Cloud Apps Security, Protect your files in a Secure MultiCloud World

After the rise of hybrid cloud within a single vendor, we have reached the next step of complexity with multicloud. It is not realistic to believe in a single-vendor cloud world. There is going to be a continuous battle between cloud services for new customers and for converting existing customers to their platform, and in some ways integration needs to happen between different cloud services. Microsoft knows that too. Look at what they are trying to do around the integration of DropBox and Box in Microsoft Teams, around Azure Information Protection for on-premises systems, and their plans to extend AIP, or rather MIP, towards non-Microsoft platforms.

Cloud Apps Security (CAS) is another example that shows Microsoft understands it can hope for cloud service domination, but reality might be different, or the timeframe for that domination might be a bit longer than anticipated. So what is this CAS thing? Well, look at CAS as a centralized dashboard you can use to identify, control, protect and do threat analysis of your cloud services. Supported at this time are Box, DropBox, GoogleDrive, OneDrive for Business and SharePoint Online. CAS can be found as a separate entity in your Office 365 Admin, that is, if you have an existing license for it. You can trial it for 30 days.

A limitation I want to point out from the start is that CAS only supports the Enterprise versions of the existing cloud services. It will not support personal Dropbox, Box or OneDrive accounts, so this is something to keep in mind.

As it is today, CAS can identify which cloud services are being used based on traffic logs. You upload the traffic logs from your local connection and CAS will identify any cloud services being used as shadow IT. Since this is based on traffic logs, you need a device that captures them. If you are a fully remote employee whose traffic is not going through a BlueCoat, SonicWall or other appliance, the discovery can only do so much.

The second functionality is investigation. Investigation allows you to do a deep-dive analysis of what is going on in your cloud services. It can retrieve everything from the activity log, user interactions, and file investigations. Since this was a test for me to identify the potential of CAS, I focused on files and the ability to detect and protect the content of files. I created a policy (which I will discuss in detail later in this post) to detect and protect files containing PII like an SSN. When a document triggers that policy, this is reported in the investigation option under files.


The third part of CAS is control. It is in this section where you define the policies that protect the content of your files. We are going to create a policy to protect all files in my Box, GoogleDrive, OneDrive for Business and SharePoint Online when they contain PII such as an SSN. There are multiple ways to create policies: start from scratch, start from a template, etc. I always try to go for the path of least resistance, so no surprise here, I will start with a template.


Now, what was striking to me is that it said built-in DLP engine. So that means (at least for now) CAS is not using the same DLP engine as Office 365; it uses its own DLP engine to identify certain sensitive types of data. Later on, you will see that the options for specific PII are very limited in comparison with what Office 365 already has built in. To create the policy based on a template, just click the + attached to it.

A policy has a number of settings you can choose to define or not. Some are mandatory, some are optional; together they define the reach and the actions of your policy. In my policy, I want to protect SSNs. In the first section, I can define the severity of the policy and any potential filters, which is pretty much the reach of the policy. Since my policy is meant to protect everything, I don't have to define any filters.


In the second section, I define what exactly I am looking for. I want to identify files that contain US: PII: Social Security Number. Those are loaded through a preset in the settings; you can also define your own regular expression if you want to look for something that isn't covered. You also need to define where to look exactly: you can let the engine look in the content, the metadata, and the filename. The last part is to define how many occurrences will trigger the policy.


The next part is to set up how your alerts need to be generated. You can create an alert for each matching file and send an email or even a text message, like in my example.


And now comes the cool part, in my opinion: the governance rules. This is where you define what needs to happen when a file matches the policy. As you can see in the next image, these actions are defined per cloud service, and not every cloud service supports the same governance actions. They range from removing the shared link and restricting permissions to my favorite, putting the file in quarantine. For the Box environment I chose user quarantine, while for OneDrive for Business and SharePoint Online I am going for an admin quarantine.


Let's start by explaining what quarantine means. When a document is put in quarantine it is replaced by a text file, e.g. TEST SSN copy.docx.QUARANTINE.txt, and when you open that document this is shown.


Depending on whether the quarantine is admin or user based, the quarantine folder will be created either in a centralized location or within the user's environment. If it is user based, the end user still has the option to go into the quarantine folder and get the document. In an admin based quarantine, the document is stored in a centralized location, and whether the user still has access depends on the permissions of that location.
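To make the policy flow above concrete, here is an added, simplified stand-in (not Microsoft's CAS DLP engine and not code from this post) that mimics what the policy does: count SSN-shaped values in the locations the policy inspects, apply the occurrence threshold, and pick the per-service governance action and the .QUARANTINE.txt placeholder name. The SSN pattern, the plausibility rules and the service-to-action table are assumptions chosen to mirror the settings described above.

```python
"""Simplified stand-in for the CAS file policy described above (added example).

Not Microsoft's DLP engine: the SSN pattern, the plausibility rules and the
service-to-action table are assumptions chosen to mirror the post's settings.
"""
import re
from dataclasses import dataclass, field

# Assumed pattern: 3-2-4 digits, optional '-' or ' ' separators, whole token only.
SSN_RE = re.compile(r"(?<![\w-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\w-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject shapes that are never issued (assumed rules: area 000/666/9xx,
    group 00, serial 0000); this keeps order numbers and similar out."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def count_ssns(text: str) -> int:
    """Number of plausible SSN occurrences in a piece of text."""
    return sum(1 for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups()))


@dataclass
class CloudFile:
    service: str            # "Box", "OneDrive for Business", "SharePoint Online", ...
    name: str
    content: str
    metadata: dict = field(default_factory=dict)


@dataclass
class Policy:
    min_matches: int = 1                                    # occurrences that trigger
    search_in: tuple = ("content", "metadata", "filename")  # where the engine looks
    # governance action per service, as chosen in the post; unknown services only alert
    governance: dict = field(default_factory=lambda: {
        "Box": "user_quarantine",
        "OneDrive for Business": "admin_quarantine",
        "SharePoint Online": "admin_quarantine",
    })


def matches(policy: Policy, f: CloudFile) -> int:
    """Total plausible SSN occurrences across the locations the policy inspects."""
    total = 0
    if "content" in policy.search_in:
        total += count_ssns(f.content)
    if "metadata" in policy.search_in:
        total += sum(count_ssns(str(v)) for v in f.metadata.values())
    if "filename" in policy.search_in:
        total += count_ssns(f.name)
    return total


def evaluate(policy: Policy, f: CloudFile) -> dict:
    """Alert/governance decision for one file: no alert below the threshold,
    otherwise the service's action and, for quarantine, the placeholder name."""
    n = matches(policy, f)
    if n < policy.min_matches:
        return {"alert": False, "matches": n, "action": None, "placeholder": None}
    action = policy.governance.get(f.service, "alert_only")
    placeholder = f"{f.name}.QUARANTINE.txt" if action.endswith("quarantine") else None
    return {"alert": True, "matches": n, "action": action, "placeholder": placeholder}


# Constructed sample files; the numbers are made-up test values, not real SSNs.
SAMPLES = [
    CloudFile("Box", "TEST SSN copy.docx", "Employee SSN: 219-09-9999; backup 321 54 9876"),
    CloudFile("SharePoint Online", "notes.txt", "order 123-45-6789 shipped", {"author": "ann"}),
    CloudFile("OneDrive for Business", "budget.xlsx", "Total 1234567890; bad 000-12-3456 666-12-3456"),
    CloudFile("Box", "219-09-9999.pdf", "scanned form"),   # SSN only in the filename
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(f.service, f.name, evaluate(Policy(), f))
```

Restricting search_in to ("content",) shows why the "where to look" setting matters: the last sample then no longer triggers at all.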

When an alert is created, it will be part of the alert section in CAS. At the same time, if you defined for an email or text message to be sent, that will happen as well.


When you go to the CAS dashboard, you will see the alert based on your configuration.


Alerts can be left open; they can also be dismissed or resolved. This way you can keep track of which alerts you still have to act on and which ones are resolved. When you go into the details of a single alert, you will see that it gives you all the information you need. It also allows you to perform certain actions on it. E.g. if this was a false positive, you can use restore from admin quarantine to put the document back in its original location.


So, this is only one specific use case. Even with this basic version of CAS, a lot of possibilities are available. There are, however, a number of limitations in CAS that are pretty significant.

  • Only Enterprise versions of cloud services are covered in CAS.
  • Only cloud services are covered. After all, this is still a hybrid world, so what do we do with legacy ECMS like FileNet, OpenText, etc.?
  • Very limited sensitive data classification, which is weird to me, since Microsoft has done such a great job in other services in Office 365. Why this separate engine?

I am looking forward to seeing more of this in the next few months. Keep posted…


AZURE ACTIVE DIRECTORY AND OFFICE 365: CONDITIONAL ACCESS

When I talk about security within cloud services, I always like to start with identities. And within Office 365 that is not different. One of the most overlooked parts of security is making sure you have your authentication process set up correctly. We try to educate end users to make sure they are not distributing their username and password, and we implement password policies to support them in keeping their information safe. Sometimes we might even consider -and if we are lucky implement- multi-factor authentication.

And that is it?! It doesn't have to be. In this post, I am going to address conditional access in Office 365. To be able to set this up you need an Azure Active Directory P2 license; there are multiple ways to get this, either standalone or as part of a more extensive SKU. Microsoft even provides a 30-day trial you can spin up to test it and see if it is something you like or need.

Click on the following link to read the complete article.

Azure Active Directory and Office 365: Conditional Access

Microsoft Teams Truly The HUB for Teamwork

When Microsoft launched Teams, they made some bold statements around what the service should be in their eyes. The boldest one, in my opinion, was the HUB for teamwork. What Microsoft was saying, is that no matter what you needed or what service you are using, you would have some way of interacting with it. The first step, immediately available at release time, were tabs. Even though they were a good first step, tabs are tabs. Even Google Chrome, with all due respect for Google Chrome, has tabs but I wouldn’t call it my HUB for teamwork.

Now Microsoft Teams introduced the concept of Apps. And this is where, in my opinion, things get interesting. People love apps, people need apps, people are controlled by apps. We have apps today that start your car remotely by using your phone. Too cold for you to get out and start your car? No worries, we have an app. You want to change the color of your living room lights based on your mood? We have an app for that. So, apps within Microsoft Teams. I am impressed, to be honest. But let's dig a bit deeper into what type of apps we have available. Here is where it becomes apparent again that Microsoft for a large part is still led by developers, but I guess that is nothing new. Apps = Apps + Tabs + Bots + Connectors + Messaging. Let's dissect!

Apps, the applications that you can make available for a team or for you personally. When you make applications available to you or your team, you will find them under the ellipsis (…)


Some applications can be added as a Tab, but not all of them. E.g. as it is today, you can add Twitter as an App but not as a Tab. HootSuite, however, can be added as both. So as expected, not all apps are created equal. When you install an application that can be added as a tab, you can do that immediately when you activate the app or later on in the channel. However, at activation you can only do that for one Team; the rest needs to be done within each team itself.


If you want to activate a tab from within a Team, just go into the right channel and click the + sign on top. Select the tab you want to add and follow the instructions. Each app/tab will have different requirements, depending on whether you need an account for the service you are trying to access.


The next one is Bots. I love bots; Alexa, Google Home, they are all bots to me: I ask them something, they give me the answer, amazing. The only bot I have tested so far is the default Who bot. You can find it under the ellipsis. The Who bot knows a lot about you, like who you messaged or emailed, the topics of those conversations, your organizational structure, etc. So instead of searching through your mailbox, conversations, files, etc., you can just ask the Who bot. Of course, at this point, the Who bot only knows what it has connectors for and only has access to data within Office 365.


Connectors, if I am being honest, I am a huge fan of integrations. Connecting multiple systems together so people only have to be at one place to get updates is huge if you want to be the HUB for teamwork. So in this example, I created a connector to a Facebook Page I own, called Office 365 Tip of The Day. In my environment, my marketing team needs to keep track of any updates on those pages, any unanswered messages, etc. So I set up my connector to pull updates directly into my conversation feed in Microsoft Teams. Refresh rate can be configured as you see fit.


When somebody posts a message on your page, you get this notification.


The last one is messaging. Apps related to messaging allow you to create rich content in your conversations. Two examples: I am going to add News content to my posts. While I was getting the latest news, I saw that the Dow Jones was taking some hits. I wanted to share that article with my team, but more importantly, I also wanted to see what the effect of that drop was on one specific stock, e.g. Chipotle, which is a $4.51 drop or 1.50%.


So apps absolutely improve on Microsoft Teams' claim to be the HUB for team collaboration. I love what I am seeing so far … keep it coming.

Integration of Teams with other cloud services?

When you follow Microsoft and their ecosystem, you’ll have noticed there is a lot of buzz around Microsoft Teams. Microsoft Teams is the latest service within the Office 365 suite to collaborate with the different teams in your company. Like with any new, shiny service within Office 365, you must ask yourself if this is something you need as an organization, and why it is so different from what you have today.

Why Teams? Most everyone can agree that collaboration is the key to success within any organization. Sharing knowledge, working together, putting the right resources together increases the chances for the desired outcome on whatever the project may be. So why is Microsoft Teams so different than any other collaboration system? Well, actually, it isn’t. To explain that statement a bit better, let us take a closer look at what the approach is for Microsoft Teams to collaboration and more important what is under the hood of this new service.

Chat for today's teams. Microsoft Teams allows you to spin up threaded and persistent group chats. This is functionality Microsoft already tried with Yammer and proved to customers and their end users. However, instead of relying on Yammer, Microsoft decided to go with one of its most successful core services, Exchange Online, to store personal and group conversations. Additionally, Microsoft decided to bring a modern approach to conversations. Microsoft Teams allows you to add another level of communication to your collaboration by adding memes, stickers and emojis. This persistent threading functionality is a huge benefit for teams because it allows new members to come in and read up on existing threads, catching up on conversations and discussions that happened in the past. This is a huge improvement on the traditional use of distribution lists.

Working together on the right information, fast and easy. For a long time, documents and document management systems have been considered the beating heart of collaboration. Microsoft has invested lots of time and energy to bring the SharePoint platform to a level where everyone can agree it is pretty amazing when you look at its capabilities. However, during the process, SharePoint became a system that caused mixed emotions with its users: both loved and hated at the same time. People love it for the robustness, the capabilities around record and document management, and the ability to share and coauthor documents on the fly. However, end users didn't like the result. People weren't able to find information on the platform, or weren't using it because it wasn't set up intuitively. You had to be an expert to use the system, hence the popularity of SharePoint conferences and SharePoint community events. Microsoft tried to make it easier by introducing Delve, an intelligent service that should be able to provide you with all the information you need based on meetings, connections with coworkers, etc. Ultimately, I think Microsoft may have finally realized that SharePoint was not the tool for collaboration; however, SharePoint was the perfect platform to enable collaboration as long as the application on top is easy and intuitive to use. That is exactly what Microsoft Teams brings to the table.

Built-in voice and video. The world has become a smaller place thanks to cloud services focusing on voice and video. You need to set up a meeting with somebody from Johannesburg, Atlanta, Melbourne, and Paris? No worries, with Skype for Business we already have a cloud service able to connect all these people in a heartbeat. Well, Teams takes that same service to the next level. Do you want to keep a recording in your team files? You want people to discuss the meeting content later through a group chat? You want a meeting calendar in your team with direct connections to the Skype Bridge? Done, done and done. Microsoft is so convinced of the added value of the Teams functionality that they announced the deprecation of Skype for Business Online in favor of Microsoft Teams.

Collaboration Hub. Microsoft wants Teams to be the application where all collaboration starts. Within a specific team, you can add different applications in tabular view. Is your team using Salesforce, Kanban, an online time management service, etc? Teams can visually integrate all these applications. Teams can be used as your collaboration and application hub allowing you a centralized location where everyone in your team exactly knows how to get to all their line of business applications.

Enjoy the security of Office 365. As you can see, Microsoft Teams is built on top of Microsoft’s most established cloud services like Exchange Online, SharePoint Online and Skype for Business. Besides the stability and value, they also guarantee that your data is safe and secure. Finally, Microsoft Teams provides the advanced security and compliance capabilities that Office 365 customers expect. Data is encrypted in transit and at rest. Like the other services in Office 365, Microsoft has a transparent operational model with no standing access to customer data. Microsoft Teams supports key compliance standards including EU Model Clauses, ISO 27001, SOC 2, HIPAA and more. And, as customers would expect, Microsoft Teams is served out of our hyper-scale global network of data centers, automatically provisioned within Office 365 and managed centrally, just as any other Office 365 service.

Integration with other cloud services. As most of you know, there are other cloud services used in the workforce that people like to use for multiple reasons. To name just a few of them, Box, Dropbox, Egnyte, etc. are familiar and well-liked names in the industry. Is there a way to make Teams play nicely with those services or not? Microsoft Teams supports multiple cloud services as its storage. OneDrive, Box, Dropbox, ShareFile and Google Drive are the ones Microsoft supports natively in the application. How does it work? Just go into the files section of Microsoft Teams, click on add cloud storage and select the cloud storage service you want to use. The application will redirect you to a login screen, where you provide a username and password. Additionally, you can add a directory to a specific Team or a Channel in a Team. This cloud service storage will be represented as a virtual folder in your files section.

Where is my latest document? The integration is a perfect way to combine the core functionality of Microsoft Teams with different cloud services. Seems too good to be true? Probably; you might want to look at the problems this integration brings to the table. Confusion caused by two storage systems is by far the main one. Let's illustrate this with a few examples. When you create a Team, the systems responsible for storing the conversations and files are still there. When you add a Box account to a Team or Channel you will still be able to upload documents to the Microsoft OneDrive attached to the Team. If you want to upload files to your Box account through collaboration within Microsoft Teams, you need to make sure you are in the virtual folder; otherwise they will be uploaded to the OneDrive attached to the Team. Imagine the fallout when people realize that their new and updated data is not in their Box account but rather on OneDrive, a service that might be completely new to them. Additionally, one of the strengths of Microsoft Teams is the ability to have conversations around specific documents. When you, however, accidentally upload the document instead of using a link to a document from Box, again that document will be on OneDrive and all the changes made to that document will not be reflected in the Box account. Lastly, you can only attach one account of each cloud service to a Team or Channel. It is the owner of that Team or Channel who decides what account is attached to it. If you have documents spread over multiple accounts that you want to use in a Team or Channel, this will require a consolidation of data into one account. That might not necessarily be the route you want to take.

But I really love the functionality of Teams! When you are really set on using Microsoft Teams combined with other cloud services, you will have to check out tools that support a bidirectional synchronization. SkySync can help you overcome the problems the native integration brings to your organization. With their Enterprise Content Integration tool, you can use Microsoft Teams and enjoy its full feature set. Behind the scenes, your data will be kept up-to-date with the master storage, whatever service or services that may be. When your data changes on the master storage, an update will be triggered to update your data in Microsoft Teams, making sure your data is also up-to-date in whatever service or application you might access it.

Check out the website on www.skysync.com to learn more about the solutions they offer.

Google Suite resources conversion to Office 365 resources

The world of cloud services has never been as competitive as it is today. Office 365 clearly is the big driver nowadays in cloud adoption, but that has not always been the case. Google Apps, now called Google Suite, was on the market with a viable cloud service way earlier than Microsoft. You are still going to see a lot of large enterprises who have their first cloud footprint on Google. The adoption of Google Apps/Suite was very similar to the adoption of Office 365. Mailboxes were a no-brainer, later Google Drive followed, Google Hangouts, etc.

So one of the features Google Suite offers you, like Office 365, is resources. However, that is where all comparison stops. In Office 365 all the resources get an email address within the vanity domain you chose to use, e.g. room1@jseghers.be or projector_1@jseghers.be. All nice and clean. However, when we look at the Google Suite side of things, that is a whole different story. For some inexplicable reason Google creates an entity within its own domain, @resource.calendar.google.com, and not in your own vanity domain. When we look at the structure, you can extrapolate that all resources will look like this:

<vanity domain>_<hash/unique identifier>@resource.calendar.google.com

which results in: jseghers.be_3838313136363031333430@resource.calendar.google.com

When you use Google Calendar and set up a meeting, you won't even see that SMTP address. You get the user-friendly name in the rooms list. So why do we care? Well, one thing that cloud services have done to the industry is turn it into a competitive market. Mailbox size increases, price drops, new features, etc. are some of the incentives that all cloud service providers offer to their customers. Currently Office 365 is clearly leading, but even so, when companies decide to move from Google Suite to Office 365, they are not doing a 'start blank' scenario. They want their new setup to match their current setup as closely as possible. So in the case of resources, new resources are created in Office 365 and the data has to be migrated.

And here is where the issues start. Let's assume that we just migrate all the data from the resource within Google to Office 365. Calendar items within the resource would have jseghers.be_3838313136363031333430@resource.calendar.google.com in their invite list, and the same goes for people using the resource in their own calendar items. So when a calendar item is updated, the update will not go to the new Office 365 resource but will be redirected to the Google resource domain. This means that updates are not going through to the resource mailbox. Big deal? Well, if your resources are used frequently and you cherish the correctness of their availability, I would say so.

So what is the solution? We know that, coming from Google, the Microsoft migration tools are not that great. Even FastTrack, the migration service of Microsoft, does not cover resources for this specific reason. So, when you have a customer, or you are the customer, who is thinking about migrating Google Suite to Office 365 mailboxes, make sure you ask about resources. If they are part of the scope, know that you will need a migration tool that is capable of recipient mapping; this means that the tool will take e.g. jseghers.be_3838313136363031333430@resource.calendar.google.com and translate it into meeting1@jseghers.be. This is the only way to cover for this.
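Here is an added example (not MigrationWiz's or any vendor's code, and not part of the original post) of the recipient mapping step described above: it recognises the Google resource address shape quoted in this post, rewrites mapped addresses in attendee lists and in a constructed iCalendar body, and flags Google resource addresses that have no mapping yet, which is the check you want to run before the migration rather than after. The mapping table and the sample event are constructed.

```python
"""Recipient mapping for Google Suite resource addresses (added example).

Not MigrationWiz or any vendor's code: it shows the translation step a
migration tool has to perform so that updated invites reach the new
Office 365 resource instead of the @resource.calendar.google.com entity.
"""
import re

# Shape quoted in the post: <vanity domain>_<hash/unique identifier>@resource.calendar.google.com
GOOGLE_RESOURCE_RE = re.compile(
    r"^(?P<domain>[a-z0-9.-]+)_(?P<uid>[0-9a-z]+)@resource\.calendar\.google\.com$",
    re.IGNORECASE,
)


def parse_google_resource(address: str):
    """Return (vanity domain, unique id) for a Google resource address, else None."""
    m = GOOGLE_RESOURCE_RE.match(address.strip())
    return (m.group("domain").lower(), m.group("uid")) if m else None


def build_mapping(pairs) -> dict:
    """Build a case-insensitive map from Google resource address to its new
    Office 365 address, refusing entries that are not Google resource addresses."""
    mapping = {}
    for src, dst in pairs:
        if parse_google_resource(src) is None:
            raise ValueError(f"not a Google resource address: {src}")
        mapping[src.lower()] = dst.lower()
    return mapping


def remap_attendees(attendees, mapping: dict):
    """Rewrite mapped resources in an attendee list. Unmapped Google resource
    addresses are left untouched and reported, so they can be added to the
    mapping before the migration instead of silently breaking updates."""
    out, unmapped = [], set()
    for addr in attendees:
        key = addr.lower()
        if key in mapping:
            out.append(mapping[key])
        else:
            if parse_google_resource(addr) is not None:
                unmapped.add(key)
            out.append(addr)
    return out, unmapped


# Matches "ATTENDEE;...:mailto:addr" and "ORGANIZER;...:mailto:addr" lines.
_ICS_ADDR_RE = re.compile(r"^((?:ATTENDEE|ORGANIZER)[^:\r\n]*:mailto:)([^\r\n]+)$",
                          re.IGNORECASE | re.MULTILINE)


def remap_ics(ics_text: str, mapping: dict) -> str:
    """Apply the mapping to every mailto: value of an (unfolded) iCalendar body."""
    def repl(m):
        addr = m.group(2).strip()
        return m.group(1) + mapping.get(addr.lower(), addr)
    return _ICS_ADDR_RE.sub(repl, ics_text)


# Constructed sample data; the Google address is the one quoted in the post.
MAPPING = build_mapping([
    ("jseghers.be_3838313136363031333430@resource.calendar.google.com", "meeting1@jseghers.be"),
])

SAMPLE_ICS = "\n".join([
    "BEGIN:VEVENT",
    "ORGANIZER;CN=Jan:mailto:jan@jseghers.be",
    "ATTENDEE;CN=Meeting Room 1;CUTYPE=RESOURCE:mailto:"
    "jseghers.be_3838313136363031333430@resource.calendar.google.com",
    "ATTENDEE;CN=Ann:mailto:ann@jseghers.be",
    "END:VEVENT",
])

if __name__ == "__main__":
    print(remap_ics(SAMPLE_ICS, MAPPING))
```

Real exports fold long lines at 75 octets, so unfold them before running remap_ics; the sample above is already unfolded.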

I am not going to tell you which tool to use, but based on my experience, I go with MigrationWiz every single time.

Office 365, know your secure score

Office 365, cloud services in general and security: lengthy debates have been conducted. Cloud services have proven their reliability in security and the safety of our data. Many security papers and theses have been written about the topic, all saying the same thing: your data is safe when using established cloud services like Office 365, GSuite, Dropbox, etc.

But how about the administrator side of the story: how are we doing in securing our data on Office 365? Do we put in the same amount of effort as Microsoft and other providers, or are we, the Office 365 administrators, the weakest link in the security chain? Well, with Secure Score (https://securescore.office.com/) you can verify how well protected your Office 365 tenant is. The only thing you need to do is log in to your tenant as a global administrator and let the Secure Score report be generated.

Immediately you will receive a score that represents how well your Office 365 tenant is configured when it comes to security. The dashboard will show your score and also the necessary actions you can take to increase that score.

It will also show your target score when you perform all the suggested actions. In my test case, performing the 24 actions would allow me to increase my score from 72 to 333. Some are basic actions that everyone should be using, like MFA for global administrators, audit logging, etc., but some suggestions also include more in-depth and business-driven actions like Data Loss Prevention, reviews of Exchange security reports, etc.

On the Score Analyzer, you will notice a nice graph that shows how your Secure Score has improved (or not) over time as you start applying the different rules suggested in the Secure Score Dashboard. Additionally, you get a detailed overview of the actions you have implemented and how they count towards your Secure Score. In the tab 'Incomplete Actions' you get a full overview again, as on the Dashboard, of the actions you should complete to maximize your Secure Score. What is really neat is the learn more button.

It shows you what you are about to change, which users to change it on and what the effect will be for the users.

So even if security is not your main driver in your Office 365 setup, this free security assessment is definitely worth your time and trouble to check out.

Mailboxes after life, what to do with mailboxes after the employee leaves.

When a user wants to use a service in Office 365, no matter what service it is, a license needs to be assigned. When a license is used, a license cost needs to be paid. This whole concept, which is called pay what you use, makes total sense for active data. But what about the mailboxes of users who are not active anymore? Of course you can choose to keep these mailboxes active, but that will result in license costs. Microsoft released the concept of inactive users very early in the Office 365 roadmap to deal with deleted mailboxes.

How does it work?

To make a mailbox inactive, it must be assigned an Exchange Online (Plan 2) license so that a Litigation Hold or an In-Place Hold can be placed on the mailbox before it's deleted. Exchange Online (Plan 2) licenses are part of Office 365 Enterprise E3 and E5 subscriptions. If a mailbox is assigned an Exchange Online (Plan 1) license (which is part of an Office 365 Enterprise E1 subscription), you would have to assign it a separate Exchange Online Archiving license so that a hold can be placed on the mailbox before it's deleted.

So it is important to understand that you need an advanced license for this.

Source: https://technet.microsoft.com/en-us/library/dn144876(v=exchg.150).aspx

External recipients don't receive email messages that are sent to a distribution group in Exchange Online.

During one of my recent migrations from an on-premises Exchange to Office 365, some people complained to me that some distribution group members didn't receive messages sent to this distribution group.

During my tests I noticed that the external anti-spam solution didn't accept the messages it received for the external recipients. I also noticed that the sender was not getting any non-delivery reports.

After some investigation I found out that the distribution group parameter "ReportToOriginatorEnabled" in Exchange Online is set to False by default, which is different from the on-premises Exchange version, where this parameter is set to True by default.

To fix this behavior I used PowerShell:

Set-DistributionGroup "<DistributionGroupName>" -ReportToOriginatorEnabled $true

More info: http://support.microsoft.com/kb/2723654/en-us

Submitted by Bart Roels – https://twitter.com/FomeZ – @FomeZ

Time to patch your Office 2013/Pro Plus: ms13-104

The token security issue reported in May 2013 (read the full story on http://adallom.com/blog/severe-office-365-token-disclosure-vulnerability-research-and-analysis/) was that Office Pro Plus could be tricked into sending out its Office 365 token while talking to a malicious site. Through that mechanism users' tokens could be collected and used for easy access to the users' data, mailbox, …

The resolution is finally released as part of the automatic updates of Windows/Office. You can download the patch from http://technet.microsoft.com/en-us/security/bulletin/ms13-104 if you only want to deploy this one.

I urge you to install it as soon as possible.

Read also Paul Robichaux’ blog post about the topic: http://paulrobichaux.wordpress.com/2014/01/02/office-365-token-disclosure-flaw-patch-your-desktops-now/?utm_content=buffer0f5ae&utm_source=buffer&utm_medium=twitter&utm_campaign=Buffer

The influence of Activating SharePoint Server Publishing Infrastructure on Security Trimmed Navigation

Security and navigation: it's something we need to be really careful with. It's really frustrating to see navigation items you don't have access to, and it's even more annoying not to see your navigation even though you have access to the library or to one of the items in it. According to the TechNet article http://technet.microsoft.com/en-us/library/dn169567.aspx, giving a user access to an item in a SharePoint library results in the assignment of Limited Access on the levels above it. The purpose of that Limited Access, in the article's words,

“is to allow enough access to the object hierarchically above the uniquely permissioned item so that the Object Model (OM), master pages, and navigation can display when the user attempts to navigate to the item. Without the Limited Access permissions at the parent scopes, the user wouldn’t be able to successfully browse to or open the item that has unique permissions.”

This results in:

[Figure: illustrates the object hierarchy for a document library, in which all objects but one inherit their scope from their parents.]

or

[Figure: illustrates how the hierarchical depth of scopes can affect the amount of work required to add Limited Access users to parent scopes.]

Let me transform this into a Real Case Scenario:

We have a Document Library Finance to which only the CFO and his team have access. In the current navigation (left side menu) only the CFO and his team will see the Document Library Finance. Every other employee will not see it, since they don't have access to the Library or to any document in that Library.

One document, Expenses.xlsx, must be editable for every user, since they have to add their expenses to that spreadsheet. So the CFO assigns everyone Contribute rights on it. As mentioned in the TechNet article, everyone will receive Limited Access rights on the Library. In SharePoint 2013 Limited Access rights are not shown in the permission overview, to avoid the confusion we had in SharePoint 2010. So far so good: everyone can see the library Finance.

Since we want to incorporate some publishing features like Master Pages, Page Layouts, … we need to activate SharePoint Server Publishing Infrastructure. At that exact moment the library Finance disappears from the current navigation. It is only visible to the CFO and his team. The document Expenses.xlsx is only available through a direct link or when used by the WebPart/AppPart Finance.

Deactivating the feature doesn't roll back the damage, so be very careful. Since it occurs in SharePoint on-premises and Online, I doubt it's a bug; rather it's a change/feature/opportunity in the platform. In my humble opinion a bad one. I'm still hoping it's a bug. I'm also hoping pigs can fly and hell freezes over, …

I've made a screencast of a similar process, which you can find on YouTube: http://youtu.be/6WCqqbOE53k