Slee6004
Brass Contributor
Oct 10, 2023
Solved

How do you control OneDrive sync to personal devices?

Hi forum members, under today's cyber security landscape, what is the policy for organizations to control OneDrive for Business syncing content to personal devices? I mean allow or block it and what i...
  • Anonymous
    Oct 12, 2023

    Slee6004 

    Thanks for the feedback, the policies for Microsoft services are plain and simple.

    The organization in question needs a service only Intune can provide, and with the services come certain policies which can't be mitigated.

     The Zero Trust model is a security strategy that assumes no connection can be trusted, even if the user or account was previously authenticated. It seeks to address the following:

    1. Continuous verification: Always verify access, all the time, for all resources.
    2. Limit the “blast radius”: Minimize impact if an external or insider breach does occur.
    3. Automate context collection and response: Incorporate behavioral data and get context from the entire IT stack (identity, endpoint, workload, etc.) for the most accurate response.
    4. Verify explicitly.
    5. Use least privilege access.
    6. Assume breach.

      Regarding your concern about allowing OneDrive sync to personal PC/Mac without robust mitigation controls in place, it’s important to note that containerization and encryption are just two of many mitigation controls that should be in place to protect your content. While DLP scans and event logging are useful reactive measures, they do not provide complete protection against cyberattacks.

      I would recommend that you consider implementing additional proactive measures such as:

      1. Conditional Access: This feature allows you to control access to your organization’s resources based on specific conditions such as location, device compliance, and risk level.

      2. Data Loss Prevention (DLP): This feature helps you identify and protect sensitive information across Microsoft 365 apps and services.

      Microsoft Defender for Endpoint: This feature provides endpoint protection against cyber threats.

      3. Microsoft Cloud App Security: This feature provides visibility into cloud applications and services used in your organization.

     

    If I have answered your question, please mark your post as Solved

    If you like my response, please give it a Like :smile:

    Appreciate your Kudos! Proud to contribute! 🙂
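
The Conditional Access measure named in the reply above, applied to the question's OneDrive sync scenario, as an added example that is not part of the original post: a report-only policy, created with the Microsoft Graph PowerShell SDK, that requires a compliant or hybrid-joined device for desktop and mobile clients (which includes the OneDrive sync app) reaching SharePoint Online/OneDrive. The display name and the emergency-access group ID are assumptions and placeholders to replace with your own values.

```powershell
# Added example, not from the original thread.
# Requires the Microsoft.Graph.Identity.SignIns module and an admin able to consent to the scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Placeholder: object ID of your emergency-access (break-glass) group.
$breakGlassGroupId = "<object-id-of-emergency-access-group>"

$policy = @{
    # Hypothetical name chosen for this example.
    displayName = "EXAMPLE - Require managed device for OneDrive/SharePoint clients"

    # Report-only: sign-ins are evaluated and logged, nothing is blocked yet.
    # Review the sign-in logs before switching the state to "enabled".
    state = "enabledForReportingOnly"

    conditions = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            # Office 365 SharePoint Online, which also covers OneDrive for Business.
            includeApplications = @("00000003-0000-0ff1-ce00-000000000000")
        }
        # Desktop and mobile apps using modern authentication, including the sync client.
        # Browser access is left out of scope here and needs its own policy.
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }

    grantControls = @{
        # Either control satisfies the policy: Intune-compliant OR hybrid-joined device.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm what was stored in the tenant.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State, Id
```

A personal PC or Mac that is neither Intune-compliant nor hybrid-joined will show as failing this policy in the sign-in logs while it is in report-only mode, which gives a measure of the impact before enforcement.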

     
