Data loss is non-negotiable for your business. Not only can it cost your company huge amounts of time and money—not to mention the impact on your competitive edge if certain IP is compromised—exposure of sensitive information and assets can have enormous legal and compliance implications, too. These worries are heightened by the current business climate, which is seeing more and more people work outside the protective confines of their company’s network.
Microsoft is committed to helping protect your company’s most critical data as the business world changes before our eyes. For content stored in the Microsoft Cloud, that commitment starts with OneDrive.
Last month we shed light on the Top 5 reasons organizations use OneDrive for data security while working remotely emphasizing on how OneDrive helps with safe sharing and user productivity whilst empowering admins with tools to manage and monitor content wherever its used.
Read on to learn how Microsoft 365 and OneDrive helps keep your data secure and private at the same time reducing the stress on IT during compliance or litigation issues.
Govern Intellectual Property
As your digital data estate increases so does its vulnerability to attacks and leakage. It’s an unavoidable fact of today’s ever-evolving technology. But with the right governance and Microsoft, you can better protect your information against malware and data leaks. Microsoft 365 and OneDrive together give admins a robust toolset for combating ransomware, retaining critical data, and meeting litigation requirements—all extremely important in today’s business environment.
Data retention
Due to compliance and/or legal requirements, your organization might be obligated to keep content for a certain period of time. Data retention in OneDrive is an effective tool for managing and governing the lifecycle of your data. Admins can set global retention policies on all organizational data as well as granular policies on critical users or content, like tax forms, press materials, competitive research, or work visas. They can also implement retention labels for crucial content to impose rules based on set classifications. Admins can automatically apply retention labels to specific types of information or empower their users to manually do the same.
Data retention can also reduce risks associated with litigation and security breaches. If a user leaves your organization, files that are subject to a retention policy will be preserved for the duration of that policy with their respective sharing permissions intact. Similarly, admins can set policies that permanently delete old content when it’s obsolete or redundant to further minimize the chance of malware.
Lastly, data retention policies and labels support record management for managing regulatory, legal, and business-critical records across your corporate data.
eDiscovery
Built-in eDiscovery in Microsoft 365 helps you identify, preserve, and review data in OneDrive that can be used as evidence during litigation. Admins can search for content related to a case using specific keywords and then export or place a hold on that content. Similarly, eDiscovery holds can be placed on entire OneDrive accounts being investigated. Analyzing search results using Advanced eDiscovery, which integrates machine learning, predictive coding, and test analytics, admins can further reduce the costs and challenges associated with sorting through large quantities of unstructured data.
As the business world transitions into a new world of work, protecting company data stored in the cloud becomes more important than ever. With malware protections and data retention in OneDrive, admins can help ensure the safety of critical information—even when users are working outside the office. The same is true for legal compliance: as an admin working remotely, you can still find and preserve cloud-based data to save yourself more time and your company more money.
Ransomware
Ransomware attacks have increased dramatically in recent years, causing significant economic damage in their wake. And there’s no sign that trend is slowing: by one estimate, ransomware will cost the global economy $20 billion in 2021. Microsoft 365 and OneDrive are designed to help protect your data from such attacks. If your company is infected by ransomware, Windows Defender on Windows 10 and OneDrive will detect and notify you of the attack; provide steps for cleaning your device; and, help you recover lost data with Files Restore. Files Restore reinstates your entire OneDrive to a previous time within the last 30 days. This feature can also be used if OneDrive files and folders get deleted, overwritten, or corrupted.
Drive Awareness and Insights
Having the right tools is a good first step toward protecting your company’s confidential content. But knowing how users and other admins interact with that content adds an extra layer of security and control. Microsoft 365 offers detailed audit logs and reports that let you trace OneDrive activity at the folder, file, and user levels. That kind of transparency helps protect data while giving your admin team valuable user insights that could influence future IT decisions.
Audit logs and reports in Microsoft 365 Security and Compliance Center surface unprecedented levels of visibility into user and admin activities within OneDrive. Every user action, including changes and modifications made to files and folders, is recorded for a full audit trail. Admins can even audit the users themselves who made those changes, helping them understand how people share, request access, and sync content in OneDrive. Audit logs help uncover admin activities in OneDrive as well, such as changing a network or device access policies. Advanced auditing capabilities add to these auditing efforts with log retention policies and the ability to retain all records for a year to enable forensic and compliance investigations.
Deploying alert policies is another crucial step for monitoring activities performed by OneDrive users. These alerts notify admins when users share a file externally, assign access permissions, or create an anonymous link. Admins can define the alert conditions and policies that will best help them investigate, contain, and respond to any risks of data leakage.
In addition to custom settings, Microsoft 365 Security and Compliance Center also provides default alert policies for OneDrive, such as:
- an abnormal volume of files deleted from a user’s OneDrive in a short duration of time
- a high volume of malware detected in files located in OneDrive accounts
- a large number of files shared externally
- unusual amount of activity (e.g., accessing, downloading and deleting files) performed on the externally shared files by users outside of your organization
If you have added retention labels to classify data, you can easily verify that they're being applied as intended. Extensive reports ascertain the label activity for files and folders in OneDrive for the past 30 days and include details like which user applied, changed, or removed labels to exactly which file or folder. Also, label analytics can help you locate which labels are being used most and where they are being applied. These capabilities recently made generally available under the ‘know your data’ scenario and you can learn more here.
Auditing insights are yet another tool for maintaining data security as companies consider their work-from-home policies. Using audit logs and reports, admins can quickly understand how users and other admins are interacting with their OneDrive content and pinpoint unusual activities before it becomes a threat.
