The Rencore blog is a treasure trove of SharePoint and Office 365 information. For this article, I have explored the vaults and uncovered five ways, recommended by our Microsoft MVPs, to keep control over Office 365 and uphold security in your platform.
Get a handle on JavaScript created solutions
Back in 2018, MVP and Head of Product at Rencore, Waldek Mastykarz, wrote about the importance of constantly checking JavaScript solutions because of one’s lack of control over the hosted libraries.
Waldek pointed to a scenario where a government employee inserted a piece of script offering screen reading capabilities for websites into a donation website to help a presidential campaign. The script was later hacked.
Over 4000 government websites globally were loading a cryptocurrency miner along with the screen reading script. While no real harm was done in the end, and the issue was fixed swiftly, it makes you think about the more malicious things a piece of JavaScript could do through your SharePoint tenant.
There are many open source scripts, and many versions of the same open source library. It's important that you routinely check the ones you load for changes: although the code is embedded on your website, you have no control over who changes third-party scripts.
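One way to run the routine check described above, as an added example that is not from the original article or from Rencore: a Node.js sketch that lists a page's externally hosted scripts, flags those without a Subresource Integrity pin, and reports any whose served content no longer matches the pinned hash. The page markup, URLs and script bodies are constructed samples, and `sriHash`, `listScripts` and `auditPage` are hypothetical names.

```javascript
// Added example (Node.js): audit externally hosted scripts against pinned SRI hashes.
const crypto = require("crypto");
const ALGOS = ["sha256", "sha384", "sha512"];
// Subresource Integrity value for a script body: "<algo>-<base64 digest>".
function sriHash(body, algo = "sha384") {
  return `${algo}-${crypto.createHash(algo).update(body, "utf8").digest("base64")}`;
}
// Collect src and integrity from each <script src=...> tag (regex is enough for a sketch).
function listScripts(html) {
  const attr = (tag, name) => {
    const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, "i"));
    return m ? m[1] : null;
  };
  return [...html.matchAll(/<script\b[^>]*>/gi)]
    .map(([tag]) => ({ src: attr(tag, "src"), integrity: attr(tag, "integrity") }))
    .filter((s) => s.src);
}
// served maps absolute URL -> script text currently delivered by the third party.
function auditPage(html, pageOrigin, served) {
  const findings = [];
  for (const s of listScripts(html)) {
    const url = new URL(s.src, pageOrigin);
    if (url.origin === pageOrigin) continue; // same-origin code is under your control
    const body = served[url.href];
    let status;
    if (!s.integrity) status = "unpinned"; // nothing stops a silent change
    else if (body === undefined) status = "unfetched";
    else {
      // The attribute may list several hashes; any supported one that matches passes.
      const pins = s.integrity.trim().split(/\s+/);
      const match = pins.some((p) => ALGOS.includes(p.split("-")[0]) && sriHash(body, p.split("-")[0]) === p);
      status = match ? "ok" : "changed";
    }
    findings.push({ url: url.href, status });
  }
  return findings;
}

// Constructed sample data: an intranet page, a pinned reader script, an unpinned chart script.
const ORIGIN = "https://intranet.example";
const READER_V1 = "function readAloud() { /* screen reader */ }";
const SAMPLE_HTML = `<script src="/site.js"></script>
<script src="https://cdn.example/reader.js" integrity="${sriHash(READER_V1)}" crossorigin="anonymous"></script>
<script src="https://cdn.example/charts.js"></script>`;
const SERVED = {
  "https://cdn.example/reader.js": READER_V1 + "\n/* code appended upstream */",
  "https://cdn.example/charts.js": "function draw() {}",
};
console.log(auditPage(SAMPLE_HTML, ORIGIN, SERVED));
```

In practice the `served` map would be filled by fetching each URL on a schedule, with every "changed" or "unpinned" result raised for review.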
Don’t allow embedding scripts on modern sites
In 2019, Waldek Mastykarz warned us about the possibility of overriding the default setting on modern SharePoint sites, which doesn't allow embedding of scripts.
For some, this default limits their flexibility and hinders the way in which they are used to working. Overriding it may not have been as problematic in the past, when organizations had a handful of site collections created and governed by IT.
However, this is no longer the case today. Users create new site collections at a constant rate. If they need a place to collaborate, they get a site collection. When they need a place to keep the rest of the organization up to date, they get a site collection as well. Creating an Office 365 Group? Yes, you’ve guessed it – a SharePoint site collection, too.
Let’s keep that default setting as it is!
How to Control Office 365 with a good governance plan
MVP and Head of Technical Operations at Rencore, Tobias Zimmergren, succinctly explains the essentials for a successful governance plan:
“You can mitigate SharePoint application risk in various ways, and a good application governance plan is really important and should consist of the following:
- An inventory of how and where all applications are being used
- How applications are being linked
- An analysis of the contents of every single application
- A tight grip on general practice
You should plan how you implement applications, train users, power users and citizen developers.”
Tobias explains further that power users are essential in driving businesses forward, and also in achieving a higher ROI from the Office 365 platform itself. A completely modern governance plan should harness and nurture power users' involvement. It's about controlling all modifications regardless of who makes them. Therefore, a viable automation solution must also be incorporated to help scale the effort to reach the high standards needed.
Mitigation should be the following:
- Plan for application governance
- Plan for training
- Discover what is in your environment
Understand the correct use of Secure Score in Office 365
Secure Score is a great barometer to get a quick security insight into your Office 365 environment, but many rely heavily on it as the only security measure. Liam Cleary, MVP, security expert and principal advisory specialist at Rencore, explains in more detail:
“My personal view is that the Secure Score should go together with your regular Security Program and not replace it. Just because you move to the cloud does not negate the need for Security platforms and controls.”
Liam emphasizes that Secure Score should be on your radar and is a great tool to help you understand things at a glance, but you should never be complacent and think that your environment is secure. A full security protocol needs to be in place.
Perform an Office 365 risk assessment
Microsoft's cloud offering Office 365 is fully equipped with many services and components. Being one of the largest cloud platforms globally, it is protected well by Microsoft. They provide a Trust Center site to help communicate the various mitigations against risk, and Liam Cleary recommends you take a good look at the Office 365 Security section.
All components mentioned offer great security controls when enabled and mitigate many of the risks that organizations face today. But the important point that Liam makes is that a risk assessment helps isolate the possible risks and threats to your security specifically for your organization.
He explains further:
“Microsoft does not mandate how an organization uses the services, that is left to the business to decide. At this point that is when a risk assessment is needed. Based on our understanding of employees “Accidental User Behavior” and “Malicious User Behavior,” we need to inspect continually, monitor and assess the implementation as it changes over time.”
Rencore Governance MUST be your first step towards staying in control of your Office 365 environment. You can choose what you want to track, build relevant reports, and automate with your business processes in mind. If you would like to learn more about Rencore Governance and see it in action, please head to the Rencore Governance product page.