I have met a lot of customers who have hesitated to enable external guest invitations in Teams (and SharePoint/OneDrive). In every case the concern is information leakage: "What if our users invite outsiders who then get access to sensitive information?"
The solution in all these scenarios is classification and protection.
If the information is classified correctly, and sensitive information is protected based on that classification, we mitigate the risk of leakage: access follows the content itself rather than the site it happens to be stored in.
Let's walk through an example scenario.
The business requirements
This organization wants to be able to invite external guests.
They have a couple of projects that need to include external users, and those users also need access to sensitive project information.
They also have internal information that must be blocked for external users. In addition, there are internal SharePoint and Teams sites that must not allow external guests at all.
Let's start with the last business requirement, where we need to define which sites should allow external invites.
Based on the classification of the site itself we can define whether external invites are allowed or not. In this scenario, Confidential sites allow external invites while Secret sites do not.
More about what happens behind the scenes can be read in my previous post.
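As an added example (not code from the original post), the following PowerShell enforces the rule above from the admin side: it reads the classification of every Office 365 Group and sets the external sharing capability of the group's SharePoint site to match. It assumes the classification values "Confidential" and "Secret", a tenant admin URL of https://contoso-admin.sharepoint.com, and that the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed; the mapping itself is the assumed policy, not something the post prescribes.

```powershell
# Added example, not from the original post.
# Assumed: classification values "Confidential" and "Secret" already exist in the
# Azure AD group classification list, and the tenant is "contoso".
Connect-ExchangeOnline
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Assumed policy: Confidential sites may invite guests (who must sign in),
# Secret sites allow no external sharing at all.
$sharingByClassification = @{
    "Confidential" = "ExternalUserSharingOnly"   # authenticated guests only, no anonymous links
    "Secret"       = "Disabled"                  # no external sharing
}

Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.SharePointSiteUrl -and $_.Classification } |
    ForEach-Object {
        $wanted = $sharingByClassification[$_.Classification]
        if (-not $wanted) {
            # A classification we have no rule for: leave the site alone, but say so.
            Write-Warning "$($_.DisplayName): unknown classification '$($_.Classification)', site unchanged"
            return
        }
        $site = Get-SPOSite -Identity $_.SharePointSiteUrl
        if ($site.SharingCapability -ne $wanted) {
            Write-Host "$($_.DisplayName) [$($_.Classification)]: $($site.SharingCapability) -> $wanted"
            Set-SPOSite -Identity $_.SharePointSiteUrl -SharingCapability $wanted
        }
    }

# Check: any Secret site that still allows external sharing is a policy gap.
Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.Classification -eq "Secret" -and $_.SharePointSiteUrl } |
    ForEach-Object { Get-SPOSite -Identity $_.SharePointSiteUrl } |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability
```

Two caveats a practitioner will hit: a site's sharing capability can never be more permissive than the tenant-level setting, so the tenant must allow external sharing for the "Confidential" mapping to take effect, and the site setting only governs SharePoint sharing; whether guests can be invited into Teams at all is controlled separately by the Teams guest access switch and the Azure AD B2B settings.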
Let's focus on an example of a sensitive project that should only be accessible to the project members (both internal and external users).
This is Project Delta.
The project leader, Peter, can invite members (because this site is classified Confidential), and in this case he invites an external account via Azure AD B2B.
The external users get an invite and are able to access this Team site.
When we look at the information stored on this Teams site, the user can easily see how each file is classified.
The classification also drives the protection and access control of these files.
The external user can open information that is classified as, and protected for, Project Delta.
If he downloads these documents, the local copy stays protected and is still accessible only to Project Delta members; the rights travel with the file, not with the site it was downloaded from.
The external user also has access to documents carrying the default Business classification, but is blocked from opening Confidential or Secret information that is protected for internal use only.
In the background we have the following setup:
An Office 365 group was created automatically in the back end when the Project Delta Team was created.
The same group also grants access to the SharePoint site that backs the Project Delta Team.
This group is then used as the principal that is granted rights by the protection applied with the Project Delta label, so a guest who is a member of the Team is, by the same membership, allowed to open the protected files.
With this setup the project leader can meet the business requirements.
Based on the site classification he can create a Teams site that allows external guests to be invited. He can also make sure that information for the Delta project is limited to the project members, which include his invited guests. By classifying information as Confidential, Peter can choose whether it should be available to Project Delta.
Peter can also classify information as Confidential and restrict it to "Internal" users. This prevents all external guests from accessing any of that content.
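To show what the label side of this setup looks like, here is an added example (not the author's configuration) that creates the label hierarchy with Security & Compliance Center PowerShell: a Confidential parent label, an Internal sub-label encrypted for the tenant domain, and a Project Delta sub-label encrypted for the group that was created with the Team. It assumes the tenant domain contoso.com, a group named "Project Delta", the label names shown, and a single global label policy; the rights string is the standard co-author set, and the names are illustrative.

```powershell
# Added example, not from the original post. Assumed names: tenant domain
# contoso.com, Office 365 group "Project Delta", labels "Confidential",
# "Confidential-Internal" and "Confidential-ProjectDelta".
Connect-IPPSSession      # Security & Compliance Center endpoint
Connect-ExchangeOnline

# The group that Teams created for Project Delta. Its SMTP address is the
# principal the label grants rights to; guests Peter invites become members.
$delta        = Get-UnifiedGroup -Identity "Project Delta"
$deltaAddress = $delta.PrimarySmtpAddress

# Co-author rights (edit, print, extract, reply/forward) but not ownership.
$rights = "VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL"

# Parent label: classification only, no encryption on its own.
New-Label -Name "Confidential" -DisplayName "Confidential" `
    -Tooltip "Sensitive information. Pick a sub-label to define who may open it."

# Sub-label 1: encrypted for everyone in the tenant domain. B2B guests sign in
# with their own e-mail domain, so a domain-scoped grant does not include them.
New-Label -Name "Confidential-Internal" -DisplayName "Internal" -ParentId "Confidential" `
    -Tooltip "Internal users only" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "contoso.com:$rights" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7

# Sub-label 2: encrypted for members of the Project Delta group, internal and guest.
New-Label -Name "Confidential-ProjectDelta" -DisplayName "Project Delta" -ParentId "Confidential" `
    -Tooltip "Project Delta members only, including invited guests" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "${deltaAddress}:$rights" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7

# Publish the labels (assumed: one tenant-wide policy; scope it as you need).
New-LabelPolicy -Name "Global" `
    -Labels "Confidential","Confidential-Internal","Confidential-ProjectDelta" `
    -ExchangeLocation All

# Check: which guests are members of the group, and therefore can open Project
# Delta content? A guest missing here cannot open the files, downloaded or not.
Get-UnifiedGroupLinks -Identity "Project Delta" -LinkType Members |
    Where-Object { $_.RecipientTypeDetails -eq "GuestMailUser" } |
    Select-Object DisplayName, PrimarySmtpAddress
```

The point of granting rights to the group rather than to individual guests is that Teams membership and file access stay in sync: removing a guest from the Team removes him from the group, and the protected copies he already downloaded stop opening at the next license check (within the offline access window set above). Note also that the guest must open the file with the same identity that was invited, since that is the identity listed in the group.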
In the next article we are going to go through how we can help Project Delta automatically identify and protect their information as soon as it is stored in Microsoft/Office 365, using the recently released "Auto Classification" that lets us act on data at rest in the cloud. Stay tuned!