Microsoft OneDrive Security Issues and Risks

Ann Rosen, Director, Product Marketing

Have you ever been lulled into a false sense of security?

Once upon a time, when I lived in a hot and humid climate, I thought my air conditioner was covered by warranty. My AC, quite attuned to Murphy’s law, promptly broke down right in the heat of summer. Then I found out that to maybe recover my AC, I had to go through seven chambers of hell. Only a specific company could fix it and they had to come repeatedly, with no success. Meanwhile, it’s 90+ degrees and humid in August, I have a newborn at home, and no AC for over a week. Boy was I wrong about my coverage for this service. There is a lesson to be learned here — read the fine print. Things aren't always what they appear to be, and you don’t want to find out the hard way.

The OneDrive small print

Similarly, some end users may say, “I’m backing up my laptop files to Microsoft OneDrive.” In fact, I used to think like that, long ago and far away, before I joined Druva. However, a seasoned IT expert would not fall into that trap.

For the sake of comparison, would you ever consider backing up your business-critical data center applications into a backup solution that you knew had these deficiencies:

  • Data is not isolated
  • Data can be modified by end-users
  • Provides limited or inconsistent retention
  • Susceptible to corruption and ransomware spread
  • Can provide only partial recovery, at best
  • Relies on user-led recovery, with limited granularity
  • Provides no central visibility into backup success or failures

Anybody who considers Microsoft OneDrive a “backup” for their end-user devices is agreeing to back up end-user business-critical data in a manner that is subject to risks like these.

Perhaps you agree with my premise, but are thinking to yourself, “My end-users shouldn’t have business-critical data on their devices.” And you are right. They shouldn’t. But they will. And they will have files outside of OneDrive folders. Can you honestly tell yourself that you can control all of that?

And here is another question for your consideration: Do you want to be the one having that conversation with an executive who just lost their laptop along with all of their data? I can just imagine how that plays out:

Executive: “My laptop crashed. I need it for a board meeting in one hour.”

IT manager: “No problem, we will recover all your files from OneDrive. You saved them in the OneDrive folder, right?”

Executive: “What OneDrive folder?”

IT manager: “Uh oh” 

At the end of the day, humans will be human. Human behavior is unpredictable. With OneDrive, we put a lot of responsibility on the end users, and hope for the best. But we don’t really know which files are downloaded or saved and where. Plus, we don’t know whether files get synchronized. We have no way to centrally monitor any of that.

So, the important question to ask here is, what is your risk tolerance? Only you know if your organization can afford to assume certain vulnerabilities in protecting end-user devices, whether working remotely or on site. As you make these decisions, please be aware of inherent gaps in relying on OneDrive as your only protection for user devices.

Device loss, theft, and corruption

If an end-user device is lost, stolen, or completely corrupted, you will lose any file that has not been synchronized with OneDrive. This can happen either because of user actions or because certain files are not covered by OneDrive. Relying only on OneDrive to recover the entire content of that device can be very time-consuming and result in only partial recovery. On the other hand, a Druva customer, Angelo State University, had an executive laptop hard drive failure. IT recovered all of the data within minutes to a “loaner” laptop, with zero impact to productivity, even though “he thought he was going to lose his data completely, and would have to start from scratch.” I bet that the IT manager was quite relieved. Another security issue is that Microsoft OneDrive does not provide data loss prevention (DLP) in the event of device loss or theft. Druva provides critical DLP capabilities such as remote device wipe and geotracking, so you can minimize data leaks.


Ransomware protection requires a two-pronged strategy: prevention and recovery. When it comes to prevention, Microsoft provides robust capabilities. However, no prevention is foolproof, as we can all see from the ransomware attacks repeatedly featured in the news. The bad guys rely heavily on social engineering and fear-mongering to infiltrate your environment. If you are hit by ransomware, it is widely agreed that recovering to a clean backup is your best defense.

However, not just any backup will do. Experts point out that your backup solution must be isolated from your primary data, or else your backup may also get infected by ransomware, leaving you with no recovery options. A great recent ZDNet article, ‘Ransomware victims thought their backups were safe. They were wrong’, showcases the latest recommendations from the UK National Cyber Security Centre (NCSC). NCSC warned that “cloud-syncing services (like Dropbox, OneDrive and SharePoint, or Google Drive) should not be used as the only backup, in case they automatically synchronise immediately after files have been 'ransomwared,' at which point the synchronised copies are lost as well.”

Additional OneDrive vulnerabilities and resources

I want to briefly mention a few other key vulnerabilities and resources:

Accidental data loss: If your users accidentally delete their own files or overwrite their colleagues’ files in the course of collaboration using OneDrive, these files may be lost forever, depending on your Office 365 edition and your retention settings. If a file gets corrupted or overwritten in the course of OneDrive synchronization, it may or may not be recoverable. In all of these instances, with Druva, data is never lost, with isolated, immutable snapshots, indefinite and customizable retention and proven backup technology with 99.99999% data durability. Users can restore files themselves or involve IT.

Departing employees: Many customers turn to Druva because they find themselves hanging on to departing employees’ Office 365 accounts, or worse, quarantining entire laptops that then collect dust in cabinets, to the tune of $1M-$2M/year. Companies have different reasons for implementing these measures, but they are only able to eliminate these hefty costs when they use Druva to back up departing employees' devices.

eDiscovery and compliance: Microsoft offers legal hold and compliance capabilities for OneDrive data in some Office 365 editions. However, companies must undertake a more holistic approach. This includes any and all data residing on employees’ devices. Only a comprehensive solution like Druva can enable central management of legal hold or proactive compliance monitoring across end-user workloads, including all device data.

OS migrations and device refresh 

Finally, here is another aspect to consider — OS migration and device refreshes. The National Cancer Institute was facing issues with device refreshes, prior to becoming a Druva customer. With a three-year refresh cycle and thousands of devices, IT was refreshing more than 3,000 devices a year — a never-ending task, which was also fraught with challenges around retaining the integrity of critical device data. Unlike OneDrive, Druva’s solution includes built-in capabilities to automate and accelerate the device restore post OS migration and device refresh, which greatly reduces cost and time, while ensuring data integrity in the process.

To learn more about the imperative of a dedicated endpoint backup, even if you are using Microsoft OneDrive, please check out this eBook. You can also access our free trial to find out for yourself how quick and easy it is to set up comprehensive endpoint protection with Druva.