A field guide to SharePoint security: Best practices to protect your sensitive data

Learn to build your SharePoint Online security strategy and give yourself peace of mind when people start collaborating.

Here at ShareGate, we love SharePoint. We love how flexible it is, how good its sites and pages look on the screen, and how easy it is to get started creating content on it.

SharePoint Online is more than a fantastic place to host your knowledge center or intranet: it also makes collaboration easier, with both internal and external stakeholders. And these days, with hybrid and remote teams, collaboration is key.

But as the saying goes: “With great power comes great responsibility.” Storing and sharing your documents in one service can give you serious headaches in terms of security. That’s why you need a strong security strategy, with full control over external sharing and permissions.

This article is a field guide with SharePoint Online security best practices that you can use to build your strategy and give yourself some peace of mind when people start collaborating. Hop on!

SharePoint Online security basics

Before diving into some of the more detailed IRM and auditing SharePoint security practices, let’s review some security basics. So, while reading the rest of this article, be sure to keep the following points in mind:

• Granting full control of important files to a lot of people is usually a mistake. Keeping that circle small will help you avoid the data getting misplaced or falling into the wrong hands.
• Breaking permission inheritance (when a subsite inherits permissions from its parent site) should be kept to a minimum. It can have cascading effects if not managed properly.
• Keep in mind the difference between edit access vs. contribution access. It will help, especially when users need to share your organization’s files with external stakeholders.
• Avoid giving explicit permissions to individual users. Always prefer permission inheritance, group-based permissions, or even default permission levels instead.
• When possible, grant permissions to SharePoint groups instead of users or AD groups. This way, you’ll be more sure of giving the right access to the right people.
• Explore the lockdown feature. This is your best friend to avoid unwanted changes to SharePoint Online key site settings, like site theme, navigation, title, description, logo, etc. This also ensures sites remain compliant and consistent across your environment.

Tips for SharePoint security

Access control strategy

As we mentioned before, Microsoft SharePoint is one of the most popular tools for accessing data and collaborating within an organization. But, having outside collaborators can introduce some potential security risks, like data leaks. This is why implementing strong and clear access governance strategies is so crucial for your data integrity. 

You’ll mitigate these risks by regularly reviewing access permissions and external link sharing and implementing conditional access policies. For an extra layer of security, you can also implement IRM (Information Rights Management), a practice similar to RMS (Rights Management Service), which we’ll discuss right now.

Enable Information Rights Management (IRM)

IRM allows you to apply multiple rules to your sensitive documents, lists, or document libraries to protect your files from unauthorized access. By adopting IRM, you’ll be adding an additional layer of security that goes beyond simple permissions. It can even prevent actions like printing documents or forwarding an email to external and/or internal stakeholders.

The process of enabling IRM on SharePoint Online is really easy. You can follow Microsoft’s setup guide to begin enabling settings to encrypt the following file types:

• PDF 
• The 97-2003 file formats for the following Microsoft Office programs: Word, Excel, and PowerPoint
• The Office Open XML formats for the following Microsoft Office programs: Word, Excel, and PowerPoint 
• The XML Paper Specifications (XPS) format

Regularly audit SharePoint activity

SharePoint’s audit logs allow you to analyze your organization’s files, lists, and folders and see how employees are using them. They’re a great way to gain wide visibility over your SharePoint environment.

For example, if someone has access to a site collection they shouldn’t have access to, the first thing you’ll do after revoking that person’s access is audit what they viewed, opened, or edited. Also, if your SharePoint environment has any missing or mislabeled documents, an audit allows you to see which users are responsible and notify them to fix things quickly.

One way of running audits is on SharePoint itself. By accessing Site Actions within the site settings, you’ll see Audit log reports. You can then select the report you’re looking for and export it into Excel, filter it by date range, view the permission history of an item, etc.

Your SharePoint audit log will typically include information such as:

• The site from which an event originated 
• Item ID, type, name, and location.
• User ID associated with the event.
• Event type, date, time, and source.
• Actions taken on the item.

Automate reporting using ShareGate 

Another way of running audits on SharePoint is through ShareGate’s SharePoint security audit tool. Since manual audits can be very time-consuming, ShareGate provides a fully automated auditing service that produces custom reports designed to capture critical information. And from there, you can take direct action to implement your security policies.

