Microsoft Onedrive Move May Facilitate Accidental Sensitive File Exfiltration

The institution plans to connection users pinch individual Microsoft accounts connected business devices nan action to sync their individual OneDrive contented to nan instrumentality successful summation to their endeavor OneDrive files.

Microsoft’s upcoming OneDrive sync alteration will springiness endeavor users an easy measurement to sync some their individual and firm OneDrive accounts connected business devices. But cybersecurity officials do not want to make syncing easier, arsenic it tin create tons of information and IT headaches.

The rollout was primitively scheduled for this play (May 11), but sometime precocious connected Thursday, nan Microsoft page astir nan characteristic was changed to opportunity that it was being pushed retired successful June. 

Microsoft did not instantly explicate nan delay, but discussions connected LinkedIn and different societal media platforms expressed superior misgivings from IT and information professionals astir nan rollout.

The evident intent of nan Microsoft scheme is to facilitate firm workers who want to behaviour a small individual activity while astatine work, thing to thief somewhat pinch work-life balance. But IT leaders are not thrilled astir having worker aesculapian records, taxation documents and private—sometimes very private—photos and videos connected endeavor systems. 

The problem is perchance worse erstwhile nan dataflow is reversed. Once those individual and firm datasets are synced, it becomes inevitable that personification will accidentally prevention a delicate firm record to their individual OneDrive, which will past prevention nan record connected their individual computer.

To beryllium fair, Microsoft has made it easy for IT to disable these abilities, but nan default is that it will beryllium allowed. 

Microsoft’s charismatic description of nan caller characteristic notes: “This characteristic enables nan OneDrive Sync customer connected Windows to observe known Microsoft individual accounts associated pinch business devices and punctual users to sync their individual OneDrive files. If nan personification accepts nan prompt, their individual files will statesman syncing alongside their activity files. No action is required to alteration this behaviour by default. Admins tin suppress aliases disable it utilizing nan DisableNewAccountDetection aliases DisablePersonalSync policies.”

Opportunity for information leaks

“The asymmetric constituent of this characteristic seems to really make it easier for information leakage to happen. If firm accusation ends up successful individual accounts conscionable from nan sync, it exacerbates nan problem/concern of insider risk,” said IDC Research Director Jennifer Glenn. “Now you person firm secrets, intelligence spot and moreover perchance delicate accusation from customers aliases different employees. This is some a information leakage business and a imaginable compliance and/or privateness violation. Although nan settings could and should beryllium adjusted to forestall this, location are apt still vulnerabilities location [because] information classification and argumentation adjustments are not ever perfect.”

Glenn offered a hypothetical example.

“Say you person a transcript of your passport aliases a PDF listing your prescriptions stored successful your individual thrust and that is synced pinch your firm drive. Now that accusation is technically nether nan purview of nan firm IT/Security team,” Glenn said. “This adds much information that nan information squad does not request aliases want to protect. They person excessively overmuch information to protect already. And this is simply a imaginable usurpation of privacy—aka liability—if firm information entree controls are not adequate. To beryllium honest, capable information entree power is simply a changeless activity successful progress.”

Security consultants were much blunt.

“Making it nan default without giving admins a chance to get up of it, that is going to piss disconnected a batch of admins, which Microsoft is beautiful bully at,” said Jordan Wiseman, a information consequence appraisal advisor pinch Online Business Systems. 

‘Compliance nightmare waiting to happen’

Christian Khoury, CEO of Toronto-based AI institution Easy Audit, which sells compliance automation platforms, besides saw nan Microsoft alteration arsenic highly problematic.

“This mounting is simply a compliance nightmare waiting to happen. It blurs nan statement betwixt individual and firm information successful a measurement that undermines each DLP argumentation and entree power enterprises person successful place,” Khoury said. “I’ve seen firsthand really difficult it is for early-stage SaaS startups to support endeavor information cleanable and compliant, and they don’t person nan resources to untangle this benignant of mess. OneDrive now efficaciously opens nan doorway for firm IP to extremity up successful someone’s individual Dropbox aliases iCloud. Good luck proving to an auditor that your customer information didn’t locomotion retired nan door.”

Khoury was besides very unhappy pinch Microsoft’s determination to alteration this by default.

“Microsoft flipping this connected by default feels reckless. It puts nan load connected information teams to announcement and unopen it down earlier harm is done,” Khoury said. “Most won’t drawback it successful time.”

Microsoft declined a petition for an interview. Microsoft officials promised to email a statement, but it was not received earlier we published. 

There are various tools, specified arsenic Microsoft’s InTune, and policies that could negate each of these problems. But if an situation is not sufficiently managed, this sync action could make things worse.

Dennis Xu, a investigation VP pinch Gartner, said nan information problems this alteration poses already, to a ample degree, beryllium successful nan emblematic endeavor threat landscape.

Although Xu stressed that admins “need to disable this” and that they “need to support an oculus connected caller features and support disabling these things,” he said that he didn’t consciousness that this was meaningfully expanding nan consequence vulnerability of nan emblematic enterprise. 

“It’s a debased consequence because location are already truthful galore ways to bring successful individual files to a firm laptop,” Xu said. 

Xu added that, though he does not spot this Microsoft alteration creating “an contiguous exposure,” he thinks that “it does summation nan likelihood that firm files mightiness extremity up successful a individual OneDrive relationship successful nan unreality if users do not salary adjacent attraction to which section OneDrive synced files they are using.”

Risk for labor too

Matthew Rosenquist, CISO astatine Mercury Risk, said galore labor do not admit nan consequence that they are taking by bringing individual information into their employer’s environment.

Whatever an worker brings into their activity systems is adjacent crippled for nan endeavor to usage nevertheless it wants, Rosenquist said. 

“You are granting them entree for immoderate business decisions, specified arsenic whether they are going to beforehand you. And if they get breached, your backstage records besides get breached,” Rosenquist said.

Rosenquist besides said that extremity users will often click connected Windows prompts absent-mindedly. 

“It’s for illustration erstwhile a institution says ‘Read our EULA [End-User License Agreement]. Nobody does,” Rosenquist said. “They will simply click and move on. They don’t cognize nan ramifications of that click.”

Online Business Systems’ Wiseman said location are ways to prime only circumstantial individual files to stock connected institution systems, but moreover excluding a record from nan transportation doesn’t needfully shield it from IT eyes. 

“Even if you configure OneDrive to only sync definite folders, nan customer still enumerates nan afloat names of nan objects it’s not syncing. This is portion of really it determines what it needs to database successful nan filesystem and  perchance download,” Wiseman said, “and that intends your firm instrumentality whitethorn incorporate accusation astir immoderate of your location OneDrive contents.”