Maintain ownership and control
Your data is yours alone—even if you’re keeping it in the Microsoft Cloud. We take seriously our responsibility as a custodian of your content and have implemented a series of protocols that keep information private. From Customer Key to Customer Lockbox, Microsoft’s privacy features ensure you maintain control over your data in OneDrive.
OneDrive enables people to store, share, and work together on content. And that content, as well as end user information, is owned solely by the customer with Microsoft serving only as its custodian.
Microsoft 365 provides encryption for both data at rest, such as files saved in a user’s OneDrive, and in transit, such as files being shared between users. But it also offers an added layer of security and flexibility to data at rest letting you manage the root encryption key with Customer Key.
Customer Key enables you to provide your own keys for Microsoft to encrypt data stored in OneDrive, enhancing the ability of your organization to meet the demands of compliance requirements. You must give Microsoft authorization to use your encryption keys. You can revoke the access to the key anytime to make the data unreadable to all, including Microsoft services.
Occasionally, Microsoft engineers help troubleshoot and fix customer-reported issues in the support process. Usually, Microsoft fixes issues using extensive telemetry and debugging tools; however, some cases require a Microsoft engineer to directly access customer content, to determine the root cause and remediate the problem. Customer Lockbox restricts Microsoft’s access to your data in these instances for whatever duration you specify, helping ensure your data remains secure while the issue is being fixed.
Customers who initiate the service request must approve access for the Microsoft engineer and will then have visibility into their purpose and length of access. Access to customer content will be revoked when service operation is completed or the allotted time expired. Actions taken by Microsoft engineers in response to Customer Lockbox requests are logged and accessible via the Management Activity API or the Security and Compliance Center.
In addition to better protecting your data, Customer Lockbox helps you meet compliance needs by demonstrating there are procedures in place for explicit data access authorization. It also provides controls for adhering to regulations like HIPAA and FEDRAMP.
Microsoft drives trust through transparency—and trust is especially important as businesses retool traditional work practices. Customer Lockbox is just one-way Microsoft builds that confidence in our services. No matter how your company operates in the future, you can trust Microsoft will help keep your data secure, private, and compliant.
Manage Regulatory Compliance
Business as usual is anything but these days. As companies move to a more flexible and remote workplace—in part because of changing times and in part because of Digital Transformation imperatives—admins need to ensure their users can access and share data no matter where it resides. They also need to keep government and industry regulations in mind.
Microsoft 365 and OneDrive together boost teamwork and innovation and guarantee easy management of data, users, and devices without straining IT resources and infrastructure costs. And with features like Multi-Geo and Information Barriers, OneDrive propels Digital Transformation in the global workforce of an organization while simultaneously helping organizations address data residency and segmentation guidelines enforced by governments and industry regulators.
Multi-Geo helps you control where your data resides at the individual user level. Your organization can expand its Microsoft 365 presence to multiple geographic regions and/or countries within your existing tenant without disrupting the user experience. This includes a unified sharing experience in OneDrive where features like the global People Picker and “Shared-with-me” provide a unified list of colleagues and shared files across geographies. Content discovery and data access through mobile devices, no matter where the data resides, just works.
Multi-Geo capabilities allow each user's OneDrive to be provisioned in or moved by an admin to a satellite location in accordance with the user's Preferred Data Location (PDL). Individual files are then kept in that location but can be shared with users in other geographies. Admins can implement familiar policies to move data between locations; tailor access, sharing, and configuration policies for each location; and, generate reports to monitor their users and data from the Microsoft 365 admin portal. All administrative controls, like audit log search, eDiscovery, and Data Loss Prevention (DLP), are extended to a multi-geo environment.
Information Barriers empowers organizations, specifically highly regulated industries like finance, energy, and government, to control insider trading and demonstrates that to compliance controllers. It allows administrators to segment their users per compliance needs and associate data to specific segments such that access is granted only if segments match, regardless of other permissions. Currently the functionality restricts teams from communicating with each other through Microsoft Teams, but we are taking a step further to protect your content in OneDrive and SharePoint. Soon, admins will be able to block collaboration between users in 2 segments. For example , in a financial firm once IB policies are implemented,users in the Investment Banking segment can be restricted to share or collaborate on their OneDrive files with users that belong to Advisory segment.
Finally, Microsoft offers a comprehensive set of compliance offerings to help your organization comply with global, national, regional, and industry-specific requirements governing the collection and use of data.
OneDrive with Microsoft 365 has compliance leadership across ISO 27001, SOC, FEDRAMP FERPA, FINRA, GxP, HIPAA/HITECH , HITRUST, PCI DSS and EU Model Clauses, just to name a few. We’re also committed to helping our customers comply with General Data Protection Regulation (GDPR), offering a wide variety of tools for organization to improve their GDPR readiness. Refer here for a full list of compliance offerings
Learn more and stay engaged
We are very thrilled to showcase the best practices and recommendations on protecting your data while working remotely with OneDrive. Join us in the upcoming, related webinar :
Empower your remote workforce with data security in OneDrive on 30th June 2020 at 9:00 am PT.
Also, check out our latest episode of Sync Up- a OneDrive podcast to hear the experts on implementing governance and compliance in OneDrive.
We continue to evolve OneDrive as a place to access, share, and collaborate on all your files in Office 365, keeping them protected and readily accessible on all your devices, anywhere.
You can stay up-to-date on all things via the OneDrive Blog and the OneDrive release notes.
Check out the new and updated OneDrive documentation.
Take advantage of end-user training resources on our Office support center.
Thank you again for your support of OneDrive. We look forward to your continued feedback on UserVoice and hope to connect with you at Ignite or another upcoming Microsoft or community-led event.
Thanks for your time reading all about OneDrive,
Ankita Kirti
OneDrive | Microsoft