These are the SharePoint reports available on ShareGate:

• Reports for SharePoint Online management:
  • Site Report
  • Checked Out Documents Report 
  • Site Collection Report 
  • Unused Site Report 
  • Workflow Report 
  • Lists with Workflow Report
•  Reports for SharePoint Online security:
  • Permission Matrix Report 
  • Audit Report 
  • Orphaned User Report 
  • External Sharing 
  • Sites with Custom Permissions Report 
  • External User Report

Use smart data loss prevention policies

Smart data loss prevention will prevent the conscious or unconscious sharing of sensitive information.

Within Microsoft 365, a good tool to help you with it is Microsoft Purview: it offers a family of solutions that help organizations govern, protect, and manage data. Microsoft Purview Data Loss Prevention is a solution that helps to prevent the unsafe or unauthorized sharing, transfer, or use of sensitive data in your organization.

Pro-level tricks for securing SharePoint

Automate security risk reviews where possible

Managing external sharing and permissions is the #1 factor to stay on top of. To do it efficiently and keep everything balanced and on track, use customizable security settings and policies, ensure full visibility on who has access to what, and automate security reviews.

Custom security and compliance 

Applying custom-fit security settings based on team sensitivity will ensure users only have access to the things they should. Be sure to use custom group sensitivity labels to control each team’s privacy status, and manage advanced permissions settings and guest access permissions. 

Monitor external sharing 

If your team is working with stakeholders outside of their team, you’ll need to be able to quickly view who’s shared what and with who for each team under your supervision. Always be ready to restrict access to sensitive files if needed. 

Conduct reviews regularly 

You can’t underestimate the importance of reviewing automatically what’s been shared externally. Schedule periodic reviews at a cadence that makes sense for your organization and on an ongoing basis to maintain security.

Use a zero-trust strategy

If you came this far into the article and are still unconvinced of our SharePoint security best practices, especially with remote teams and external collaborators, this one is sure to put you at ease: it’s zero-trust. This strategy goes with the motto “Never trust, always verify.”

A zero-trust security strategy requires every user and device to be rigorously authenticated and frequently validated before accessing data or other resources on a network. Regardless of where the person is located, this strategy strictly follows the creed to secure data safety.

It’s important to abide by some key principles when using a zero-trust strategy for your SharePoint security:

Continuous verification

Any access to a private network will be required to verify, regardless of user, devices, zones, or credentials. No one will be trusted equally. 

Micro-segmentation

Data centers will be divided into separate segments, each with independent access and unique services. This ensures that if you have access to one zone, access to another zone isn’t guaranteed unless you have separate authorization. 

Least privilege

Anyone who needs access to private networks will have access granted to them, but only the minimum amount of access needed to perform their most basic daily functions. Further access to sensitive data can be requested if needed. 

Automate context collection & response

Zero trust employs a strategy granting access based on validation and context, which requires more information from the user, like identity, device, location, and type of content to gain access. 

With minimal access being granted to all team members using this zero-trust security system, coupled with VPNs (Virtual Private Networks), you can minimize the strain on their systems, allowing for less downtime and avoiding potential vulnerabilities.

Use third-party solutions

At this point, your team has likely built a solid foundation of strategies, policies, and ecosystems for your organization to operate smoothly. Of course, this is where monitoring becomes crucial to assess and establish progress, ensure security, maintain the organization of your SharePoint intranet, and act on the membership needs of your team. 

Third-party tools like ShareGate allow you to continuously monitor the progress of your policies through dashboards. Not sure what to do with all of the data coming your way? Automated reports on a predetermined schedule can be sent to upper management to better understand your strengths and any potential pain points.

Glossary

Access control—The practice of limiting access to resources or services within an organization’s SharePoint environment to only authorized users or groups. These are put in place to ensure that only those with proper permission can view, modify, or interact with specific resources or services. 

Azure Active Directory—A cloud-based identity and access management service, also known as Azure AD, developed by Microsoft. It provides features and tools to manage user identities and access applications, services, and resources within an organization’s cloud environment. Azure AD also supports multi-factor authentication. 

External sharing—The process of granting access to specific resources or services within an organization’s environment to external users. This usually includes granting access to sites, files, folders, and other resources, along with other Microsoft 365 software. 

External users—Someone who is not a member of an organization’s internal directory or system, but is granted access to specific information or resources. These individuals are typically users who work for another organization, are a partner, vendors, customers, or other stakeholders. 

IRM (Information Rights Management—A set of metrics used to quantify and measure the value and effectiveness of an organization’s information resources, including data, documents, and knowledge assets. These measurements can help organizations to evaluate their information management practices, identify areas for improvement, and optimize the use of their information resources to achieve their business goals.

