Microsoft OneDrive move may facilitate accidental sensitive file exfiltration

Microsoft’s (Nasdaq:MSFT) upcoming OneDrive sync change will give enterprise users an easy way to sync both their personal and corporate OneDrive accounts on business devices. But cybersecurity officials do not want to make syncing easier, as it can create lots of security and IT headaches.

The rollout was originally scheduled for this weekend (May 11), but sometime late on Thursday, the Microsoft page about the feature was changed to say that it was being pushed out in June. 

Microsoft did not immediately explain the delay, but discussions on LinkedIn and other social media platforms expressed serious misgivings from IT and security professionals about the rollout.

The apparent intent of the Microsoft plan is to facilitate corporate workers who want to conduct a little personal activity while at work, something to help slightly with work-life balance. But IT leaders are not thrilled about having employee medical records, tax documents and private—sometimes very private—photos and videos on enterprise systems. 

The problem is potentially worse when the dataflow is reversed. Once those personal and corporate datasets are synced, it becomes inevitable that someone will accidentally save a sensitive corporate file to their personal OneDrive, which will then save the file on their personal computer.

To be fair, Microsoft has made it easy for IT to disable this capability, but by default it will be allowed. 

Microsoft’s official description of the new feature notes: “This feature enables the OneDrive Sync client on Windows to detect known Microsoft personal accounts associated with business devices and prompt users to sync their personal OneDrive files. If the user accepts the prompt, their personal files will begin syncing alongside their work files. No action is required to enable this behavior by default. Admins can suppress or disable it using the DisableNewAccountDetection or DisablePersonalSync policies.”
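The two policy names Microsoft cites are Group Policy / registry settings for the OneDrive sync client. The following PowerShell is an added example, not from the article or from Microsoft: it audits whether a device actually enforces them and can set both, assuming the standard OneDrive policy registry path used by the OneDrive ADMX templates (`HKLM:\SOFTWARE\Policies\Microsoft\OneDrive`), which you should confirm against current Microsoft documentation.

```powershell
# Added example: audit, and optionally enforce, the two OneDrive policies the
# article names. Registry path assumed from the OneDrive ADMX policy templates.
$OneDrivePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$RequiredPolicies  = @{
    DisablePersonalSync        = 1   # block personal OneDrive accounts from syncing on this device
    DisableNewAccountDetection = 1   # suppress the new "sync your personal files?" prompt
}

function Get-OneDrivePersonalSyncPosture {
    # Returns one object per policy: the configured value and whether it matches the required one.
    # A missing value means the device is on Microsoft's default, i.e. personal sync is allowed.
    foreach ($name in $RequiredPolicies.Keys) {
        $value = (Get-ItemProperty -Path $OneDrivePolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Policy    = $name
            Expected  = $RequiredPolicies[$name]
            Actual    = if ($null -eq $value) { 'not set (default allows)' } else { $value }
            Compliant = ($value -eq $RequiredPolicies[$name])
        }
    }
}

function Set-OneDrivePersonalSyncBlocked {
    # Creates the policy key if it is missing and writes both DWORDs. Requires an elevated shell.
    if (-not (Test-Path $OneDrivePolicyKey)) {
        New-Item -Path $OneDrivePolicyKey -Force | Out-Null
    }
    foreach ($name in $RequiredPolicies.Keys) {
        New-ItemProperty -Path $OneDrivePolicyKey -Name $name -Value $RequiredPolicies[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

# Report the current posture; remediate only if the audit shows a gap.
$posture = Get-OneDrivePersonalSyncPosture
$posture | Format-Table -AutoSize
if ($posture.Compliant -contains $false) {
    Write-Warning 'Personal OneDrive sync is not blocked by policy on this device; run Set-OneDrivePersonalSyncBlocked.'
}
```

Run the audit as part of a scheduled compliance check rather than once, since the article's point is that new defaults arrive silently; for a fleet, the same two settings are deployed centrally via Group Policy or Intune instead of per-device registry writes.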

Opportunity for data leaks

“The asymmetric element of this feature seems to actually make it easier for data leakage to happen. If corporate information ends up in personal accounts just from the sync, it exacerbates the problem/concern of insider risk,” said IDC Research Director Jennifer Glenn. “Now you have corporate secrets, intellectual property and even potentially sensitive information from customers or other employees. This is both a data leakage situation and a potential compliance and/or privacy violation. Although the settings could and should be adjusted to prevent this, there are likely still vulnerabilities there [because] data classification and policy adjustments are not always perfect.”

Glenn offered a hypothetical example.

“Say you have a copy of your passport or a PDF listing your prescriptions stored in your personal drive and that is synced with your corporate drive. Now that information is technically under the purview of the corporate IT/Security team,” Glenn said. “This adds more data that the security team does not need or want to protect. They have too much data to protect already. And this is a potential violation of privacy—aka liability—if corporate data access controls are not adequate. To be honest, adequate data access control is a constant work in progress.”

Security consultants were more blunt.

“Making it the default without giving admins a chance to get ahead of it, that is going to piss off a lot of admins, which Microsoft is pretty good at,” said Jordan Wiseman, a security risk assessment consultant with Online Business Systems. 

‘Compliance nightmare waiting to happen’

Christian Khoury, CEO of Toronto-based AI company Easy Audit, which sells compliance automation platforms, also saw the Microsoft change as highly problematic.

“This setting is a compliance nightmare waiting to happen. It blurs the line between personal and corporate data in a way that undermines every DLP policy and access control enterprises have in place,” Khoury said. “I’ve seen firsthand how hard it is for early-stage SaaS startups to keep enterprise data clean and compliant, and they don’t have the resources to untangle this kind of mess. OneDrive now effectively opens the door for corporate IP to end up in someone’s personal Dropbox or iCloud. Good luck proving to an auditor that your customer data didn’t walk out the door.”

Khoury was also very unhappy with Microsoft’s decision to enable this by default.

“Microsoft flipping this on by default feels reckless. It puts the burden on security teams to notice and shut it down before damage is done,” Khoury said. “Most won’t catch it in time.”

Microsoft declined a request for an interview. Microsoft officials promised to email a statement, but it was not received before we published. 

There are various tools, such as Microsoft’s Intune, and policies that could address all of these problems. But if an environment is not sufficiently managed, this sync option could make things worse.

Dennis Xu, a research VP with Gartner, said the data problems this change poses already, to a large degree, exist in the typical enterprise threat landscape.

Although Xu stressed that admins “need to disable this” and that they “need to keep an eye on new features and keep disabling these things,” he said that he didn’t feel that this was meaningfully increasing the risk exposure of the typical enterprise. 

“It’s a low risk because there are already so many ways to bring in personal files to a corporate laptop,” Xu said. 

Xu added that, although he does not see this Microsoft change creating “an immediate exposure,” he thinks that “it does increase the likelihood that corporate files might end up in a personal OneDrive account in the cloud if users do not pay close attention to which local OneDrive synced folder they are using.”

Risk for employees too

Matthew Rosenquist, CISO at Mercury Risk, said many employees do not appreciate the risk that they are taking by bringing personal data into their employer’s environment.

Whatever an employee brings into their work systems is fair game for the enterprise to use however it wants, Rosenquist said. 

“You are granting them access for any business decisions, such as whether they are going to promote you. And if they get breached, your private records also get breached,” Rosenquist said.

Rosenquist also said that end users will often click on Windows prompts absent-mindedly. 

“It’s like when a company says ‘Read our EULA [End-User License Agreement]’. Nobody does,” Rosenquist said. “They will simply click and move on. They don’t know the ramifications of that click.”

Online Business Systems’ Wiseman said there are ways to select only specific personal files to share on company systems, but even excluding a file from the transfer doesn’t necessarily shield it from IT eyes. 

“Even if you configure OneDrive to only sync certain folders, the client still enumerates the full names of the objects it’s not syncing. This is part of how it determines what it needs to list in the filesystem and possibly download,” Wiseman said, “and that means your corporate device may contain information about any of your home OneDrive contents.”

Update: On Friday, Microsoft responded with this emailed statement:

The ability to use both personal and corporate OneDrive accounts on the same device has existed for some time. Administrators who have already restricted personal accounts on corporate devices can continue to manage this as before. The update introduces a new prompt for users who are already using their personal account on a device with their corporate OneDrive, prompting them to sign in. Importantly, this prompt does not automatically combine or transfer files between personal and corporate accounts. Users must take deliberate action to move or save files between accounts, and Microsoft blocks the move of known folders to personal OneDrive accounts from domain joined devices by default.

This update does not “sync” personal files with corporate accounts or vice versa. It simply allows access to separate OneDrive accounts on the same device without merging content – similar to checking both work and personal emails on one device without combining inboxes. Organizations that have already disabled personal OneDrive accounts on corporate devices will not see any change in their settings.
