDrive, including powerful integrations across Office 365, Windows and Azure – and while we continue to drive forward with a cloud-first, mobile-first vision – security and compliance are at the foundation of everything we do.

Microsoft has been building enterprise software for decades and running some of the largest online services in the world. We draw from this experience to keep making SharePoint Online and OneDrive for Business more secure for users, implementing and continuously improving security-aware software development, operational management, and threat-mitigation practices that are essential to the strong protection of your services and data.

The collaboration landscape has changed. Connectivity is ubiquitous and the ability to work remotely has become an ingrained part of the work practice. People have come to expect to be able to access email and documents from anywhere on any device – and for that experience to be seamless.
While this has been an enormous boost to productivity, it also presents huge challenges for security. Previously, businesses needed to concern themselves with a firewall that ended at the corporate boundary. Now that boundary has shifted to the end user. Businesses need to ensure that corporate data is safe while enabling users to stay productive in today’s mobile-first world, where the threat landscape is increasingly complex and sophisticated.


SharePoint Online and OneDrive for Business are uniquely positioned to help you address these evolving security challenges. To begin with, Microsoft has continued to evolve with new standards and regulations. This has been a guiding principle as we think about security for SharePoint Online and OneDrive for Business. Right alongside that principle is this one: There is no security without usability. If security gets in the way of productivity, users will find a different, less secure way to do their work.

SharePoint Online and OneDrive for Business allow your organization to go beyond its regular business rhythms and be nimbler in responding to market changes and opportunities. These solutions enable users to access the files and documents they need wherever they’re doing work, while sharing and collaborating in real-time. And you control and own your data while Microsoft takes care of it – click here to explore the many options SharePoint and OneDrive provide to secure you and your information and then read our eBook Securing your content in the new world of work with SharePoint and OneDrive.

What’s coming next with Administration and Manageability?
In Q4 CY2017 we will begin rolling out the new SharePoint admin center. From the home page, you’ll notice just how much better it is, with interactive activity reports, Message Center posts, and a health dashboard tuned to the needs of SharePoint administrators.


You’ll easily find and work with the dozens of SharePoint settings the service gives you to configure sharing, access, and the service. And we know you’ll love the dynamic new Site Management page, which lets you view, filter, and edit the configuration of all of your SharePoint sites, including sites connected to Office 365 groups.


What’s coming next with Security and Compliance?
The rapidly changing security landscape means that your organization’s content – its knowledge – is being shared more broadly, and accessed from more devices and more locations, than ever before. We’re committed to the security, privacy, and compliance of your data, and we continuously innovate intelligent ways to protect your content and to empower you to govern and manage information. Last month we announced label-based classification for information management policies, which enables more dynamic governance of content across SharePoint, Exchange, Skype, and Microsoft Teams.

Today we announced upcoming support for customer-managed keys. In Q4 CY2017, you will be able to host your own key in Azure. That key will be used to further encrypt your data in Office 365, so that should you choose to leave Office 365, you can revoke the key and your data will be inaccessible to the service.

We also announced that conditional access policies will be coming to site collections. These policies allow you to define access based not only on user and permission levels, but also on the device, the user, or the location. Conditional access policies can currently be applied to your Office 365 tenant as a whole. In late CY2017 we will allow you to define these policies at the site collection level, so that you can manage security on a granular, use-case basis.

Watch the short video here, which demonstrates and shares more details about these investments. We hope to see you at Microsoft Ignite, where you can learn more about what’s next for security, compliance, and administration for SharePoint and OneDrive.


Introducing the new SharePoint Admin Center

Today at the SharePoint Virtual Summit, we unveiled the latest innovations for SharePoint and OneDrive, including powerful integrations across Office 365, Windows and Azure.

Innovation in the cloud drives tremendous business value, and it delivers new capabilities to the IT professionals who work tirelessly to support, configure, administer, and secure their organizations’ content and services.

