SharePoint and

OneDrive for Business

Securing your content in the new world of work
01 Introduction

02 Platform security

03 Information governance

04 Secure access and sharing

05 Awareness and insights

06 Compliance and trust

07 Conclusion
01 Introduction
Microsoft has been building enterprise software The collaboration landscape has changed.
for decades and running some of the largest Connectivity is ubiquitous, and the ability to work
online services in the world. We draw from this remotely has become an ingrained part of the work
experience to keep making Microsoft SharePoint practice. People have come to expect to be able to
Online and OneDrive for Business more secure for access email and documents from anywhere on any
users, implementing and continuously improving device—and for that experience to be seamless.
security-aware software development, operational
management, and threat-mitigation practices that
are essential to the strong protection of your services
and data.
While this has been an enormous In this e-book, you’ll learn about the
boost to productivity, it also presents Microsoft approach to security and
huge challenges for security. compliance with SharePoint Online
Previously, businesses needed be and OneDrive for Business, which
concerned with a firewall that ended encompasses:
at the corporate boundary. Now
Platform security
that boundary has shifted to the end
user. Businesses need to ensure that Protect content at rest and in transit
corporate data is safe while enabling with layered encryption customer
users to stay productive in today’s controls and keys to lock down data.
mobile-first world, where the threat
Information governance
landscape is increasingly complex and
sophisticated. Manage your data life cycle process
with customizable data retention,
SharePoint Online and OneDrive for
discovery, and deletion.
Business are uniquely positioned
to help you address these evolving Secure access and sharing
security challenges. To begin with,
Manage access and sharing settings to
Microsoft has continued to evolve with
guard against leaks of sensitive data.
new standards and regulations. This
has been a guiding principle behind Awareness and insights
security for SharePoint Online and
Gain full transparency and insights into
OneDrive for Business. Right alongside
users and data with auditing, reports,
that principle is this one: There is no
and alerts.
security without usability. If security
gets in the way of productivity, users Compliance and trust
will find a different, less secure way to
Leverage the proactive and continuous
do their work.
compliance and certification process of
SharePoint Online and OneDrive for
Business allow your organization to go
beyond its regular business rhythms Customer challenges by the numbers
and be nimbler in responding to
billion records compromised in the last year (Source: Risk
market changes and opportunities.
Based Security)
These solutions enable users to access
the files and documents they need days between infiltration and detection (Source: Mandiant
wherever they’re doing work, while Consulting M-Trends, 2016)
sharing and collaborating in real-time.
of senior managers admit to using personal accounts for work
And you control and own your data
(Source: Stroz Friedberg, On the Pulse: Information Security in
while Microsoft takes care of it.
American Business)

of organizations lack data governance, leaving them open to

litigation and data security risks (Source: AIIM – Information
Management in 2016 and Beyond, March)

