The advanced digital era that we have entered is full of possibilities and ideas; ideas that seemed impossible in the past have already been implemented or are in the making. With each year of technical advancement the world has become more connected with the help of various technologies, whether the invention of the telegraph or the internet. This connectivity gives us a chance to stay up to date with the ideas and changes happening all around us and allows us to share ideas of our own that can shape the future. All of this sharing and staying up to date is done in the form of an exchange of data.
Today data is one of the most precious things in this world, and it can be used to shape the future. But as we know, there are malicious elements around us that are always on the move to reach this data and use it for their own profit. To keep our precious data out of the hands of such elements we need to implement a higher level of security in everything we do.
SharePoint Online is one such platform, which can be used to keep, enhance and refine our data with people around the world. Beyond simply sharing our data, SharePoint Online is also one of the most secure platforms on which we can manage our data and keep it safe according to our requirements and needs.
SharePoint Security Features
Here are a few key features that SharePoint offers to make our data more secure and to improve our experience of using SharePoint.
Tenant level security
A tenant in Office 365 refers to the full Office 365 suite attached to a domain. When Office 365 is set up, it creates a tenant to store all the data for Office 365, including SharePoint, OneDrive and so on. This lets all the data related to your organization sit in a single environment, where it can be moved around within the tenant with ease.
This is why the tenant-level security settings should be the first place to apply security measures before going deeper into SharePoint. There are a few tenant settings we can easily inspect and configure that let us control the level of access the users have, or that you want to provide. Sharing settings are very important, and if left at their defaults they can lead to data breaches.
To access the sharing settings at the tenant level, navigate to the SharePoint admin center and, under Policies, select Sharing.
There are four different levels of sharing available in the sharing settings:
- Anyone
- New and existing guests
- Existing guests
- Only people in your organization
By default, the sharing setting is “Anyone”, which allows users inside and outside your organization to access the data without authentication. Sharing should never be left at this setting, as it makes your data vulnerable to data theft.
To better protect your data from theft, use the setting “Only people in your organization”. This allows only users of your organization to access your data; no one else can get access, even if they have a sharing link to it.
SharePoint also offers a few more options to help secure data further if required.
Limit external sharing by domain: With this you can allow or block specific domains. A common scenario is collaborating with specific customers or partners. This setting is available at the tenant level as well as at the site level.
Allow only users in specific Security Groups to share externally: If selected, members of the chosen security group(s) will be the only ones capable of sharing externally.
Guests must sign in using the same account to which sharing invitations are sent: This adds an extra layer of security to make sure that the user accessing the file(s) is the one you expect. Selecting this option is highly recommended whenever possible.
People who use a verification code must reauthenticate after this many days [number of days]: A newer method in which guests authenticate using a one-time passcode, and must do so again after the number of days you configure.
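The tenant-level settings above can be audited and applied from the SharePoint Online Management Shell as well as from the admin center. The script below is an added example, not code from the original post; it assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that the account is a SharePoint Administrator, and that `<tenant>` and the partner domain names are placeholders. The option that restricts external sharing to specific security groups has no parameter used here and is left to the admin center.

```powershell
# Added example: audit, then harden, tenant-level sharing (not from the original post).
# Assumptions: SharePoint Online Management Shell installed, admin rights, <tenant> placeholder.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

$props = 'SharingCapability', 'SharingDomainRestrictionMode', 'SharingAllowedDomainList',
         'RequireAcceptingAccountMatchInvitedAccount',
         'EmailAttestationRequired', 'EmailAttestationReAuthDays'

# 1. Audit: record the current state before changing anything.
$before = Get-SPOTenant | Select-Object $props
$before | Format-List

# ExternalUserAndGuestSharing is the "Anyone" level: links work without authentication.
if ($before.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    Write-Warning "Tenant allows 'Anyone' links: shared content is reachable without sign-in."
}

# 2. Harden. Set to $true only when collaboration with outside partners is required.
$allowGuests = $false

if (-not $allowGuests) {
    # "Only people in your organization": a sharing link is useless to anyone outside.
    Set-SPOTenant -SharingCapability Disabled
}
else {
    # "New and existing guests". The tighter guest option, "Existing guests",
    # is ExistingExternalUserSharingOnly.
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly

    # Limit external sharing by domain: allow list of named partners (constructed names,
    # space-separated in a single string).
    Set-SPOTenant -SharingDomainRestrictionMode AllowList `
                  -SharingAllowedDomainList "partner-a.example partner-b.example"

    # Guests must sign in with the account the invitation was sent to.
    Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true

    # Verification-code (one-time passcode) guests must re-authenticate after N days.
    Set-SPOTenant -EmailAttestationRequired $true -EmailAttestationReAuthDays 15
}

# 3. Verify: re-read the tenant and show the settings after the change.
$after = Get-SPOTenant | Select-Object $props
$after | Format-List
```

Keeping the "before" object is deliberate: it gives you a record to roll back to and makes the change reviewable, and the warning on `ExternalUserAndGuestSharing` is the condition a periodic audit script should keep checking for.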
Site level security
Now that we have seen the tenant-level security settings, we can dive a level deeper into the SharePoint environment and configure security at the site level. Here are a few key features that SharePoint offers at the site level to make our data more secure and improve our experience of using SharePoint.
When we create a site in SharePoint, it automatically creates a few permission groups that we can use to manage access to the site and its data. These permission groups have different permission levels attached to them, which can be used to limit access to the site and to limit how users interact with the site and the data in it.
The default SharePoint permission groups created by SharePoint are as follows:
Each of these groups has a permission level assigned to it. We can use these groups and permissions according to our needs, but SharePoint also lets us create our own permission groups and tailor them to our needs and requirements.
SharePoint Permissions levels
SharePoint permission levels and SharePoint permission groups go hand in hand. We can create multiple permission groups in SharePoint, but if we cannot change their properties, i.e. the level of access a group provides, this does not solve our need for stronger security. To address this, SharePoint allows us to create our own permission levels, in which we set exactly the access we want users to have, associate them with the permission groups of our choice, and so increase the security of our data within the SharePoint environment.
Useful unique Permissions levels
Beyond the default levels such as Read, Edit and View, SharePoint offers some permission levels that can be used to enhance or refine security according to our needs. Some of these permission levels are as follows:
- View Only: Enables a user to view application pages; it is also used for the Excel Services Viewers group.
- Limited Access: Enables a user to access shared resources and a specific asset. This permission level is designed to be combined with fine-grained permissions to let users access a specific list, document library, folder, list item, or document without giving them access to the whole site. Limited Access cannot be edited or deleted.
- Restricted Read: Allows users to view pages and documents, but not to download or edit any document. The only permissions users with this level have are View Items, Open Items and View Pages, which tightens our data’s security even further.
Best Practice: If necessary, create your own SharePoint group and permission level, and avoid modifying or deleting the built-in groups. For more information, refer to the official Microsoft documentation on the default SharePoint groups.
Active Directory (AD) Groups
Unlike SharePoint groups, Active Directory groups are available globally and are not limited to a single site. This lets us manage users’ access to the SharePoint environment at a higher level rather than site by site, for better and more efficient management.
It is also entirely possible to create Microsoft 365 security groups directly in the admin center and add those to your SharePoint site as well.
Best Practice: Add security groups to your SharePoint groups for easy management. Although it is possible to add users individually to sites, this becomes harder to manage down the line.
Breaking permission inheritance
There are times when only one document library, or even a single document, needs to be shared with a user rather than an entire site. For this we can break the permission inheritance of that document or library, which lets us manage access to data at a finer level.
The access request feature allows people to request access to content they do not currently have permission to see. This feature has been around for a while, and the "Access denied" message with no possible interaction whatsoever is also a result of this SharePoint Online feature. Although more configuration is needed in SharePoint on-premises, everything is ready to go in SharePoint Online. All we have to do is choose who should receive the requests for access to the resources we want to grant; we can also add a custom message for the requestor, review the pending requests, and approve or remove them as needed. If you approve a request, you can also specify the permission level you would like to assign to the user.
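The site-level pieces described above (a custom permission level created instead of editing a built-in one, a SharePoint group populated with a security group rather than individual users, inheritance broken on a single library, and access requests routed to an owner) fit together into one script. The following is an added example written for this article, not the post's or Microsoft's own code; it assumes the PnP.PowerShell module is installed, that the account is a site owner, and that the site URL, library name, group name, security-group object id and owner mailbox are constructed placeholders.

```powershell
# Added example: site-level hardening with PnP PowerShell (not from the original post).
# Assumptions: PnP.PowerShell installed, site-owner rights; all names below are placeholders.
$siteUrl = "https://<tenant>.sharepoint.com/sites/<site>"
Connect-PnPOnline -Url $siteUrl -Interactive

# 1. Narrow sharing for this site; a site can be tighter than the tenant, never wider.
Set-PnPSite -SharingCapability Disabled

# 2. Prefer the built-in "Restricted Read" level where the site template provides it.
#    If it is absent, create a custom level with the same three rights plus Open
#    (needed to enter the site at all) instead of editing a built-in level.
$roleName = "Restricted Read"
$role = Get-PnPRoleDefinition -Identity $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $roleName = "Restricted Read (custom)"
    Add-PnPRoleDefinition -RoleName $roleName `
        -Description "View Items, Open Items and View Pages only" `
        -Include ViewListItems, OpenItems, ViewPages, Open
}

# 3. Create a dedicated SharePoint group and add a Microsoft 365 security group to it
#    rather than individual users. The claim string c:0t.c|tenant|<objectId> identifies
#    a security group by its object id; <objectId> is a placeholder.
New-PnPGroup -Title "Contract Reviewers" -Description "Read-only reviewers of the Contracts library"
Add-PnPGroupMember -Identity "Contract Reviewers" -LoginName "c:0t.c|tenant|<objectId>"

# 4. Break inheritance on one library only. CopyRoleAssignments:$false starts from an
#    empty assignment set so the site's Members/Visitors are not silently carried over;
#    ClearSubscopes resets any item-level exceptions beneath the library.
Set-PnPList -Identity "Contracts" -BreakRoleInheritance -CopyRoleAssignments:$false -ClearSubscopes
Set-PnPListPermission -Identity "Contracts" -Group "Contract Reviewers" -AddRole $roleName

# 5. Send access requests for this site to a named owner (constructed address).
Set-PnPRequestAccessEmails -Emails "site-owner@contoso.example"

# 6. Verify: the library must report unique permissions, and the group should
#    contain only the security group claim, not individual users.
$list = Get-PnPList -Identity "Contracts" -Includes HasUniqueRoleAssignments
"Contracts has unique permissions: $($list.HasUniqueRoleAssignments)"
Get-PnPGroupMember -Identity "Contract Reviewers" | Select-Object Title, LoginName
```

Two points worth keeping in mind when adapting this: breaking inheritance with the role assignments copied (the default) leaves the wider site audience with access to the library, which is the opposite of what the section intends, and a custom permission level survives template updates in a way an edited built-in level may not.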
So far we have looked at how SharePoint offers customization options to refine and enhance our security, which we can shape to our needs to maximize the security of our data. You can get a better understanding of these options in the Microsoft documentation article at the link below.
In Part 2 of this blog we will look at the other security features that SharePoint and Microsoft have to offer to improve the security of our valuable data.