Wherever you keep your files, Office 365, OneDrive for Business, SharePoint Online or SharePoint On-Premises, the security concerns are the same. The details differ slightly from one to the other, but they are all built on the same SharePoint platform and expose the same security settings. In this article I'll go beyond the traditional permission settings and show you two features, IRM and Auditing, that help with that SharePoint security peace of mind.
The SharePoint Security basics and tips to get you started
Though I want to focus on IRM and Auditing in this article, that doesn't mean the usual recommended practices are any less important. We've covered them before; to name a few:
Granting Full Control to too many people isn't wise
Breaking Permission Inheritance should be kept to a minimum
Understanding Edit vs Contribute permission levels
Granting permissions to SharePoint Groups instead of users or AD Groups when possible
Staying away from explicit permissions to users
Using the Lockdown feature when needed
If you want to read up on these SharePoint security basics, we've written a few:
Use the built-in IRM for additional SharePoint security on documents
If you haven't seen or heard of IRM (Information Rights Management) before, perhaps you have heard of RMS (Rights Management Services)? I'll explain it in a moment, but keep in mind that it's about protecting content such as documents by managing the rights on them, and thus improving our SharePoint security.
It's not new to SharePoint 2013 or Office 365; it has been around for a long time and is available for file shares as well. Its purpose? To add a layer of protection that travels with the content and goes beyond simple permissions: the file is encrypted and a usage license restricts fine-grained actions like printing a document or forwarding an email, even after the file has left SharePoint.
Though the service is available both On-Premises and on SharePoint Online, there are certain things you should know before you get started.
If you have SharePoint 2013 On-Premises, for example, you use RMS On-Premises (AD RMS), unless you deploy the Azure RMS connector to bridge the farm to the cloud service. AD RMS is a server role you enable on Windows Server that provides full-blown rights management capabilities. It requires know-how about rights management concepts and, more importantly, a certificate infrastructure: the cluster issues its own licensor certificates and should be published over HTTPS. The advantage is that it works with many things other than your SharePoint server, such as file shares and the Office clients themselves.
On the other hand, if you are using SharePoint Online through Office 365 you cannot point it at your On-Premises RMS server. But don't worry, Azure has a rights management service (Azure RMS) you can leverage instead.
What does this mean for SharePoint? It means you can apply an IRM policy to your lists or document libraries to protect their list attachments or documents. Two caveats to keep in mind: protection is applied only to file types that have an IRM protector installed, which out of the box means Office documents and PDFs (anything else is either left unprotected or rejected at upload, depending on the library setting), and the set of restrictions you can choose is smaller than when you protect a document directly with RMS outside SharePoint. Also, the copy stored in the library stays unencrypted so that search can still index it; the encryption is applied when a user downloads the file. Still, it'll definitely help you manage SharePoint security.
If you want more details on it, my friend and fellow MVP Antonio Maio has written a great post on it.
Security policies created with IRM on SharePoint document libraries
After enabling Rights Management, either On-Premises (AD RMS) or in your Office 365 service settings, you also need to tell SharePoint to use it: in Central Administration go to Security > Configure Information Rights Management; in SharePoint Online go to the SharePoint admin center > Settings > Information Rights Management (IRM) and refresh the IRM settings. Only then do the IRM policy options show up on your lists and libraries.
The library settings can be scripted with PowerShell if you want to automate the process, but once IRM is on you'll also find a new Information Rights Management page under Library Settings with the options below.
The following SharePoint security settings can be applied using Information Rights Management policies:
If some of them aren't clear for you or you'd like more information, I found the Microsoft support article to be a great source of information.
I think the two most popular options are disabling printing of documents and preventing documents from opening in the browser, the latter to keep content out of the browser viewer and make screen captures harder. Of course this will vary depending on the organization and its needs.
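As an added example (not code from the original article), here is how that same library policy can be applied from the SharePoint Management Shell on SharePoint 2013 On-Premises, using the IrmEnabled, IrmReject and InformationRightsManagementSettings members of SPList. The site URL, library name, policy title and expiry values are assumptions for illustration, and farm-level IRM is assumed to be configured already.

```powershell
# Added example, not from the original article. Assumes an on-premises SharePoint 2013
# farm where IRM is already configured at the farm level (Central Administration >
# Security > Configure Information Rights Management). Run in the SharePoint
# Management Shell as a farm administrator. URL, library and policy values are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl      = "https://intranet.contoso.local/sites/finance"   # assumption
$libraryName = "Contracts"                                        # assumption

$web  = Get-SPWeb $webUrl
$list = $web.Lists[$libraryName]
if ($list -eq $null) { throw "Library '$libraryName' not found in $webUrl" }

# Turn IRM on for the library and reject uploads of file types the installed
# protectors cannot encrypt (out of the box: anything but Office documents and PDF).
$list.IrmEnabled = $true
$list.IrmReject  = $true

$irm = $list.InformationRightsManagementSettings
$irm.PolicyTitle       = "Finance contracts"                                   # assumption
$irm.PolicyDescription = "Restricted: no printing, no browser view, no local copies."

# The two settings the article singles out: block printing and force users to
# open the file in an Office client instead of the browser viewer.
$irm.AllowPrint                 = $false
$irm.DisableDocumentBrowserView = $true

# Further tightening: no script/screen-reader access, no "Save As" copies, and
# licenses that expire so a user whose access is revoked loses offline access quickly.
$irm.AllowScript                = $false
$irm.AllowWriteCopy             = $false
$irm.EnableDocumentAccessExpire = $true
$irm.DocumentAccessExpireDays   = 30     # assumption: downloaded copies stop opening after 30 days
$irm.EnableLicenseCacheExpire   = $true
$irm.LicenseCacheExpireDays     = 1      # assumption: re-verify credentials with RMS daily

$list.Update()

# Verify what was actually persisted instead of trusting the assignments.
$list = $web.Lists[$libraryName]
$list | Select-Object Title, IrmEnabled, IrmReject,
    @{ n = "AllowPrint";    e = { $_.InformationRightsManagementSettings.AllowPrint } },
    @{ n = "NoBrowserView"; e = { $_.InformationRightsManagementSettings.DisableDocumentBrowserView } } |
    Format-List

$web.Dispose()
```

The same property names exist in the client object model (Microsoft.SharePoint.Client.List.IrmEnabled and List.InformationRightsManagementSettings), so the block ports to SharePoint Online with a ClientContext in place of Get-SPWeb. Note that IrmReject only affects new uploads; files already sitting in the library are not removed, they simply get protected on their next download.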
Audit what's going on to improve your SharePoint security
In a previous post and link mentioned at the beginning of this article, I talked about an Office 365 security breach that happened to me not too long ago with external users.
In short, someone had access to an entire Site Collection that they were not supposed to have access to. The first thing you want to do after revoking that person's access is to audit what they viewed, opened, or edited. In fact, I'd want to audit everything they did in my site.
By default, auditing in SharePoint is not enabled.
I assume this is because of the amount of data it generates and stores, so you'll have to turn it on where you want it: Site Settings > Site Collection Administration > Site collection audit settings, where you pick which events (opening or downloading, editing, deleting, permission changes and so on) get recorded and how long the log is kept.
If you don't want to turn on these Audit Events for the entire Site Collection, you can also create an Audit Information Management policy from within a document library or on a content type.
After the timer jobs have run and enough data has been collected, you'll be able to view the various Audit Reports from the Site Collection Settings page.
Fair warning though, the experience you get isn't the best. You have to choose a report, then pick a document library to save the spreadsheet to, only to get an error telling you the report is empty if no events matched.
If Auditing is crucial for your organization, I'd recommend looking at 3rd party tools for this because collecting this information is long and tedious work from within SharePoint.
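Before reaching for a third-party tool, both steps, switching auditing on and pulling everything one user did, can be scripted against the server object model without touching the report UI. The following is an added example, not code from the original article; it assumes SharePoint 2013 On-Premises (SharePoint Online does not expose this object model), the SharePoint Management Shell running as a farm administrator, and placeholder values for the site URL and the external user's login name.

```powershell
# Added example, not from the original article. Assumes on-premises SharePoint 2013 and
# a farm administrator in the SharePoint Management Shell. Site URL and login are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "https://intranet.contoso.local/sites/finance"   # assumption
$loginName = "i:0#.w|contoso\extvendor"                        # assumption (claims-encoded login)
$since     = (Get-Date).AddDays(-30)

$site = Get-SPSite $siteUrl

# 1. Turn auditing on for the whole site collection. SPAuditMaskType is a flags enum;
#    combine only the events you need so the audit table stays manageable.
$site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]::View -bor
                         [Microsoft.SharePoint.SPAuditMaskType]::Update -bor
                         [Microsoft.SharePoint.SPAuditMaskType]::Delete -bor
                         [Microsoft.SharePoint.SPAuditMaskType]::Copy -bor
                         [Microsoft.SharePoint.SPAuditMaskType]::Move -bor
                         [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange
$site.Audit.Update()

# Keep the log from growing without bound: trim entries older than 90 days (assumption).
$site.TrimAuditLog              = $true
$site.AuditLogTrimmingRetention = 90

# 2. Find the user in the site's user information list. Do NOT use EnsureUser here:
#    it would add a revoked account back to the site instead of just looking it up.
$user = $site.RootWeb.SiteUsers | Where-Object { $_.LoginName -eq $loginName }
if ($user -eq $null) { throw "User '$loginName' is not known to $siteUrl" }

# 3. Query the audit log for that user only, restricted to a date range.
$query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
$query.RestrictToUser($user.ID)
$query.SetRangeStart($since)
$query.SetRangeEnd((Get-Date))

$entries = $site.Audit.GetEntries($query)

# Export the raw trail for the incident record (Occurred is UTC).
$entries |
    Sort-Object Occurred |
    Select-Object Occurred, Event, ItemType, DocLocation, MachineIP |
    Export-Csv -Path ".\audit-user-$($user.ID).csv" -NoTypeInformation

# Quick triage: which event types, and how many of each.
$entries | Group-Object Event | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

$site.Dispose()
```

Two things to watch: View events only appear for activity after auditing was switched on, so for a breach that is already over you will only see what the user does from now on, and the audit table lives in the content database, so retention should be set deliberately rather than left unbounded.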
Regardless, if you plan on using OneDrive for Business to let users work from anywhere, I strongly recommend you enable some auditing so you can track what goes on there. Microsoft announced the Compliance Center over a year ago, and it's expected to reach Office 365 very soon. It will definitely meet some of our auditing needs, but we'll have to wait and see.