Securing Collaboration: Office 365 Governance in an Always Online World

Post Date: 09/10/2020
feature image

Learn how to streamline your day-to-day management tasks with our free ebook “The Value of Automated Office 365 & Microsoft Teams Governance.” Download here!

Read the other posts in our Securing Collaboration series below:

I recently wrote a blog post about trying to find the “Signal in the noise” of our new data-driven society in order to make good cybersecurity decisions based on actionable intelligence. In an effort to provide more and more value to customers, technology providers like Microsoft continue to subscribe to the idea that “more is better,” providing vast arrays of new functionality that allow businesses to parse and analyze their data.

But in truth, when this data is unmanaged it simply becomes more noise and more work. That being said, I have a strong belief that not knowing something is happening is always worse than figuring it out. So using the Microsoft technology stack, how do we prioritize our efforts, focus our attention, and pinpoint the issues that we really need to address? How do we find the signal we have been looking for in the noise of our information society?

office 365

Trust-and-Verify Approach to Compliance

It’s all about the data. Every organization has sensitive data, but it’s a question of what it is, where it is, who can access it, what they’re doing with it, where it’s flowing, and with whom it is being shared. All of this needs to be proactively managed as part of a good data governance and data life cycle management program.

However, many organizations have data governance policies that are theoretical rather than operational. In other words, there’s a corporate policy that is unenforced or left to the business users to implement. The challenges presented by a trust-driven system include key questions that need to be verified including:

  • Is data being properly tagged?
  • Are inappropriate discussions happening?
  • Is sensitive or confidential information being shared with internal or external users?
  • Are privacy and compliance policies being circumvented, either deliberately or inadvertently?

Making it easier for your employees to do their job successfully while building a more secure environment includes implementing a culture and technology systems where privacy and security controls are not limited to “once a year” training sessions, but rather an ever-present “culture of compliance” where it’s easier for your employees to do the right thing than to do the wrong thing. Companies must create a transparent security organization to discourage employees from working around security. For this reason, AvePoint’s approach supplies a trust-and-verify method to ensure users are doing the right thing, while preventing inadvertent breaches from occurring.

AvePoint’s Approach to Compliance

AvePoint takes a pragmatic approach in ensuring data-centric audit and protection delivers business value. We empower organizations to effectively establish and implement a data governance framework.

Discovery and Classification

Many companies worry about “dark data” (data that is not properly understood) or data that exists across their enterprise systems (file shares, SharePoint, social systems, and other enterprise collaboration systems and networks). Understanding what and where this data is and properly classifying it will allow organizations to set the appropriate levels of protection in place.

For example, many companies apply their security controls in broad terms using the same security procedures for everything. But logically, do you need to put the same security protocols around pictures from your company picnic as you do towards your customer’s critical infrastructure design, build information, or credit card information?

Data discovery will allow you to determine the origin and relevance of the data you hold, and establish a suitable retention schedule. You’ll be more equipped to effectively implement Data Loss Prevention in a tactical way. Data-aware security policies provide an opportunity for organizations to build a more layered approach to security, prioritizing where efforts (and costs) should be spent, and building multiple lines of defense.

AvePoint Compliance Guardian discovery solutions analyze, index, search, track and report on file content and metadata, enabling organizations to take action on files according to what was identified. Compliance Guardian Data discovery capabilities allows you to discover where “dark data” lives no matter if it’s in an on-premises or cloud environment.

office 365

Define Data Governance Policies

Proactively Enforce Policies

One of the biggest challenges organizations face as it pertains to data governance and information lifecycle management is actually enforcing corporate rules that govern how users interact with and share data across the enterprise. As part of AvePoint’s best practice approach to implementing a data governance strategy, technology is an important factor that shouldn’t be overlooked to help incorporate an automation layer that will proactively enforce the policies and rule you put in place.

An effective technology strategy to enforce these policies is one that takes into account the following areas:

  1. Privacy and Security by Design
  2. Data-Centric Audit and Protection
Looking for good data governance tips for M365? Give this post a read: Click To Tweet

Privacy and Security by Design

The basis for any solid Data Protection strategy is to ensure that data privacy and security is incorporated into the design of the governance framework. AvePoint’s AOS platform is designed with this methodology in mind. As organizations implement/enhance their data governance programs, they can leverage AvePoint technology, like Cloud Governance, to build into their collaboration systems policies that can carry out the management of the data lifecycle from its origination point through its disposition with automation. This includes:

  • Categorization of Data Repositories – Provides organizations with a way to determine the business need or use of data repositories which in turn drive the governance policies that need to be enforced on the data.
  • Automated Information Lifecycle Management – Automated management and enforcement of data destruction and disposition rules based on the content and/or the data repository categorization with business stakeholder input.
  • Recertification and Audit – Proactive and automated periodic review of data ownership and access credentials in an effort to reduce the risk of data leaks and unapproved access to content.
  • Built-in Governance – As the end user community continues to collaborate and originate content, governance policies are automatically provisioned into collaboration containers at the time of onboarding in an effort to ensure proactive enforcement.

office 365

Data-Centric Audit and Protection

AvePoint Policy and Insights “PI” helps you monitor Microsoft 365 platform so you can easily answer critical questions for your security team such as “Who has access to sensitive data?” “Have they accessed it?” “Are any external users a threat?”

PI provides insights to answer critical security questions about your Teams, Groups, Sites, and OneDrives. You define what risk means to you by selecting the regulations or permissions controls you care about most! PI does the work of combining, parsing, and prioritizing your potential issues so that you can cross-reference access controls with sensitivity and activity data. Easily identify issues including over-exposed sensitive content, over-active external users, shadow users, and other security concerns. Then, take action where it has the most impact.

Want more best practices for managing data in the cloud? Check out these resources:

For more on Microsoft 365 management be sure to subscribe to our blog!


Dana Louise Simberkoff is the Chief Risk, Privacy and Information Security Officer at AvePoint. She is responsible for AvePoint’s privacy, data protection, and security programs. She manages a global team of subject matter experts that provide executive level consulting, research, and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts, and solutions for risk management and compliance. Ms. Simberkoff is responsible for maintaining relationships with executive management and multiple constituencies both internal and external to the corporation, providing guidance on product direction, technology enhancements, customer challenges, and market opportunities. Ms. Simberkoff has led speaking sessions at data privacy and security events around the globe. She was featured in Forbes, writes a monthly column for CMSWire, and was highlighted in the CSO Online list of “12 Amazing Women in Security”. She is a current member of the Women Leading Privacy Advisory Board and a past member of the Education Advisory Board for the International Association of Privacy Professionals (IAPP). Ms. Simberkoff holds a BA from Dartmouth College and a JD from Suffolk University Law School. LinkedIn: Twitter:

View all posts by Dana S.

Subscribe to our blog