Microsoft CEO Satya Nadella’s transformation of the company from a staid desktop sales company into a dynamic cloud subscription company has been remarkable. By the number of enterprise users, Microsoft has become the most widely used cloud service provider in just two years. Perhaps unsurprisingly, because of its ease and ubiquity, OneDrive is the most used part of the Office 365 suite.
Such figures come from a Skyhigh Networks analysis of more than 600 enterprise users of Office 365 products. The statistics are impressive – but one feature that should concern all security officers is that there is no reduction in users’ risky behavior. In particular, users are continuing to store sensitive data unencrypted in the Microsoft cloud.
Microsoft itself gets Skyhigh’s highest rating based on an objective assessment of its security controls. But this should be viewed in light of the Microsoft shared responsibility model: Microsoft owns the platform security, but the customer is responsible for its data and the safe use of the platform.
The indication from Skyhigh is that users are not behaving properly. For example, the average enterprise now has 204 files that contain ‘password’ in the file name stored in OneDrive, which is up from 143 files in Q3 2015.
Looking at all the data stored in OneDrive and SharePoint, Skyhigh found that 17.1% of the data is sensitive. Most of this, 9.4%, is considered confidential information (such as financial records, business plans and source code); but 4.1% is PII, 1.9% is PHI, and 1.7% is payment details.
This presents two challenges for the security team: firstly to keep the data secure, and secondly to maintain compliance after migrating to the cloud. Encryption, where possible, would help in both cases – but it isn’t often happening.
“It is surprising,” commented Nigel Hawthorn, Skyhigh Networks’ Chief European spokesperson, “that businesses and employees are still taking a relaxed approach to document security, especially when you consider the high frequency of threats. You would hope that the spate of high-profile data breaches would make enterprises sit up and take notice about the need for encryption, but the amount of unencrypted sensitive data stored on OneDrive is increasing.”
Users seem to assume that Microsoft will protect their data – which is simply not the case where incidents are caused by user behavior. Skyhigh points out that account credentials can still be acquired via phishing scams and used by third parties to gain access to corporate data. “Taken together, the average organization experiences 2.7 threats each month within Office 365.”
This figure comprises compromised accounts (“such as an unauthorized third party logging in to a corporate Office 365 account using stolen credentials”); insider threats (“such as a user downloading sensitive data from SharePoint Online and taking it when they join a competitor”); and privileged user threats (“such as an administrator provisioning excessive permissions to a user relative to their role”).
Two suggested solutions are improved user security awareness training, and better incident response controls. “More than half of documents across all cloud services that contain sensitive data are stored in Microsoft Office formats,” explains Hawthorn. “This percentage will only increase as OneDrive becomes more tightly integrated to the rest of the suite.” It is imperative, he says, “for businesses to educate their employees about how to safely store documents in the cloud; and that need is even more vital in industries where the nature of data is likely to be highly sensitive such as in financial services or healthcare, two of the biggest users of Office 365.”
The second approach is to improve incident detection and response – the first part of which can be aided by behavioral analytics. Skyhigh gives an example: if a user makes several log-in attempts and then behaves ‘normally’ on the network, it was probably an error (such as entering the password with capslock on); but if several attempts are followed by unusual network behavior, it is probably indicative of a compromised account.
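The heuristic in Skyhigh's example can be sketched as a small detection routine. This is an added example, not Skyhigh's or Microsoft's code; the event fields, thresholds, user names and sample data are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

FAIL_BURST = 3    # failed attempts before a login is reviewed (assumed threshold)
WINDOW_MIN = 60   # minutes of activity examined after the login (assumed)
Z_LIMIT = 3.0     # deviations above baseline treated as unusual (assumed)

# Constructed baseline: downloads per hour observed for each user on past days.
BASELINE = {"alice": [4, 6, 5, 7, 5], "bob": [2, 3, 2, 4, 3]}

# Constructed events (minute, user, action); not real Office 365 audit records.
EVENTS = [
    (0, "alice", "login_failed"), (1, "alice", "login_failed"),
    (2, "alice", "login_failed"), (3, "alice", "login_ok"),
    *[(5 + i, "alice", "download") for i in range(6)],
    (10, "bob", "login_failed"), (11, "bob", "login_failed"),
    (12, "bob", "login_failed"), (13, "bob", "login_failed"),
    (14, "bob", "login_ok"),
    *[(15 + i, "bob", "download") for i in range(40)],
    (20, "carol", "login_ok"), (21, "carol", "download"),
]

def classify(events, baseline):
    """Return {user: verdict} for each login that follows a burst of failures."""
    verdicts, fails = {}, {}
    for t, user, action in sorted(events):
        if action == "login_failed":
            fails[user] = fails.get(user, 0) + 1
        elif action == "login_ok":
            burst, fails[user] = fails.get(user, 0), 0
            if burst < FAIL_BURST:
                continue  # ordinary login, nothing to review
            # Count the user's downloads in the window after the successful login.
            seen = sum(1 for t2, u2, a2 in events
                       if u2 == user and a2 == "download" and t < t2 <= t + WINDOW_MIN)
            hist = baseline.get(user, [])
            if len(hist) < 2:
                verdicts[user] = "no_baseline"  # cannot judge what is normal
                continue
            sigma = pstdev(hist) or 1.0  # avoid dividing by zero on a flat baseline
            z = (seen - mean(hist)) / sigma
            verdicts[user] = "likely_compromise" if z > Z_LIMIT else "likely_user_error"
    return verdicts

if __name__ == "__main__":
    print(classify(EVENTS, BASELINE))
```

Both alice and bob trip the failed-login threshold, but only bob's post-login download volume departs from his own baseline, so only his account is flagged for response.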
According to Skyhigh Networks, Office 365 is becoming the home of enterprise data. But both enterprises and individual users need to take more care of their sensitive data. The bottom line is that Office 365 users cannot rely on Microsoft’s security if it is their own behavior that lets the hacker in.