SlideShare una empresa de Scribd logo

Share point encryption

C
csmith2009
Tecnología
1 de 6
Descargar para leer sin conexión
1 Executive Summary Popular collaboration platforms such as Microsoft SharePoint are making sharing and storing information easy. Private and confidential information is finding it’s way into SharePoint environments with increasing frequency. This ease of deployment and use introduces new data security and compliance concerns for organizations. With data security breaches and attacks on the rise, protecting sensitive information stored in SharePoint is a critical issue. Security researchers from the Ponemon Institute now put the average organizational cost of a data breach at $6.75M. According to Osterman Research, “the focus of SharePoint security concerns appears to be much more focused on protecting sensitive information than on traditional malware. ” Several approaches are available to provide for protection of the information stored in SharePoint sites. Each approach has its merits, and provides different levels of protection against different threats and attacks. The transparent data encryption approach implemented specifically to protect data on SharePoint servers provides the most comprehensive data security possible, addressing the broadest set of potential attack scenarios, including insider threats from administrators. Management staff responsible for securing SharePoint sites is advised to carefully consider the risks and threats to information, and implement an approach that effectively secures against these threats. WHITE PAPER Securing Sensitive Information in SharePoint
2 Introduction Usage of collaboration sites such as SharePoint is experiencing explosive growth, with analyst firm Infotrends projecting that the market for SharePoint will surpass $5B in product and services revenue by 2012. The overall market for content management systems is projected to grow to $10B by 2014, according to industry analyst firm Basex. Analysts at Gartner have estimated 30% of SharePoint deployments are being deployed outside the control of central IT and information security groups. The increasing use of SharePoint for all types of information coupled with relatively less oversight from IT security staff and a simple user interface that makes storing and sharing sensitive information easy, and you have potential for data security breaches. As SharePoint has grown in popularity, sites are increasingly being used to store all types of private and confidential information. Recent high profile (and high cost) privacy breaches involving sensitive corporate data and customer information have increased the importance of properly securing collaboration and enterprise content management platforms such as SharePoint. In addition, vulnerabilities recently disclosed in SharePoint software releases have heightened the need to treat data security for SharePoint as a critical matter. This white paper identifies some of the key concerns around data security for sensitive and regulated information stored in SharePoint. Several approaches are possible for organizations seeking to enhance the security of SharePoint sites, each with different threat protection capabilities. This paper describes various threat scenarios, the different approaches to data security in SharePoint, deployment and user interaction considerations, and the relative pros and cons of each data security approach. Big Picture Security Concerns and SharePoint Information stored in SharePoint tends to be unstructured, with users to some extent using SharePoint to replace file servers and network drives. This approach results in private and confidential information becoming widely dispersed, easily accessed, and poorly secured. High-level security concerns include malware prevention, access control, and data security and compliance. Specific threats to information stored in SharePoint can come from both external attackers and from insiders. Security concerns for SharePoint are exacerbated by the following realities: 1) SharePoint is extremely easy to setup, and many sites are created outside of central IT organizations. Because of this, there is little governance over what should and should not be stored in SharePoint. In many cases there have not been adequate security controls deployed to protect sensitive data in SharePoint sites. 2) The platform is also very easy for end users to use, and as a result it tends to be used to facilitate document storage and collaboration of all sorts of private and confidential data. And users rarely understand the data security issues affected by storing private and confidential data in SharePoint. 3) The security capabilities that exist natively in SharePoint (largely access controls coupled to Active Directory identities, with a document permission inheritance scheme) have a reputation for quickly becoming very complex to administer and are not distinctly designed to secure private and confidential data. 4) The hierarchy of administrators required to configure and manage SharePoint (including SharePoint administrators, site administrators, and SQL database administrators) provides multiple insider threats with privileged user access to private and confidential data. The simple fact is that when lower level security approaches (such as disk encryption or SQL database encryption) are taken to protect data in SharePoint sites, the data is still accessible and viewable by these multiple administrators. Implicitly trusting all privileged users represents too much risk for most organizations.