year over-year-growth in electronic data (Source: AIIM –

Information Management in 2016 and Beyond, March)
02 Platform security
Protect content at rest and in transit with layered encryption
customer controls and keys to lock down data.
Data loss is non-negotiable for your business, and
exposure of sensitive information and assets can
have enormous legal and compliance implications—
and impacts on your competitive edge. SharePoint
Online and OneDrive for Business safeguard against
unintentional disclosures through the defense-in-
depth approach of Microsoft Office 365.
Microsoft is constantly working on ways to mitigate
the effects of attacks on data and information.
These security measures form the foundation of
our business products and cloud services. Office
365 gives you enterprise-grade physical and logical
security capabilities to secure your IT environment,
along with encryption controls to protect your files
and email communications.
Physical security
Capabilities:
Extensive auditing and supervision
prevent administrators from getting
unauthorized access to your data.
Multiple copies of your data are
located across datacenters for
redundancy.
With Office 365, your data is stored
in Microsoft datacenters that are
protected by layers of security.
These datacenters guard against
not only unauthorized access and
security breaches, but natural and
environmental threats as well. They are
built like, yes, fortresses.
These fortresses, however, are
transparent to you. Moving to a
cloud service shouldn’t mean losing
visibility into your services. We make it
easy for you to monitor the status of
your services, track issues, and get a
historical view of availability. You also
always have awareness of who has
access to your data and under what
circumstances they have it.
Multiple copies of your data are
kept across datacenters, which are
geographically distributed. If Microsoft
expands into a new country in the
region where your data is stored, you
are notified one-month in advance .
Logical security
Logical security keeps administrator
access to your files under strict control.
This happens through multitenancy
architecture and automation processes,
plus a combination of port scanning,
perimeter vulnerability scanning, and
intrusion detection—all to prevent
malicious access.
Multitenant architecture
In cloud computing, multitenancy is the
ability to share common infrastructure
across numerous customers
simultaneously, leading to economies
of scale. The multitenant architecture
of Office 365 supports enterprise-
level security, confidentiality, privacy,
integrity, and availability standards.
Microsoft continuously works to
ensure this, and does so based on
the assumption that all tenants are
potentially hostile to all other tenants.
Multiple forms of protection have been
implemented throughout Office 365 to
prevent customers from compromising
Office 365 services or applications,
gaining unauthorized access to other
tenants’ information, or breaching the
Office 365 system itself.
Automation
Most Office 365 operations are
automated. At the same time,
Microsoft limit its own access to
customer content. This enables Office
365 to be managed at scale while
protecting against potential internal
threats to customer content, such as a
malicious actor or the spear-phishing
of a Microsoft engineer. A Microsoft
engineer might have limited, audited,
secured access to customer content,
but only when necessary for service
operations and approved by a member
of senior management at Microsoft
(and, for customers who are licensed
for the Customer Lockbox feature, by
the customer).
Customer data management
In addition to these controls, you can
manage your data in Office 365 much
like you would in an on-premises
environment. As the global admin, you
have access to all features in the admin
centers. This means you can add or
edit users, and assign admin roles to
others. And you can also control how
users access information from specific
devices or specific locations, or a
combination of both.
Encryption Data in transit File-level encryption

Capabilities:
Easily and cost-effectively manage
and maintain control of the
encryption keys used by cloud apps
and services.
Encrypt keys and small secrets like
passwords by using keys stored in
hardware security modules (HSMs)
with Azure Key Vault.
Office 365 protects the confidentiality
and integrity of customer data by
following industry cryptographic
protocols like Transport Layer Security
(TLS)/Secure Sockets Layer (SSL) and
Advanced Encryption Standard (AES).
Data is protected at rest and in transit,
and protection extends to file-level
protection in some scenarios.
For data in transit, Office 365 secures
customer data by forcing all
customer-facing servers to negotiate
a secure session with client machines
through TLS/SSL protocols. This applies
to protocols on any device used by
clients—such as SharePoint
Online—on the web.
Data at rest
BitLocker volume encryption secures
data at rest. It addresses the threats of
data theft or exposure from lost, stolen,
or inappropriately decommissioned
computers and disks. Office 365
deploys BitLocker with AES 256-bit
encryption on servers that hold all
messaging data, including email and
IM conversations, as well as content
stored in SharePoint Online and
OneDrive for Business.
OneDrive for Business and SharePoint
Online also use file-level encryption
to encrypt data at rest. Office 365
moves beyond a single encryption
key per disk to deliver a unique
encryption key for every file stored in
SharePoint Online—including OneDrive
for Business folders. These files are
distributed across multiple Azure
Storage containers, each with separate
credentials. Not only are these files
spread across storage locations–the
map of file locations is itself encrypted
and the master encryption keys are
physically separated from both content
and the file map. All this makes
OneDrive for Business and SharePoint
Online a highly secure environment for
stored files.

“Privacy and security are essential to everything we do.

