Employees are the source of corporate information. They constantly create documents and data records, generating gigabytes of corporate information every single day, and that information needs to be protected. Many organizations trust Office 365 and SharePoint Online as a secure platform to run their corporate intranet. This puts some pressure on Office 365 to ensure that sensitive corporate information is not just securely stored, but also handled in compliance with stringent regulations and laws (such as those enforced by FINRA). The new Information Barriers policies for Office 365 (Microsoft Teams now, SharePoint soon) help administrators achieve just that.
Before we dive into the new Information Barriers feature in Office 365, let’s first spend a few moments on Information Protection and examine what it means for organizations. The obvious choice to protect information within a corporate intranet is using access permissions. With access permissions, organizations can decide which user has access to which site. For example, in an organization with a legal department, only a narrow group of users will need access to the sites of this department.
Besides access permissions, Office 365 and SharePoint Online provide additional options to protect sensitive corporate information such as Retention Policies, Data Loss Prevention, Azure Information Protection, and Compliance Sensitivity Labels. These features ensure that corporate information stays protected within the organization and control access to specific documents.
When they are well configured, organizations are in an excellent position to keep data and documents safe. However, for some organizations, that might not be enough.
Although security options provide a significant level of protection, there are some limitations you need to be aware of. The most apparent threat to Information Protection is what I like to call the human factor. For instance, there is no technical way to protect corporate information if employees meet outside of the organization and, for example, verbally share sensitive information.
And even when it is available, technology comes with some limitations too.
For instance, a user who does not have access to a specific site may obtain sensitive files from a user who does. While a sharing invite does not grant access to the entire site, the user who receives the invite can open, download, and potentially edit the document. This means that even when strict access permission policies are in place, the SharePoint sharing mechanism can be used to bypass them quite effortlessly. External sharing can of course be disabled in SharePoint Online, but because SharePoint was built around sharing information in the first place, internal sharing cannot be disabled. This is just one example of how corporate compliance policies can be sidestepped.
Another example is online chats and remote meetings initiated via Microsoft Teams. Even if a user does not have access to a particular site, this user may still be invited to join the team chat, thus getting information that shouldn’t be shared with anyone else outside of the defined team.
Finally, access permissions can sometimes be accidentally given to the wrong person. This happens surprisingly often when a couple of people in the organization share the same name. Mistakes are a part of human nature, and sometimes, they are hard to avoid.
For many companies, these limitations are not necessarily critical. With trust and appropriate employee education about the importance of the company’s compliance policies, companies can do a lot to protect their sensitive information. However, some organizations must follow stringent compliance and security stipulations and laws. For those, being able to bypass a policy by simply sharing a document is a severe threat.
This is when the new Information Barriers come into play. With Information Barriers, organizations can encapsulate or separate specific corporate entities from the rest of the organization, even though all corporate entities share the same corporate intranet and technically, the same Office 365 tenant.
Let’s see what this means. At the beginning of this blog post, I explained why even strict access permissions might not be enough for some organizations. Sharing, the feature that makes SharePoint great, can be used as a loophole to bypass policies.
Information Barriers policies in SharePoint and OneDrive for Business go much further, because they prevent users from sharing documents with anyone outside of a specific corporate entity. But that’s not all: users of an encapsulated corporate entity won’t even be able to look up users of a different department in the people picker.
This is because Information Barriers make each segment in SharePoint and OneDrive for Business behave like a separate (logical) tenant, even though the organization technically uses just a single tenant. The following screenshot shows an example of what this might look like in SharePoint:
Now that we know how Information Barriers will work in SharePoint and OneDrive for Business, let’s see how these Information Barrier Policies can be configured.
Information Barriers rely on user account attributes defined in Azure Active Directory. These attributes can include information like department, job title, location, and team name. Organizations create segments based on these user account attributes. A segment can be an entire corporate entity, but also a group of users (like all users with the job title ‘Financial Advisor’). The concept of segments is very flexible because it is based on user account attributes. The attributes are defined in Azure Active Directory, but the segments are defined in the Office 365 Security & Compliance Center. With segments defined, Information Barrier policies can be created in two flavours: policies that block communication between segments, and policies that allow communication only with specific segments. Note that one barrier usually requires two policies, one for each direction. There is a significant limitation, though: a user can only be part of one (1) segment (as of December 2019), so the segment filters must not overlap.
Creating segments and Information Barrier policies require thoughtful and thorough planning as Information Barriers are rigorous policies, which have a massive impact on users and the entire organization. Microsoft provides an Excel-based workbook, which organizations can use to create and configure policies. The workbook also offers support for managing policies via PowerShell. You can download the workbook here.
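The following PowerShell session is an added example written for this post, not code from the original article or from Microsoft's workbook. It walks through the steps described above: connect to Security & Compliance Center PowerShell, create two segments from the Department attribute, verify that the two segments do not overlap (the one-segment-per-user rule), create a two-way Block policy, activate it, and check the application status. The tenant name, the admin account, the department values ‘Investment Banking’ and ‘Research’ and the user analyst@contoso.onmicrosoft.com are assumptions.

```powershell
# Added example (not from the original post): create two disjoint segments,
# check them for overlap, then create and activate a two-way Block policy.
# Assumes: Office 365 E5, an account holding the Compliance Administrator or
# IB Compliance Management role, audit logging enabled, and no Exchange
# address book policies in the tenant. Tenant, account, department values
# and the checked user below are hypothetical.

# Security & Compliance Center PowerShell via the Exchange Online PowerShell V2 module
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName compliance.admin@contoso.onmicrosoft.com

# 1. Segments are filters over Azure AD attributes. Keep the filters disjoint:
#    a user may belong to exactly one segment.
$segments = @{
    'Investment Banking' = "Department -eq 'Investment Banking'"
    'Research'           = "Department -eq 'Research'"
}

# 2. Overlap check before any policy exists. A user matched by two filters would
#    otherwise surface later as a policy application error.
$members = @{}
foreach ($name in $segments.Keys) {
    $members[$name] = @(Get-Recipient -ResultSize Unlimited -Filter $segments[$name] |
                        Select-Object -ExpandProperty PrimarySmtpAddress)
}
$overlap = @($members['Investment Banking'] | Where-Object { $members['Research'] -contains $_ })
if ($overlap.Count -gt 0) {
    throw "Segments overlap for: $($overlap -join ', ')"
}

# 3. Create the segments (idempotent: skip any that already exist).
foreach ($name in $segments.Keys) {
    if (-not (Get-OrganizationSegment -Identity $name -ErrorAction SilentlyContinue)) {
        New-OrganizationSegment -Name $name -UserGroupFilter $segments[$name] | Out-Null
    }
}

# 4. Policies are created Inactive. One policy per direction gives a full barrier;
#    -SegmentsAllowed instead of -SegmentsBlocked would express an Allow policy.
New-InformationBarrierPolicy -Name 'IB-Block-Research' `
    -AssignedSegment 'Investment Banking' -SegmentsBlocked 'Research' -State Inactive
New-InformationBarrierPolicy -Name 'Research-Block-IB' `
    -AssignedSegment 'Research' -SegmentsBlocked 'Investment Banking' -State Inactive

# 5. Activate and apply. Application runs asynchronously and can take 30 minutes or more.
Set-InformationBarrierPolicy -Identity 'IB-Block-Research' -State Active
Set-InformationBarrierPolicy -Identity 'Research-Block-IB' -State Active
Start-InformationBarrierPoliciesApplication

# 6. Watch progress, then spot-check which segment and policy a given user ended up with.
Get-InformationBarrierPoliciesApplicationStatus
Get-InformationBarrierRecipientStatus -Identity analyst@contoso.onmicrosoft.com
```

Run the overlap check (step 2) before creating anything, and re-run it whenever the Azure AD attributes that drive the filters change: a user whose department is updated into a second segment will break the one-segment rule without any warning from the directory side. Step 6 is the check to repeat after each attribute change as well, because `Start-InformationBarrierPoliciesApplication` must be run again for the new assignment to take effect.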
The following two screenshots show how you can create segments and policies in the Office 365 Security and Compliance Center:
In the previous section of this blog post, we looked at options to secure SharePoint and OneDrive for Business. Still, other applications in Office 365 allow communication and collaboration between users of different corporate entities, Microsoft Teams in particular. Since Microsoft Teams stores its files in SharePoint Online under the hood, some protection already exists there, but it may not be enough. Information Barriers in Microsoft Teams offer added security for chats, calls and meetings.
Microsoft Teams allows users to communicate with each other. But in a strictly regulated environment, this kind of electronic communication needs to be secured by policies. Information Barriers in Microsoft Teams can be used to prevent team members from communicating with other teams and sharing documents. Also, Information Barriers can be used to encapsulate a team in Microsoft Teams entirely, restricting communication to that team only. All communication, including sharing with anyone outside of that team, can be blocked.
But, there’s more you can do to secure and monitor information exchange in Microsoft Teams. Information Barrier policies can also be applied to the following:
The next screenshot shows how Information Barrier policies are activated in Microsoft Teams:
Information Barriers can be very restrictive, and organizations should be fully transparent regarding the implementation of Information Barriers in Office 365. The entire staff (including new hires) need to know about the existence of Information Barrier policies and how these policies will affect their daily business. Educational workshops, recorded training sessions and tailored communication are an absolute must. Regarding the user experience, there are many areas where Information Barriers affect the regular usage of SharePoint. Here are some examples:
Technically, Information Barriers affect employees whenever they collaborate or try to get in touch with each other. Most, if not all, of the collaboration and information sharing features in SharePoint, OneDrive for Business and Microsoft Teams will be affected or restricted by Information Barriers. A full list of what users will experience when another user is blocked by an Information Barrier policy can be found here. The following screenshots show what this looks like in Microsoft Teams. The left screenshot shows the user experience when trying to add a blocked user to a channel; the right screenshot shows the user experience when trying to send a message directly to a blocked user:
To be able to use Information Barriers, organizations require an Office 365 E5 license. The following roles can create Information Barrier policies:
My recommendation is to split administrative tasks in Office 365 across multiple roles. Each role in Office 365 (including the new Global Reader role) is meant to be used for a specific task only. This follows the principle of least privilege and adds a layer of protection around sensitive administrative activities in Office 365. I know that many organizations use the Global Administrator role for all configuration tasks, but that is definitely not best practice and it weakens security. Organizations should assign the Compliance Administrator role or the IB Compliance Management role to specific users and use only those roles to manage Information Barrier policies.
Information Barriers are rolling out now, but as of January 2020 they are only available in Microsoft Teams. Information Barriers for SharePoint and OneDrive for Business are still in development and are expected to roll out later in Q1/2020. If you are interested, there is a Preview Program you can subscribe to.
Information Barriers are a great addition to the existing Security and Compliance policies in Office 365. While they do contradict the original idea behind SharePoint (after all, it is called SharePoint), they come in response to a growing demand for advanced security policies. Once Information Barriers are fully supported in Office 365, they will be welcomed by organizations that need to follow strict Security and Compliance regulations.
Organizations should not underestimate the implications of Information Barriers as they will drastically impact the daily tasks of the entire staff. Reason enough to start planning now – even though Information Barriers won’t be available in SharePoint and OneDrive for Business until later in Q1/2020. Planning means not just thinking about potential policies. Implementing Information Barriers comes with an entire process of activities – beginning with checking potential legal regulations. The implementation process also includes roles and responsibilities, identifying segments, communication to the staff, reviewing existing business processes, defining policies, training, user adoption, change management, etc.
If your organization needs to implement Information Barrier policies, I recommend starting now to ensure you have enough time to plan the entire implementation carefully and thoughtfully, as Information Barriers will change how your organization works today.
At DevFacto we are already working on guidelines, best practices, and recommendations to support our customers regarding Information Barriers in Office 365.