OneDrive for Business Governance: Protect Sensitive Data in the Cloud

Posted by Dan St. Hilaire  /  December 1, 2016  /  Microsoft 365, OneDrive, IT   —   No Comments ↓

Image of folder with padlock around itI recently had an opportunity to chat with an IT guy in the healthcare industry. His organization is considering moving to Office 365, but they are worried about sensitive information being compromised while using the cloud.

Sound familiar? It's certainly a valid concern. The power of Office 365 is awesome, but the fear of document or information leakage can prevent businesses from making the move to the cloud.

Better than before?

You might be surprised to learn that content can be managed BETTER in the cloud than it ever was before. This shift in perspective can be very helpful. Cloud leakage is no different than our concern about sensitive information being left on a desk or moved to a USB drive. What happens when the paper gets tossed or a USB drive is lost?

Good OneDrive for Business governance policies help organizations address those concerns, but there always has been the possibility (and still the possibility remains) that an individual might not follow protocol. It’s no different with the cloud. Employees find solutions to get their job done the easiest and fastest way. Like the user with the non-allowed USB drive, there are rogue users who could use other cloud solutions like a personal OneDrive or Dropbox account to do their work.

Deploying a solution like OneDrive for Business and or SharePoint can help businesses bring their enterprise owned content back into the company and it provides them with controls to secure that data. Using a cloud solution like OneDrive allows businesses to set restrictions for what can be shared, when that share expires, what can be printed or downloaded, etc.

How to Get Your Team to Use Office 365

Policy and governance

Policy and governance around OneDrive and SharePoint are important. You get it. Policy and governance dictate what should or should not be stored in the cloud. That IT guy I was talking to, one of his questions was “how can we verify that it is not communicated or stored on OneDrive?” I wanted to share my reply with you. The Office 365 Security and Compliance Center is a good place to start. It helps to manage compliance across O365 including OneDrive and email, but there’s more that needs to be done.

I think it’s fair to say that 99% of employees aren’t putting data on a USB drive or a personal cloud directory to steal or share personal information. They are doing it because it’s a work process for them. In my opinion the true concern becomes the possibility for accidental leakage and unauthorized access to that cloud-stored data. One thing is for sure, OneDrive for Business is more secure than the waste basket or a lost USB drive. (I've written before about the dangers of not using OneDrive.)

Office 365 encrypts your data while it's on Microsoft’s servers and while it's being transmitted between you and Microsoft. Office 365 also provides controls to fine tune what kind of encryption you want to use to protect your files and email communications. This helps with limiting outside unauthorized access by would-be hackers.

A colleague of mine also noted the use of Conditional Access as another benefit. "In this way it's possible to stop devices for which you don't wish to have access without fulfilling MDM compliance policies or to be domain-joined devices. Plus this allows you to control what users can actually do with the content on these devices once they get the access. For example blocking the ability to save the data outside of the company controlled applications, or even to stop the ability to print (although Microsoft is still perfecting this). For those of us worried about what a user can do with corporate data outside of the network where we have no control these capabilities are essential!"

This infographic by ShareGate, 10 Facts That Prove Your Data’s Safer With Office 365 Security is a nice illustration of the secureness of O365 data. Businesses probably understand that their data is secure, but they still want to know what’s out there and where. There’s reasoning for that need, from document retention consideration to eDiscovery for Litigation holds and more.

Compliance and auditing

Equally important to governance is the ability to audit cloud documents to see how they are shared. This probably answers the question my IT guy had the best. There are tools for compliance like AvePoint and ShareGate, BTW we love ShareGate here at KnowledgeWave. I’d recommend that you review several 3rd party tools that would assist with auditing. This post might be helpful too, The Essential SharePoint and Office 365 Security Audit. Full disclosure: we are a ShareGate partner.


Office 365 also addresses HIPAA security and privacy requirements. Organizations typically address HIPAA with awareness training. OneDrive for Business deployment provides a nice opportunity for a revisit to the HIPAA requirements while at the same time updating users to your new Cloud governance and how it affects HIPAA.

It’s the businesses' responsibility to make sure users understand the new modern way to work. Doing so brings better security to your data. KnowledgeWave can help with this type of training. 

It boils down to governance, training, and auditing

To do it right, it boils down to 3 points.

  1. Training users about your governance and how to use OneDrive/SharePoint in line with the policies
  2. Ongoing auditing of OneDrive/SharePoint files
  3. Quarterly training revisits. The cloud evolves, you need to keep staff up to date

Our solutions can help you with each of the three points.

Chat with an Office 365 Training Expert

Topics: Microsoft 365, OneDrive, IT