On Day 26 of the Cybersecurity awareness month, learn SharePoint Online security tips to safeguard against potential risks in Microsoft 365. Stay tuned for more blog posts in our M365 Cybersecurity blog series.
In a world where information flows freely, and collaboration knows no boundaries, SharePoint emerges as one of the shining epitomes of collaboration tools provided by Microsoft. But as we bask in the warm glow of SharePoint’s potential, we must remember that with great collaboration comes the need for even greater security. And lurking in the shadows are threats such as uncontrolled site sharing, data loss, external sharing to untrusted domains, etc posed by both cunning cyber villains and simple human slip-ups.
Fewer the people who have access to sensitive data, the lower is the risk of a data leak.
Therefore, managing SharePoint Online security is absolute! Now, SharePoint admins: are you stuck in a rut, answering the same question over and over? How can I improve security in SharePoint? Don’t fret! We’ve put together a SharePoint security checklist to guide you in ensuring that your configurations are accurate. Simply go through the checklist step by step, and you’ll be fully prepared to securely share your valuable resources in SharePoint Online.
First, let’s know why SharePoint security is important!
Why SharePoint Online Security is Important?
SharePoint security is important because it keeps your business information safe. It ensures that only the right people can access and work with your important documents and data. This protection helps prevent data leaks, maintains your reputation, and keeps your business running smoothly.
What are the assets that should be protected in SharePoint?
It’s essential to protect various assets within SharePoint for a smoother collaboration. These assets include,
- Sites – Think of sites as the entrance to your SharePoint. Lock them up to keep your stuff safe.
- Document libraries – Protect them to keep your important files, folders, and lists safe.
- Permissions – Use them to make sure only the right people can see or edit your documents and data.
- Groups – Easily control who’s on your team.
- Access – Control who can access your important information.
- Sharing, files, folders, lists – Be careful who you share with to keep your data safe. When you share, share with right permission!
- Permission levels – Choose who gets what permission to control what they can do with your documents and data.
Most Common Vulnerabilities in SharePoint and Solutions
Securing SharePoint Online is a very big deal and cannot be done with a single click and a few configurations. It requires multiple configurations and steps to put the first lock to SharePoint. For this reason, we have categorized the SharePoint security best practices into two:
- Secure SharePoint as an Environment
- Secure the data stored within SharePoint
Secure SharePoint as an Environment
The first and foremost thing you need to know is that SharePoint allows you to manage security and permissions on 3 different levels. These levels are:
- SharePoint site
- SharePoint list or a library
- The item in the list, such as document
SharePoint administrators always dream of creating a secure SharePoint site. Here, we will be looking at all the important SharePoint security settings necessary to keep the first level safe – that is securing SharePoint Online sites.
One critical setting to focus at the very beginning is how you allow sharing within your SharePoint site. Sadly, many people skip this step and let users loose on the platform without any changes. If you don’t adjust this, it can cause significant problems like oversharing and potentially result in data leaks. So, let’s begin the SharePoint Online security best practices by discussing how to limit sharing in SharePoint Online. Some of the possible risks associated with securing SharePoint are listed:
- SharePoint Tenant-level Sharing Settings Oversight
- Prevent data exposure in SharePoint Online
- Overreliance on Item-Level Permissions
- Account Compromises in SharePoint
- Track unauthorized user activities in SharePoint
✅Solution: Pay attention to SharePoint sharing settings. Don’t leave them at default to avoid potential data breaches!
Manage Anonymous Sharing in SharePoint Online: Turn it off, or at least set an expiration date for more control. In most cases, it’s probably best to only allow authenticated external guests or to set an expiration date at the very least.
Restrict Domains in SharePoint Online: Manage the domains that can access your SharePoint.
Set up expiration dates in SharePoint Online: To prevent unauthorized access to your content, set expiration dates on company links, secure links, and anonymous links as appropriate. This will ensure that access to the content is revoked after a certain period of time.
✅Solution: SharePoint provides a dedicated section for access control in the SharePoint admin center.
SharePoint admin center -> Policies -> Access control
In this page, you can find options to:
- Restrict access from unmanaged devices
- Automatically sign out from inactive sessions
- Allow specific network locations
- Block access from other apps
By configuring these settings based on your requirements, admins can restrict how users are allowed to access SharePoint Online.
3. ❌Risk: Overreliance on Item-Level Permissions.
- Instead of assigning and managing SharePoint permissions to individual items or files, prefer assigning permissions at higher-level containers like libraries, folders, or even SharePoint sites.
- This maintains a cleaner and more manageable permission structure.
- Make use of permission inheritance to keep security settings consistent and easily audited.
- Overall, using inherited permissions can reduce the risk of unauthorized access and simplify access control management.
Tip: When you share, share it with the least permission as the people you choose option.
✅Solution: Enforce MFA, include SharePoint in the assignment of cloud apps, and add an extra layer of security with conditional access policies. Phishing attacks often target users to trick them into revealing their passwords. MFA can help mitigate these attacks, as attackers would need the second factor in addition to the password, making it more difficult for them to succeed.
✅Solution: SharePoint Audit– SharePoint admins can make use of this feature to track user activity on content types like lists and libraries within your SharePoint site. By using these capabilities, organizations can more effectively meet compliance standards and gain insights into how their data is being utilized, making it easier to spot unusual or concerning activities.
