Securing Your Data in OneDrive for Business

---

OneDrive is available as a consumer product for personal use. If you have a personal account, take care that you don’t inadvertently use it while at work. 

Be sure to select the “OneDrive – The University of Colorado Denver” account when saving or sharing work-related files.

Separate and organize files into folders according to topic, sensitivity, etc. Doing so will allow you to more easily identify files that need to be maintained or shared more securely due to the nature of their content.

IMPORTANT NOTE: Sharing too broadly can lead to security incidents, statutory/regulatory compliance problems, etc. Only share with those who are authorized and need access.  Do not use links such as "Anyone with the link can edit” or “Anyone within The University of Colorado Denver can edit” because these will not protect confidential and highly confidential data from unauthorized access or use.

• Only grant access to people who are authorized to view it!

• Individual files, as well as folders, can be shared with other users or with groups of users. When you share a file or folder, you can also specify what the user can do—e.g., edit, view only, block download, etc. If you share a folder, the permissions granted will apply to every file within that folder unless they are specifically changed.

• Files can be shared as attachments to emails, or you can send a link to the file location in OneDrive. 

• When sharing links, you can specify if the link will only work for a particular person, will work for anyone with the link (do NOT use with Confidential or Highly Confidential data!), will work for anyone within “The University of Colorado Denver” account who has the link (do NOT use with Confidential or Highly Confidential data!), will work for people with existing access, etc. 

• Do not set a link to “Anyone with the link” because it will work for anyone that you send the link to AND anyone they forward the link to, etc.

Understanding this sharing/permission hierarchy will help you to ensure that your file/folder sharing is appropriately controlled.

There are several ways to share files (e.g., from the list of files/folders in OneDrive, from a document, spreadsheet, etc. that you have open, etc.) Regardless of how you start, the options are very similar. 

• From the list of files/folders in OneDrive, select the folder or file you want to share

• Click the three dots to the right of the file name

• From the drop-down menu, select “Share”. The resulting screen looks like this:

• Begin typing the name of the person you want to add, then select from the list.

• The default permission is “People you specify can edit”.  If you click this text, you can change not only the permissions you are granting, but also who the link works for:

• “Specific People” is the most restrictive type of access link since it will only work for the specific people that you add. This is the proper method for sharing confidential or highly confidential data.  

• Do not set a link to “Anyone with the link can edit” or view because it will work for anyone that you send the link to, anyone they forward the link to, etc.

Periodically review who a file or folder has been shared with, particularly for older files. It is a good way of making sure that the file continues to be shared appropriately and meets expectations for protecting data. You can check these permissions by:

• Selecting the folder or file you want to review

• Click the three dots to the right of the file name

• From the drop-down menu, select “Manage access”

• Review the resulting screen to see individuals and groups with access. 

• In the screenshot below, you can see that three types of links have been generated — “Anyone with the link can edit”, “People you specify can edit” and “People you specify can view”. 

• For each list, you can see who has been given the link (click “Anyone with the link can edit” to see a list of users for that link type.)

• From this screen, you can do several things:
  • Share with new users by clicking Share in the top right corner of the screen and then following the How To Share instructions in the tab above.
  • Remove access for any user by clicking the X to the right of their name/email address.

   

  

   

• Remove an entire link type by clicking the three dots to the right of the link name and then clicking the X to the right of the link name on the following screen.

NOTE: If you remove a link type, it will automatically remove access for everyone who has that link.

If you had generated a link allowing “Anyone with the link can edit”, for example, and then discovered during a review that it was being used by several people (some appropriately; some not), removing the link will remove access for all users. For appropriate users to continue to have access, you will need to re-share access using a different type of link (e.g., “People you specify can edit”) and then remove the “Anyone with the link can edit” link.