Our customers expect us to process their sensitive data
according to their country’s unique regulations, which
is why we use Office 365. I advised our leaders and CIO
that the Microsoft approach to security, compliance, and
privacy is of the highest standard in the industry.”
Sascha Schneider
Privacy Counsel Deputy Data Protection Officer
NGA Human Resources
03 Information governance
Data overload is an issue for many organizations.
While your organization might be obligated to keep
content for a certain period—because of compliance,
legal, or other requirements— holding on to data
longer than you need it can create unnecessary
legal risks.
Office 365 can help you get a handle on your data
life_cycle. With data governance features, you can
archive and preserve content from your SharePoint
Online sites and OneDrive for Business
locations—and import that content into your Office
365 organization.
The Retention feature in the Office 365 Security
& Compliance Center allows you to manage the
lifecycle of your content, keeping the content you
need and then removing the content after it’s no
longer required.
Data retention policies
Capabilities:
Enforce compliance with information
management processes and enforce
regulations with information
management policies.
Data retention policies allow you to
meet your organization or industry
compliance requirements. You can set
global retention policies on all content
in Office 365, or dig deeper by setting
granular policies on specific users or
content. Then, to follow through, you
can use intelligence to automate data
retention, classifying data based on
age, type, user, or sensitivity, and use
policy recommendations based on
machine learning.
And, of course, you’re only going to
purge data that’s redundant, obsolete,
or trivial. High value data can be
preserved through applied actions. This
can also be automated, by means of
a customized schedule for preserving
and deleting content.
eDiscovery
Identify and collect the data that might
be relevant to a specific legal case.
Capabilities:
Identify and deliver electronic
information that can be used as
evidence in legal cases.
Use advanced eDiscovery to analyze
unstructured data within Office 365,
perform more efficient document
review, and make decisions to
reduce data for eDiscovery.
Office 365 in-place capabilities simplify
the eDiscovery process, making it
easy for you to find and preserve the
right documents in cases of litigation
or government litigations. Predictive
coding enables you to train the system
to automatically distinguish between
documents that are likely to be
relevant and non-relevant. And with
clustering technology, you can look
at documents in context and identify
relationships among them.
Legal and litigation
controls
Protection of the confidentiality of data
that’s stored within the infrastructure.
Capabilities:
Prevent important documents from
being edited or deleted, and define
how long documents must be
stored by using in-place holds and
document deletion policies.
Control the life_cycle of a SharePoint
site and its associated site mailbox.
Legal and litigation controls help you
prevent important documents from
being edited or deleted, and define
how long documents must be stored.
These controls enable you to manage
the lifecycle of documents to comply
with your organization’s records
management policies. They allow you
to control the lifecycle of a SharePoint
site and its associated site mailbox,
while providing a single experience for
searching and preserving across
Office 365.
04 Secure access and sharing
Gain full transparency and insights into users and data with
auditing, reports, and alerts.

Your data belongs to you. Simple as that. This is your data, you remain in control of it. And we help
another one of the guiding principles behind security you to manage this through access controls, sharing
for SharePoint Online and OneDrive for Business— controls, and application and device management.
that while, at Microsoft, we serve as custodians of
Access controls
Capabilities:
Policies that provide contextual
controls at the user, location, device,
and app levels.
Location-based conditional access
policy that blocks users who are
working from an untrusted location.
Conditional access works alongside
Multi-Factor Authentication in
providing another layer of security.
Multi-Factor Authentication requires
two or more verification methods
for user sign-ins and transactions.
These methods can include randomly
generated pass codes, a phone call, a
smart card, or a biometric device.

Advanced Security Management

The risks to information exposure have
increased in today’s collaboration
landscape because users don’t always
work on desktop computers. Access
controls now need to account for users
connecting their mobile devices to
nonsecure networks or using their own
unmanaged devices.
ensures that you’re aware of any
suspicious activity in Office 365.
This gives you the opportunity
to investigate situations that are
potentially problematic and, if needed,
revoke suspicious user sessions.

These new access controls start with

conditional access policies. Conditional
access allows you to keep your
corporate data safe while providing
your users a secure environment in
which they can work from any device.
Conditional access in SharePoint
Online and OneDrive for Business
offers security that goes beyond user
permissions. It takes into account the
identity of the user, the devices and
applications being used, the network
that the user has connected to, and the
sensitivity of the data being accessed.
Sharing controls
Capabilities:
Extensive sharing controls to support
external sharing, link expiration, and
revocation of access to content
and files.
In working with vendors, clients, or
customers outside your organization,
you often need to share documents
with these external users to collaborate
directly. External users can be
authenticated or anonymous.
The external sharing features of SharePoint
Online help you manage security risks
by giving you the capability to set up an
extranet site. Extranet sites can be locked
down so that only you can invite external
users. Admins can control the list of
partner domains that their employees can
share with users outside the organization.
Allow-and deny lists of email domains can
be configured. Activities of the business
partner users are audited, and reports can
be viewed in Office 365 Activity Reports.

Because authenticated users have

their own Microsoft accounts, you
can share sites and documents much
like you would with users within your
organization. However, since these
users don’t have access to your Office
365 subscription, they’re limited to
basic-collaboration tasks.

Users without Microsoft accounts are

considered anonymous. These users
can access folders and documents
through shareable links without having
to log in with a username or password.
Anonymous users can’t access sites or
be assigned licenses, so they’re only
able to see your documents through
the links you provide. These links are
valid only for as long as you choose.