Permissions inheritance—It’s when the permissions assigned to a parent SharePoint object, like a site, list, or folder, are automatically inherited by its child objects, including subsites, subfolders, and items. Users with granted permissions to a parent object are also granted permissions to all child objects within that hierarchy. 

Permission levels—A set of predefined access levels or permissions that can be assigned to users or groups in SharePoint to control their level of access to site content and functionality. They can provide a granular and flexible way to manage site security, allowing site owners to assign permissions to specific actions, like viewing, editing, creating, or deleting content.

Retention policies—Rules that are set up to control the lifecycle of content based on the content’s age, relevance, and value to the organization. They can also be used to automate the management of content and ensure compliance with legal, regulatory, or business requirements.

Security groups—A collection of users or groups that are granted specific access permissions to SharePoint sites, lists, libraries, and other resources. This simplifies the management of permissions and makes it easier to grant or revoke access as needed. 

SharePoint admin center—A web-based management console that allows administrators to manage and configure their SharePoint environment. It provides a central location where admins can perform various tasks like creating and managing sites, configuring user permissions, setting up searches, managing site collections, and monitoring usage and performance. It also provides access to tools and features designed to optimize the SharePoint environment. 

SharePoint communication sites—Pre-designed, responsive, and mobile-friendly SharePoint sites that are primarily used for broadcasting information and news to a wide audience within an organization or to the public. These pages are usually visually appealing and user-friendly, containing customized images, videos, and other media to create engaging and dynamic content. 

SharePoint security and compliance center—The security and compliance center is a hub within the SharePoint admin center that provides a set of tools and features to help organizations manage compliance and regulatory requirements related to the SharePoint environment. Some features include compliance policies, retention policies, data loss prevention, and e-Dictionary tools that help organizations identify, classify, protect, and govern sensitive data. This can all be done within the SharePoint environment. 

SharePoint document—A file or digital document that is stored and managed within a SharePoint environment. This can include Word documents, Excel spreadsheets, PowerPoint presentations, PDFs, images, videos, and more. 

SharePoint group—A collection of users, created within a SharePoint site, that share common Sharepoint permissions and access to resources within the site. These groups are made to simplify the management of site permissions. 

SharePoint list—A collection of data or information that is organized in rows and columns, similar to a spreadsheet. These lists are used in SharePoint to store and manage different types of information like contacts, tasks, calendars, and announcements. They can be customized for different views, fields, and settings to meet specific business needs.

SharePoint pages—Individual pages within a SharePoint site that can be used to create and publish content, like news, announcements, reports, and web pages. These pages are highly customizable and can be tailored to fit different branding and design requirements.

SharePoint site—A web-based platform developed by Microsoft that allows individuals and teams to collaborate, store, organize, and share information within an organization. These sites can be customized to meet specific business needs. They typically include a variety of features such as document libraries, lists, workflows, and search capabilities which can be used for project or document management. 

SharePoint team site—A specific SharePoint site that is designed for team collaboration. It provides a centralized location where team members can access and share information, collaborate on documents, manage tasks and calendars, and communicate with each other. 

Site owner—A user who has full control and is responsible for managing a specific SharePoint site or site collection. These owners have responsibilities like creating and managing the site’s content, configuring its settings and features, and controlling site permissions and access. 

Related materials

Now that you’ve come to the end of our SharePoint security best practices field guide, we want to share a few companion pieces that will help you design the best strategy for your Microsoft 365 tenant:

• Top 3 tips to boost remote work security for Microsoft 365—Key tips on implementing multi-factor authentication, enforcing strong passwords, and monitoring user activity to help boost remote work security for Microsoft 365.
• 2022 roundup: Top blogs on Microsoft Teams and SharePoint security—A collection of blog pieces on strengthening the security of SharePoint and Microsoft Teams. The blogs cover various topics, such as protecting sensitive data, preventing unauthorized access, and managing security settings. 
• 3 methods to avoid sprawl and enhance Microsoft 365 security—We go over 3 ways to help avoid sprawl and enhance Microsoft 365 security, specifically in a self-service environment. These methods include implementing governance policies, conducting regular audits, and providing training and education to users. 
• SharePoint Online security tips—To help organizations protect their data and systems, we’ve put together vital security tips like limiting access to sensitive data, configuring security settings, and using encryption to protect data in transit and at rest.