Too much information. In the working world, it’s a good way to describe the sprawl of data that overwhelms us every day. In our personal lives, “TMI” is a snarky way to signal that someone’s revealed more than they needed to.
In the world of M365, too much information is a little of both. The data in your environment has a habit of skyrocketing during the course of day-to-day business. And without the right guardrails in place, it also tends to get shared indiscriminately.
So what’s an IT admin to do about sensitive data leaking out both to employees that shouldn’t have access and to the public at large? The answer to that—and a number of other security and governance concerns—is Orchestry’s Intelligent Recommendations feature. It does exactly what the name implies—gives you guidance on actions you can take to make your M365 environment more efficient and, perhaps more importantly, more secure. And today, we’re going to dive into three recommendations we’ve added to Orchestry.
Curious how Orchestry’s Recommendations feature can help with management, governance, adoption, and security? Download our Recommendations features sheet
Sometimes, when you’re creating a shared link, you want to make it as easy as possible for someone to retrieve a file. In many cases, that’s not a problem. You may have an RFP template that doesn’t contain any sensitive info and gets shared outside your company regularly. These kinds of shares are well-served by “anyone” links, which grant access to, well, anyone who clicks on the link. So if an email containing one of these links gets forwarded to someone new, there’s no harm in them seeing the linked file.
But what if someone wants to share a financial report with someone else in your company? Anyone links are not the best idea. In fact, they’re a downright awful idea.
Without thinking twice, the recipient could forward an email with information they do want to share, save for the link pasted at the bottom. Now they’ve opened up sensitive information not just to the person they’ve emailed, but also anyone that person chooses to forward the email to. It can cause all kinds of nightmare scenarios, from trade secret theft to compliance woes to security breaches.
Clearly, there’s a lot at stake with creating anyone links. So if you absolutely need them, we’ve added a recommendation that they should require restricted access and an expiration date by default to minimize potential damage.
We’ve also added a separate recommendation that will appear whenever recently created anyone links appear in a new workspace. We’ll encourage you to review these links regularly to make sure only non-confidential information is being shared.
While anyone links are one of the most obvious security gaps, other sharing issues can crop up. We’ve addressed two more of these with new recommendations. First up is one for workspaces with an unsafe default sharing link type. If your environment sets access for newly created shared links to a large audience, we’ll encourage you to make the default more restrictive. As with anyone links, security best practice is to always limit data access to the smallest audience necessary.
Yet another sharing problem that can rear its ugly head is the ability of guests to share items they don’t own. It’s fairly easy to see why this is a problem. Generally speaking, guests aren’t as aware of your security policies as internal users. Especially when you’re subject to regulatory compliance, keeping a tight grip on who is allowed to share is critical. So when Orchestry detects that guests can share others’ items, we’ll suggest you adjust settings accordingly.
There should always be someone in charge of enforcing organizational rules and policies for every corner of your M365 environment. That means that every workspace in your tenant should have an owner, full stop. But as people leave your company—and get deprovisioned—you’ll likely end up with orphaned workspaces.
In addition to the lack of accountability for these workspaces, any content in them that’s accessible via shared links are trouble. Without someone watching over the workspace, these links can give access to people that shouldn’t have access.
Now, if someone creates a shared link for a file or folder in an ownerless workspace, we’ll recommend you assign an owner. By calling your attention to them, we’re helping you prioritize the ownerless workspaces most in need of owners.
That’s not all. Microsoft considers the use of sensitivity labels a best practice. They’re an efficient way to automatically apply security policies to data at scale. So when we notice a workspace with no container-level sensitivity label in place, we’ll recommend adding one. It's a good habit to have and will only grow in importance as M365 adds new features, like one rarely mentioned one called Copilot.
Want to know more about Orchestry’s Recommendations feature, and how it can help with management, governance, adoption, and security? We highly recommend you download our Recommendations features sheet for a deeper dive.