“Many of our employees used multiple storage solutions,

but we moved to OneDrive for Business because it has the
stringent data protection standards that our clients expect
and that give us more control over access to our data.”
Sudesh Withanage
Senior Technology Consultant
Virtusa
Application and device Microsoft Intune helps you with
management mobile device management,
securing corporate data on devices
Capabilities:
used by licensed Office 365 users
 zure Active Directory management
A in your organization. If a device is
tools enable collaboration and lost or stolen, you can remotely
deliver holistic identity protection wipe the device to remove sensitive
and adaptive access control.
organizational information.
Integrated device and app
management is enabled through
Microsoft Intune.

With device-based policies, you can

allow, block or challenge access
through Multi-Factor Authentication,
device enrollment, or password
change. Device-based policies for
SharePoint Online and OneDrive for
Business help you ensure that your
corporate resources data isn’t leaked
onto unmanaged devices, such as
devices that are non-domain joined
or non-compliant. These policies limit
content access to the browser while
preventing files from being taken
offline or synchronized with OneDrive
for Business on unmanaged devices.
05 Awareness and insights
Manage your data life cycle process with customizable data
retention, discovery, and deletion.

Understanding usage within your organization helps
you get ahead of security risks and usability issues.
Advanced auditing enables you to discover forensic
information about specific activities conducted by
a user or an administrator. Personalized reporting
offers seamless access to information through a
unified dashboard. And intelligent alerting allows
you to monitor and investigate actions taken on
your data, so that you can contain and respond to
threats—and protect your valuable
intellectual property.
Advanced auditing
Capabilities:

 iscover forensic information

D
about specific activities that
were conducted by a user or an
administrator.

 se RESTful APIs to get an

U
unprecedented level of visibility into
user and admin transactions within
Office 365.

L everage hybrid auditing across

cloud and on-premises.

With advanced auditing in Office

365, you can track changes and user
activity in SharePoint Online and
OneDrive for Business. This allows you
to audit changes made to files and
site collections, as well as the users
who made changes. Every user action
is recorded for a full audit trail. And
you can set up custom alerts when a
specific event occurs. You can quickly
access these audit reports through the
Office 365 Security and
Compliance Center.
Personalized reporting The OneDrive for Business activity
report gives you a holistic view of
Unified reporting and seamless
OneDrive usage in your organization.
information access.
As with SharePoint reporting, you can
Capabilities: see which users are using OneDrive to
sync files back to their local machines
 nified reporting dashboard for
U
and how users are actively engaging
seamless access to information.
across OneDrive accounts in your
 roduct-level reports for more
P
organization.
granular insight about the activities
within each product.

Personalized reporting helps you avoid

the unexpected by being aware of
what’s going on in your organization.

Activity reporting for SharePoint lets

you see how users in your organization
are using SharePoint Online sites
to access, save, and collaborate on
documents. It shows you which users
are active on each team site, and which
users sync documents back to their
local machines or share
documents externally.
Intelligent alerting
 mail notification when users
E
perform specific activities in Office
365.

Enabled through Advanced Security

Management, intelligent alerting allows
you to monitor and investigate actions
taken on your data, identify risks, and
contain and respond to threats made
on your intellectual property.

Threat Intelligence analyzes billions of

data signals across Office consumer
and commercial services, helping
to protect you before attacks reach
your network. These insights can be
integrated with your existing security
management tools.

“We have revealed a more agile way of working that helps

us simplify access to information, promote insights and
analytics across the business, and remain competitive
without sacrificing our essential security and compliance
concerns.”
Matt Potashnick
Chief Information Officer
AXA UK and Ireland
06 Compliance and trust
Take advantage of the proactive and continuous compliance
and certification process used by Microsoft.
For customers considering a move to the cloud,
compliance is a major issue. And it’s a paramount
concern for us at Microsoft as well, which is why
Office 365 offers you continuous compliance. Our
base level of requirements for Microsoft products
and services is always increasing, as impacted by
needs worldwide and across industries. Our specialist
compliance team tracks standards and regulations,
developing common control sets for our product
team to build into the service. We have built over
1,000 controls into the Office 365 compliance
framework that enable us to stay up to date with
frequent changes to industry standards.
Microsoft regularly submits self
assessments to independent third
Capabilities:
party auditors. Microsoft holds key
certifications, including:
EU Model Clauses
FedRAMP
FERPA
FISMA
Continuous compliance
Discover forensic information about
specific activities performed a users
or administrators.
Use RESTful APIs to get an
unprecedented level of visibility
into all user and admin transactions
within Office 365.
These capabilities intelligently simplify
the eDiscovery process, so there’s less
time taken on your end and less strain
on your budget. And as the compliance
landscape expands, our capabilities
expand with it.