We’ve built Office 365 with global scale, exceptional reliability, and support for compliance across every industry and geography. On top of intelligent security that keeps your service and content protected and private, we give you granular and dynamic controls so that you can manage access and distribution of your organization’s sensitive information. We’ve equipped you with detailed activity and usage reports. And we’ve brought the innovations born in Office 365 to SharePoint Server with out-of-the-box capabilities and connected, hybrid experiences.

While our new user experiences are designed to be simpler, more intuitive, and more powerful, we also believe administration should be just as simple, just as intuitive, and just as powerful. To that end, later this year we’re introducing a completely revamped SharePoint Admin Center that draws heavily on our modern principles: an administrative console designed to help IT achieve more, so their users can achieve more.

Home
The redesigned “Home” surfaces the most important information about the service, both its health and how your organization is using SharePoint Online, and helps you discover it quickly.


Site Management
Borrowing from the modern List experience in SharePoint Online, the new Site Management page promotes ease of use and flexibility – a one stop shop for viewing and managing some of the most important aspects of SharePoint Online sites.  You can now sort, filter, and discover information about your sites and their activity.


Sharing
At the foundation of SharePoint is sharing, and we’re bringing sharing controls to the forefront of administration. Closely aligned with the OneDrive Admin Center, our sharing controls are designed to help your users make the most of their work while making it easy for you to control the flow of your organization’s information.


Device Access
If you’re complacent, you’re likely not compliant – however, we believe compliance shouldn’t get in the way of collaboration and over the past year have introduced several new conditional access policies across user, location, and device pivots to help you secure access to your information. With the upcoming SharePoint Admin Center, you can quickly access and use these policies to address your unique business needs.


To learn more about conditional access in SharePoint Online https://blogs.technet.microsoft.com/wbaer/2017/03/13/security-and-compliance-in-sharepoint-online-an… or to explore more security and compliance scenarios visit https://go.microsoft.com/fwlink/?linkid=848765. When you’re done exploring, be sure to read our new eBook “Securing your information in the new world of work” at https://go.microsoft.com/fwlink/?linkid=849048.

Settings
We’ve taken the many settings available to you for SharePoint Online and grouped and isolated them to simplify how you manage some of the more discrete options for the service and sites.


To see more of the new SharePoint Admin Center check out the video below and to learn more be sure to register for Microsoft Ignite.



#MinuteMonday – Create Network Location-Based Conditional Access Policies in SharePoint Online

The days of the corporate boundary beginning at the firewall are over, today’s corporate boundary is the end user.  Connectivity is ubiquitous and with an endless number of devices available, people have an increasing number of options for staying connected at anytime, anywhere.

Conditional access policies are a first step toward giving administrators security and control in a mobile and connected world. Conditional access provides the control and protection businesses need to keep their corporate data secure, while giving their people an experience that allows them to do their best work from any device.


Security and Compliance in SharePoint Online and OneDrive for Business

In today’s complex and regulated environment, businesses need to focus on building more secure solutions that deliver value to their customers, partners, and shareholders—both in the cloud and on-premises.  Microsoft has decades-long experience building enterprise software and running some of the largest online services in the world.  For SharePoint Online and OneDrive for Business we use this experience to implement and continuously improve security-aware software development, operational management, and threat-mitigation practices that are essential to the strong protection of services and data.

With SharePoint Online and OneDrive for Business our unique approach to security and compliance encompasses:


  • Platform Security – The processes and infrastructure in our datacenters that keep your data safe.
  • Secure Access and Sharing – The access and sharing settings you manage, based on your needs, to ensure your sensitive data doesn’t leak.
  • Awareness and Insights – Complete visibility to make informed decisions, and to track and account for all file activity with full transparency through reports and alerts.
  • Information Governance – Your ability to govern the lifecycle of data, including deletion and retention policies, eDiscovery, and legal holds.
  • Compliance and Trust – A service that meets the latest compliance standards, and full transparency and visibility into how we treat your data.

Over the past several weeks we’ve delivered a number of new features and capabilities (with more to come) that align to these pillars.

