News

Microsoft Highlights Security and Compliance Milestones for OneDrive and SharePoint

• By Kurt Mackie
• 07/10/2020

Microsoft outlined some recent security and compliance enhancements that are either already available or will be coming to Microsoft 365 tenancies using OneDrive and SharePoint by year's end.

Details were offered as a press briefing last week in video format, although the presentation, heavy with product demos on the compliance side, is currently available for anyone to watch on demand via a link at this page. During the presentation, Sesha Mani, a group program manager for security and compliance in Microsoft 365 services, offered the following roadmap slide:

The slide shows Microsoft 365 security and compliance capabilities, most of which are already available at the "general availability" (GA) commercial-release stage, having been released in May or June. Other security features are expected to appear by year's end.

Mani summarized the overall highlights of the Web presentation, which focused a lot on the use of sensitivity labels for data loss prevention (DLP), in this blog post. In general, Mani said that IT security is past the point of relying on firewalls to protect data. To achieve zero trust, it's now necessary for organizations to have in place data and device protections, as well as strong identity and access controls.

Previews Coming at Year's End
Not much was said during the talk about the new security features for OneDrive and SharePoint that are expected to arrive at year's end, mostly at the preview stage. The rich client co-authoring capability for protected files wasn't described, for instance. Possibly, it permits collaborations while still retaining protected-file security capabilities for Office files.

Mani did explain a little about the feature called "multifactor authentication (MFA) at the site level," which appears to be helpful for organizations needing mixed security controls. Here's what he said:

And also there's a new capability, multifactor authentication policy at the specific site collection level. So, for example, imagine a scenario where [you have] top secret sites. You want to protect them with multifactor authentication, but, for general training materials [the] sites are OK, users can access them. So, for that level of scenario or use cases, we can now meet with this MFA policy at that site level.

The coming Instant Session Revocation preview is tied to Azure Active Directory.

"The other key feature we're looking at is instant session revocation, so you can revoke a specific user session in Azure Active Directory, then across all Microsoft 365 that user session is revoked," Mani said.

The Expiring Permission feature is already at preview, with general availability coming at year's end. Possibly, Mani was referring to setting expirations for access to OneDrive or SharePoint sites, but the details weren't elaborated.

The DLP Block Anonymous for Sensitive Files feature is also currently at the preview stage, with general availability expected at year's end, according to Mani. He didn't describe it, though.

Sensitivity Labels
Microsoft turned on sensitivity labels in early May for Microsoft 365 tenancies using OneDrive and SharePoint. It lets users classify Office documents, which get protected and monitored for DLP compliance via the Microsoft Information Protection service. In late May, Microsoft added the ability to automatically classify documents using sensitivity labels. With this feature, IT pros can create the automatic classification policies for documents. They can then test these policies prior to implementation by first running them in simulation mode.

This week, Microsoft announced the ability to mark new files stored in OneDrive or SharePoint as being "sensitive by default," which is a DLP capability that's at the general availability stage. The sensitive by default capability gets enabled by running a new PowerShell cmdlet. Here's what the cmdlet does, per the announcement:

The cmdlet prevents guests from accessing newly added files until at least one Office DLP policy scans the content of the file. If the file has no sensitive content based on the DLP policy, then guests can access the file. If the policy identifies sensitive content, then guests will not be able to access the file.

In late June, Microsoft extended sensitivity labels protections using the Microsoft Information Protection service to Microsoft Teams, Microsoft 365 Groups and SharePoint sites, which is available at the general availability stage. Files associated with those services can be assigned sensitivity labels that link to "policies related to privacy, external user membership, and unmanaged device access," Microsoft indicated.

Compliance Protections
Information Barriers, a capability that lets organizations set policies to block communications between employees (as might be done to avoid conflicts of interest within financial institutions, for instance), will be reaching general availability for OneDrive sometime this summer. Information Barriers was described back in early May as preview capability for Microsoft Teams, as well.

Insider Risk Management for Microsoft 365 reached the general availability release stage back in February. It checks for employee high-risk activities using artificial intelligence and machine learning capabilities, and also serves as an investigatory tool.