Understanding Data Exposure Risk in SharePoint and OneDrive

Welcome to our technical blog, where we share insights and expertise on a variety of technical topics. This post is part of our ongoing series, specifically aimed at professionals in technical roles, providing in-depth information and practical tips.

As organisations increasingly embrace Microsoft 365, tools like SharePoint and OneDrive have revolutionised collaboration by enabling seamless access and sharing of data. However, with greater flexibility comes increased responsibility. Understanding the risks of data exposure in these platforms is crucial, particularly as new technologies like Generative AI rapidly change the threat landscape.

OneDrive and SharePoint were designed inherently to foster collaboration, enabling multiple users to easily access and co-edit files. Out-of-the-box, they favour openness and sharing, which, while beneficial for productivity, can inadvertently lead to sensitive information becoming overly accessible. Without strict governance, organisations risk exposing critical data.

Consider the scenario where an employee, using a Generative AI tool such as Copilot, asks a seemingly innocuous question such as “What is our CEO’s salary?” If file permissions aren’t correctly configured, the AI may inadvertently surface confidential information. Another common issue is ‘permissions creep’—an employee transitions to a new role within the organisation but retains access to files and resources relevant only to their previous position, thereby increasing risk exposure over time.

Historically, the drive to manage data exposure risk has predominantly stemmed from compliance and regulatory requirements. Organisations had to ensure data governance to comply with frameworks like GDPR or industry-specific regulations. However, with the advent of Generative AI technologies, a new urgency has emerged. AI’s ability to swiftly sift through large datasets and surface information means incorrect permissions can result in significant data leaks more easily and more quickly than ever before.

ramsac team

At their core, SharePoint permissions and security structures are complex, but three main areas require careful attention: permissions inheritance, sharing links, and Sensitivity Labels.

Permissions inheritance is a fundamental approach to access control in SharePoint. For instance, the Finance department may have exclusive access to the Finance SharePoint site. All content within that site—including libraries and subfolders—typically inherits the permissions defined at the top level. Proper management of inherited permissions ensures that data access remains aligned with organisational roles.

SharePoint and OneDrive add complexity through their powerful sharing capabilities. For example, when User A in Finance shares a document with “organisation-wide” access, that document stops inheriting the site’s permissions: a shareable link is generated, potentially allowing unintended recipients to access sensitive data. These links, if shared carelessly, can quickly lead to broad, uncontrolled data exposure.

While permissions and inheritance apply at the folder and site levels, Sensitivity Labels offer additional granularity. They apply directly to documents, embedding security and compliance directly into files themselves. For example, files tagged with a “Finance Only” sensitivity label retain protection wherever they travel, independent of their original location.

Managing data risk in SharePoint and OneDrive requires a holistic approach, combining clear governance, user education, and robust technical controls:

  • Business Processes and Policies: Clearly documented policies that guide end-users on proper data handling, storage, and sharing are foundational. Users must understand which tools to use, when, and how.
  • Technical Access Controls: Implement strict access control policies, clearly defined permissions, and inheritance structures. Regularly audit permissions and sharing links to avoid creep.
  • Data Classification and Ringfencing: Use Sensitivity Labels effectively to categorise and protect data, ensuring critical information remains secured regardless of how it is shared or where it moves within or outside your organisation.
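The sharing-link and inheritance points above, and the "regularly audit permissions and sharing links" control, can be checked with a script like the following. It is an added example written for this post, not code from the original article or from Microsoft; it assumes the PnP.PowerShell module is installed, that you can read the site, and that the site URL and library name (both placeholders) are replaced with your own.

```powershell
# Added example: list items in one document library whose permission inheritance
# is broken, and classify each grant as a sharing link, an organisation-wide
# grant, or a direct grant. Site URL and library name are placeholders.
$SiteUrl     = "https://contoso.sharepoint.com/sites/Finance"   # placeholder
$LibraryName = "Documents"                                        # placeholder

Connect-PnPOnline -Url $SiteUrl -Interactive

$items = Get-PnPListItem -List $LibraryName -PageSize 500
$findings = foreach ($item in $items) {
    # Only items with their own role assignments have stopped inheriting.
    $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
    if (-not $unique) { continue }

    $assignments = Get-PnPProperty -ClientObject $item -Property RoleAssignments
    foreach ($ra in $assignments) {
        $member = Get-PnPProperty -ClientObject $ra -Property Member
        $roles  = Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings
        $title  = $member.Title

        # Sharing links surface as SharePoint groups named
        # "SharingLinks.<item id>.<Scope><Permission>.<link id>"; an
        # organisation-wide grant surfaces as "Everyone except external users".
        $kind = switch -Regex ($title) {
            '^SharingLinks\..*\.Anonymous'     { 'Anyone link (anonymous)'; break }
            '^SharingLinks\..*\.Organization'  { 'Organisation-wide link'; break }
            '^SharingLinks\.'                  { 'Specific-people link'; break }
            '^Everyone except external users$' { 'Everyone except external users'; break }
            default                            { 'Direct grant' }
        }

        [pscustomobject]@{
            Path       = $item["FileRef"]
            Grantee    = $title
            Kind       = $kind
            Permission = ($roles | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

# Review the broadest grants first, then keep the CSV as the audit record.
$findings | Sort-Object Kind, Path | Format-Table -AutoSize
$findings | Export-Csv -Path ".\sharepoint-unique-permissions.csv" -NoTypeInformation
```

Run it per library on a schedule and compare successive CSVs; a growing count of organisation-wide links or direct grants for people who have changed role is the permissions creep the post describes.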

Organisations should consider formally assigning someone the role of a “Data Steward” internally, who is explicitly responsible for regular checks, compliance monitoring, and overall data governance strategy. Additionally, leveraging advanced technologies such as Microsoft Purview or other third-party data governance tools can significantly enhance visibility, proactively manage data risks, and ensure continued compliance in an increasingly complex digital landscape.