Secure the Data Stored within SharePoint
SharePoint offers a number of security settings for securing the data stored within SharePoint. Effective security measures are essential for safeguarding sensitive information within SharePoint, such as financial records, customer data, and intellectual property, to mitigate the risks of unauthorized access and data breaches.
Now let’s address some risks and the solutions associated with the powerful settings/features in SharePoint.
- Protect sensitive documents from unauthorized access
- Manage the default – People in your organization links
- Manage content sharing among team members in SharePoint Online sites
- Prevent data deletion mishaps and preserve data in SharePoint
- Protect your sensitive data from accidental or malicious deletion
- Block download of confidential data from SharePoint
- Manage unwanted communication among site members in SharePoint
- Guard against ransomware attacks in SharePoint Online
- Prevent data theft from departing SharePoint users
✅Solution: Sensitive documents in SharePoint could be accessed by unauthorized users such as employees in other departments or new hires who have not been granted permission. This could lead to data breaches and reputational damage. Instead of giving access to multiple specific individuals, use SharePoint groups to assign permissions to specific groups of people.
✅Solution: By default, SharePoint is a bit generous and allows users to share content with People in your organization links. Though this might not look like much danger, it is! Therefore, before sharing ask yourself these questions: who needs access to the content? whether or not the content needs to be shared with people outside of your organization? Based on these factors, decide which link type is most appropriate for each scenario.
✅Solution: Choose How Members Can Share – This helps to control how sharing works on your SharePoint site and make it easier for people to request access to resources. There are three available options.
- Option 1: Site owners and members can share files, folders, and the entire site. People with editing permissions can share files and folders.
- Option 2: Site owners and members, along with people who can edit, can share files and folders, but only site owners can share the entire site.
- Option 3: Only site owners can share files, folders, and the entire site.
In simple terms, these options control who can share things on the site, like files and folders, and whether everyone or only site owners can share the entire site.
Access Requests in SharePoint: In addition to these, you can also use the allow access requests in SharePoint Online. With this feature, users can send requests to access an item or site in SharePoint. Site owners or the assigned members can choose to accept or deny it.
✅Solution: Implement version control and retention to prevent accidental data loss.
Version control allows users to revert to previous versions of a document if errors are made or data is compromised. This capability acts as a safety net in case of accidental or malicious data alterations.
In the event of a security breach or data corruption, administrators can quickly restore the content to its pre-incident state.
Retention label for SharePoint: On the other hand, you can apply retention to the files stored in your SharePoint if you want to retain them for a particular period for compliance reasons. The retained content is stored in the preservation hold library of SharePoint. That is, if retention is applied to a file in SharePoint, and when a user deletes or changes the content in the retained file, the original version is stored in the Preservation hold library.
5. ❌Risk: Protect your sensitive data from accidental or malicious deletion.
✅Solution: Deploy sensitivity labels and data loss prevention (DLP).
Apply M365 sensitivity labels to files in SharePoint and keep it out of serious exploits! A sensitivity label protects a document’s privacy and security when deployed properly. Sensitivity labels can be applied to secure and protect files in SharePoint and it is completely customizable. You can configure a sensitivity label to encrypt a document or mark the content with watermarks, headers, and footers.
Data loss prevention in SharePoint Online is a built-in solution that helps organizations prevent the unauthorized sharing of sensitive information. It works by scanning documents and other content for specific patterns that indicate the presence of sensitive information, such as social security numbers, credit card numbers, and other personal identifiable information (PII).
✅Solution: By blocking file downloads in SharePoint online using conditional access policies, users will only be able to access files through a web browser, without the option to download, print, or sync files. Additionally, users will not be able to access the content through Microsoft desktop apps, considering the danger behind auto-download for desktop apps. A SharePoint administrator or a global administrator can block the download of files.
✅Solution: Use information barriers with SharePoint and prevent the following kinds of unauthorized collaborations:
- Adding a user to a site.
- Block access to SharePoint site or site content using IB.
- Prevent sharing of SharePoint content with other users using IB.
- Immediately stop OneDrive for Business Sync or disconnect the mapped drive to the SharePoint library.
- Ask your Company Administrator (or affected user) to attempt to restore files.
✅Solution: Insider Risk Management is the key! Data Theft by Departing Users Policy Template is designed to automatically identify, and flag activities commonly linked to this specific type of theft.
- By implementing this policy, you’ll receive automated alerts for any suspicious actions connected to data theft by departing employees, enabling you to promptly initiate the necessary investigative measures.
- Not stopping with this, the Microsoft Purview Insider Risk Management detects, investigates, and acts on malicious and inadvertent activities across your organization.
Bonus tip: Use Microsoft Secure Score!
- Microsoft Secure score in the Microsoft 365 Defender portal scans your environment and alerts you to configuration changes that align with the latest security standards.
- They also offer insights into potential threats, how to defend against them, and which features can enhance your security.
- These tools are continually updated based on Microsoft’s research and real-time system monitoring.
- By following Microsoft’s security best practices, you can protect your data in SharePoint and ensure a secure intranet experience.
- It’s a good idea to regularly check your scores and recommendations to enhance your security posture.
We hope that we’ve covered everything from securing access to controlling sharing through this blog. By addressing each potential risk and offering effective solutions, we’ve armed you with the knowledge needed to safeguard your organization’s valuable assets. Don’t wait – start implementing these best practices today to ensure the highest level of security for your SharePoint environment. Your organization’s digital assets deserve nothing less than the best protection.
Thanks for reading! If you have any queries, please don’t hesitate to reach us through the comment section.