The Rencore blog is a treasure trove of SharePoint and Office 365 information. For this article, I have explored the vaults and uncovered 5 ways advised by our Microsoft MVPs on how you can keep control over Office 365 and uphold security in your platform.
Waldek pointed to a scenario where a government employee inserted a piece of script offering screen reading capabilities for websites into a donation website to help a presidential campaign. The script was later hacked.
Over 4000 government websites globally were loading a cryptocurrency miner along with the screen reading script. While no real harm was done in the end, and the issue was fixed swiftly, it makes you think about the more malicious things a piece of JavaScript could do through your SharePoint tenant.
Many different open source scripts exist, often in several versions of the same library, so it's important that you routinely check the ones you use for changes. You have no control over who changes third-party scripts, even though the code is embedded on your website.
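One way to run that routine check, as an added example that is not from the original article or from Rencore: pin a SHA-384 digest (in Subresource Integrity format) for each third-party script you reviewed, then flag any script whose content no longer matches or that is loaded without a pin. The URLs, script bodies and function names below are constructed for illustration, and the `fetched` map stands in for downloading each script.

```javascript
const crypto = require("node:crypto");

// SRI-format digest: "sha384-" + base64(SHA-384(body)).
function sriDigest(body) {
  return "sha384-" + crypto.createHash("sha384").update(body, "utf8").digest("base64");
}

// List external <script src> tags with their integrity attribute (null if absent).
function externalScripts(html) {
  const found = [];
  for (const tag of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag[0]);
    if (!src) continue; // inline script: not a third-party load
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(tag[0]);
    found.push({ src: src[1], integrity: integrity ? integrity[1] : null });
  }
  return found;
}

// Classify each external script against the pinned baseline.
function auditScripts(html, baseline, fetched) {
  return externalScripts(html).map(({ src, integrity }) => {
    const current = sriDigest(fetched[src] ?? "");
    let status = "ok";
    if (!(src in baseline)) status = "unpinned";
    else if (baseline[src] !== current) status = "changed";
    else if (integrity !== baseline[src]) status = "missing-integrity-attr";
    return { src, status, current };
  });
}

// Constructed sample data: URLs and script bodies are illustrative only.
const CDN = "https://cdn.example.com/";
const readerV1 = "function readAloud(){}";
const baseline = {
  [CDN + "reader.js"]: sriDigest(readerV1),
  [CDN + "charts.js"]: sriDigest("function draw(){}"),
};
const html = `
<script src="${CDN}reader.js"></script>
<script src="${CDN}charts.js" integrity="${baseline[CDN + "charts.js"]}" crossorigin="anonymous"></script>
<script src="${CDN}new-widget.js"></script>`;
// Stand-in for fetching each URL today: reader.js was altered upstream.
const fetched = {
  [CDN + "reader.js"]: readerV1 + ";injected()",
  [CDN + "charts.js"]: "function draw(){}",
  [CDN + "new-widget.js"]: "function widget(){}",
};
console.table(auditScripts(html, baseline, fetched));
```

A `changed` result means the third party is serving different code than the version you reviewed; adding the pinned digest as the tag's `integrity` attribute makes the browser refuse to run a script that does not match.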
In 2019, Waldek Mastykarz warned us about the possibility of overriding the default setting on modern SharePoint sites, which doesn’t allow embedding of scripts.
For some, that default limits their flexibility and hinders the way in which they are used to working. This may not have been as problematic in the past, when organizations had a handful of site collections created and governed by IT.
However, this is no longer the case today. Users create new site collections at a constant rate. If they need a place to collaborate, they get a site collection. When they need a place to keep the rest of the organization up to date, they get a site collection as well. Creating an Office 365 Group? Yes, you’ve guessed it – a SharePoint site collection, too.
Let’s keep that default setting as it is!
“You can mitigate SharePoint application risk in various ways, and a good application governance plan is really important and should consist of the following:
You should plan how you implement applications, train users, power users and citizen developers.”
Tobias explains further that power users are essential in driving businesses forward and in achieving a higher ROI from the Office 365 platform itself. A completely modern governance plan should harness and nurture the power users' involvement. It’s about controlling all modifications regardless of who makes them. Therefore, a viable automation solution must also be incorporated to help scale the effort to reach the high standards needed.
Mitigation should be the following:
Secure Score is a great barometer to get a quick security insight into your Office 365 environment, but many rely heavily on it as the only security measure. Liam Cleary, MVP, security expert and principal advisory specialist at Rencore, explains in more detail:
Liam emphasizes that Secure Score should be on your radar and is a great tool to help you understand things at a quick glance, but you should never be complacent and think that your environment is secure. A full security protocol needs to be in place.
Microsoft’s cloud offering Office 365 is fully equipped with many services and components. Being one of the largest cloud platforms globally, it is protected well by Microsoft. They provide a Trust Center site to help communicate the various mitigations against risk. Liam Cleary recommends you take a good look at the Office 365 Security section.
He explains further:
“Microsoft does not mandate how an organization uses the services, that is left to the business to decide. At this point that is when a risk assessment is needed. Based on our understanding of employees “Accidental User Behavior” and “Malicious User Behavior,” we need to inspect continually, monitor and assess the implementation as it changes over time.”
Rencore Governance MUST be your first step towards staying in control of your Office 365 environment. You can choose what you want to track, build relevant reports, and automate with your business processes in mind.