Misuse of the newly announced Microsoft OneDrive synchronization feature puts corporate security and personal privacy at serious risk in ways not likely understood by the users. Microsoft wants people to connect their personal OneDrive file share with their work systems, synchronizing potentially private files onto their enterprise-managed PCs.
The problem is that copying these files to enterprise machines could give attackers an avenue to bring in malware, provide a means to exfiltrate corporate data, and undermine the personal privacy of unsuspecting users! Evan Schuman has written a timely article in CSO, articulating many of the risks that both users and employers should avoid.
The industry pushback was immediate and it looks like Microsoft is listening. They are delaying the release, probably to better understand the potential risks. I expect they will now do an internal review with security-minded people — which is what should have happened beginning at the architecture phase!
My guess is when the dust settles, they will not enable the synchronization feature by default, but require enterprise admins to turn it on before the users see the approval prompt.
Well, that is my hope anyways!
Microsoft’s approach in not fully understanding the cybersecurity ramifications of new features is not new. The highly controversial