How SharePoint and OneDrive can be Safer than S3 for File Storage

Be in the Secure 5% - Read below

Anthem, Verizon, Dow Jones: all have been in the news over breaches of data they had uploaded to Amazon S3 without applying S3's own security controls. This data loss isn't Amazon's fault, but it reinforces Gartner's prediction that 95% of cloud security failures will be the customer's fault.

How could these organizations have set up governance and controls in advance to keep human error from causing such damaging data loss? The individuals who uploaded this data certainly missed a security setting or two, but the loss could have been avoided by storing the data in platforms with inherent data loss prevention (DLP) and compliance controls. Two such systems? SharePoint Online and OneDrive for Business.

Both apps (along with Exchange Online) are under the control of Office 365's Compliance Center. There, policies can be set up in advance to detect specific content within files that are stored, shared, or sent. These policies find and restrict sensitive data that matches specific criteria through predefined industry templates, and thus prevent breaches in which corporate data leaves the company. For instance, there is an out-of-the-box policy for HIPAA that looks for Social Security numbers and credit card numbers within uploaded files. These policies can either warn users or block them from uploading or sharing content that is at risk. The data is encrypted in transit and at rest, and Microsoft provides business associate agreements and other affirmations that the data is safe within O365 data centers.

Now, how to be in Gartner’s top 5%?  Administrators looking to protect confidential data within SharePoint should:

  • Set the permissions on the SharePoint document library so that only certain people can access the library at all
  • Modify site or library permissions so that only certain personnel can share documents from SharePoint
  • Implement conditional access policies so that only personnel with domain-joined machines or on a specific subnet can access content (using Azure Active Directory)
  • Create different access policies for data that needs to be segregated (Internal Only vs. External Authenticated Users vs. Anonymous File Access)
  • Create a policy to keep files from leaving the SharePoint document library, if appropriate. Or, if it’s appropriate for files to be downloaded, set a Data Loss Prevention policy to protect specific files, or all files in the library.
  • If desired, the file itself can have Azure Information Protection / Rights Management applied to it, which will protect the file through its life cycle (keeping it from being saved, printed, forwarded, etc.)

And unlike data stored in general cloud storage containers such as S3 or Azure storage, when a user uploads, updates, or downloads a file that triggers a policy, a notification of the incident can be sent to the IT or compliance manager.
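As an added example (not from the original post), the HIPAA-style policy described above, scoped to SharePoint Online and OneDrive for Business, created with the Security & Compliance PowerShell cmdlets. The tenant account, policy and rule names, and the compliance mailbox are placeholders; the policy starts in test mode so incident reports can be reviewed before it blocks anyone.

```powershell
# Added example: requires the ExchangeOnlineManagement module and a compliance admin.
# admin@contoso.onmicrosoft.com is a placeholder account.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

# Policy scoped to all SharePoint Online sites and all OneDrive accounts.
# TestWithNotifications shows policy tips and sends reports without blocking;
# change -Mode to Enable once the reports look right.
New-DlpCompliancePolicy -Name "PHI-Protection" `
    -Comment "Detect SSNs and credit card numbers in SharePoint and OneDrive" `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule 1: a file shared outside the organization that contains at least one
# SSN or credit card number is blocked, the owner and last editor are told why,
# and an incident report goes to the compliance mailbox (placeholder address).
New-DlpComplianceRule -Name "PHI-Block-External-Sharing" -Policy "PHI-Protection" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Credit Card Number";               minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This file contains PHI and cannot be shared outside the company." `
    -GenerateIncidentReport "compliance@contoso.com" `
    -IncidentReportContent Title, DocumentAuthor, MatchedItem, RulesMatched

# Rule 2: the same content shared only inside the organization is allowed,
# but the user sees a warning tip and the compliance mailbox is still notified.
New-DlpComplianceRule -Name "PHI-Warn-Internal" -Policy "PHI-Protection" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Credit Card Number";               minCount = "1" }
    ) `
    -AccessScope InOrganization `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This file contains PHI. Share it only with people who need it." `
    -GenerateIncidentReport "compliance@contoso.com" `
    -IncidentReportContent Title, DocumentAuthor, MatchedItem, RulesMatched

# Confirm both rules are attached to the policy before leaving test mode.
Get-DlpComplianceRule -Policy "PHI-Protection" | Select-Object Name, Mode, BlockAccess, AccessScope
```

Existing files are only evaluated once the search index has crawled them, so check the incident reports over several days before switching the policy to Enable.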

  • These DLP capabilities are not a replacement for the document and records management features of SharePoint that organizations have been using for many years.
  • To find files already in SharePoint that violate newly created policies, the files must first be crawled and indexed. To reduce the risk of such existing documents leaking, administrators can set a policy that blocks normal users from viewing content in the SharePoint library that may be in breach of the policy. Only the content owner and site owners can see the offending item, and it stays hidden from other users until the content in question is edited or changed.

Helpful Resources:

How Office 365 DLP works:

SharePoint Online DLP details:

Interested in this Topic?  Attend our Secure Score Webinar tomorrow!


Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.