Lately we’ve been asking many of our customers who leverage the Microsoft ecosystem to “think outside the box”. We’re not asking simply because we’re a Microsoft Gold Partner – but rather because of Consulting with a Conscience™.
True collaboration means using a platform designed with collaboration essentials in mind. It is less about the document itself and more about how the groups, the security, the governance and the proper controls are designed to manage the artifacts and govern the collaboration process.
This morning BOX, the cloud-based file management service, made the news because misconfigured BOX accounts leaked terabytes of sensitive data belonging to clients - https://nakedsecurity.sophos.com/2019/03/13/misconfigured-box-accounts-leak-terabytes-of-companies-sensitive-data/
Data stored in BOX enterprise accounts is private by default. However, BOX offers a “Custom Shared Link” feature that lets customers replace the default secure shared links with links that are easier to find, making it simpler to share content with large groups both privately and publicly, which sounds like a reasonable feature.
But here is the main problem with this kind of predictable URL: the “secret” links are easy to discover. The research firm that identified the issue quickly wrote a script to enumerate BOX accounts from a list of company names, checking “https://<companyname>.account.box.com” for each one. Every hostname that returned a company logo confirmed a BOX customer, and with it a predictable base from which that customer’s custom shared links could be guessed; each such account was a potential target.
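The two-stage enumeration described above, as an added example written for this post (it is not the researchers’ script and not anything published by BOX). It runs offline against a constructed lookup table that stands in for the live service; the vanity-path format https://<company>.app.box.com/v/<name>, the random /s/ token format, the company names and the wordlist are all assumptions or constructed data. The point it makes is that a link named from a wordlist is found in a handful of guesses, while a long random token never is.

```powershell
# Added example, not code from the original post or from BOX.
# Models the enumeration the post describes against a CONSTRUCTED stand-in
# for the live service so it can be run offline. The vanity-link layout
# https://<company>.app.box.com/v/<name> is an ASSUMPTION about Box URLs.

$companies = @('contoso', 'fabrikam', 'northwind')          # constructed target list
$wordlist  = @('board', 'budget', 'hr', 'payroll', 'q1')     # constructed link names

# Constructed stand-in for what a probe would observe: which hostnames serve a
# customer branding page (logo) and which vanity paths exist. A real probe would
# issue HTTP requests; here it is a lookup so the logic can be exercised offline.
$script:Known = @{
    'https://contoso.account.box.com'        = $true
    'https://fabrikam.account.box.com'       = $true
    'https://contoso.app.box.com/v/payroll'  = $true
    'https://fabrikam.app.box.com/v/budget'  = $true
    # default-style random link (assumed /s/<token> layout): not in any wordlist,
    # so the scan below can never find it
    'https://fabrikam.app.box.com/s/x3q9v1m8k2z5p7r4t6w0y1n3b5c7d9f' = $true
}

function Test-Url {
    param([string]$Url)
    # Missing key -> $null -> $false
    return [bool]$script:Known[$Url]
}

function Find-PredictableLinks {
    param(
        [string[]]$Companies,
        [string[]]$Wordlist,
        # Swap in a scriptblock that performs a real request if you ever need to
        # audit your own tenant; the default is the offline lookup above.
        [scriptblock]$Probe = ${function:Test-Url}
    )
    $hits = @()
    foreach ($c in $Companies) {
        # Stage 1: does <company>.account.box.com exist? (the "logo" check)
        if (-not (& $Probe "https://$c.account.box.com")) { continue }
        # Stage 2: guess custom shared links from the wordlist
        foreach ($w in $Wordlist) {
            $url = "https://$c.app.box.com/v/$w"
            if (& $Probe $url) { $hits += $url }
        }
    }
    return $hits
}

$found = Find-PredictableLinks -Companies $companies -Wordlist $wordlist
$found | ForEach-Object { Write-Output "guessable link: $_" }
$total = $companies.Count * $wordlist.Count
Write-Output "Tried $total guesses; found $($found.Count) links; the random /s/ link was never reached."
```

With the constructed data the scan finds the two vanity links in fifteen guesses and skips northwind entirely because the account check fails. The random token is in the same table but is unreachable, which is exactly the property a custom, human-readable link gives away.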
Our philosophy of asking our customers to “think outside the box” encourages using the Microsoft platform with the existing SharePoint, Microsoft Teams and Active Directory groups and policies that are specifically designed to secure the enterprise. Furthermore, by engaging Azure Information Protection, Data Loss Prevention and Rights Management, we can extend that security to documents shared externally.
SharePoint Online has both global (organization-wide) and site collection settings for external sharing. The organization-level setting is a ceiling: a site collection can be configured more restrictively, but it cannot be more permissive than the organization allows. The same ceiling also applies to OneDrive.
For your organization and each individual site collection, you can choose from the following basic sharing options:
- No external sharing - sites and documents can only be shared with internal users in your Office 365 subscription.
- Sharing only with external users in your directory - sites, folders and documents can only be shared with external users who are already in your Office 365 user directory. For example, users who have previously accepted a sharing invitation or users who you have imported from another Office 365 or Azure Active Directory tenant.
- Sharing with authenticated external users - sites can be shared with external users who have a Microsoft account or a work or school account from another Office 365 subscription or an Azure Active Directory subscription. When folders or documents are shared, the user is not required to log in using a Microsoft Account or a work or school account - they are sent a one-time code that they can use to verify their identity.
- Sharing with anonymous users - documents and folders (but not sites) can be shared via an anonymous link where anyone with the link can view or edit the document or upload to the folder.
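The four options above map one-to-one onto the SharingCapability values used by the SharePoint Online Management Shell. The following is an added example for this post (not Microsoft documentation or code from the original page) showing how to set the tenant ceiling, lock down an individual site collection, and audit which sites remain open. The tenant name contoso, the admin URL and the finance site URL are assumptions; it requires the Microsoft.Online.SharePoint.PowerShell module and an admin session.

```powershell
# Added example, not from the original post. Assumes the tenant "contoso" and
# the site URLs below; requires the SharePoint Online Management Shell:
#   Install-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# The four sharing options from the list above, in the same order.
$Option = [ordered]@{
    Disabled                        = 'No external sharing'
    ExistingExternalUserSharingOnly = 'Only external users already in the directory'
    ExternalUserSharingOnly         = 'Authenticated external users (one-time code for files/folders)'
    ExternalUserAndGuestSharing     = 'Anonymous: anyone with the link'
}

# 1. Tenant setting is the ceiling for every site and for OneDrive. Pick the
#    least permissive option that meets the business need; here, authenticated
#    external users only, and make new links default to internal-only.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal

# If anonymous links must be allowed at all, bound the damage of a leaked or
# guessed link: force expiry and make file/folder anonymous links view-only.
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
#               -RequireAnonymousLinksExpireInDays 30 `
#               -FileAnonymousLinkType View -FolderAnonymousLinkType View

# 2. A site collection can be stricter than the tenant, never looser.
Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/finance' `
            -SharingCapability Disabled

# 3. Audit. Report the tenant ceiling, then every site that still allows any
#    external sharing. A site set to ExternalUserAndGuestSharing is capped by
#    the tenant today, but will reopen the moment the tenant setting is relaxed.
$tenant = Get-SPOTenant
Write-Output ("Tenant ceiling: {0} -> {1}" -f $tenant.SharingCapability,
                                             $Option["$($tenant.SharingCapability)"])

Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability,
        @{ n = 'Meaning'; e = { $Option["$($_.SharingCapability)"] } } |
    Format-Table -AutoSize
```

Run the audit section on its own before changing anything; the list of sites that are still at ExternalUserAndGuestSharing is the one to review with the site owners, because those are the sites where a shared link behaves exactly like the BOX custom links in the story above.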
Authenticated users with Microsoft accounts
You can share sites, files and folders with users who have a Microsoft account or a work or school account from another Office 365 subscription in much the same way that you share sites and documents with your internal users. Permissions and groups work the same for authenticated external users with Microsoft accounts as they do for internal users.
Because external users with Microsoft accounts do not have a license to your Office 365 subscription, they are limited to basic collaboration tasks:
- They can perform tasks on a site consistent with the permission level that they are assigned. For example, if you add an external user to the Members group, they will have Edit permissions and they will be able to add, edit and delete lists; they will also be able to view, add, update and delete list items and documents.
- They can use Office Online for viewing and editing documents. If your plan includes Office Professional Plus, they cannot install the desktop version of Office on their own computers unless you assign them a license.
- They will be able to see other types of content on sites, depending on the permissions you give them. For example, they can navigate to different subsites within the site collection to which they were invited. They will also be able to do things like view site feeds.
Authenticated users without Microsoft accounts
You can share files and folders with anyone who has an email address. If the person you're sharing with doesn't have a Microsoft account or a work or school account, they will be sent a one-time access code for authentication each time they access the file or folder. You can't share sites with users unless they have a Microsoft account or a work or school account.
For more information please take a look at our Office 365 security blog.
CrucialLogics: Your Microsoft 365 Security Experts
As a Microsoft Gold Partner, our team at CrucialLogics has completed successful migrations of over one million objects. We’ve seen time and time again how the Microsoft programs we work with are able to deliver superior security management, tailored to meet even the most stringent privacy needs. Best of all, we’re adept at creating custom IT strategies that perfectly align with business needs, delivering tangible, lasting results to the company’s bottom line.
Want to learn more?