Secure Access and Sharing
Location and device-based conditional access policies

Awareness and Insights
Hybrid auditing general availability

Information Governance
Unified eDiscovery

In addition, one recent development is the use of graphs for correlation and visualization, supporting the analysis and actions on the output of our intrusion detection systems. To learn more about how we defend Office 365 with Graph Analytics see also https://blogs.technet.microsoft.com/office365security/defending-office-365-with-graph-analytics/.

We know that data loss is non-negotiable, and overexposure of information can have legal and compliance implications. SharePoint Online and OneDrive for Business provide a broad array of features and capabilities designed to make certain that your sensitive information remains sensitive, with investments across our security and compliance principles, including compliance tools that span on-premises servers and Office 365, while still enabling user self-service.

We’re continuously working to ensure content usage adheres to corporate policy, defending your organization from today’s growing and evolving advanced threats.

To learn more about security and compliance with SharePoint Online and OneDrive for Business:

Read more about how we secure your files at https://www.microsoft.com/en-us/download/details.aspx?id=53884.

Review Office 365 Trust where we share our commitments and information about security, privacy, and compliance at https://products.office.com/en-us/business/office-365-trust-center-welcome?legRedir=true&CorrelationId=de8d945b-65d3-41bc-b5a5-41d503131554.

Stay up to date with our security and compliance blogs at https://blogs.office.com/security/ and https://blogs.office.com/compliance/.


Device-based Conditional Access Policies Rolling out to First Release for SharePoint and OneDrive

The collaboration landscape has changed, people expect to work across both boundaries and devices, to bring content with them versus bringing themselves to content.  Location, location, location is the best choice when buying or selling a home, but introduces new challenges when it comes to securing that content.  Ubiquitous connectivity and the proliferation of devices means responding to new security challenges.  SharePoint Online and OneDrive for Business are uniquely positioned to help you address these challenges…

Over the past several weeks we’ve introduced a variety of policies, to include location-based policies, that provide contextual controls at the user, location, device, and app levels and we’re excited to share you can now explore new device-based policies in First Release.

Conditional access provides the control and protection you need to keep your corporate data secure, while giving your people an experience that allows them to do their best work from any device.

Device-based policies let you allow or block access, or challenge users with Multi-Factor Authentication, device enrollment, or a password change.

Device-based policies for SharePoint Online and OneDrive for Business in First Release help administrators ensure data on corporate resources is not leaked onto unmanaged devices, such as non-domain-joined or non-compliant devices, by limiting access to content to the browser and preventing files from being taken offline or synchronized with OneDrive for Business on unmanaged devices.

With conditional access you get the control you need to ensure your corporate data is secure, while your people roam freely between apps and devices, accessing your data in the cloud and on-premises.

Configuring Device-based Policies in First Release Tenants

To begin using device-based policies you must have your Office 365 Tenant set up for First Release.

1. In the SharePoint admin center, click device access.

2. Under Control access from devices that aren’t compliant or joined to a domain, decide whether you want to limit web access or block all access, and then click the link to configure the policy in the Microsoft Azure portal.

For detailed information on configuring these policies see also https://support.office.com/en-us/article/Control-access-from-unmanaged-devices-5ae550c4-bd20-4257-847b-5c20fb053622?ui=en-US&rs=en-US&ad=US&fromAR=1.

FAQ

Q:  Are there any license requirements to use these new policies?

A: Yes. An active Azure Active Directory Premium (P1) license, in addition to Intune licenses, is required.

Q:  Does the policy apply to existing sessions?

A:  No, policy applies to new sessions only.

Q:  Are there special considerations for files that do not support online viewing?

A: Yes, by default files that can’t be viewed online (such as zip files) can be downloaded. If you want to prevent download of these files onto unmanaged devices, you can opt in to block download of files that can’t be viewed on the web. This will result in a read-only experience for the end users, and customizations may be affected.

Q: How do I protect content from being synchronized with OneDrive for Business or opened with the Office client or mobile apps?

A: To prevent content from being synchronized with OneDrive for Business or opened with the Office client or mobile apps, we recommend you re-use AAD CA policies to allow access only from managed devices. For additional information refer to https://www.microsoft.com/en-us/cloud-platform/conditional-access. For additional security on HBI data you should also consider using Azure RMS.