HIPAA Business Associate Agreement

Office 365 helps you meet evolving
ISO/IEC 27001
internal investigation, legal, and
UK G-Cloud v6 Official regulatory requirements with rich set
of eDiscovery capabilities. Validating
your organization’s security practices
can be an expensive, exhaustive, and
exhausting process. Office 365 enables
you to identify relevant data quickly
through advanced tools like machine
learning, predictive coding, and
text analytics. Advanced eDiscovery
reduces the volume of data by finding
near-duplicate files, reconstructing
email threads, and pinpointing key
data relationships. Plus, you can
easily export this data to third-party
applications for review.

“Our legal department, risk management group, and

human resources organization thoroughly reviewed
our options to make sure the [system] we chose would
support continuous adherence to all our requirements.
Like other global companies, we must comply with all
local regulations. Office 365 gives us confidence that
we can remain in compliance from a data privacy and
security standpoint.”
Sherry Nubert
Chief Information Officer
The Goodyear Tire & Rubber Company
Transparent operations
Capabilities:
24/7 escalation to the development
team to resolve issues that cannot
be resolved by operations alone.
Thorough review of all service
incidents and an analysis if your
organization is affected.
Controlled access to your data
through Customer Lockbox.
Our operations are transparent, so
you can check in on the state of your
service, track issues, and get a historical
view of availability. This means you
always know where your data is stored
as well as who has access to it and
under what circumstances. You can find
all of this information in the Office 365
Trust Center.
By design, Office 365 commercial
services are separate from our
consumer services so that there is
no mixing of data between the two.
We maintain that you are the owner
of your data, and we do not mine
customer data for purposes other than
providing you productivity services.
Even when you require a Microsoft
support engineer to access your data,
such as to troubleshoot and fix an
issue, you maintain control of your
data. Customer Lockbox enables
you to approve or reject requests
to access your data. Each approved
access request is only available until it
expires. Upon resolution of the issue,
the request is closed and access is no
longer approved.
Customer Lockbox also helps you
demonstrate that you have data
access procedures in place, which can
be necessary in meeting compliance
obligations.
Privacy by design
Capabilities:
Privacy controls enable you to
configure who in your organization
has access and what they have
access to.
Design elements prevent mingling
of your data with that of other
organizations using Office 365.
Privacy controls enable you to
configure your company privacy
policies. To comply with business
standards and industry regulations, you
need to protect sensitive information
and prevent its inadvertent disclosure.
This includes financial data or
personally identifiable information (PII),
such as credit card numbers, social
security numbers, and health records.
With a data loss prevention (DLP)
policy in the Office 365 Security &
Compliance Center, you can identify,
monitor, and automatically prevent
the accidental sharing of sensitive
information across Office 365. DLP
allows you to control how your data
flows internally as well as outside your
organization.

Microsoft advocates for data privacy

“As we build the bank of the future, we are providing on behalf of customers, and safeguards
the right tools and technology for our people, resulting customer data with strong contractual

in improved agility and security. Our move to Office 365

is also helping us... reduce IT costs in half. We’re fully
committed to the cloud as we add on all the Office 365
functionality, including the Enterprise Mobility Security
Suite and Customer Lockbox.”

Jeff Henderson
Executive Vice President and Chief Information Officer
TD Bank Group
07 Conclusion
In the new world of work, SharePoint Online and
OneDrive for Business allows you to access email and
documents from anywhere on any device—and to do
so securely. Our approach provides this productivity
protected by security with defense-in-depth solutions
to safeguard your data. We give you the user and
administrative controls to shield and defend your IT
environment and the privacy of your customer data,
so you can comply with standards and regulations.
SharePoint Online and OneDrive for Business allow your business
to get ahead while getting a handle on your data, providing tools
to manage your users and devices, better understand usage within
your organization, and be better prepared for any actions taken on
your data.
Microsoft has been a leader in trusted enterprise-grade solutions
for decades now. And as the collaboration and compliance
landscapes evolve, we do too. Learn more at the
Microsoft Trust Center.