Data Protection

Information Protection in Windows 10 and OneDrive

Paul Thurrott’s analysis of the soon-to-be-available Windows 10 update – Version 1809 (Redstone 5) – included this snippet that caught my eye:

Storage Sense now integrates with OneDrive and can automatically change any downloaded files to online-only if you haven’t used them in a configurable number of days (in Settings > System > Storage > Storage Sense).

Every vendor struggles with the balance between releasing tools that enable productivity through information availability and protecting information from too much disclosure / availability. What should this person have access to based on their job role and their tasks is a governance question for organisations, that’s enabled by technical capabilities offered by vendors. Data loss prevention stops people from flowing information to other people when it’s sensitive or confidential and the other party doesn’t have access rights. Access control lists on collaborative workspaces, shared folders, and systems of all kinds provide another form of information protection – it lets those who need the content in, and keeps those who don’t have the right to the content out. Role-based access control goes a step further and adds the nuance of who can and cannot take specific actions within a system.

Choosing to sync your OneDrive contents to a local machine is great for productivity – everything is immediately available whether you are connected to the network or not. But the risk is that unauthorised access to your machine – directly by a person or indirectly by a security threat executing and exfiltrating the data on your disk – will enable access to content by people who do not have authorisation. To information that is sensitive, confidential, or in need of special protections. The above forthcoming integration with Storage Sense in Windows 10 will mean that content from OneDrive that is not used often can be removed from local storage, reducing the potential information protection disclosure surface. If it’s not there directly, it can’t be accessed directly … and thus there’s another action required to gain access, which can be evaluated against up-to-the-second security policies.

1 reply »