May 16 2021 07:18 PM
We have a document library in SharePoint Online which will contain confidential information.
How can we reduce security risks?
For starters, MFA is enforced for all users that have access to this document library.
My biggest concern, however, is the entire document library getting synced to a laptop and that laptop getting stolen. Files-on-demand greatly reduces this risk: only the documents that were worked on by that employee would be downloaded to the hard disk. This may be an acceptable risk, but is there a way we can force the document library to be set to "Online-only files" and prevent them from setting the entire document library to "Always keep on this device"?
One safer alternative to OneDrive app sync would be to map a network drive to a SharePoint library. That way, they see it in Windows File Explorer as if it's a file share, but the information is never copied to their local machine. However, Microsoft says: "this is legacy technology and it may be affected by the deprecation of Internet Explorer in August 2021". What would be the equivalent alternative?
I understand there are pretty good controls over OneDrive with group policy, however, some of our Windows computers that will be using these document libraries are not joined to AD.
I understand "Search and offline availability" can be disabled, but users want to be able to access the documents through Windows File Explorer, and not via the web interface. Users also need to work directly on spreadsheets using their local Excel app installations, not the limited online Excel. Is it possible to use locally installed Excel on Windows to edit spreadsheets in a document library when "search and offline availability" is disabled?
Any recommendations on how to best secure document libraries when a requirement is for users to access the files through Windows File Explorer?
May 16 2021 10:55 PM - edited May 16 2021 11:20 PM
This is an area not many folks are concerned about but they should be. Good to see you are aware of this.
Summary: this is not an easy problem to fix.
Paul | SLIM Applications
May 23 2021 05:55 PM
Thanks for your advice @Paul_HK_de_Jong
I think we will have to join those laptops that need access to an AD domain and then use OneDrive sync domain restriction: https://docs.microsoft.com/en-us/onedrive/allow-syncing-only-on-specific-domains, plus the many group policy options to secure it.
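
The tenant-side setting behind the link in the last post, as an added example that is not part of the thread. The admin URL is a placeholder, and the script assumes it runs on a domain-joined machine with the ActiveDirectory and SharePoint Online Management Shell modules installed.

```powershell
# Added example: allow OneDrive sync only from PCs joined to the listed AD domains.
# Assumptions: $AdminUrl is a placeholder; the account running this can read
# the forest and is a SharePoint administrator in the tenant.
Import-Module ActiveDirectory
Import-Module Microsoft.Online.SharePoint.PowerShell

$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder tenant admin URL

# Collect the objectGUID of every domain in the forest. The sync restriction
# matches on these GUIDs, not on domain names.
$domainGuids = foreach ($domain in (Get-ADForest).Domains) {
    (Get-ADDomain -Identity $domain).ObjectGUID.ToString()
}

# Stop before touching the tenant if no GUID was found: enabling the
# restriction with an empty allow list would stop sync for every device.
if (-not $domainGuids) {
    throw 'No domain GUIDs found; tenant setting left unchanged.'
}

Connect-SPOService -Url $AdminUrl

# The cmdlet takes the allowed GUIDs as one semicolon-separated string.
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids ($domainGuids -join '; ')

# Read the setting back to confirm what the tenant now enforces.
Get-SPOTenantSyncClientRestriction
```

Once enabled, the sync app on a PC that is not joined to one of the listed domains can no longer sync, so the laptops need to be joined before the setting is switched on.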