Organizations worldwide are looking for innovative ways to organize and manage enterprise information, to both facilitate collaboration and reduce costs. The draw to the cloud is clear: it gives organizations the flexibility to support their decentralized workforce's productivity, no matter where they work, for a reduced total cost of ownership and a consolidated IT infrastructure. So it wasn't surprising when, in the midst of a global pandemic, deployments of cloud solutions across enterprise workplaces rose sharply. But many organizations did so quickly and without security considerations in mind for their Office 365 deployments, which are a treasure trove of potentially sensitive and unprotected information.
In fact, a recent survey by my company, “Impact of COVID-19 on Workplace Collaboration,” found three-quarters of organizations deployed Microsoft Teams over the past year without proper governance or security in place. Additionally, while most IT teams express confidence in their compliance, only about a quarter do routine governance, compliance and security tasks, leaving them susceptible to both internal and external threats.
With the increase of cybersecurity risks and information breaches, establishing and sustaining strong compliance, governance and cyber assurance solutions for your Office 365 infrastructure is critical. So what are the steps to bring these collaborative cloud environments back into a state of order?
1. Understand Your Obligations for Data Protection
Laws and regulations are based on data protection and security principles that are not typically organization-specific. Unfortunately, when it comes to implementing or complying with those laws, too often internal policy is created based on an interpretation of the law without a real understanding of how employees are actually using the IT systems, such as the cloud, that hold the at-risk information.
2. Evaluate Your Cloud Environment As It Is
For example, organizations create policies with strict directives like “confidential data is allowed in Microsoft Teams.” But they often build policies without understanding if their SharePoint business users are storing that sensitive data in SharePoint, or why they are choosing to store it there, as opposed to Teams.
To have a true understanding of vulnerabilities, it's important to develop a plan only after performing an organizational site assessment and setting your organization's goals. Only then should you set compliance requirements and standards.
3. Devise a Compliance Plan
Once you understand your current cloud deployment, and have worked with a multi-stakeholder group that includes compliance officers, business users and IT staff, it’s time to devise your plan. The plan you implement must be one you can enforce, measure and monitor. Equally important is training employees on areas of non-compliance. The plan should consider three primary pillars: data, containers for that data, and the people who will access that data.
This plan will address the framework of the existing cloud environment, adaptation to full governance, and then ongoing monitoring to prevent compliance improvements from degrading. Going forward, all new additions to the cloud environment may be automatically provisioned so they start and remain fully compliant throughout their entire lifecycle.
4. Implement the Solution
To protect sensitive information while enabling productivity and collaboration, your cloud solution needs to be deployed in such a way to make information available to those who should have it, while protecting it from those who should not. Critical steps in this process include:
- Scanning and reporting existing content to identify and subsequently delete, tag or quarantine sensitive, harmful or non-compliant content.
- Regulating user-generated content, preventing the creation or uploading of non-compliant or harmful content.
- Providing for security-trimmed administration, either by SharePoint permissions or by administrative role.
- Easily auditing security settings, investigating usage patterns and monitoring sensitive information.
- Recording and tracking user interactions, security changes and search queries for all SharePoint farms.
- Generating and reviewing reports with various attributes such as time viewed, deleted, renamed, and modified.
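As a concrete starting point for the scanning, auditing and reporting capabilities listed above, the following PowerShell session uses Microsoft 365's own Security & Compliance and Exchange Online cmdlets. This is an added example, not code from the article or from AvePoint; it assumes the ExchangeOnlineManagement module is installed, that the caller holds a compliance-administrator role, and that the policy names, the seven-day window, the deletion threshold and the report path (all placeholders) are adjusted for the tenant.

```powershell
# Added example (not the article's or AvePoint's code): scan SharePoint/Teams
# for sensitive content with a DLP policy, then pull SharePoint file activity
# from the unified audit log into a reviewable report.
# Assumes: Install-Module ExchangeOnlineManagement has been run and the caller
# has compliance-administrator rights. Names, dates and thresholds are placeholders.
Import-Module ExchangeOnlineManagement

# --- 1. Scan and report existing content (Security & Compliance PowerShell) ---
Connect-IPPSSession

# Start in test mode with notifications: existing and new content is scanned and
# matches are reported, but nothing is blocked until the mode is switched to Enable.
New-DlpCompliancePolicy -Name "Example-Sensitive-Data-Scan" `
    -SharePointLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications `
    -Comment "Added example: report credit card numbers found in SharePoint and Teams"

# Rule: one or more credit card numbers -> notify the owner and send an
# incident report to the site admin (BlockAccess only takes effect in Enable mode).
New-DlpComplianceRule -Name "Example-CreditCard-Rule" `
    -Policy "Example-Sensitive-Data-Scan" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin

# --- 2. Record and review user interactions (Exchange Online PowerShell) ---
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-7)   # placeholder window: last seven days
$end   = Get-Date

# File access, modification, rename, deletion and anonymous-link creation events.
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations FileAccessed,FileModified,FileRenamed,FileDeleted,AnonymousLinkCreated `
    -ResultSize 5000

# Flatten the AuditData JSON payload into the attributes a reviewer needs.
$report = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $e.CreationDate
        User      = $e.UserIds
        Operation = $e.Operations
        Site      = $d.SiteUrl
        Object    = $d.ObjectId
        ClientIP  = $d.ClientIP
    }
}

# Surface users with an unusual volume of deletions in the window
# (the threshold of 50 is a placeholder; baseline it against normal activity).
$report | Where-Object Operation -eq 'FileDeleted' |
    Group-Object User | Where-Object Count -gt 50 |
    Select-Object Name, Count

# Persist the full report for the periodic assessments the article recommends.
$report | Export-Csv -Path .\sharepoint-activity-report.csv -NoTypeInformation
```

Running the DLP policy in test mode first matches the article's advice to assess the environment before enforcing: the incident reports show where sensitive data actually lives before any access is blocked. Note that Search-UnifiedAuditLog is limited to 5,000 results per call and a bounded retention window, so a tenant with heavy activity needs paging (the SessionCommand parameter) or a SIEM export for continuous monitoring.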
Moving forward, the solution should provide access and rights management controls; user and content lifecycle reporting; and continuous monitoring, all of which can lead to a more secure and accessible environment. Companies should also maintain regular and ongoing assessments so they can manage data and ensure the policies are effective. These assessments may reveal key areas for improvement, which administrators should welcome.
Ultimately, a programmatic approach to improving security and confidence in your cloud solution, as a business-critical system for managing sensitive data, will not only have a positive impact on regulatory compliance and the protection of sensitive information, but will play an equally important role in cloud adoption.
Dana Louise Simberkoff is the Chief Risk, Privacy and Information Security Officer, AvePoint, Inc. She is responsible for executive level consulting, research and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts and solutions for risk management and compliance.