Cloud security controls series: OneDrive for Business
One of the Microsoft cloud services that I get asked about most often is OneDrive for Business. It’s part of Office 365 – so many, many customers are already using this service. OneDrive for Business can help ensure that business files for organizations’ users are stored in a central location making it easy for users to search, share and collaborate on documents using a range of devices including Windows and Windows Phone devices, Android, Mac OSX, and iOS-based devices. Many enterprise customers want to take advantage of the many benefits this service offers, in addition to the relatively low cost and unlimited storage capabilities it provides.
But naturally, customers have questions about the security controls built into OneDrive for Business that will help them manage the security of the data they store there. Customers want to ensure that this service provides appropriate protections to help them manage the risks of unauthorized access to data and accidental leakage of data.
I recently wrote an article about encrypting data at rest in Microsoft cloud services where I discussed how encrypting customer data and properly managing the encryption keys can help mitigate the risk of unauthorized access to that data. I also wrote an article on how data in-transit is protected. If you haven’t read these articles yet, I suggest reading them as a prerequisite to this article as I mention a bunch of controls, like physical security controls, that help protect customer data in OneDrive for Business beyond what I’ll discuss in this article. It’s important to understand that there are layers of controls (physical datacenter security, network security, access security, application security, etc.) inside Microsoft cloud services that help protect customer data, and give customers options on how to manage their organizations’ highest priority risks.
First, let’s look at how data stored in the service is encrypted at rest. Data at rest in OneDrive for Business is encrypted at both the disk level and the file level. Microsoft has been deploying BitLocker Drive Encryption across the OneDrive for Business service to provide disk level encryption. Many enterprise customers are familiar with BitLocker as they use it to protect data stored on their on-premises Windows-based systems. In addition to numerous other security controls that help protect data in OneDrive for Business, BitLocker helps manage the risk of physical disk theft from a Microsoft datacenter. Even if someone could steal a disk or server out of a datacenter, BitLocker would not allow an attacker to boot the system or harvest customer data from it.
Microsoft has also been rolling out per-file encryption for OneDrive for Business in Office 365 multitenant and new dedicated environments that are built on multitenant technology. This file level encryption employs a combination of chunking the files that customers store in the service into smaller pieces, encrypting each chunk with a separate key, and distributing the chunks randomly across multiple storage containers in a datacenter. The keys used to encrypt the chunks of content (content encryption keys) are themselves encrypted with a master key. The encrypted chunks of content, the master keys, and the “map” used to re-assemble the chunked content into the original file that the customer stored in the service are all stored in physically separate data stores. This combination of safeguards, together with the aforementioned BitLocker Drive Encryption, is a very effective set of security controls that help manage the risk of unauthorized access to data.
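To make the layering concrete, here is an added illustration in PowerShell. It is not Microsoft's implementation and is not code from the original post: the cipher choice (AES-256-CBC with HMAC-SHA256, encrypt-then-MAC), the function names and the three in-memory "stores" are assumptions made for the demo. What it shows is the property the paragraph describes: every chunk sits under its own content key, the content keys are useless without the master key, and the chunk store alone does not even reveal which chunks belong together.

```powershell
# Added illustration of the layering described above (chunks, per-chunk content keys, a master
# key, and a separate reassembly map). It is NOT Microsoft's implementation: the cipher choice
# (AES-256-CBC with HMAC-SHA256, encrypt-then-MAC), the function names and the three in-memory
# "stores" are assumptions made for this demo. Runs in Windows PowerShell 5.1 and PowerShell 7.
using namespace System.Security.Cryptography

function New-RandomBytes([int]$Count) {
    $bytes = New-Object byte[] $Count
    [RandomNumberGenerator]::Create().GetBytes($bytes)
    return ,$bytes                      # leading comma keeps the array from being unrolled
}

# A 64-byte key = 32 bytes AES key + 32 bytes HMAC key. Output layout: IV || ciphertext || tag.
function Protect-Bytes([byte[]]$Plain, [byte[]]$Key) {
    $aes = [Aes]::Create(); $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.Key = [byte[]]$Key[0..31]; $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    $body   = [byte[]]($aes.IV + $cipher)
    $tag    = [HMACSHA256]::new([byte[]]$Key[32..63]).ComputeHash($body)
    return ,[byte[]]($body + $tag)
}

function Test-SameBytes([byte[]]$A, [byte[]]$B) {
    # Constant-time comparison: never stop at the first differing byte.
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return ($diff -eq 0)
}

function Unprotect-Bytes([byte[]]$Blob, [byte[]]$Key) {
    if ($Blob.Length -lt 48) { throw 'blob too short' }           # 16-byte IV + 32-byte tag minimum
    $body = [byte[]]$Blob[0..($Blob.Length - 33)]
    $tag  = [byte[]]$Blob[($Blob.Length - 32)..($Blob.Length - 1)]
    $expected = [HMACSHA256]::new([byte[]]$Key[32..63]).ComputeHash($body)
    if (-not (Test-SameBytes $tag $expected)) { throw 'integrity check failed: wrong key or tampered chunk' }
    $aes = [Aes]::Create(); $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.Key = [byte[]]$Key[0..31]; $aes.IV = [byte[]]$body[0..15]
    return ,$aes.CreateDecryptor().TransformFinalBlock($body, 16, $body.Length - 16)
}

# Split content into chunks; each chunk gets a fresh random content key, the content key is
# wrapped with the master key, and the ordered chunk ids (the "map") are kept apart from both.
function Protect-File([byte[]]$Content, [byte[]]$MasterKey, [int]$ChunkSize = 1MB) {
    $chunkStore = @{}                                                # store 1: id -> encrypted chunk
    $keyStore   = @{}                                                # store 2: id -> wrapped content key
    $chunkMap   = [System.Collections.Generic.List[string]]::new()   # store 3: ordered chunk ids
    for ($offset = 0; $offset -lt $Content.Length; $offset += $ChunkSize) {
        $len   = [Math]::Min($ChunkSize, $Content.Length - $offset)
        $chunk = New-Object byte[] $len
        [Array]::Copy($Content, $offset, $chunk, 0, $len)
        $id = [guid]::NewGuid().ToString()   # random id: a chunk's name reveals nothing about its position
        $contentKey = New-RandomBytes 64
        $chunkStore[$id] = Protect-Bytes $chunk $contentKey
        $keyStore[$id]   = Protect-Bytes $contentKey $MasterKey
        $chunkMap.Add($id)
    }
    return @{ ChunkStore = $chunkStore; KeyStore = $keyStore; ChunkMap = $chunkMap }
}

# Reassembly needs all three stores plus the master key; any one of them alone is useless.
function Unprotect-File($Stored, [byte[]]$MasterKey) {
    $out = New-Object System.IO.MemoryStream
    foreach ($id in $Stored.ChunkMap) {
        $contentKey = Unprotect-Bytes $Stored.KeyStore[$id] $MasterKey
        $plain      = Unprotect-Bytes $Stored.ChunkStore[$id] $contentKey
        $out.Write($plain, 0, $plain.Length)
    }
    return ,$out.ToArray()
}

# Demo with constructed data: ~58 KB of text split into 16 KB chunks
$master = New-RandomBytes 64
$data   = [Text.Encoding]::UTF8.GetBytes('Confidential - do not share. ' * 2000)
$stored = Protect-File -Content $data -MasterKey $master -ChunkSize 16KB
"$($stored.ChunkMap.Count) chunks, each under its own content key"
$back = Unprotect-File $stored $master
"round trip intact: $([Convert]::ToBase64String($back) -eq [Convert]::ToBase64String($data))"
# Flip one byte of a stored chunk: reassembly now fails on that chunk instead of returning bad data
$firstId = $stored.ChunkMap[0]
$stored.ChunkStore[$firstId][20] = $stored.ChunkStore[$firstId][20] -bxor 1
try { [void](Unprotect-File $stored $master) } catch { "tamper detected: $_" }
```

The point of the three separate structures is the attacker's view: whoever obtains only the chunk store holds randomly named ciphertexts with no ordering; whoever adds the key store still has content keys wrapped under a master key they do not hold. In the real service the master keys and the map live in physically separate stores, which is what the demo's three hashtables stand in for.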
This article and video walk you through the combination of BitLocker Drive Encryption and file level encryption in the OneDrive for Business service: Data Encryption in OneDrive for Business and SharePoint Online.
Another question I get asked about OneDrive for Business from time to time is how it synchronizes data securely. The graphic below illustrates how the synchronization process works along with the aforementioned file level encryption process.
Perhaps the question I get asked most often about security controls for OneDrive for Business is whether administrators can block data from being synchronized to unmanaged systems. Many organizations do not want their organization’s data to be distributed to personally owned or unmanaged PCs where policies are not being enforced. File synchronization can be configured to work only on domain-joined PCs; it can also be configured to only synchronize to PCs that are members of administrator-specified Windows domains. This control is configurable using administrators’ favorite system interface: PowerShell cmdlets. Mobile systems that need to access files stored in OneDrive for Business can be managed using mobile device management (MDM) policies via MDM for Office 365. This will help ensure that mobile devices meet organizational security requirements, like enforcing PIN usage on the device, and it also provides full wipe and selective wipe capabilities. A blog post and video describing these features and other related features is available here: New IT management controls added to OneDrive for Business.
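The sync restriction above, as an added example rather than code from the original post. It assumes the SharePoint Online Management Shell module is installed and that you hold the SharePoint admin role; the tenant name `contoso` and the domain GUIDs are placeholders to replace with your own.

```powershell
# Added example (not from the original post). Assumes the SharePoint Online Management Shell
# module and the SharePoint admin role; 'contoso' and the GUIDs below are placeholders.
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# Collect the objectGUID of each AD domain whose member PCs may sync. On a machine with the
# ActiveDirectory module, run once per domain:
#   (Get-ADDomain).ObjectGUID
# Then allow the sync client only on PCs joined to those domains; all other PCs are refused.
Set-SPOTenantSyncClientRestriction -Enable `
    -DomainGuids "11111111-1111-1111-1111-111111111111; 22222222-2222-2222-2222-222222222222"

# Confirm what is now enforced for the tenant
Get-SPOTenantSyncClientRestriction
```

Leaving the GUID list empty while `-Enable` is set would block every PC, so verify the output of `Get-SPOTenantSyncClientRestriction` before telling users the change is live. This control covers the Windows sync client on PCs; phones and tablets are the MDM policies' job, as the paragraph notes.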
Of course, auditing controls are important to enterprise customers as well. Auditing controls available in the Office 365 compliance center enable organizations to audit all the actions taken on their files stored in OneDrive for Business. For example, organizations can monitor which PCs or Macs attempted to sync with OneDrive and who viewed and shared files. The screenshot below illustrates this type of activity report, which can also be accessed via a Search PowerShell cmdlet, as well as the Office 365 Management Activity API.
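The same two questions (which clients synced, and who shared what with whom) asked from the PowerShell side, as an added example that is not from the original post. It assumes the ExchangeOnlineManagement module, an account permitted to read the unified audit log, and that unified audit logging is turned on for the tenant; the operation and field names are those of the unified audit log record schema, and `ResultSize` is capped at 5000 per call, so narrow the date window for busy tenants.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement module and
# an account that can read the unified audit log; unified auditing must be enabled for the tenant.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# 1. Which users, from which IPs and client builds, pulled full copies of files down via the sync client?
$sync = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -RecordType SharePointFileOperation -Operations FileSyncDownloadedFull -ResultSize 5000
$sync | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Group-Object UserId, ClientIP, UserAgent |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Sharing events whose recipient is a guest (external) account: who shared which item with whom.
$share = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -RecordType SharePointSharingOperation -ResultSize 5000
$share | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.TargetUserOrGroupType -eq 'Guest' } |
    Select-Object CreationTime, UserId, Operation, ObjectId, TargetUserOrGroupName |
    Sort-Object CreationTime |
    Format-Table -AutoSize
```

The first query is the one to run after enabling the sync domain restriction: a client IP or user agent you do not recognise that is still downloading full files is exactly what the restriction is meant to stop. The second query gives the external-sharing picture before you decide on the per-user or per-domain sharing limits described later in the post.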
There is a lot of other great information available – check out some of these other resources:
The Office 365 Trust Center
The OneDrive blog
OneDrive How-To
Lastly, the OneDrive team announced new security capabilities in OneDrive for Business just this week. These new features will help customers govern how their users share files via OneDrive for Business – a key control area that I know many customers are interested in. These new capabilities include:
Limiting external sharing permissions for specific users
Depending on its policies, your organization might or might not permit users to share files with external parties. OneDrive for Business already provided a switch for administrators that disabled external sharing for all OneDrive for Business users. Now a new feature gives administrators the ability to disable external sharing permissions for specific individual users. This will help some organizations enforce information sharing policies that apply to specific roles inside their organization. For example, it can be applied to roles that work on information classified as confidential – do not share. Once the administrator disables sharing for a user, the user is then informed they can’t share to external parties via OneDrive for Business.
Managing external sharing domains
The OneDrive team is also working on a new feature that will enable administrators to limit which external email domains their users can invite to view or edit shared files. Administrators will be able to configure an “allow list” or a “deny list” of email domains (as seen below) that will help them control who their users can share files with via OneDrive for Business.
Auditing external sharing invitations
In cases where policy does permit file/information sharing, some customers will still want the ability to audit the invitations to share files stored in OneDrive for Business that their users send to external parties. Now administrators can enable a feature that will send a blind copy of each invitation email to a dedicated archive mailbox for review.
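The three sharing controls just described (per-user sharing disablement, an allow list or deny list of external domains, and blind copies of sharing invitations), configured together as an added example that is not from the original post. It assumes the SharePoint Online Management Shell and the SharePoint admin role; the tenant name `contoso`, the user `alice`, the domains and the archive mailbox are placeholders. The OneDrive for Business site of a user is a SharePoint Online personal site, which is why the per-user switch is applied with `Set-SPOSite` to that site's URL.

```powershell
# Added example (not from the original post). Assumes the SharePoint Online Management Shell and
# the SharePoint admin role; 'contoso', 'alice', the domains and the mailbox are placeholders.
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# 1. Per-user control: turn off external sharing for one user's OneDrive for Business site.
#    A user's OneDrive is the personal site under the -my.sharepoint.com host.
$aliceOneDrive = 'https://contoso-my.sharepoint.com/personal/alice_contoso_com'
Set-SPOSite -Identity $aliceOneDrive -SharingCapability Disabled

# 2. Tenant-wide domain restriction: users may only invite addresses at the listed domains.
#    Use BlockList / -SharingBlockedDomainList instead for a deny list. Domains are space-separated.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList 'partner.example supplier.example'

# 3. Send a blind copy of every external sharing invitation to an archive mailbox for review.
Set-SPOTenant -BccExternalSharingInvitations $true `
              -BccExternalSharingInvitationsList 'sharing-archive@contoso.com'

# Verify the tenant-level settings and the per-user site
Get-SPOTenant | Select-Object SharingCapability, SharingDomainRestrictionMode,
    SharingAllowedDomainList, SharingBlockedDomainList,
    BccExternalSharingInvitations, BccExternalSharingInvitationsList
Get-SPOSite -Identity $aliceOneDrive | Select-Object Url, SharingCapability
```

A site's sharing setting can only be as permissive as the tenant's, so the per-user switch is a way to tighten one OneDrive below the tenant default, not to loosen it. The archive mailbox in step 3 is what makes the audit-the-invitations control work in practice: someone has to own the review of that mailbox, and the sharing events from the audit log give the same information in structured form if you prefer to review there.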
Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection