Forum Discussion

Slee6004's avatar
Slee6004
Brass Contributor
Oct 10, 2023

How you control OneDrvie sync to personal devices?

Hi forum members,

 

Under today's cyber security landscape, what is the policy for organizations control OneDrive for business sync content to personal devices?  I mean allow or block it and what is the reasons behind those decisions?  My organization has it configured to only allow syncing only computers joined to our domains.  But the business has access to our affiliated tenant's OneDrive for business so threaten to save data there.  Now we are at the point where content will be either be exfiltrated and no control or allow syncing to personal devices.  Wanted to get some feedback from the forum and see what the best practices are.  Any suggestions is greatly appreciated.  

 

  • Deleted's avatar
    Deleted
    Oct 12, 2023

    Slee6004 

    Thanks for the feedback, the policies for Microsoft services are plain and simple.

    The organization in question needs service only Intune can provide and with the services comes certain policies which can't be mitigated.

     The Zero Trust model is a security strategy that assumes no connection can be trusted, even if the user or account was previously authenticated. It seeks to address the following:

    1. Continuous verification: Always verify access, all the time, for all resources.
    2. Limit the “blast radius: Minimize impact if an external or insider breach does occur.
    3. Automate context collection and response: Incorporate behavioral data and get context from the entire IT stack (identity, endpoint, workload, etc.) for the most accurate response.
    4. Verify explicitly.
    5. Use least privilege access.
    6. Assume breach.

      Regarding your concern about allowing OneDrive sync to personal PC/Mac without robust mitigation controls in place, it’s important to note that containerization and encryption are just two of many mitigation controls that should be in place to protect your content. While DLP scans and event logging are useful reactive measures, they do not provide complete protection against cyberattacks.

      I would recommend that you consider implementing additional proactive measures such as:

      1.Conditional Access: This feature allows you to control access to your organization’s resources based on specific conditions such as location, device compliance, and risk level.

       

      2.Data Loss Prevention (DLP): This feature helps you identify and protect sensitive information across Microsoft 365 apps and services.
      Microsoft Defender for Endpoint: This feature provides endpoint protection against cyber threats.

       
       
       
       

       

       

      3.Microsoft Cloud App Security: This feature provides visibility into cloud applications and services used in your organization.

     

    If I have answered your question, please mark your post as Solved

    If you like my response, please give it a Like :smile:

    Appreciate your Kudos! Proud to contribute! 🙂

     

  • Slee6004 

    The policy is mainly to control 'sync settings', because by default users are allowed to sync personal OneDrive accounts.
    It is important for organizations to have policies in place to control the 'syncing of OneDrive' for Business content to personal devices.

    OneDrive policies can be used to control sync settings, and administrators can configure these policies using Group Policy or administrative templates in "Microsoft Intune".

     Additionally, it is possible to restrict OneDrive so that it only synchronizes files to domain-joined computers. In this case, a policy named “Allow syncing only on PCs joined to specific domains” would be activated in the OneDrive admin module.

    The best solution is to get a Microsoft Intune license and reach out to the Intune support team for further assistance. 

    https://intune.microsoft.com

     

     

    If I have answered your question, please mark your post as Solved

    If you like my response, please give it a Like :smile:

    Appreciate your Kudos! Proud to contribute! 🙂

     

    • Slee6004's avatar
      Slee6004
      Brass Contributor
      Hi Recep_Gencaslan695, thank you for your insights. We do have Intune licenses, but it is currently in pilot mode so not fully configured yet. We currently permit syncing to a specific domain, which is the aspect the business is interested in removing restriction from. The rationale is that it is easier for them to transfer content from their personal PC/Mac. However, in today's cybersecurity landscape, I believe it's imperative to adopt Zero Trust principles. This entails continuously evaluating all entry points and user identities continuously. Allowing OneDrive sync to personal PC/Mac without robust mitigation controls in place could potentially expose us to a high risk of cyberattacks.

      I was told that content in OneDrive is already containerized and encrypted, and we have DLP scan looking for sensitive data. Since we have E5 so there are advanced event logging and logs are kept for one year. Additionally we have other 3rd party tool to monitor bulk data transfer so we should be protected.
       
      I am not sure all those mitigation controls will help protect our content. Seems to me they are more reactive approaches. This is why I'd like to ask the community members' experiences at different organizations. Any feedback is appreciated.

      Thanks once again!
      • Deleted's avatar
        Deleted

        Slee6004 

        Thanks for the feedback, the policies for Microsoft services are plain and simple.

        The organization in question needs service only Intune can provide and with the services comes certain policies which can't be mitigated.

         The Zero Trust model is a security strategy that assumes no connection can be trusted, even if the user or account was previously authenticated. It seeks to address the following:

        1. Continuous verification: Always verify access, all the time, for all resources.
        2. Limit the “blast radius: Minimize impact if an external or insider breach does occur.
        3. Automate context collection and response: Incorporate behavioral data and get context from the entire IT stack (identity, endpoint, workload, etc.) for the most accurate response.
        4. Verify explicitly.
        5. Use least privilege access.
        6. Assume breach.

          Regarding your concern about allowing OneDrive sync to personal PC/Mac without robust mitigation controls in place, it’s important to note that containerization and encryption are just two of many mitigation controls that should be in place to protect your content. While DLP scans and event logging are useful reactive measures, they do not provide complete protection against cyberattacks.

          I would recommend that you consider implementing additional proactive measures such as:

          1.Conditional Access: This feature allows you to control access to your organization’s resources based on specific conditions such as location, device compliance, and risk level.

           

          2.Data Loss Prevention (DLP): This feature helps you identify and protect sensitive information across Microsoft 365 apps and services.
          Microsoft Defender for Endpoint: This feature provides endpoint protection against cyber threats.

           
           
           
           

           

           

          3.Microsoft Cloud App Security: This feature provides visibility into cloud applications and services used in your organization.

         

        If I have answered your question, please mark your post as Solved

        If you like my response, please give it a Like :smile:

        Appreciate your Kudos! Proud to contribute! 🙂

         

Resources