Best Practices for External Sharing

As it hints at in the name, SharePoint is great for sharing documents. 

Emailing attachments is quick and easy, but it has limitations. In the world of GDPR these can be quite significant. Once an attachment has been emailed, you’ve lost control of its security. It can be forwarded, modified, left hanging around in people’s inboxes. When you need people to comment on the document, they might all add updates/ comments and send the copies back. This would leave you wading through the copies one by one,  to update it. What a waste of time.

Sharing a document, especially externally, can feel quite scary.

You’re giving somebody access directly into your SharePoint site to look at your live document, which just kind-of feels wrong! What if they share the link with other people? What if they download the document and send it to other people, or see some changes that you’ve made forgetting that they can see them?

From a security point of view, sharing is better than sending attachments. Generally, when you create a link to send externally, it will have a built-in expiry date. After a couple of weeks, the link will stop working. Links can be restricted to specific people who log in to your site using their own Office 365 username and password, and are then prevented from downloading the file. You can even track where your file is being opened from and revoke access if anything looks suspicious. However, you will need to have the correct licence to be able to do this.

How many times have you sent a document on an email and immediately seen a glaring spelling mistake?

That’s fine with sharing – you simply correct the mistake and save the document – by the time your colleagues click the link and open the document, all is well. And when they add their comments, they can see everybody else’s comments at the same time and properly collaborate with them.

So, when you the time comes for you to enter into the world of external sharing, here are some tips on how to manage and control what people see and do.

How to manage External Sharing

In SharePoint, you have a lot of control over how sharing is set up. Sharing policies are set up at an organisation-wide level, and these top-level settings will determine what can and can’t be done further down. Various settings can then be made at a Site Collection and Site level.

At the organisation level, you need to decide your overall policy. You can:

• Totally turn off External sharing for SharePoint and OneDrive.
• Allow sharing, but only for external people who you have pre-authorised.
• Allow sharing using single-use links that require people to validate who they are.
• Create anonymous links. These can only be to documents or libraries, not to whole sites.

You can’t give looser controls than these top-level settings for any site. Because of this, you need to be careful not to be too restrictive. Users will always find a workaround if the technology they are given doesn’t allow them to do their job. If you are too restrictive, it will be difficult to wean people off sending attachments.

Fine-Grained Control

Most organisations will have documents that they really don’t want shared outside. This can be for sensitive business information, or to protect client and staff confidentiality. The easiest way to manage this is to create separate Site Collections that have more restrictive rules applied.

Similarly to managing SharePoint permissions, the higher up you can impose rules, the easier it will be to manage the rules in the future. You can set rules for individual sites, but you must be careful to keep good documentation as to what rules are in place and where.

Allowing Specific Users to Share

As well as managing how users can share things, you can specify ‘who’ can share documents. If allowing all users of a site to share documents is a worry, you can define a SharePoint Security Group. You can then give people, in this group, permission to do the sharing. This can be a good way to control access to sensitive documents.

You can even limit sharing to specific Office 365 domains. For example, if you are a school and need to share sensitive information with the county’s Children’s Services department, you can add the county’s tenancy to the list of accepted domains for a site collection. This prevents recipients from sharing documents any further.

Using SharePoint, it is easy to set up an Extranet for 1-1 collaboration with a partner company. People from 2 or more companies can work seamlessly without worrying about unauthorised people gaining access. This is done by creating a Site Collection just for collaboration with partners, and using domain sharing.

Assess the Risk

The key to all of this is to carefully look at what sort of files you are storing and what your business needs are. We like to look at this from a risk analysis point of view. The first principle is to enable people to do their work as easily as possible. You look at what loose controls look like, assess the risk of people abusing these controls versus the risk of people finding workarounds, and then tighten the controls appropriately. And remember, this is all from the starting point that most companies have of having effectively no control at all on who can email what to whom!

Other tools

By using SharePoint sharing settings wisely, you can go a long way to keeping your important information safe. It also allows users to do their jobs efficiently.

But there is some data that you will not want to leave the walls of your company in any circumstances. Even if External Sharing is off, a rogue employee can download a batch of files and put them on a USB drive, or email them to a personal account. You might be able to trace this after the event, but by then the damage would be done.

This is where Azure Rights Management comes in. When you apply Azure Rights Management to a document, it is encrypts it onto the server. This means that nobody can open it without validating against your Active Directory. You can still share it outside to named people. However, if the file does fall into the wrong hands accidentally, it simply won’t open. Also, if you decide you have lost control over who has access to a file, you can block all access. Another reason to block access would be if the information that it contains becomes out of date.