A 7 step security checklist for migrating from on-prem SharePoint to Office 365

Microsoft Office is the tried and true solution for work, so it’s no surprise enterprises moving to the cloud look to a familiar face in Office 365. Despite the cloud services’ significant adoption numbers -- 87.3 percent of organizations have at least 100 employees using Office 365 -- the vast majority of companies have yet to migrate all users to the cloud: 93.2 percent of employees still use Microsoft on-premises solutions.

The transition to cloud leaves companies puzzled on how to safely and effectively migrate extensive on-premises SharePoint environments to SharePoint Online. Once content is successfully migrated, companies must have controls already in place to properly enforcing security, compliance, and governance of sensitive data. Microsoft has significantly invested in the security of Office 365. According to Gartner, however, 95 percent of security incidents involving cloud will come from customer vulnerabilities rather than the service provider. Companies need to worry less about Microsoft suffering a breach and more about their own users’ high-risk activity within Microsoft applications.  It is ultimately up to the enterprise to secure their data in Office 365, and the greatest threats frequently come from within.

Unfortunately, many organizations lack the expertise to address security challenges in the cloud. A recent survey conducted with the Cloud Security Alliance found that a lack of skilled security professionals is the number one obstacle for effectively protecting data in the cloud.

The complexity of Office deployments is a major foundation for security concerns. It is common for organizations utilizing SharePoint Online to end up with hundreds, even thousands, of site collections accessed by employees all over the world. SharePoint Online enables employees to easily provide access to data to individuals outside of the company such as customers, suppliers, or business partners. This is a key benefit of cloud, but far from risk-free.

After studying several successful and failed migrations to SharePoint Online, seven lessons stand out for those thinking of making the switch or tie up loose ends after the fact.

1. Locate the crown jewels.

The first step in auditing security when moving to the cloud is to find out where sensitive data is stored and who has access. In the average SharePoint Online deployment, 17.4 percent of documents contain sensitive data. Broken down by data type, 9.2 percent contain confidential data, 4.2 percent contain personal data, 2.2 percent contain health data, and 1.8 percent contain payment data. The simplicity of accessing and sharing data in SharePoint Online highlights the need to tailor each employee’s access to sensitive data based on role. There is no need for an engineer to access customer financial data, or an HR professional to download intellectual property. Finally, "hidden in plain sight" is not an effective strategy when it comes to cloud security. The average company has a shocking 143 files stored in OneDrive that contain the word “password” in the filename.

2. Limit data oversharing.

Office 365 enables several convenient functions, including ease of collaboration with fellow employees and even external business partners. In fact, Office 365 is a major driver of the cloud economy: the average enterprise uses collaborates with 72 business partners on the platform, more than on any other collaboration platform. Nevertheless, companies may not to limit the sharing of sensitive data with business partners. Research shows that 29 percent of data shared externally ends up in the hands of high-risk partners, potentially exposing companies to a Target-style breach.

3. Don’t leave Information Rights Management (IRM) policies behind.

Enterprises often enforce IRM policies for data in their on-premises SharePoint. However, many companies shy away from applying the same policies to data in the cloud because they  do not wish to host their encryption keys in the cloud and/or to avoid the hustle of downloading client software to access acquired SharePoint file.

Companies should still apply IRM policies, but in a targeted manner: only to sensitive files as they are downloaded, using encryption keys stored on-premises.

4. Get smart to machine learning.

Microsoft makes all user events in Office 365 available via a Management Activity API, which provides 162 event types that users perform. It would be preposterous to manually track these events for malicious or negligent behavior, such as an employee extracting vast amounts of data before leaving for a competitor. The recently added Graph API opens the door to security tools to analyze these raw events. Microsoft has followed the lead of enterprise cloud providers by opening up this partner ecosystem. Now companies can leverage emerging technologies like machine learning to identify anomalous activity against a background of millions of routine events that make up everyday cloud usage at an enterprise today.

5. Construct policies based on devices and access locations.

Office 365 enables users to access data on a smartphone or laptop at anytime and from anywhere in the world, increasing the mobility of the modern workforce. Nonetheless, the increased accessibility and sprawl of information exposes corporate data to new risks. Accessing sensitive data through unmanaged networks, such as public WiFi, substantially increases the risk of a security incident. A good place to start is to block downloads of sensitive data in SharePoint Online unless employees use trusted networks and VPNs managed by the company. By doing this, you restrict download permissions while still allowing the employee to preview items in Office 365 online. Additionally, restrict access to sensitive material from unmanaged devices and enforce the use of managed devices. In case an employee’s phone is stolen, the thief will not be able to access Office 365 and the company can remotely wipe the drive.

6. Don’t make passwords your last line of defense.

Passwords have become a weak link in enterprise security, and Office 365 is not exempt. 76.3 percent of enterprises experience at least one incident each month where a third-party gains access to a corporate cloud account via a stolen or guessed password. The average company experience 5.1 incidents each month. Using the same Activity Monitoring APIs mentioned above, third-party security solutions can identify out-of-order login attempts such as a user who normally logs in from San Francisco logging in from an untrusted location such as China, consecutive logins to an account across an implausible geographic distance in a given time frame, or multiple brute force login attempts. Closing passive accounts belonging to former employees, or zombie accounts, is one way to reduce the risk of having accounts compromised.

7. Do not put all your eggs in the same administrator’s basket.

Every company’s nightmare is the rogue administrator using his or her privileged account to exfiltrate data, with the infamous example of Edward Snowden. Administrators have even branched out illicit use of their access to include crimes like insider trading. As a result, it is crucial to not only include end users when auditing activity and permissions, but also the administrators overseeing sites.

There’s no question using SharePoint Online benefits collaboration and access to information to employees. When done right, the move to Office 365 can improve security as well. By taking a pro-active approach to security when migrating to SharePoint Online, companies can receives the full benefits of cloud while keeping sensitive data safe.

Photo credit: Melpomene / Shutterstock

Phil Dicorpo is Director of Product Management, Skyhigh Networks