<h1>Microsoft OneDrive move may facilitate accidental sensitive file exfiltration</h1>
<p>Published 2025-05-09 at <a href="https://cybersecurityinfocus.com/?p=3119">https://cybersecurityinfocus.com/?p=3119</a></p>
<p>Microsoft’s (<a href="https://finance.yahoo.com/quote/MSFT/" target="_blank" rel="noopener">Nasdaq:MSFT</a>) upcoming OneDrive sync change will give enterprise users an easy way to sync both their personal and corporate OneDrive accounts on business devices. But cybersecurity officials do not <em>want</em> to make syncing easier, as it can create lots of security and IT headaches.</p>
<p>The rollout was originally scheduled for this weekend (May 11), but sometime late on Thursday, the Microsoft page about the feature was changed to say that it was being pushed out in June.</p>
<p>Microsoft did not immediately explain the delay, but discussions on LinkedIn and other social media platforms showed serious misgivings among IT and security professionals about the rollout.</p>
<p>The apparent intent of the Microsoft plan is to accommodate corporate workers who want to conduct a little personal activity while at work, something to help slightly with work-life balance. But IT leaders are not thrilled about having employee medical records, tax documents and private—sometimes <em>very</em> private—photos and videos on enterprise systems.</p>
<p>The problem is potentially worse when the dataflow is reversed. Once those personal and corporate datasets are synced, it becomes inevitable that someone will accidentally save a sensitive corporate file to their personal OneDrive, which will then save the file on their personal computer.</p>
<p>To be fair, Microsoft has made it easy for IT to disable these abilities, but the default is that it will be allowed.</p>
<p><a href="https://www.microsoft.com/en-us/microsoft-365/roadmap?id=490064" target="_blank" rel="noopener">Microsoft’s official description</a> of the new feature notes: “This feature enables the OneDrive Sync client on Windows to detect known Microsoft personal accounts associated with business devices and prompt users to sync their personal OneDrive files. If the user accepts the prompt, their personal files will begin syncing alongside their work files. No action is required to enable this behavior by default. Admins can suppress or disable it using the <em>DisableNewAccountDetection</em> or <em>DisablePersonalSync</em> policies.”</p>
<h2>Opportunity for data leaks</h2>
<p>“The asymmetric element of this feature seems to actually make it easier for data leakage to happen. If corporate information ends up in personal accounts just from the sync, it exacerbates the problem/concern of <a href="https://www.csoonline.com/article/566603/what-is-an-insider-threat-7-warning-signs-to-watch-for.html">insider risk</a>,” said IDC Research Director <a href="https://my.idc.com/getdoc.jsp?containerId=PRF005628">Jennifer Glenn</a>. “Now you have corporate secrets, intellectual property and even potentially sensitive information from customers or other employees. This is both a data leakage situation and a potential compliance and/or privacy violation. Although the settings could and should be adjusted to prevent this, there are likely still vulnerabilities there [because] data classification and policy adjustments are not always perfect.”</p>
<p>Glenn offered a hypothetical example.</p>
<p>“Say you have a copy of your passport or a PDF listing your prescriptions stored in your personal drive and that is synced with your corporate drive. Now that information is technically under the purview of the corporate IT/Security team,” Glenn said. “This adds more data that the security team does not need or want to protect. They have too much data to protect already. And this is a potential violation of privacy—aka liability—if corporate data access controls are not adequate. To be honest, adequate data access control is a constant work in progress.”</p>
<p>Security consultants were more blunt.</p>
<p>“Making it the default without giving admins a chance to get ahead of it, that is going to piss off a lot of admins, which Microsoft is pretty good at,” said Jordan Wiseman, a security risk assessment consultant with Online Business Systems.</p>
<h2>‘Compliance nightmare waiting to happen’</h2>
<p>Christian Khoury, CEO of Toronto-based AI company Easy Audit, which sells compliance automation platforms, also saw the Microsoft change as highly problematic.</p>
