Protecting SharePoint and OneDrive with Safetica 10

Learn how to control upload and synchronization with cloud drives, particularly with SharePoint online, SharePoint on-prem, OneDrive Personal, and OneDrive for Business.

Information in this article applies to Safetica 10 or older.

Safetica 10 allows you to control multiple SharePoint instances connected to one computer and configure each of them separately. You can control not only upload to SharePoint and OneDrive via web browsers, but also synchronization of files via local synchronized folders and OneDrive Sync Client.

This can come in handy, for example, when you have several different SharePoint instances and one of them contains sensitive files. You can protect these files from being transferred to another SharePoint instance.


Controlling SharePoint and OneDrive

SharePoint (both online and on-prem) and OneDrive (both Personal and Business) can be allowed, logged, or blocked either in general as a whole channel, or specifically as individual instances.

How to control SharePoint and OneDrive in general

Using general DLP policies, you can configure different levels of protection for OneDrive Personal that your employees may use for private purposes and OneDrive Business used by your company.

To control OneDrive Personal, OneDrive Business, or SharePoint as whole communication channels for a specific user, a group of users, or the whole company:

  1. Go to Protection > DLP policies and click New policy.
  2. In Policy type, select General.
  3. Set the Policy mode as needed.
  4. In Policy rules, click Customize and select OneDrive Personal, OneDrive Business, or SharePoint.
  5. Click the Custom link next to the Cloud drives slider, and configure as needed.

 

How to control individual SharePoint instances

If your company uses several different SharePoint instances and you want to control each of them separately, you need to use Safetica Zones in Safetica Management Console.

Go to Protection > Zones and add the address of the desired SharePoint or OneDrive instance into a zone. Each zone is a list that you can later use to create DLP policies.

 

How to add a SharePoint into a zone

  1. Go to Protection > Zones and click Add zone.
  2. Name the zone and decide whether you will consider the SharePoint instances added to it to be safe. Then click OK.
  3. In the list on the left, select the newly created zone and click Add item.
  4. Add each individual SharePoint instance by clicking Web address.
  5. Fill in the needed information and confirm with Finish.
  6. Click the confirmation button in the upper right corner of the screen.

 

How to use zones to control SharePoint instances

The created zone can be used when setting up DLP policies to control SharePoint.

Both upload via web browsers and synchronization via local synchronization folders and OneDrive Sync Client will be controlled:

  1. Go to Protection > DLP policies and click New policy.
  2. In Policy rules, use the Upload slider and choose Safe zones allowed.
  3. Decide whether you want to allow all safe zones or whether you want to set each zone individually.
  4. Place this new policy above the cloud drive restrictive one so it works as an exclusion. 

For this exclusion to work, it must be implemented as two separate DLP policies. The first policy allows upload to a safe zone containing the instance, as described above, and the second policy, with lower priority, restricts access to the desired services.

 

What will the admin see in logs

If you want to find out which file uploads or synchronizations to the cloud were allowed or blocked, go to Protection > DLP logs. In the Records table, filter by Cloud drive in the Destination type column. You will see the name of the file, who initiated the upload/sync, whether the upload/sync was allowed, blocked, or logged, whether the file contained sensitive data, and many other details.

  

FAQ

What SharePoint versions does Safetica 10 support?

We support SharePoint Online and SharePoint on-prem 2019. For older SharePoint versions, support is not guaranteed.

When I want to control individual instances of SharePoint, why do I need to set up the Upload policy rule instead of the Cloud drives rule?

The Cloud drives policy rule does not have the Allow safe zones option. Therefore, to control individual instances of SharePoint, you must use the Upload option.

How do I set up different rules for SharePoint instances and other cloud drives?

It is not possible to block specific SharePoint instances and allow other cloud drives (and vice versa) within one policy. The reason is that policy rules are matched from top to bottom of the list and the first matched rule always applies. Therefore, the Cloud drives rule always has higher priority than the Upload rule, matches first, and stops the evaluation.

To set different rules for SharePoint instances and other cloud drives, you must create 2 separate policies – one for blocking SharePoint instances and one for allowing other cloud drives (or vice versa). In the list of DLP policies, the SharePoint blocking policy must be placed higher than the policy for allowing other cloud drives.
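
The ordering rule from this answer and from the exclusion note under "How to use zones to control SharePoint instances", as an added Python sketch that is not Safetica code: it models top-to-bottom, first-match evaluation and reports any policy that can never apply in a given order. The zone names, host names, policy tuples and the host-based zone match are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed zone list: zone name -> (considered safe?, SharePoint hosts).
ZONES = {
    "Corporate SharePoint": (True, {"corp.sharepoint.example"}),
    "Partner SharePoint": (False, {"partner.sharepoint.example"}),
}

def in_safe_zone(url):
    """True if the destination host is listed in a zone marked as safe."""
    host = (urlsplit(url).hostname or "").lower()
    return any(safe and host in hosts for safe, hosts in ZONES.values())

# A policy is (name, match function, action); simplified stand-ins (assumed).
ALLOW_SAFE = ("Upload: safe zones allowed", in_safe_zone, "allow")
RESTRICT = ("Cloud drives: block", lambda url: True, "block")

def evaluate(policies, url):
    """Walk the list top to bottom; the first matching policy decides."""
    for name, matches, action in policies:
        if matches(url):
            return action, name
    return "unmatched", None  # behaviour with no match is not modelled

def never_applied(policies, urls):
    """Names of policies that win for none of the sample destinations."""
    winners = {evaluate(policies, u)[1] for u in urls}
    return [name for name, _, _ in policies if name not in winners]

# Constructed sample destinations, one per zone.
SAMPLES = [
    "https://corp.sharepoint.example/sites/finance",
    "https://partner.sharepoint.example/sites/shared",
]

if __name__ == "__main__":
    for order in ([ALLOW_SAFE, RESTRICT], [RESTRICT, ALLOW_SAFE]):
        print([p[0] for p in order])
        for url in SAMPLES:
            print("  ", url, "->", evaluate(order, url)[0])
        print("   never applied:", never_applied(order, SAMPLES))
```

With the restrictive policy on top, the safe-zone exclusion is reported as never applied, which is the misordering the two-policy setup is meant to avoid.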