WHITEPAPER: Securing Sensitive Information in SharePoint


EXECUTIVE SUMMARY

The adoption of SharePoint provides business users an improved platform to exchange information and collaborate more efficiently. Moving to a centralized platform such as SharePoint also allows IT teams to better back up, restore, and manage information. For SharePoint to continue to grow as a business platform, it must be suitable for highly sensitive areas of the business that handle trade secrets, military intelligence, healthcare records, or personnel files. End users in these areas often have special requirements regarding the confidentiality of their information and will resist change, and resist using a collaboration platform such as SharePoint, until their security concerns are adequately addressed.

An informed approach to security for SharePoint, including transparent encryption of sensitive content, can address concerns relating to sensitive information being stored in SharePoint sites. Beyond addressing current security concerns, proper security can also be the catalyst for expanding the use cases for SharePoint to include new areas such as HR and executive teams, and to serve as a platform to store and process regulated information. Security programs that directly lead to reduced costs and increased efficiencies are a huge benefit for Information Security and SharePoint champions within organizations.

PROBLEM OVERVIEW

To enable SharePoint for use by executive staff, boards of directors, human resources departments and more, an organization must go beyond common SharePoint security mechanisms such as permissions and security for the network session. Specifically, the organization needs to iteratively find, classify, protect, and audit sensitive information usage – none of which are core features of SharePoint. Further, use cases that touch on highly confidential areas of the business such as Human Resources require that IT administrators cannot mistakenly or maliciously access sensitive content.

An additional requirement is that security controls must not hamper the end users’ productivity nor require additional training that distracts them from the value they bring to the company. In short, the security controls must be transparent and automated. Security and compliance requirements include:

1. Strong authentication of end users and administrative staff
2. Access control to protect from unauthorized access and enforce business need to know
3. Protecting access to sensitive information through use of transparent content encryption
4. Activity auditing to track permitted and denied access requests
5. Separation of duties among IT administrators, the various tiers of SharePoint and storage administrators, and information security teams

Requirement 5 is especially challenging for SharePoint deployments as the departments that are responsible for the security and compliance for the business cannot have privileged access to SharePoint, SharePoint administrators are not responsible for security, and end users rarely accept the burden of securing their own information. Businesses need to be able to secure content in a way that empowers information security, allows the SharePoint administrators to maintain the platform, and is effectively invisible to end users.

Native SharePoint platform security controls provide well-documented options for user authentication. SharePoint’s role-based access control is customizable to facilitate most any combination of permissions. Most organizations already have a trusted authentication mechanism in place and will prefer to use it.


CipherPoint Software, Inc. 1730 Blake St., Suite 400, Denver, CO 80202 | +1.888.657.5355 | www.cipherpoint.com


The internal SharePoint team must then configure basic role-based access controls to ensure only intended end users have authorized access to the site or library. This task is straightforward, but for SharePoint sites it is too often left to the discretion of end users, with the frequent result that too many users (or, all too often, all users) are provided with full access. Enabling audit trails for SharePoint user login activity, and for administrative changes to the groups that control access to data in SharePoint, is also important. By completing these tasks, organizations can address requirement 1 above.

However, these measures do not fully address requirements 2 and 4. Using SharePoint permissions to enforce business need to know is insufficient because, in most organizations, SharePoint administrators themselves control group membership and permissions. In the case of requirement 4, enabling audit logging for SharePoint sites is also typically a function that is controlled by SharePoint administrators. If the threat that is of concern is insiders and administrators, then it follows that separating duties in these areas is critical.

For requirements 3 and 5 above, there are no effective security controls that are native to SharePoint that address this issue. Organizations wishing to deploy SharePoint to user communities including executive teams, HR, and Boards of Directors will need to look beyond the capabilities provided in SharePoint to fully address their security requirements.

CIPHERPOINT ECLIPSE SOLUTION

The CipherPoint Eclipse for SharePoint solution is specifically architected to maintain the confidentiality of information stored in SharePoint. CipherPoint Eclipse allows organizations to identify sensitive and regulated data, secure it, and audit access to it. CipherPoint provides the ability to find sensitive information such as credit card numbers and Social Security Numbers and also allows customers to transparently encrypt, monitor, and control access to and audit access for sensitive content. The solution is unique in that it can ensure that accounts with privileged IT rights cannot be used to maliciously or mistakenly view protected information. This is a major concern not only for highly sensitive data but also for SharePoint portals exposed to the public Internet.

The native SharePoint authentication and access controls described above are still in effect and provide meaningful layers of defense. CipherPoint’s solution complements SharePoint’s existing capabilities and provides additional layers of security and separation of duties.

CipherPoint’s solution includes a centralized management console, CipherPointKM. CipherPointKM allows for the configuration and management of the security and encryption of SharePoint content from outside the SharePoint farm. This architecture provides true separation of duties as the SharePoint administrators can manage the platform without being able to circumvent security, the security team can administer the security controls without requiring access to SharePoint, and the authorized end-users are the only ones that can access their sensitive information. In addition, the CipherPoint technology inserts at the SharePoint web front end server, resulting in a user experience that is truly seamless. Transparent operation is critical for end user adoption of a SharePoint encryption solution.


CONCLUSION

The combination of CipherPoint’s transparent encryption, access control, and activity logging technology and key management capabilities with native SharePoint authentication and access controls fully addresses the requirements outlined above. As SharePoint becomes more of a mission-critical business platform, organizations will require additional security controls to maintain the confidentiality of sensitive information stored in SharePoint sites. Expanding the secure use of SharePoint to include senior executives, boards of directors, human resources staff, and other owners of sensitive content can be accomplished through the thoughtful deployment of appropriate security controls, including transparent encryption, access controls, strong authentication, audit trails, and separation of duties.

CipherPoint’s solutions and SharePoint’s native security features allow you, as a SharePoint architect or administrator, to provide a secure platform and enable collaboration within your organization. In doing so, you will provide a more efficient and secure way of doing business, increase SharePoint’s visibility in your organization, and increase your value to your enterprise.

About CipherPoint

CipherPoint identifies, encrypts, and controls and audits access to sensitive and regulated data on-premises and in cloud file sharing and collaboration systems. CipherPoint’s solution is unique in preventing privileged IT administrators and outside attackers that target IT-level access from accessing sensitive information. The CipherPoint Eclipse solution suite secures data across file servers, on-premises SharePoint, SharePoint Online/Office365 and other cloud collaboration systems from a central data security console. CipherPoint’s products are easy to deploy and manage, and scalable to meet the needs of large enterprises.

A winner of the SINET 16 award as a top security company in 2012, CipherPoint is headquartered in Denver, Colorado, and was founded by IT security experts with deep experience in building successful security technology companies. Customers in healthcare, financial services, manufacturing, government, and other industries, in Europe, North America, and Asia rely on CipherPoint to protect access to sensitive and regulated information. Contact CipherPoint at [email protected] or at +1-888-657-5355.