DriveLock Blog | IT Sicherheit und Cyber Security

Managing access rights for resources

Written by DriveLock | Jun 19, 2025 8:00:00 AM

In our series of articles, we examine the risks of sharing files via OneDrive or Teams and provide tips on how to ensure information security without restricting collaboration. The second article analyzes the challenges for IT administrators when adapting and managing access rights and describes a possible solution for CISOs by implementing data access governance. Using a concrete example, we show how easy it is to implement without compromising collaboration within the company.

CONTENT

  1. WHAT ARE ACCESS RIGHTS IN CYBER SECURITY?
  2. OVERSHARING OF CONTENT
  3. DATA ACCESS GOVERNANCE ENABLES SECURE COLLABORATION
  4. DRIVELOCK 365 ACCESS CONTROL
  5. SUMMARY

 

A. What are access rights in cybersecurity?


Essentially, access rights describe who or what (e.g. users, systems or applications) is allowed to access which resources - and, above all, to what extent. You can think of it like keys to a building, where each key only opens certain doors and is only given to certain people. In the digital world, access rights determine whether someone can read, edit, delete or share a file. These rights are crucial as they ensure that sensitive patient data, company design plans or operational control systems can only be used by authorized persons or systems.

The aim is therefore to guarantee the protection of company data and at the same time enable smooth collaboration. Incorrect management of access rights can quickly lead to data leaks, business interruptions and significant compliance breaches.

The role of access management in access rights

Access management is directly responsible for how access rights are implemented and enforced in a system. Once a digital identity has been successfully authenticated, access management steps in to determine which specific authorizations - i.e. which access rights - this identity is entitled to. It is the mechanism that assigns and monitors these rights based on predefined policies or roles. Without effective access management, access rights would remain mere concepts; it ensures that only authorized users can actually use the rights assigned to them and that unauthorized access is consistently prevented.

B. Oversharing of content


In organizations, content is often shared without thinking, and this is a problem. Users tend to share content with a larger audience than necessary. There are usually good intentions behind this, but thoughtless sharing leads to unauthorized access to content and files. As hybrid working and external collaboration become critical IT security issues, the problem of "oversharing" becomes more important.

Administrators in Microsoft 365 can restrict permissions in OneDrive and Teams so that users are not allowed to share files with people outside the organization; and they can generally restrict the ability of users to share data within the organization. But such overly restrictive security measures would overshoot the mark. For one thing, these restrictions do not work at the file or directory level. For another, they don't take into account the needs of users who want to share files individually at a much more granular level. And since users tend to overcome such restrictive barriers, they will start using other tools. This would likely degrade the overall security level of data in the organization - something you as a CISO want to avoid at all costs.

An effective approach to avoiding this problem is to set file sharing policies at the individual file and folder level. Obviously, this leads to a far more complex environment to manage. IT administrators are overwhelmed here, not only because of the workload they already have, but also because of their lack of knowledge about the context of the information in these files. It is not their responsibility to determine the appropriate classification level for data or to understand why access should be granted to which individuals or groups. The owner of the data is the only one who is able, and should be authorized, to make these assessments: the person who originally created the document or who is responsible for the content (e.g. the head of a department).

C. Data access governance enables secure collaboration


Data access governance (DAG) is considered the most effective approach to ensuring compliance and data security. Data owners must be authorized to share their files with specific individuals and groups as needed, while adhering to the company's security standards.

The security standards for the company are configured and updated centrally by the IT administrators. In most cases, however, it is the data owners who can recognize whether a security breach has occurred and whether sharing permissions should be adjusted. They must be able to document and justify changes to the permissions. With this implementation, sharing files and folders becomes simple and secure and security policies can be consistently adhered to. To ensure that policies are implemented practically and on an ongoing basis, it is important to involve both IT administrators and data owners in the decision-making process. Relying solely on administrators to monitor compliance can lead to overly broad policies, as they will then adapt the guidelines to minimize their efforts. A joint approach is therefore necessary. We will now show you how this can be achieved in practice.

D. DriveLock 365 Access Control


To ensure that data access governance is implemented practically and securely, several important aspects must be taken into account:

  • Before sharing files, all data owners should receive a short briefing in which they learn how to comply with the security guidelines and fulfill their responsibility for data security. This includes ensuring that they understand the different levels of access rights and the implications of sharing a file with people outside the company. A data classification system is also required, which should include a maximum of five different levels. Certain information can be made available to the public, while most data can be distributed within the organization. Typically, 10 to 15% of information is classified and only accessible to a limited group of people.

    DriveLock 365 Access Control allows you to define and assign data classifications to different storage locations on OneDrive, Teams or SharePoint Online. The security class definitions offer setting options for sharing restrictions and can contain instructions for users via the corresponding application level.

  • In addition, organizations must have an automated process for monitoring access rights and for sending notifications when permissions are changed or are no longer compliant. This helps to reduce the risk of unauthorized access to sensitive data and ensures that data owners always have an up-to-date overview of who has access to their files.

    DriveLock 365 Access Control enables data owners to detect and resolve security breaches effortlessly and without administrative intervention at the touch of a button. The solution shows how many users have access to a specific file, folder, team or location and whether external persons have been granted access. Access rights can be revoked or granted to other groups or individuals if required.

  • Finally, it is important to set up a clear procedure for revoking access when necessary. For example, this can be done automatically when a user leaves the company or when data reaches its expiry date.

    DriveLock 365 Access Control includes a role-based access control (RBAC) system that automatically grants or revokes access, e.g. when a person's role, department or employment status in your company changes or when a person leaves the company.
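The three requirements above (classification levels with sharing restrictions, automated monitoring with notification of the data owner, and revocation on departure or expiry) can be checked in one audit pass. The following is an added illustration, not DriveLock 365 Access Control code and not a Microsoft 365 API; the classification names, the `Grant` record, the `audit` function and all sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed classification levels (the article recommends at most five);
# the value says whether sharing outside the organization is permitted.
EXTERNAL_ALLOWED = {"public": True, "internal": False, "confidential": False}

@dataclass
class Grant:  # hypothetical record of one sharing permission
    path: str
    owner: str
    grantee: str
    classification: str
    expires: Optional[date] = None  # expiry date of the data, if any

def audit(grants, org_domain, active_users, today):
    """Return {owner: [(path, grantee, reason), ...]} for non-compliant grants."""
    findings = {}
    for g in grants:
        who = g.grantee.lower()
        external = not who.endswith("@" + org_domain)
        reasons = []
        # Unknown classification levels fail closed: external sharing is denied.
        if external and not EXTERNAL_ALLOWED.get(g.classification, False):
            reasons.append(f"external share of {g.classification} data")
        if not external and who not in active_users:
            reasons.append("grantee has left the company")
        if g.expires is not None and g.expires < today:
            reasons.append("data past its expiry date")
        for reason in reasons:
            findings.setdefault(g.owner, []).append((g.path, g.grantee, reason))
    return findings

# Constructed sample data, not taken from any real tenant.
ORG = "example.com"
ACTIVE = {"ana@example.com", "ben@example.com"}
SAMPLE = [
    Grant("/hr/salaries.xlsx", "ana@example.com", "ben@example.com", "confidential"),
    Grant("/hr/salaries.xlsx", "ana@example.com", "vendor@partner.example", "confidential"),
    Grant("/eng/roadmap.docx", "ben@example.com", "carl@example.com", "internal"),
    Grant("/eng/old-spec.docx", "ben@example.com", "ana@example.com", "internal", date(2025, 1, 31)),
    Grant("/press/release.pdf", "ana@example.com", "journalist@news.example", "public"),
]

if __name__ == "__main__":
    for owner, items in audit(SAMPLE, ORG, ACTIVE, date(2025, 6, 19)).items():
        for path, grantee, reason in items:
            print(f"notify {owner}: review {grantee} on {path} ({reason})")
```

Findings are grouped by data owner rather than sent to an administrator, matching the article's point that the owner is the one who can judge whether a grant is justified.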

E. Summary


Being able to manage and restrict access to data is essential for organizations to protect sensitive data and comply with security policies. By giving data owners the ability to securely share files, companies can ensure that their documents are not shared with unauthorized individuals or groups. An automated process for monitoring and revoking access rights helps organizations stay on top of who has access to their data and act quickly if something goes wrong.

Protecting important data can be a daunting task for IT administrators, who are often overwhelmed by the complexity and know too little about the content they are supposed to protect. And while Microsoft 365 provides some support for setting limits on content sharing, it doesn't fully meet users' needs for regulating access to individual files and folders.

DriveLock 365 Access Control provides an effective solution for data access governance and ensures the security of your sensitive data. DriveLock's data owner-centric approach simplifies the process for IT administrators.