In 2017, voting machine maker Election Systems and Software publicly exposed data of close to 2 million voters in Illinois – names, addresses, birth dates and registered party. The data leak, unlike some, was not intentional. Instead, an Amazon Web Services (AWS) cloud container was somehow misconfigured – leaving it wide open.
Data leakage is similar, and in some ways overlaps with IP theft – but instead of the data stolen by an external entity, it is leaked by an insider – either for nefarious reasons or through accident, neglect, poor configuration or lack of security oversight. For instance, a fired employee may post confidential or even damaging data online.
This is a particularly critical issue for Office 365, as a study shows that 58.4% of sensitive data held in the cloud is stored in Office documents. Another issue is mistakes made by admins. “There has been a notable increase in errors caused by system administrators publishing sensitive data in public cloud spaces open to everyone,” found the Verizon 2019 Data Breach Investigations Report.
In too many cases, users who normally have access to data as part of their jobs, such as client account spreadsheets, aren’t triggering DLP rules. Fortunately, CoreView records this access for review at critical events such as legal requests and HR events such as separation.
CoreView Knows Where Critical Data is – and How to Protect it
CoreView knows where sensitive data rests, who has access and what they do with it. “The first thing I show about security is the landing page in the CoreView dashboard, and explain how we collect security-related data. The real power of the platform is not that we have pretty charts and graphs, it is the security data we collect in a unique way that nobody else can do,” said Matt Smith, CoreView Solution Architect. “We connect to Office 365 via every available API. There is a Graph API, most IT professionals working with Office 365 know about that. We also take the audit log push from Microsoft and that allows us to gather and analyze the same data as Splunk and the new Microsoft Azure Sentinel.”
CoreView dives into every one of the application APIs. Exchange has Exchange web services for example. Skype has activity logs, and SharePoint and Teams all have their own APIs. Finally, CoreView gets data from Azure Active Directory (Azure AD). All this data is stored externally in a Microsoft Azure subscription. “The data never leaves the Microsoft platform. You are not pulling it across the internet, not pulling it down to the desktop, not sending it over to Amazon Web Services. It all stays within Azure.”
Because Office 365 runs on Azure, and CoreView runs on Azure, everything stays in the Microsoft data centers. “You can store that data for as long as you want, and enrich the data as it comes in. Since you have data from all these different sources, you can use the audit log to get a deep view. For instance, you will not just know that it was ‘Joe User’ who accessed a file in OneDrive, but understand the complete path to the file – how he accessed it, with what mobile device, and what MDM policy his mobile device had, including who ‘Joe User’ was: department, country, company as well as administrative roles in the tenant. Also when did he do it, and from what IP address,” Smith said.
With CoreView, IT knows every single transaction that occurs within the Microsoft platform, and the configuration information. That means IT knows when a document is created, when it is replicated to Office 365, when it is accessed, and when it is changed. CoreView stores all of that information externally in an immutable (meaning it cannot be changed) database. That, in essence, is the complete block chain information for every single transaction in Office 365.
Protect Your O365 Tenant With CoreView
Or sign up for a personalized CoreView demo.