<p>“This setting is a compliance nightmare waiting to happen. It blurs the line between personal and corporate data in a way that undermines every <a href="https://www.csoonline.com/article/569559/what-is-dlp-how-data-loss-prevention-software-works-and-why-you-need-it.html">DLP</a> policy and access control enterprises have in place,” Khoury said. “I’ve seen firsthand how hard it is for early-stage SaaS startups to keep enterprise data clean and compliant, and they don’t have the resources to untangle this kind of mess. OneDrive now effectively opens the door for corporate IP to end up in someone’s personal Dropbox or iCloud. Good luck proving to an auditor that your customer data didn’t walk out the door.”</p>
<p>Khoury was also very unhappy with Microsoft’s decision to enable this by default.</p>
<p>“Microsoft flipping this on by default feels reckless. It puts the burden on security teams to notice and shut it down before damage is done,” Khoury said. “Most won’t catch it in time.”</p>
<p>Microsoft declined a request for an interview. Microsoft officials promised to email a statement, but it was not received before we published.</p>
<p>There are various tools, such as Microsoft’s Intune, and policies that could negate all of these problems. But if an environment is not sufficiently managed, this sync option could make things worse.</p>
<p><a href="https://www.gartner.com/en/experts/dennis-xu">Dennis Xu</a>, a research VP with Gartner, said the data problems this change poses already, to a large degree, exist in the typical enterprise threat landscape.</p>
<p>Although Xu stressed that admins “need to disable this” and that they “need to keep an eye on new features and keep disabling these things,” he said that he didn’t feel that this was meaningfully increasing the risk exposure of the typical enterprise.</p>
<p>“It’s a low risk because there are already so many ways to bring in personal files to a corporate laptop,” Xu said.</p>
<p>Xu added that, although he does not see this Microsoft change creating “an immediate exposure,” he thinks that “it does increase the likelihood that corporate files might end up in a personal OneDrive account in the cloud if users do not pay close attention to which local OneDrive synced folder they are using.”</p>
<h2>Risk for employees too</h2>
<p>Matthew Rosenquist, CISO at Mercury Risk, said many employees do not appreciate the risk that <em>they</em> are taking by bringing personal data into their employer’s environment.</p>
<p>Whatever an employee brings into their work systems is fair game for the enterprise to use however it wants, Rosenquist said.</p>
<p>“You are granting them access for any business decisions, such as whether they are going to promote you. And if they get breached, your private records also get breached,” Rosenquist said.</p>
<p>Rosenquist also said that end users will often click on Windows prompts absent-mindedly.</p>
<p>“It’s like when a company says ‘Read our EULA [End-User License Agreement]’. Nobody does,” Rosenquist said. “They will simply click and move on. They don’t know the ramifications of that click.”</p>
<p>Online Business Systems’ Wiseman said there are ways to select only specific personal files to share on company systems, but even excluding a file from the transfer doesn’t necessarily shield it from IT eyes.</p>
<p>“Even if you configure OneDrive to only sync certain folders, the client still enumerates the full names of the objects it’s not syncing. This is part of how it determines what it needs to list in the filesystem and possibly download,” Wiseman said, “and that means your corporate device may contain information about any of your home OneDrive contents.”</p>
<p><strong>Update</strong>: On Friday, Microsoft responded with this emailed statement:</p>
<p><em>The ability to use both personal and corporate OneDrive accounts on the same device has existed for some time. Administrators who have already restricted personal accounts on corporate devices can continue to manage this as before. The update introduces a new prompt for users who are already using their personal account on a device with their corporate OneDrive, prompting them to sign in. Importantly, this prompt does not automatically combine or transfer files between personal and corporate accounts. Users must take deliberate action to move or save files between accounts, and Microsoft blocks the move of known folders to personal OneDrive accounts from domain joined devices by default.</em></p>
<p><em>This update does not “sync” personal files with corporate accounts or vice versa. It simply allows access to separate OneDrive accounts on the same device without merging content – similar to checking both work and personal emails on one device without combining inboxes. Organizations that have already disabled personal OneDrive accounts on corporate devices will not see any change in their settings.</em></p>