TL;DR:
Cloud collaboration suites like M365 allow users to share access without IT oversight. As a result, the heavy use of sharing features far outstrips security and compliance efforts. Organizations have lost track of what their users are sharing – leaving sensitive data at risk. Since native M365 tools offer no visibility into this problem, organizations are forced to find workaround solutions or invest in third-party tools that provide the necessary features, such as the sharing controls offered by tenfold.
Over the past decade, cloud collaboration tools like Microsoft 365 have become an integral part of office life. From one-on-one chats to video calls, cloud documents and live editing, it’s never been easier to share information with others. In fact, transitions such as the shift towards remote work and hybrid setups would not have been possible without the help of technologies like these to keep us connected.
Yet for all the benefits of this radical transformation, cloud sharing comes with its own set of risks. By giving your staff the means to freely share documents with coworkers, clients, and business partners, Microsoft 365 has put incredible power in the hands of end users – at the cost of IT oversight. Your security team simply cannot keep up with the hundreds of files being shared back and forth each day, nor does Microsoft 365 provide them the tools to do so. The result is that in most organizations, cloud sharing goes entirely unmanaged.
The Risks of Unmanaged Sharing
Even if your users are acting with the best of intentions, an environment without effective safeguards inevitably leads to unwanted access that endangers sensitive information. Problematic sharing often starts out innocently, with access that was granted for a clear reason, but persists longer than intended.
For example, say you bring in a freelancer to help on a project and share the project folder with them. Their contract ends, but nobody remembers to remove their access. And that folder? It continues to be used and filled with more and more internal company data.
Perhaps you’ve run into similar situations yourself:
- You book an event planning agency and set up a spreadsheet to coordinate. Later on, you switch to a different agency but keep using the same spreadsheet.
- Your accounting team uploads documents to their Teams channel, including sensitive contracts. They do not realize that new members added to this team can access all uploaded documents through the Files tab.
- You set up a SharePoint folder to share files with one of your business partners. Over time, team members begin storing other files in this folder, forgetting who else has access to it.
- You ask a client to look over an agreement and send a sharing link via email. The link is open to anyone, and the client mistakenly forwards it to the wrong person.
Whether it’s a sharing link accessed by the wrong person or a guest account that never gets removed, the end result is the same: sensitive data is exposed, leaving your organization vulnerable to cloud data leakage. To control this risk, organizations need to know what is being shared across their entire M365 tenant.
No Suitable Reporting Tools Within M365
One major driving force behind unmanaged cloud sharing is the lack of suitable reporting tools. While Microsoft 365 makes it very easy to share content with others, figuring out what your users are sharing is much more challenging. Information is split across SharePoint sites, Teams channels and users’ personal OneDrives with no centralized reporting options.
Microsoft 365 offers no suitable controls to govern cloud sharing in depth. Organizations can set up generic restrictions such as blocking external sharing, but this goes against the core use case of a cloud collaboration suite. Audit and access review features, which are included in the paid add-on Entra ID Governance, focus only on licenses and group memberships, not shared content. This leaves organizations in the dark as to what their users are sharing – conditions ripe for unwanted access and leaked data.
Short-term Remedies: Sharing Policies, Link Settings, Raising Awareness
While visibility into shared content is sadly missing from the Microsoft 365 toolbox, the cloud suite offers some basic guardrails for its sharing features. To make the most of these available options, organizations should:
- Make sure users understand how different modes of sharing affect who has access (sharing links, one-on-one chats, Teams channels, SharePoint sites, etc.).
- Block the creation of Anyone-links and require external users to verify their identity prior to accessing shared files.
- If Anyone-links are necessary, adjust sharing policies to restrict their permissions and set a fixed expiration time.
- Encourage users to set expiration times on all sharing links, even though mandatory enforcement is currently limited to Anyone-links.
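The tenant-level link settings from the list above can be applied with the SharePoint Online Management Shell. The script below is an added example, not part of the original article or any vendor's tooling; the tenant URL is a placeholder and the day counts are assumed values.

```powershell
# Added example. Requires the Microsoft.Online.SharePoint.PowerShell module and a
# SharePoint administrator account. Tenant URL and day counts are assumptions.
param(
    [string]$AdminUrl = 'https://contoso-admin.sharepoint.com',  # placeholder tenant
    [switch]$AllowAnyoneLinks,         # pass only if Anyone-links are a business need
    [int]$AnyoneLinkExpiryDays = 14,   # assumed value; the article names no number
    [int]$GuestReverifyDays = 30       # assumed value
)

Connect-SPOService -Url $AdminUrl

$watched = 'SharingCapability', 'RequireAnonymousLinksExpireInDays',
           'FileAnonymousLinkType', 'FolderAnonymousLinkType',
           'EmailAttestationRequired', 'EmailAttestationReAuthDays'

# Record the current values first so the change can be reviewed or rolled back.
Get-SPOTenant | Select-Object $watched | Format-List

if ($AllowAnyoneLinks) {
    # Anyone-links stay available, but are view-only and expire automatically.
    $settings = @{
        SharingCapability                 = 'ExternalUserAndGuestSharing'
        RequireAnonymousLinksExpireInDays = $AnyoneLinkExpiryDays
        FileAnonymousLinkType             = 'View'
        FolderAnonymousLinkType           = 'View'
    }
} else {
    # No Anyone-links: external recipients must sign in or enter a verification code.
    $settings = @{ SharingCapability = 'ExternalUserSharingOnly' }
}

# Guests using one-time passcodes must re-verify after the given number of days.
$settings.EmailAttestationRequired   = $true
$settings.EmailAttestationReAuthDays = $GuestReverifyDays

Set-SPOTenant @settings

# Read the settings back to confirm what the tenant now enforces.
Get-SPOTenant | Select-Object $watched | Format-List
```

Individual sites can be configured more restrictively than the tenant value, but not more permissively.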
The Long-term Solution to Sharing Risks: In-depth Visibility and Automated Audits
Unfortunately, the restrictions Microsoft 365 offers for its cloud sharing features are a band-aid solution and not fine-grained enough to address the larger problem. To effectively protect their cloud data, organizations need in-depth visibility into what is being shared, as well as the right tools to identify and revoke outdated cloud access.
A comprehensive approach to shared content governance would require:
- A centralized reporting hub for content shared through Teams, OneDrive, & SharePoint
- Highlighting for notable permissions such as access outside of the current Team/channel
- Detailed filters allowing orgs to focus on specific apps or external/internal sharing
- Access reviews for shared content to determine whether access is still needed
- A streamlined review process with personalized dashboards and automated enforcement
- A full audit trail of all changes, requests and reviewer decisions
With tenfold, we have built the first Identity Governance solution to offer this level of in-depth control over Microsoft 365 sharing. Alongside classic IGA features such as Lifecycle Management and Role-based Access, our platform offers detailed controls for shared content in M365 – from a central overview showing you exactly what is being shared to customizable access review policies requiring users or team leads to confirm if cloud access is still relevant. To learn more about this groundbreaking approach to M365 governance, book a personal demo of our cloud sharing controls today.