As part of the M365 Virtual Marathon, this presentation covers options for securing your overall collaboration environment, including data loss prevention, sharing, sensitivity labels and more.
Securing Team, SharePoint, and OneDrive in Microsoft 365 - M365VM
1. MICROSOFT 365
Virtual MARATHON
May 27 & 28, 2020
36 hours / 2 days
MICROSOFT 365 VIRTUAL MARATHON
Securing Teams, SharePoint, & OneDrive in Microsoft 365
Drew Madelung
Senior Manager @ Protiviti
@dmadelung
Brought to you by:
The Global Microsoft Community &
M365Conf.com | #M365CONF
#M365VM
M365VirtualMarathon.com
2. Mark Your Calendars:
March 23-25, 2021, MGM Grand Resort
Las Vegas, Nevada, USA
M365Conf.com
#M365CONF
The SharePoint Conference is now The Microsoft 365 Collaboration Conference
4. Visit the Vendors Booth, Sessions and Watch the Videos
Submit Your Answers to Enter the Raffle
You need at least 5 correct answers then submit for a chance to win one of 3
(One in each Americas, APAC, EMEA)
ARE YOU READY FOR A RAFFLE?
WE ARE GIVING AWAY 3 OCULUS QUEST ALL IN ONE!
https://bit.ly/m365raffle
5. CONSIDER DONATING TO THE FOLLOWING CHARITY RELIEF FUNDS:
UNITED WAY: HTTPS://GIVE.UWKC.ORG/M365VM
INTERNATIONAL MEDICAL CORPS: HTTPS://BIT.LY/MEDICALCORPSFUND
10% OF FUNDS FROM SPONSORS GO TO SUPPORT COMMUNITY RELIEF.
FOR MORE INFORMATION WRITE TO INFO@M365VIRTUALMARATHON.COM
7. Securing Teams, SharePoint, & OneDrive in Microsoft 365
M365 Virtual Marathon
• Overall security
• Data Loss Prevention
• Classifications
• Sharing
• Secure Score
• As many demos as I can
9. Data is shared more often and more widely than ever.
[Diagram: data flowing between corporate, public, private cloud, vendor SaaS, ex-employees, online backup and personal locations, and the people involved: graphic designer, offshore teams, legal review, agency teams, project leads, project manager, sales teams, remote team]
12. What can we do to ensure we are more secure?
How do we get started?
13. Understand all areas to consider
Identity: SSO, MFA, Groups, RBAC/PIM
Location: Trusted location? Conditional & limited access
Device: Managed? Domain joined? AAD joined?
App/Service: Teams, Outlook, OneDrive, SharePoint
Content/Data: Sharing, DLP, ATP, AIP / Sensitivity, Retention
Visibility: Secure Score, Security Graph, Compliance Score, Threat Intelligence, CASB, SIEM, Alerts & Audit
Full credit https://twitter.com/xgokan
14. Understand all areas to consider (same map as the previous slide, with Compliance Center listed under Visibility)
Full credit https://twitter.com/xgokan
15. Files in Microsoft 365
OneDrive is hosted on SharePoint
Teams files are hosted in SharePoint
Yammer files are also on SharePoint
All files are in SharePoint!
This gives you…
• File controls shared across systems
• Security across systems
17. Security & Compliance Administration
Support all M365 solutions through
centralized admin centers alongside
app specific admin centers.
• security.microsoft.com
• compliance.microsoft.com
Protection.office.com is still used
18. Secure Score – a place to get started
One place to understand your security posture and which features you have enabled.
Learn what security features are available
to reduce risk while helping you balance
productivity and security.
19. Azure AD Conditional Access
[Diagram: signals feed a real-time policy evaluation engine, which produces the effective policy and applies controls]
Conditions (signals): employee & partner users and roles (Azure AD, ADFS, MSA, Google ID); trusted & compliant devices (Windows, macOS, iOS, Android; Windows Defender ATP); physical & virtual location (corporate network, geo-location); client apps & auth method (client apps, browser apps); session risk (machine learning)
Policies: real-time evaluation engine → effective policy
Controls: require MFA; allow/block access; block legacy authentication; force password reset; limited access (Microsoft Cloud App Security)
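Two of the controls on this slide, blocking legacy authentication and requiring MFA outside trusted locations, expressed as Conditional Access policies created with Microsoft Graph PowerShell. This is an added example, not code from the deck or from Microsoft; the break-glass group object ID is a placeholder, and the policies are created in report-only mode so they can be reviewed before enforcement.

```powershell
# Added example (not from the deck). Requires the Microsoft.Graph PowerShell SDK and an
# admin consented to Policy.ReadWrite.ConditionalAccess. Both policies start in
# report-only mode so the sign-in log shows what they WOULD do before anything is enforced.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the emergency-access ("break glass") group. Always exclude it,
# otherwise a misconfigured policy can lock every admin out of the tenant.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Control 1: Block legacy authentication. Legacy/basic-auth clients cannot satisfy MFA,
# so blocking them closes the path that password-spray attacks rely on.
$blockLegacyAuth = @{
    displayName = "CA001 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")  # "other" = legacy auth protocols
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Control 2: Require MFA for Office 365 (Teams, SharePoint, OneDrive, Exchange) from
# anywhere that is not a trusted named location.
$requireMfaOffsite = @{
    displayName = "CA002 - Require MFA for Office 365 outside trusted locations"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("Office365") }   # built-in app group
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($policy in @($blockLegacyAuth, $requireMfaOffsite)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null
}

# Verify: list the policies and their state. Watch the "Report-only" results in the
# sign-in logs for a while, then switch state to "enabled".
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State |
    Format-Table -AutoSize
```

Report-only first is the cheap way to find the service accounts and legacy clients a block policy would break; the break-glass exclusion is what keeps a bad policy from becoming a tenant-wide lockout.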
21. Data Loss Prevention
Prevents sensitive data from leaking either inside or outside the organization while providing user education and empowerment
M365 DLP is common across the Microsoft 365 workloads
You can apply multiple policies to different workloads in Office 365 and identify content such as:
• Credit card numbers
• Social security numbers
• Health records
Built on sensitive information types
• You can create your own
Different from Exchange DLP: DLP for SharePoint, OneDrive and Teams files is based on the search crawl, so a policy only takes effect on a file once it has been indexed
22. Data Loss Prevention
Includes predefined sensitive info types
Policies are synced to the content sources such as:
• SharePoint, OneDrive, and Teams
Ensure you tune to handle false positives
Priority is important: rules are evaluated in priority order
Roll out in test mode to start
Utilize the alerting and reporting
Enable "sensitive by default" (new and edited files are blocked from external sharing until the DLP scan has classified them)
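The rollout described on the last two slides (a policy synced to SharePoint, OneDrive and Teams, started in test mode, tuned, then enforced, with sensitive-by-default switched on) as an added example in Security & Compliance PowerShell. This is not code from the deck; policy and rule names, the notification text and the tenant admin URL are placeholders.

```powershell
# Added example (not from the deck). Security & Compliance PowerShell; the signed-in
# account needs a compliance admin role. Names and the tenant URL are placeholders.
Connect-IPPSSession

# One policy, synced to SharePoint, OneDrive and Teams, rolled out in TEST mode with
# user notifications: policy tips appear, reports fill up, nothing is blocked yet.
New-DlpCompliancePolicy -Name "PCI - Card numbers in files" `
    -Comment "Stops card numbers leaving the org via shared files" `
    -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Rule A: many card numbers in a file shared outside the org -> block external access
# and raise an incident report for the compliance team. Created first so it sits higher
# in the rule order (adjust later with Set-DlpComplianceRule -Priority if needed).
New-DlpComplianceRule -Name "PCI - high volume" -Policy "PCI - Card numbers in files" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "10" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, Service, Severity, Detections `
    -ReportSeverityLevel High

# Rule B: a handful of matches -> educate the owner with a policy tip, do not block.
# The minCount/maxCount window keeps the two rules from overlapping.
New-DlpComplianceRule -Name "PCI - low volume" -Policy "PCI - Card numbers in files" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1"; maxCount = "9" } `
    -AccessScope NotInOrganization `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This file appears to contain card numbers. Check before sharing externally." `
    -ReportSeverityLevel Low

# After the false positives have been tuned out (review the DLP reports), enforce it.
Set-DlpCompliancePolicy -Identity "PCI - Card numbers in files" -Mode Enable

# "Sensitive by default": because SharePoint DLP is crawl-based there is a window between
# upload and classification. This closes it by blocking external sharing of new or
# edited files until the scan has run. SharePoint Online Management Shell, placeholder tenant.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Set-SPOTenant -MarkNewFilesSensitiveByDefault BlockExternalSharing
```

The test-mode-then-enable sequence is what keeps a blocking rule from stopping legitimate work on day one; the sensitive-by-default switch is the fix for the indexing lag the DLP slide alludes to.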
26. Microsoft 365 Group external sharing
Turn on/off external sharing: tenant, per group, per user
Turn on/off per workload: Teams, Power BI, SharePoint
Allow guests to invite
Azure AD B2B is the identity provider for guests in Teams and SharePoint
Guest access review
Domain allow/block: different from the SPO & OneDrive list; configured in Azure AD
27. SharePoint, OneDrive, and Teams files external sharing
Control WHO can share to external users
• Everyone
• Only specific people
• No one
Control WHICH external users can be shared with
• Anyone
• Only authenticated users
• Only authenticated users except specific domains
• Only authenticated users in specific domains
• No one
Control WHAT can be shared externally
• Anything
• Only specific libraries
• Only files without sensitive content
Control HOW externally shareable links can be used
• Default
• Enabled, but not default
• Mandatory expiration date
• Block externally-shareable edit links
• Disabled
28. SharePoint, OneDrive, and Teams files external sharing
Sharing for OneDrive can be MORE restrictive but not LESS restrictive than SPO
If sharing is turned off globally in SPO, any existing shared links stop working
Sharing options:
• No external sharing
• Only existing external users (sign-in required)
• New and existing external users (sign-in required)
• Anyone, including anonymous users (on by default)
Your SharePoint Online sharing settings determine which OneDrive sharing settings are available
Setting sharing in the OneDrive admin center affects SPO
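The WHICH / WHAT / HOW controls from the previous two slides, plus the "OneDrive may be more restrictive, never less" rule, applied with the SharePoint Online Management Shell. This is an added example, not code from the deck; the tenant URLs, the partner domains and the user's OneDrive URL are placeholders.

```powershell
# Added example (not from the deck). SharePoint Online Management Shell; tenant URLs,
# domains and the OneDrive URL are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# WHICH external users: authenticated guests only (no "Anyone" links), and only guests
# whose email domain is on the allow list. This list is SPO/OneDrive-only; Azure AD B2B
# keeps its own allow/block list for invitations (set in Azure AD, not here).
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example lawfirm.example"

# HOW links can be used: default link = people in the org; should anonymous links ever
# be re-enabled they are view-only and expire; guests cannot reshare; guest access expires.
Set-SPOTenant -DefaultSharingLinkType Internal `
              -FileAnonymousLinkType View -FolderAnonymousLinkType View `
              -RequireAnonymousLinksExpireInDays 14 `
              -PreventExternalUsersFromResharing $true `
              -NotifyOwnersWhenItemsReshared $true `
              -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 60

# WHAT: a site holding regulated data may only be MORE restrictive than the tenant.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -SharingCapability Disabled

# OneDrive follows the same rule: a user's OneDrive can tighten, never loosen, the tenant
# setting. Trying to set it looser than the tenant fails.
Set-SPOSite -Identity "https://contoso-my.sharepoint.com/personal/drew_contoso_com" `
            -SharingCapability ExistingExternalUserSharingOnly

# Check: which sites (OneDrives included) still carry the "Anyone" setting? With the
# tenant at ExternalUserSharingOnly the stored value is capped, but any hit is a site
# whose owner expects anonymous links to work and should be reviewed.
Get-SPOSite -Limit All -IncludePersonalSite $true |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability
```

Note that the domain restriction applies to sharing from SPO, OneDrive and Teams files only; guests invited into a Team through Azure AD B2B are governed by the Azure AD collaboration settings the previous slide mentions, so both lists need to agree.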
31. Sensitivity Labels vs Retention Labels

                    Sensitivity labels                              Retention labels
Description         Labels to classify and protect emails,          Labels to classify and preserve emails & documents
                    documents, Sites, Groups                        in O365 only – Exchange, SPOD, Groups
Label settings      • Encryption                                    • Retention
                    • Content marking                               • Deletion
                    • Endpoint DLP
                    • Conditional Access controls*
Label persistence   Yes                                             No
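One label of each kind from the table above, created and published with Security & Compliance PowerShell so the difference is concrete: the sensitivity label encrypts and marks content and can label a Team/Group/site, while the retention label only governs how long Microsoft 365 keeps the item. This is an added example, not code from the deck; label names, the domain in the rights definition and the retention period are placeholders.

```powershell
# Added example (not from the deck). Security & Compliance PowerShell. Label names,
# the domain in the rights definition and the durations are placeholders.
Connect-IPPSSession

# SENSITIVITY label: classify + protect. The encryption travels with the file wherever it
# goes (that is the "persistence" row), Office applies the marking, and the container
# settings take effect when the label is applied to a Team / Microsoft 365 Group / site
# (container labeling also requires the EnableMIPLabels group setting in Azure AD).
New-Label -Name "Confidential-Internal" `
          -DisplayName "Confidential \ Internal only" `
          -Tooltip "Internal business data. Encrypted; guests cannot open it." `
          -EncryptionEnabled $true -EncryptionProtectionType Template `
          -EncryptionRightsDefinitions "contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL" `
          -EncryptionOfflineAccessDays 7 `
          -ApplyContentMarkingFooterEnabled $true -ApplyContentMarkingFooterText "Confidential - Internal only" `
          -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText "CONFIDENTIAL" `
          -SiteAndGroupProtectionEnabled $true `
          -SiteAndGroupProtectionPrivacy Private `
          -SiteAndGroupProtectionAllowAccessToGuestUsers $false

# Publish it to all users; the policy itself can demand a justification for downgrades,
# which shows up in the audit log.
New-LabelPolicy -Name "Default sensitivity labels" -Labels "Confidential-Internal" `
                -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All
Set-LabelPolicy -Identity "Default sensitivity labels" `
                -AdvancedSettings @{ RequireDowngradeJustification = "true" }

# RETENTION label: classify + preserve/delete. Lives inside Microsoft 365 only: nothing is
# encrypted and the label does not follow a file that leaves the service.
New-RetentionComplianceTag -Name "Finance-7y" `
                           -Comment "Keep 7 years from last modification, then delete" `
                           -RetentionAction KeepAndDelete `
                           -RetentionDuration 2555 `
                           -RetentionType ModificationAgeInDays

# Retention labels are published through a retention policy plus a rule.
New-RetentionCompliancePolicy -Name "Finance retention labels" `
                              -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All
New-RetentionComplianceRule -Name "Publish Finance-7y" -Policy "Finance retention labels" `
                            -PublishComplianceTag "Finance-7y"

# Check both sides.
Get-Label -Identity "Confidential-Internal" | Format-List DisplayName, Tooltip
Get-ComplianceTag -Identity "Finance-7y" | Format-List Name, RetentionAction, RetentionDuration
```

The two labels can sit on the same document: the sensitivity label decides who can open it and how it is marked, the retention label decides when Microsoft 365 disposes of it.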
32. AIP vs Sensitivity (Unified)
Investment is being made in Sensitivity (unified labeling)
Uses a similar back end
Can run both via a 'migration'
AIP client: 1.5x is the classic client, 2.0x is the unified labeling client; upgrade to 2.0x for unified labels
34. Unified labels vision
Unified labels with Microsoft Information Protection (MIP)
[Diagram: What / Where / How – labels applied across Office 365, Windows, Azure, ISVs, and 3rd-party apps and services (MIP SDK)]
35. Unified approach: Discover → Classify → Apply label → Monitor
Data growing at exponential rate
Discover & classify: sensitive data discovery
Apply label – Sensitivity: encryption, restrict access, watermark, header/footer
Apply label – Retention: retention, deletion, records management, archiving
Monitor: data at risk, policy violations, policy recommendations, proactive alerts
Comprehensive policies to protect and govern your most important data – throughout its lifecycle
• Unified approach to discover, classify & label
• Automatically apply policy-based actions
• Proactive monitoring to identify risks
• Broad coverage across locations
38. Problems of security
Data admin / Compliance admin:
• Users need to access data from any device, location
• Increase in data leakage & theft
• Challenge in training users on security policies
Bottom line: Protect data & have happy users
End user:
• Who should I share with, and what kind of data?
• Where can I save what kind of data?
• What are my company policies and how do I remember those?
Bottom line: Just need to get the work done
39. Advice
Complexity is the worst enemy of Security
Find the balance between too much security and ensuring your content is secure
Educate your team
40. THANK YOU FOR JOINING US!
DO YOU HAVE ANY QUESTIONS?
Speaker feedback
https://bit.ly/M365VMSpeakerFeedback
Event feedback
https://bit.ly/M365VMFeedback