Office 365 and SharePoint Online offer us a great number of options for controlling and managing external or guest access to our information. In several blogs (for example) these options are described in great detail.
But one thing always seems odd to me. It's also something I explained during my session with Marianne van Wanrooij at Office 365 Engage. When we discuss all the possibilities we have to control access for external users, it’s the content which is (somewhat) disregarded. And that’s not to downplay the blogs I mentioned. These are great.
But think about this scenario. We have all the external/guest sharing options perfectly set up. The SharePoint site is protected by the relevant groups and the sharing option has been limited. But when people can access the site and document library, they can probably access the documents themselves, right?
Now imagine that they simply download a document and send this document to a non-authorized (external) person? Or what if the document is copied to the personal OneDrive (using Flow maybe?) and then shared with an external party?
And now imagine that this is sensitive content. An HR department using an Office Group for example. Or a board of directors, using a SharePoint site for storing meeting minutes and agendas.
Bottom line: only securing access to your content will not be enough. It’s about data classification and using the right (combination of) tools to support this classification. Most of the time your data will be classified as “Internal” and the most basic tools will be sufficient. But when you're sharing “Confidential” or “Secret” information, you will need to have additional measures in place.
Think about the possibilities of:
- SharePoint Information Rights Management
- Data loss prevention
- Azure Information Protection (although this doesn’t integrate too well with SharePoint yet, but look at this)
- Multifactor authentication
- Conditional access
My point being:
- External sharing options are a great start, but…
- When using a platform like SharePoint: look at your content closely;
- Use the right tools to support the right classification;
- Go beyond Office 365 and look at the possibilities of the Enterprise Mobility & Security suite.