The Essential SharePoint & Office 365 Security Audit

10 quick security checks to do on a weekly basis for efficient Office 365 & SharePoint security.

Snowden, WikiLeaks, NSA: buzzwords that remind us of security every day. Not a week passes by where we don't hear about individuals being hacked, millions of credit card records being stolen, or a big corporation facing a major security breach because of a human error. Just ask Sony, The Home Depot, Target, JPMorgan Chase... the list goes on, and on.

It's an understatement to say that security is the first thing that must come to mind when we think about business infrastructure. As many as 85% of all U.S. companies experienced one or more data breaches in 2013.

That's a LOT of sensitive data. In 2010, the cost of a data breach averaged $7.2 million per incident, and this number doesn't even include the cost of indirect revenue loss. Would you want to deal with a company that you knew was a champion of security breaches? Yeah, me neither. The loss of business because of trust issues in a company can cost billions!

Of course, security also comes first to mind for companies using SharePoint and Office 365. For most of us, these platforms are the brain, lungs and heart of our companies. We want this content to be secure and well protected.

But what is Office 365 or SharePoint Security? How could you state that your environments are secure (and believe it)? In this guide, we've identified the most important SharePoint & Office 365 security actions that you can put in motion to immediately protect and secure your environments. You'll find 10 quick security checks to do on a regular basis to ensure your environments are secure.
About the author
Benjamin Niaulin
Benjamin Niaulin is an Office Servers and Services MVP, recognized as one of the Top 25 SharePoint influencers in 2014 and 2nd for Office 365 in 2015. Being a Microsoft Certified Trainer since 2008 has allowed him to become proficient in simplifying complex technologies, making him an expert at explaining SharePoint & Office 365 in plain terms. He's spoken at over 200 conferences around the world.
Chapter 1

Establish an Inventory of What You Have

If you don't know where your data is and who has access to it, how can you secure what you have in your environments? If you want to properly enforce your security policies and stay compliant, you'll need to establish an inventory of what you have. The Microsoft cloud platform is continuously evolving and empowers people in the organization to create objects and content themselves, so it's crucial for you to monitor Office 365 security.

It's easier to make an inventory of a file share: all we have to worry about is folders and the files within them. Office 365, however, is a suite of objects, from SharePoint Sites to Groups as well as Lists and Libraries with different kinds of content in each. You need to know what you have and where you keep it, and collect additional information so you can make better decisions about it.

Where are your Sites? What are they? What templates do they use? Who has access to them? When is the last time someone accessed them? I could go on for hours; there is no such thing as too much information when it comes to your organization's security. However, you need to use it properly.
There are a few ways you can build this inventory in order to tackle your Office 365 security. The admin's trusty PowerShell, if he is comfortable with writing scripts, is always there to help. You can build an inventory of your SharePoint sites and, where the cmdlets exist, of almost anything else you need to manage SharePoint. However, in Office 365 not all the PowerShell cmdlets are there to help you, and not everyone is comfortable writing these scripts.
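The kind of inventory script described above, written here as an added example with the SharePoint Online Management Shell (this is not the e-book's or Sharegate's code). The "contoso" admin URL, the output path and the 180-day staleness cutoff are placeholders to replace with your own values.

```powershell
# Added example: site collection inventory with the SharePoint Online Management Shell.
# Assumes the Microsoft.Online.SharePoint.PowerShell module is installed.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

$adminUrl  = "https://contoso-admin.sharepoint.com"   # placeholder tenant admin URL
$outputCsv = "C:\Reports\SiteInventory.csv"           # placeholder output path

Connect-SPOService -Url $adminUrl   # prompts for the admin's credentials

# The fields that answer the questions in the text: where the site is, which
# template it uses, who owns it, when content last changed, and whether it can
# be shared outside the organization.
$fields = @(
    'Url'
    'Template'
    'Owner'
    'StorageUsageCurrent'        # MB in use
    'LastContentModifiedDate'
    'SharingCapability'          # Disabled, ExistingExternalUserSharingOnly,
                                 # ExternalUserSharingOnly, ExternalUserAndGuestSharing
    'LockState'
)

# -Detailed loads the full property set; without it several fields come back empty.
$inventory = Get-SPOSite -Limit All -Detailed | Select-Object $fields
$inventory | Export-Csv -Path $outputCsv -NoTypeInformation -Encoding UTF8

# Two views worth reviewing every week: sites nobody has touched in months
# (candidates for cleanup or tighter access) and sites open to external sharing.
$staleCutoff = (Get-Date).AddDays(-180)   # placeholder threshold

$inventory |
    Where-Object { $_.LastContentModifiedDate -lt $staleCutoff } |
    Sort-Object LastContentModifiedDate |
    Format-Table Url, Owner, LastContentModifiedDate -AutoSize

$inventory |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Format-Table Url, Owner, SharingCapability -AutoSize
```

Run it weekly and diff the CSV against last week's copy; new sites and newly opened sharing settings show up as the changed rows.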
Chapter 2

Manage User Permissions

If I'm given access to information I'm not supposed to have, there's honestly a good chance I'll go look at it anyway. Office 365 User Permissions can be very difficult to understand if we don't take the time to learn how it all works. When first deployed, SharePoint is actually secure as no one has access to anything. The fun starts when you grant access to objects.
As a general best practice that goes back to permissions on File Shares, you should never grant explicit permissions to an individual user. Though it works, this can cause a lot of problems for your security in the long run. One of the biggest issues arises when the person granted access leaves the company or changes roles, and someone needs to take over.

The powerful search engine in SharePoint as well as the Office Graph with Delve can also introduce new potential breaches. If you didn't know something existed but somehow had access to it accidentally, with File Shares it would still be relatively difficult to find. Today, however, using the search engine or Delve to discover content, you can see everything you have access to.
Ideally, users are always added to groups, and permissions are only applied to these SharePoint groups. This way, you'll be sure that user permissions are well organized and easily manageable. But then you'd also have to train every user to never click on the Share button and grant permissions to an individual user. This may be a little difficult.
Chapter 3

Manage Object Permissions

There are only specific types of objects on Office 365's SharePoint that can be assigned permissions: Sites, Lists and Libraries, Folders, List Items and Library Documents. Though many of us wish it could be done at the column level or on views, there isn't the option to do so.

The difficult part when you manage Office 365 permissions is that there are so many objects in your environment. As part of your Governance Policies, you'll have different objects that need to be secured differently based on these policies to stay compliant.

How can we be sure that all HR-tagged documents are secured properly? Unfortunately, it has to be done manually. You can only imagine how chaotic it can become as users author and edit content of different types across your Office 365. More importantly, it'll be hard to manage.
The criteria-based search in Sharegate allows you to find these objects based on your organization's security policies. Once found, you can choose to display almost any information about them including their permissions. Do they respect your governance policies? And if not, fix them straight from the tool.
Chapter 4

Broken Inheritance

Unlike File Shares, in Office 365 when you decide that an object should have different permissions than the parent object it is inheriting from, you need to break the permissions inheritance on it.

Because it's actually SQL behind the scenes that stores the content, breaking inheritance creates an impact on how content is stored and retrieved. This then slows your loading performance and really hurts the user experience.

It also makes it very difficult to figure out who has access to what on a particular object when inheritance has been broken multiple levels above. Generally, users don't know about the impact they have as they click on the Share button or change permissions. Nor should they: enforcing permissions should not hinder the usability or performance of their platform.
One way to solve these issues is by limiting who can change permissions and thus break inheritance. In the past, through our governance plan, we've even forbidden breaking inheritance on anything other than sites. However, this isn't always easy to maintain and enforce without some kind of custom development.
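Before you can limit or clean up broken inheritance you need to know where it is. The script below is an added example (not the e-book's or Sharegate's code) that reports every subsite, list and item with unique permissions in one site collection using PnP PowerShell; the site URL and output path are placeholders.

```powershell
# Added example: find broken permission inheritance in one site with PnP PowerShell.
# Assumes the PnP.PowerShell module is installed.
Import-Module PnP.PowerShell

$siteUrl   = "https://contoso.sharepoint.com/sites/finance"   # placeholder
$outputCsv = "C:\Reports\BrokenInheritance.csv"               # placeholder

Connect-PnPOnline -Url $siteUrl -Interactive

$report = New-Object System.Collections.Generic.List[object]

# 1. Subsites. The root web always has its own permissions, so only children count.
foreach ($web in Get-PnPSubWeb -Recurse) {
    if (Get-PnPProperty -ClientObject $web -Property HasUniqueRoleAssignments) {
        $report.Add([pscustomobject]@{ Type = "Web"; Location = $web.ServerRelativeUrl })
    }
}

# 2. Lists and libraries, then the items inside each one.
#    HasUniqueRoleAssignments is an object property, not a list field, so it must be
#    loaded per item. That is one request per item: run this off-hours on big libraries.
foreach ($list in Get-PnPList -Includes HasUniqueRoleAssignments) {
    if ($list.Hidden) { continue }   # skip system lists

    if ($list.HasUniqueRoleAssignments) {
        $report.Add([pscustomobject]@{ Type = "List"; Location = $list.Title })
    }

    foreach ($item in Get-PnPListItem -List $list -PageSize 500 -Fields "FileRef") {
        if (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments) {
            $report.Add([pscustomobject]@{ Type = "Item"; Location = $item["FileRef"] })
        }
    }
}

$report | Export-Csv -Path $outputCsv -NoTypeInformation -Encoding UTF8
$report | Sort-Object Type, Location | Format-Table -AutoSize
```

Items at the bottom of the report are the ones the text warns about: permissions set several levels below a site are the hardest to explain when someone asks who can see a document.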
Chapter 5

Custom Permission Level

Creating new and custom permission levels in Office 365's SharePoint is inevitable. Frankly, I wouldn't do it any other way. Not every SharePoint can be the same, and needs are different from one organization to the next. Permission Levels are what you grant a user or group on an object. For example, you can give Nathalie the "Full Control" permission level so that she has access to your site.

As you can tell, the few Permission Levels that are created automatically are not always enough. In many cases, I've created a new one similar to Full Control but without the right to create subsites. Essentially, depending on what you need to accomplish, you can create any number of custom Office 365 permission levels to give the right access to the right people.

Though this can be very useful in making sure too much isn't granted to someone that needs a minimum of access to an object, it can also be dangerous. For one, who has access to create or edit these Permission Levels? If you edit an existing Permission Level, are you aware of the impact it'll have and on how many people or objects? A single checkbox could be the difference in people being allowed to download a copy offline or not.
As a general rule, we don't modify any existing Permission Levels in Office 365 sites. Instead, we copy them and edit the copy created to isolate the original and minimize any impact it can have on existing SharePoint objects created automatically.
Chapter 6

Edit vs Contribute Permission Level

This came as a subtle surprise to me when I dove into it. As mentioned above, Permission Levels are rights that you grant a user or group to access an object. If you are experienced with a previous version of SharePoint or simply migrating from it, this change can be quite surprising to you.

When you create a Site in SharePoint, a few groups are created automatically and granted access to the site. One of them, Members, has always been granted the Contribute Permission Level in past versions of SharePoint. This allowed people within the group to add, modify, and delete content within lists and libraries.

Since SharePoint 2013 and on Office 365, they are granted the Edit Permission Level. This is an entirely new Level that allows users and groups granted this power to also create, change, and delete Lists and Libraries. This is a huge shift in power and can have immense impact on your security, especially if you are migrating or assuming it's like it was in the past.
The first step in mitigating this problem is knowing it's there. There are a few solutions, or perhaps workarounds, that can help you ensure users have the right permissions on your objects. Of course, you can simply delete the Edit Permission Level. Though not ideal, it definitely solves the issue. Another way would be to make sure that when Sites are created, the Members group has its permissions changed from Edit to Contribute.
With Sharegate, you can find any object with the Edit Permission Level assigned to them and switch them to Contribute if required. This can be Groups as well as actual objects granted permission on already.
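Both the Chapter 5 rule (copy a Permission Level, never edit the built-in one) and the Chapter 6 fix (Members get Contribute, not Edit) can be scripted per site. This is an added example using PnP PowerShell, not the e-book's or Sharegate's code; the site URL and the custom level's name are placeholders, and the example assumes nothing has been changed on the built-in levels.

```powershell
# Added example: permission-level hygiene for one site with PnP PowerShell.
# Assumes the PnP.PowerShell module is installed.
Import-Module PnP.PowerShell

$siteUrl      = "https://contoso.sharepoint.com/sites/finance"   # placeholder
$newLevelName = "Full Control (no subsites)"                     # placeholder

Connect-PnPOnline -Url $siteUrl -Interactive

# --- Chapter 5: clone, don't edit --------------------------------------------
# The built-in "Full Control" level is left untouched. The copy differs by a
# single right: ManageSubwebs, which is what lets a user create subsites.
if (-not (Get-PnPRoleDefinition | Where-Object Name -eq $newLevelName)) {
    Add-PnPRoleDefinition -RoleName $newLevelName `
        -Clone "Full Control" `
        -Exclude ManageSubwebs `
        -Description "Full Control without the right to create subsites"
}

# Review what exists. RoleTypeKind is 'None' for every custom level, so this
# doubles as a check for levels someone else created or renamed.
Get-PnPRoleDefinition |
    Select-Object Name, Hidden, RoleTypeKind |
    Format-Table -AutoSize

# --- Chapter 6: Members should Contribute, not Edit --------------------------
$members = Get-PnPGroup -AssociatedMemberGroup
$current = Get-PnPGroupPermissions -Identity $members |
    Select-Object -ExpandProperty Name

if ($current -contains "Edit") {
    # Swap the level in one call so the group is never left without access.
    Set-PnPGroupPermissions -Identity $members -AddRole "Contribute" -RemoveRole "Edit"
    Write-Host "Members group '$($members.Title)': Edit -> Contribute"
} else {
    Write-Host "Members group '$($members.Title)' has: $($current -join ', ')"
}
```

The Chapter 6 half is the per-site version of the "change Members from Edit to Contribute when Sites are created" workaround; run it as part of site provisioning or on a schedule over your site list.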
Chapter 7

Security Auditing

Who accessed this file in the last few days? Though not everyone is always aware, Office 365's SharePoint comes built-in with Audit Reports to run on the type of content you wish to audit. Want to know who viewed a file or deleted an item in your Document Library? Well now you definitely can.

Office 365 Security Audit is vital in keeping your environment secure as you need to be able to prove or take action on ongoing security breaches. A lot of these actually come from people that have access to data, that either voluntarily share them with malicious intent or as a human error.

One thing you should know is that, because of the performance cost, the Audit Reports feature is disabled by default. This means that if you only turn it on when you want to view the reports because of a possible breach, or simply to inspect, it will be too late: nothing will have been recorded. This is a per Site Collection feature that also needs to be granularly configured per List or Library and even by Content Type.
There aren't a million ways to solve this; you just need to enable the feature and configure it where needed. Remember not to go audit crazy either: the sheer volume of information generated can really slow down your users' experience with the platform.
However, making sure it's turned on and properly configured in every single Site Collection can be tedious work and prone to human error. With Sharegate, you can manage the Security Audit settings of multiple Office 365 and SharePoint site collections in bulk, making sure auditing is turned on where you need it to be.
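The check-then-enable loop described in this chapter, as an added example with PnP PowerShell (not the e-book's or Sharegate's code). The site URLs are placeholders, and the flags enabled are a deliberate subset (no content search auditing) so the log stays useful without the "audit crazy" volume the text warns about.

```powershell
# Added example: verify and enable site collection auditing with PnP PowerShell.
# Assumes the PnP.PowerShell module is installed.
Import-Module PnP.PowerShell

$sites = @(                                            # placeholder site list
    "https://contoso.sharepoint.com/sites/finance"
    "https://contoso.sharepoint.com/sites/hr"
)

$results = foreach ($url in $sites) {
    # -Interactive reuses the cached token where it can; otherwise it prompts again.
    Connect-PnPOnline -Url $url -Interactive

    $before = (Get-PnPAuditing).AuditFlags

    if ($before -eq "None") {
        # Item edits, check-in/out, move/copy, delete/restore and permission changes
        # cover "who changed or removed what". Search auditing is left off on purpose.
        # TrimAuditLog plus RetentionTime keeps the log from growing without bound.
        Set-PnPAuditing -EditItems -CheckOutCheckInItems -MoveCopyItems `
                        -DeleteRestoreItems -EditUsersPermissions `
                        -TrimAuditLog -RetentionTime 90
        $action = "enabled (90-day retention)"
    } else {
        $action = "already on, left unchanged"
    }

    [pscustomobject]@{
        Site   = $url
        Before = $before
        After  = (Get-PnPAuditing).AuditFlags
        Action = $action
    }
}

$results | Format-Table -AutoSize
```

Keep the output: a site whose flags read "None" this week but did not last week is itself something to investigate, since only a site collection administrator can turn auditing off.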
Chapter 8

External Sharing

Office 365 introduced External Users to allow you to share content with people outside of your organization. A very useful feature in today's reality, working with External Users is almost a necessity. However, it introduces a very serious potential security threat if not properly monitored. Where are these Office 365 external users and what do they have access to, especially months after they no longer need that access anymore?
The way it works can be confusing for users and potentially allow them to make a mistake. The email address of a potential external user entered when sharing an object isn't actually the identity to which that object will be granted. You still need an Office 365 or Microsoft Live account to access the information. Make sure to read and understand the definitive guide to Office 365 External Sharing to understand how it works and the impact it has on your own Office 365's security.

There are multiple perspectives to consider when managing External Sharing in your Office 365. What is the list of all External Users currently in your environment? What is currently shared to External Users? What content has been shared with External User "X"? What are the documents still shared to External Users that haven't been accessed in a "X" amount of time?
Though you have basic controls to manage External Sharing in Office 365, there isn't any way to provide actual guidance to ensure complete control of your entire tenant.
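The first three questions in the list above (which external users exist, what is open to them, and what a given site exposes) can be answered from the SharePoint Online Management Shell. This is an added example, not the e-book's or Sharegate's code; "contoso" and the partner site URL are placeholders.

```powershell
# Added example: external sharing review with the SharePoint Online Management Shell.
# Assumes the Microsoft.Online.SharePoint.PowerShell module is installed.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder

# 1. The tenant-wide ceiling: no site collection can share more widely than this.
$tenant = Get-SPOTenant
Write-Host "Tenant SharingCapability: $($tenant.SharingCapability)"

# 2. Every external user the tenant knows about. The cmdlet returns at most 50
#    per call, so page through it until a short page comes back.
$externalUsers = @()
$position = 0
do {
    $page = @(Get-SPOExternalUser -Position $position -PageSize 50)
    $externalUsers += $page
    $position += 50
} while ($page.Count -eq 50)

# AcceptedAs is the account that actually redeemed the invitation; when it differs
# from Email, the invite was forwarded or accepted with another identity.
$externalUsers |
    Select-Object DisplayName, Email, AcceptedAs, WhenCreated |
    Sort-Object WhenCreated |
    Format-Table -AutoSize

# 3. Site collections that allow external sharing at all, with owner and last change,
#    so stale-but-open sites stand out.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, Owner, SharingCapability, LastContentModifiedDate |
    Sort-Object LastContentModifiedDate |
    Format-Table -AutoSize

# 4. External users scoped to one site collection, for a per-site access review.
$siteUrl = "https://contoso.sharepoint.com/sites/partners"   # placeholder
Get-SPOExternalUser -SiteUrl $siteUrl -Position 0 -PageSize 50 |
    Format-Table DisplayName, Email, AcceptedAs, WhenCreated -AutoSize
```

Once a site no longer needs outside access, Set-SPOSite -SharingCapability Disabled on that URL closes it without touching the tenant-wide setting.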
Chapter 9

The Administrator

Let's talk about the administrator for a second, the person that has all the power in your Office 365. Ironically, you may be that administrator and probably won't want to listen to what I have to say. But as I am sure you can agree, the administrator role can be very dangerous when we are talking security.

Though the Office 365 administrator doesn't necessarily have instant access to all sites created or OneDrives owned by users, he or she can grant themselves that power just as easily. This administrator can turn features on and off as it suits them and leave no trace if they want to. How can you show what this administrator account has access to?

In some security breaches, it was the administrator account's credentials that enabled hackers to access and steal the information they wanted. Your administrator credentials can be stolen and used to erase any indication that the theft has happened.

The Administrator Role can potentially be the biggest security concern in your Office 365.
Have you considered Multi-Factor Authentication for Office 365 to verify the person accessing this account is actually the person intended to use it? Office 365 will validate by calling the registered phone number for the administrator or ask you to validate using a code sent to that phone.

To reduce the risks, you can also make sure you do not work with an admin account. Most companies will have an administrator account that no one uses unless required to elevate their privileges and do something on the platform. Otherwise, they use their regular account on a daily basis.
Also, you can use Sharegate to build and run reports that inspect and validate what is shared to Administrators and how. You can also take action in bulk to remove permissions if needed, based on a criteria-based search.
Chapter 10

Mobile Devices and Sync'ed Content

With Microsoft's recent "Cloud-First, Mobile-First" message, it's inevitable that more of our users will access their content through different devices. This makes things more difficult from a security perspective, since we don't always control these devices.
Office 365 has also introduced the ability to Sync content offline with OneDrive for Business, making it even more difficult for us to enforce our security policies. Combine that with Mobile Devices and access from anywhere, and you have yourself a recipe for sleepless nights worrying about this.

Of course, these features are very important for the organization to be flexible and keep up with the demands of our workforce today. It allows us to stay competitive, and turning it off globally is out of the question.
Simple solutions can help you mitigate the risks: training users on how to use OneDrive for Business and how to access content from their mobile devices can go a long way. In fact, making sure that a password is required to unlock their device can already help prevent a breach. Microsoft Intune will continue to play a big part in helping protect these company devices.

IRM, or Information Rights Management, is already available for Office 365 and allows you to add an additional layer of security at the document level. Preventing someone from printing a document or forwarding an email is possible, and the protection still applies when the content is accessed through Mobile Devices. IRM-protected documents also stay protected when Sync'ed with OneDrive for Business, which makes IRM a great way to enforce our security policies.