SOLVED

Securely Transferring Data from Company O365/M365 to Customers/Partners


What options are available to securely transfer data/documents from company-managed Office 365 (commercial, GCC, or GCC High) environments and customer/partner ones?  I realize the data could always stay in one environment to avoid this problem, but what Microsoft options exist to 'deliver' CUI to customers securely?

3 Replies

@MichaelKing are you asking about bulk transfers or individual files?

Either/both @Dean Gross -- I'm more interested in individual files to start with 

best response confirmed by Sarah.Gilbert (Community Manager)
Solution

@MichaelKing There are a number of caveats to your question when it comes to CUI, such as whether the system I'm sending data to is certified/approved for accessing/processing CUI information.  Without delving into those scenarios and specialized cases, here are two general ways you can share information with partners.  As always, we would recommend you review these against your company's security position to determine which scenarios you could or would be willing to support.

 

Option 1 - Share from your service(s)

As you mentioned, you could always use capabilities like OneDrive & SharePoint to maintain the data within your organization's services and grant external partners access to the information.  This would allow your organization to control how the partner authenticates (do they MFA before accessing, etc.), apply least-privileged permissions, and ensure the information stays within the appropriate information boundary.

 

Option 2 - Sensitivity Labels / Information Protection

You could consider using Sensitivity Labels (or legacy AIP labels) with encryption.  Protection labels like these are free for your partner to consume information from, so they can receive protected content without needing a protection labeling license, and this allows the more traditional sharing of content via email attachment.  You can also control what the user can do with the content, like print/copy & paste, etc., and limit their ability to further share the information.  The challenge here is that just sending the data encrypted does not necessarily prevent it from being stored or hosted on a non-compliant environment, thus resulting in a DFAR/ITAR/CJIS/etc. spill.  So this is really where you need to work with your partner and your security team for an acceptable approach.

 

Crossing the Clouds

Due to the compliance requirements of the GCCH cloud, there is no support for using an identity from Commercial or GCC to access a GCCH tenant/service, or vice versa.  This is a major ask by many of my customers as well as the user voice forums, and it is something Microsoft is investigating, but we do not have any information we can share at this time.

 

Cross Sovereign Impact on Option 1 and 2

Currently, if we are trying to share across the clouds, neither scenario (host in your environment, or Sensitivity Labels) will work because of the cloud isolation.  So, what we have seen is that customers will use the traditional method of providing partners with a "Partner Account" that is either synced from their on-premises partner AD to Azure AD, or a cloud-only account created directly in Azure AD to grant the partner the access they need.
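The admin-side configuration behind the answer above, as an added example that is not part of the original post or of Microsoft's own guidance: it hardens SharePoint/OneDrive external sharing for Option 1 (authenticated guests only, allow-listed partner domain, view-only direct links, guest expiry, MFA via Conditional Access), creates an encrypting sensitivity label for Option 2 that grants the partner view-only rights, and provisions the cloud-only "Partner Account" described for the cross-cloud case. The tenant name (contoso), partner domain (partner.example), label name, group ID and account names are assumptions; substitute your own. The cmdlets are from the SharePoint Online Management Shell, Microsoft.Graph and ExchangeOnlineManagement modules, and the GCC High endpoints are shown in comments where they differ from commercial.

```powershell
# Added example (not from the original post). Tenant, domain, label and account names are hypothetical.

# ---------- Option 1: keep the data in your tenant and harden external sharing ----------
# Install-Module Microsoft.Online.SharePoint.PowerShell
# GCC High: admin URL ends in .sharepoint.us and needs -Region ITAR; commercial/GCC omit -Region.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.us' -Region ITAR

$sharing = @{
    SharingCapability                          = 'ExternalUserSharingOnly'  # authenticated guests only, no anonymous links
    RequireAcceptingAccountMatchInvitedAccount = $true                      # invitation redeemable only by the invited identity
    SharingDomainRestrictionMode               = 'AllowList'
    SharingAllowedDomainList                   = 'partner.example'          # assumed partner domain; nothing else can be invited
    DefaultSharingLinkType                     = 'Direct'                   # links name specific people, not "anyone in org"
    DefaultLinkPermission                      = 'View'                     # least privilege by default; edit is granted explicitly
    PreventExternalUsersFromResharing          = $true                      # partner cannot re-share what you gave them
    ExternalUserExpirationRequired             = $true
    ExternalUserExpireInDays                   = 30                         # guest access lapses unless an owner renews it
}
Set-SPOTenant @sharing

# Require MFA for all guests hitting SharePoint/OneDrive. Report-only first, then flip state to 'enabled'.
# Install-Module Microsoft.Graph; Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','User.ReadWrite.All','GroupMember.ReadWrite.All'
# GCC High: Connect-MgGraph -Environment USGov
$caPolicy = @{
    displayName   = 'Guests: require MFA for SharePoint and OneDrive'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('GuestsOrExternalUsers') }
        applications = @{ includeApplications = @('00000003-0000-0ff1-ce00-000000000000') }  # Office 365 SharePoint Online
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# ---------- Option 2: sensitivity label with encryption, partner gets view-only ----------
# Install-Module ExchangeOnlineManagement; Connect-IPPSSession
# GCC High: Connect-IPPSSession -ConnectionUri 'https://ps.compliance.protection.office365.us/powershell-liveid/' `
#                               -AzureADAuthorizationEndpointUri 'https://login.microsoftonline.us/common'
$label = @{
    Name                                        = 'CUI-Partner-Restricted'   # hypothetical label name
    DisplayName                                 = 'CUI - Partner Restricted'
    Tooltip                                     = 'CUI released to an approved partner. View only; no print, copy or forward.'
    ContentType                                 = 'File, Email'
    EncryptionEnabled                           = $true
    EncryptionProtectionType                    = 'Template'                 # admin-defined rights, not user-chosen
    # Format is "identity:RIGHT,RIGHT;identity:RIGHT". VIEW + VIEWRIGHTSDATA is read-only; leaving out
    # PRINT, EXTRACT (copy/paste), EDIT and FORWARD enforces the restrictions the answer describes.
    EncryptionRightsDefinitions                 = 'partner.example:VIEW,VIEWRIGHTSDATA;cui-owners@contoso.example:OWNER'
    EncryptionOfflineAccessDays                 = 7                          # partner must re-authenticate weekly to keep access
    EncryptionContentExpiredOnDateInDaysOrNever = 'Never'
}
New-Label @label
New-LabelPolicy -Name 'CUI-Partner-Restricted-Policy' -Labels 'CUI-Partner-Restricted' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All

# ---------- Cross-cloud: cloud-only "Partner Account" in your own tenant ----------
# For when the partner's identity lives in another cloud (e.g. Commercial -> GCC High) and guest access is not possible.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)   # one-time value, delivered out of band, rotated at first sign-in

$partner = @{
    DisplayName       = 'Partner - Jane Doe (ACME)'
    UserPrincipalName = 'partner-jdoe@contoso.example'   # lives in YOUR domain; the partner's own identity is never federated
    MailNickname      = 'partner-jdoe'
    UsageLocation     = 'US'
    AccountEnabled    = $true
    PasswordProfile   = @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }
}
$acct = New-MgUser @partner

# Grant access only through a group scoped to the partner site; never direct site-collection admin.
$partnerGroupId = '00000000-0000-0000-0000-000000000000'   # assumed: security group with read access to the partner site
New-MgGroupMember -GroupId $partnerGroupId -DirectoryObjectId $acct.Id
```

Two caveats a practitioner should note. The Conditional Access policy above targets guests; a cloud-only partner account is a member, so it must be covered by a separate MFA policy (or by including the partner group in this one). And, as the answer says for Option 2, the label controls what an authenticated recipient can do with the file, not where the encrypted bytes land; the allow-listed domain and the OFFLINE re-authentication window narrow exposure but do not by themselves keep the content inside a compliant boundary.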
