“There are two kinds of organizations: Those who’ve been hacked and know it and those who’ve been hacked and don’t know it.” – Chad Fulgham, former CIO of the FBI
By now, the numbers have become numbing. Cyber-security incidents are daily news, with reports of escalating impacts and costs that are sometimes measured in the billions.
According to PwC’s Global State of Information Security Survey, there has been a 38 per cent increase in security incidents year-over-year and a 56 per cent increase in the theft of hard intellectual property over 2015.
Statistics like these, combined with a lack of understanding about cloud security, have made many organizations reluctant to adopt cloud solutions. This hesitation also applies to the SharePoint community, which has debated the respective advantages and disadvantages of security and compliance in SharePoint Server and SharePoint Online.
SharePoint Online and Office 365 are public cloud solutions, and as such, customers are required to give up control over some of the parameters they’d be able to change were the solution running in their own data centers. However, these hesitations are often quickly dismissed as many enterprises conclude that Microsoft implements security policies and controls in its data centers that are far more advanced than anything available on-premises.
Microsoft is an industry leader in cloud security and brings in over 10 years of experience building enterprise software and operating over 200 online services. It excels in security best practices like penetration testing, defense-in-depth to protect against cyber-threats, encryption, and strong authentication. Additionally, Microsoft remains committed to providing a trustworthy cloud experience and is transparent about the location of customer data and about who has access to it under what circumstances.
This is great news for companies looking to realize more value from their investments in secured cloud environments. But as businesses try to figure out how they will migrate their sprawling on-premises SharePoint environments to SharePoint Online, they need to keep security, compliance, and governance controls for sensitive data top of mind, or even content that is successfully migrated can end in disaster.
Under a shared responsibility model, it’s up to the customer to monitor and prevent high-risk user activity within these applications. As a result, many are now asking how to meet compliance requirements, how to enable or regulate sharing based on organizational standards, and how to apply proper security, compliance, and governance controls to sensitive data.
Thankfully, with a data loss prevention (DLP) policy in the Office 365 Security and Compliance Center, businesses can easily identify, monitor, and automatically protect sensitive information across Office 365. Additionally, Office 365 includes a suite of security services that customers can enable:
· Admin Controls like Legal Hold and E-Discovery for regulatory compliance
· Rights Management Services to empower customers to protect information
· Access and Privacy policies to regulate sharing based on geography or device status
If you’re interested in learning more on this topic, I encourage you to check out our SharePoint 2016 Power User Webinar Series: Chapter 3: Data Loss Prevention in SharePoint 2016: Protect Your Sensitive Information, which dives into identity-driven security, data loss prevention, and the new Office 365 Compliance Center. This webinar is the final installment of a SharePoint series that New Signature hosted this summer; Chapter 1 and Chapter 2 can also enhance your SharePoint learning experience.
Looking forward, it’s important to note that above and beyond all the hardened preventive measures, Microsoft is also focusing efforts on prediction, detection, and remediation across Office 365 and Azure. The cyber-security industry is shifting towards a data-driven approach that allows organizations to put real-time information to use in ways that can help predict incidents and rapidly respond to threats. Microsoft is leveraging big-data analytics to model, audit, and review data to understand how it is used, by whom, and when.
In short, Office 365 provides the granular controls and policies security administrators need to identify, monitor, and protect your sensitive data in the cloud.
But keep in mind that technology alone is not the answer. At the end of the day, the responsibility for information security falls on everyone across an organization, and companies that do it most effectively have security ingrained in their culture, starting from the top. This requires ongoing communication and a visible commitment from senior management, many of whom admit to regularly uploading work files to a personal email or cloud account.