Microsoft OneDrive for Business is intelligent. The platform has been designed, re-designed, evolved and developed to provide enterprises with faster and more intuitive access to files, projects and folders. It’s an intuitive tool that leverages the capabilities of cloud to provide companies with a more effective way of managing vast quantities of data while streamlining project management and control.
Security best practice considerations for Microsoft OneDrive for Enterprise
Microsoft OneDrive integrates with Microsoft Exchange, Microsoft Office 365, and Microsoft Teams. Considering that Microsoft currently, according to a recent Gartner report, dominates the cloud-based offering space, this makes OneDrive a very useful tool for the organisation looking to reshape its cloud investment. OneDrive comes with a fairly extensive list of benefits and features that can be customised and adapted to suit specific business requirements. Some of the most relevant, for most organisations include: secure file sharing, syncing of local copies for offline viewing and flexible cloud storage and file sharing capabilities.
However, the use of OneDrive does expect a measure of security to be embedded in both use case and organisational culture. There are risks that come with some of the features on offer and they cannot be ignored, especially when most people are still working remotely during the pandemic.
OneDrive Security Risks
The ability to share files both within and without the organisation is a risk. Yes, OneDrive comes with fairly robust security protocols to minimize potential breaches and user error, but security has to be a priority with any OneDrive implementation. The platform itself comes with a variety of backend security services and these are bolstered by its excellent integration with all the other Microsoft apps and services on offer. For those companies that have already invested into Microsoft 365, OneDrive will add some pretty nifty functionality to the project and task-management space along with all the extra security protocols that these systems include.
OneDrive is compliant with ISO 27001, an industry standard that pretty much defines the policies of most tech and IT departments. The platform encrypts the data from client to server via SSL and data at rest is encrypted using AES 256-bit encryption keys. These keys are controlled by Microsoft, however, so only admins can access the data for a limited period of time.
To further minimize OneDrive security risks, Microsoft added OneDrive Personal Vault in September 2019. Designed to manage the growing complexities of online threats – and weirdly predictive of the massive surge in these threats during the global move to remote working – OneDrive Personal Vault is a protected space that is only accessible with a strong authentication process that uses two-factor authentication. Users have to use biometrics, PIN codes or email/SMS codes to access the vault so that private information is given an extra lock and key to ensure richer security and minimal risk.
According to Microsoft, OneDrive Personal Vault syncs to a BitLocker encrypted area on the local hard drive and are encrypted both at rest in the cloud and in-transit to the device. It’s automatically locked after a period of time and can only be accessed by activating the two-factor authentication process. This helps minimise much of the risk associated with access to OneDrive using mobile devices as many remote workers forget to password lock their devices or to even use a password at all. The ‘untethered’ mobility offered by OneDrive is a risk in the wrong hands, especially now.
Personal Vault goes a long way towards redressing some of the gaps left open by users, but there are other factors that have to be taken into consideration as well. The first of these being how users are secured on the network and how they are accessing enterprise-level applications from remote locations. The second is that Personal Vault is encrypted by the user and is for use in the personal application which can see important business information stored outside of the company that is inaccessible by the company. Not available on the enterprise edition, Personal Vault is both a safety valve and a risk that needs to be assessed by the organisation.
OneDrive Security Concerns
The hard reality is that cybercrime has risen proportionately with the move to remote working conditions. Cyber criminals have taken advantage of user error and previously unseen vulnerabilities to penetrate organisations and cause immense damage. This has made the user one of the weakest links in the chain, again. Or perhaps, still. They are still the weakest link in the chain which makes the user the one most likely to cause issues with OneDrive security.
Microsoft OneDrive is a popular choice for most companies because it’s familiar to most users. This is a fairly important quality in light of how easily users can make mistakes, especially now. However, even though it is familiar and comes with some of Microsoft’s own hand-picked security layers, it is essential that any enterprise ensure that it checks the security controls and that these are aligned with its own security systems and parameters. No system is flawless and no solution is perfect so OneDrive is not going to simply slip into place without needing a modicum of adjustment to alleviate relevant security concerns.
OneDrive does come with data encryption using the AES standard and it is compliant with FIPS 140-2. Admins can manage OneDrive from the dedicated admin centre which allows for more precise configuration and permission settings – this is very useful for specific worker controls or managing particular user permissions. However, the company does need to incorporate the platform into its governance, risk and compliance strategy to ensure that it adheres to regulatory data protection and data loss prevention policies. This is critical for any application, particularly within the enterprise space and even more so for an application that’s sole focus is data and data sharing.
By ticking these boxes, the business will put OneDrive on a solid foundation built on the right security principles from the ground up. No app is perfect, but for organisations paying attention to the gaps and the risks, OneDrive can deliver superb business functionality without excessive cause for security alarm.