SecurityWeek


Office 365 Users Need Better Care of Sensitive Data: Report

Microsoft CEO Satya Nadella’s transformation of the company from a staid desktop sales company into a dynamic cloud subscription company has been remarkable. By the number of enterprise users, Microsoft has become the most widely used cloud service provider in just two years. Perhaps unsurprisingly, because of its ease and ubiquity, OneDrive is the most used part of the Office 365 suite.


Such figures come from a Skyhigh Networks analysis of more than 600 enterprise users of Office 365 products. The statistics are impressive – but one feature that should concern all security officers is that there is no reduction in users’ risky behavior. In particular, users are continuing to store sensitive data unencrypted in the Microsoft cloud.

Microsoft itself gets Skyhigh’s highest rating based on an objective assessment of its security controls. But this should be viewed in light of the Microsoft shared responsibility model: Microsoft owns the platform security, but the customer is responsible for its data and the safe use of the platform. 

The indication from Skyhigh is that users are not behaving properly. For example, the average enterprise now has 204 files that contain ‘password’ in the file name stored in OneDrive, which is up from 143 files in Q3 2015. 

Looking at all the data stored in OneDrive and Sharepoint, Skyhigh found that 17.1% of the data is sensitive. Most of this, 9.4%, is considered confidential information (such as financial records, business plans and source code); but 4.1% is PII, 1.9% is PHI, and 1.7% is payment details.

This presents two challenges for the security team: first, to keep the data secure, and second, to maintain compliance after migrating to the cloud. Encryption, where possible, would help in both cases – but it is not happening often.

“It is surprising,” commented Nigel Hawthorn, Skyhigh Networks’ Chief European spokesperson, “that businesses and employees are still taking a relaxed approach to document security, especially when you consider the high frequency of threats. You would hope that the spate of high-profile data breaches would make enterprises sit up and take notice about the need for encryption, but the amount of unencrypted sensitive data stored on OneDrive is increasing.”

Users seem to assume that Microsoft will protect their data – which is simply not the case where incidents are caused by user behavior. Skyhigh points out that account credentials can still be acquired via phishing scams and used by third parties to gain access to corporate data. “Taken together, the average organization experiences 2.7 threats each month within Office 365.”

This comprises compromised accounts (“such as an unauthorized third party logging in to a corporate Office 365 account using stolen credentials”); insider threats (“such as a user downloading sensitive data from SharePoint Online and taking it when they join a competitor”); and privileged user threats (“such as an administrator provisioning excessive permissions to a user relative to their role”).

Two suggested solutions are improved user security awareness training, and better incident response controls. “More than half of documents across all cloud services that contain sensitive data are stored in Microsoft Office formats,” explains Hawthorn. “This percentage will only increase as OneDrive becomes more tightly integrated to the rest of the suite.” It is imperative, he says, “for businesses to educate their employees about how to safely store documents in the cloud; and that need is even more vital in industries where the nature of data is likely to be highly sensitive such as in financial services or healthcare, two of the biggest users of Office 365.”

The second approach is to improve incident detection and response – the first part of which can be aided by behavioral analytics. Skyhigh gives an example: if a user makes several log-in attempts and then behaves ‘normally’ on the network, it was probably an error (such as entering the password with capslock on); but if several attempts are followed by unusual network behavior, it is probably indicative of a compromised account.
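The heuristic Skyhigh describes can be sketched as detection logic over sign-in and activity events. The following is an added example, not code from Skyhigh or Microsoft; the event format, thresholds, user names and baselines are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All thresholds are assumed values for illustration.
FAIL_THRESHOLD = 3                    # failed attempts that count as a burst
BURST_WINDOW = timedelta(minutes=10)  # failures must precede the success this closely
WATCH_WINDOW = timedelta(hours=1)     # post-login period that is inspected
DEVIATION_FACTOR = 3                  # downloads above factor * baseline are "unusual"

# Constructed sample events: (ISO timestamp, user, action). Not real audit records.
EVENTS = [
    ("2024-01-15T09:00:05", "alice", "login_failed"),
    ("2024-01-15T09:00:20", "alice", "login_failed"),
    ("2024-01-15T09:00:40", "alice", "login_failed"),
    ("2024-01-15T09:01:00", "alice", "login_ok"),
    ("2024-01-15T09:05:00", "alice", "download"),
    ("2024-01-15T09:30:00", "alice", "download"),
    ("2024-01-15T02:10:00", "bob", "login_failed"),
    ("2024-01-15T02:11:00", "bob", "login_failed"),
    ("2024-01-15T02:12:00", "bob", "login_failed"),
    ("2024-01-15T02:13:00", "bob", "login_failed"),
    ("2024-01-15T02:15:00", "bob", "login_ok"),
    ("2024-01-15T10:00:00", "carol", "login_ok"),
] + [(f"2024-01-15T02:{m:02d}:00", "bob", "download") for m in range(20, 40)]

# Constructed per-user baseline: typical downloads per hour.
BASELINE = {"alice": 4, "bob": 5, "carol": 2}

def classify(events, baseline):
    """Label each user whose successful login follows a burst of failures."""
    by_user = defaultdict(list)
    for ts, user, action in events:
        by_user[user].append((datetime.fromisoformat(ts), action))
    verdicts = {}
    for user, evs in by_user.items():
        evs.sort()
        for i, (t_ok, action) in enumerate(evs):
            if action != "login_ok":
                continue
            fails = sum(1 for t, a in evs[:i]
                        if a == "login_failed" and t_ok - t <= BURST_WINDOW)
            if fails < FAIL_THRESHOLD:
                continue  # no burst before this login, nothing to judge
            downloads = sum(1 for t, a in evs[i + 1:]
                            if a == "download" and t - t_ok <= WATCH_WINDOW)
            unusual = downloads > DEVIATION_FACTOR * baseline.get(user, 0)
            verdicts[user] = "possible_compromise" if unusual else "likely_user_error"
    return verdicts
```

Users with no failure burst before a login, such as the constructed user carol, receive no verdict at all, so the output stays limited to the cases the heuristic is meant to separate.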

According to Skyhigh Networks, Office 365 is becoming the home of enterprise data. But both enterprises and individual users need to take more care of their sensitive data. The bottom line is that Office 365 users cannot rely on Microsoft’s security if it is their own behavior that lets the hacker in.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