3 As a platform that leverages standard web protocols, SharePoint is susceptible to vulnerabilities that could cause security issues including things such as cross-site scripting, cross-site request forgery, and SQL injection. Recent patches for SharePoint (SharePoint Security Updates KB 983444 and KB 979445) have included fixes for some of these vulnerabilities. A security bug was recently reported in SharePoint for an escalation of privilege problem which is highly problematic for sites being used to store and share private and confidential information. Native security controls in SharePoint provide some ability to secure access to files through access control lists. However, in practice, the permissions inheritance is difficult to setup and maintain over time. Lack of synchronization, ongoing management, and general proliferation of static access control lists is a serious challenge with SharePoint. Beyond technical security considerations, the use of SharePoint as a repository and a means to collaborate can cause issues for data subject to compliance regulations. Numerous compliance regulations are now requiring effective controls and encryption for sensitive information types (non-public personal information in GLBA, electronically protected healthcare information in HIPAA, personally identifiable information in state data privacy laws, and cardholder data in PCI DSS). In addition, many of the now 43+ state data privacy laws strongly encourage the use of encryption by allowing organizations experiencing a security breach of sensitive information to avoid having to publicly disclose the breach (and to avoid having to incur expensive notification costs to individuals), if the data was encrypted. Other compliance regulations such as ITAR and FISMA have severe fines associated with the disclosure of sensitive data. Threat Scenarios and Attack Vectors for Information Stored in SharePoint Sites As with most IT platforms, attacks against the SharePoint platform and data resident in SharePoint sites can come from external attackers, as well as from insiders. Attacks and misuse by insiders, especially those with privileged user access rights, can oftentimes be the most damaging security incidents. A survey by a leading database user group regarding top security concerns bears this out. The 2009 studyi found that the top two greatest risks and threats to enterprise data were “internal hackers or unauthorized users” (32%), and “abuse of privileges by IT staff” (26%). Both of these risks represent the insider threat, and taken together they far surpass concerns around loss of media (25%), and malicious code or viruses (20%). While the platforms are obviously different, the insider threat is consistent across both databases and collaboration platforms with respect to sensitive information. One could argue that the insider threat problem is likely more acute in collaboration platforms, given the ease with which sensitive unstructured information can deposited, indexed and accessed, and the relative lack of mature data governance processes. An example of an insider attack (a malicious database administrator) resulting in public disclosure of sensitive customer information occurred at Fidelity National Information Services. This insider attack in early 2010 resulted in $975,000 in fines against the firm by the Florida Attorney General, and another $375,000 in fines from the Financial Industry Regulatory Agency. Clearly, managing access to sensitive information in collaboration sites is a key concern. SharePoint provides some native tools which can be used to restrict access to files and libraries. These controls include permissions that can be applied at the site, group, or document library level. However, these capabilities suffer from an inherent configuration complexity that restricts most organizations from effectively applying authorization and access control capabilities at a useful level. In addition, the staff assigned to design and implement security controls using these mechanisms are generally insiders: administrators, site administrators, and farm administrators in the hierarchy of SharePoint management. The native SharePoint access controls do not provide adequate separation of duties. Providing for separation of duties is a basic security principle, and it is required by many compliance regulations.
4 Data Security Approaches for SharePoint Protecting against the insider threat on IT platforms has generally involved encrypting data at rest, and providing an effective key management capability that restricts access to sensitive information to those with a true “need to know”. In SharePoint implementations, there are four possible places to insert encryption to protect information: 1) Disk encryption using Microsoft Encrypting File System or Bitlocker. These technologies seem simple to implement, given that the encryption technologies are provided with the operating system. However, the key management is extremely cumbersome and they only provide protection against threats such as loss of media. They do nothing to protect against insider threats and are not specifically designed to protect data in a SharePoint environment. 2) Use Transparent Database Encryption in the MS SQL 2008 database platform. This approach also provides protection against threats such as loss of media. TDE implemented at the database level provides no threat protection against Database or SharePoint administrators. 3) Implement client software that provides the ability for end users to invoke encryption. While this approach can deliver a capability to encrypt sensitive files, history has shown that end users make poor security administrators, and when given this level of decision-making authority, they almost always choose convenience over security. Security works best when users do not have to make decisions about what files to secure. 4) Implement data encryption directly and transparently on the SharePoint server. This approach provides complete threat protection against all insiders (including DBAs, SharePoint administrators, and site/farm administrators), as well as against media loss, and lower level threats. The figure on the next page shows the relative threat protection for different encryption options.
5 Key management is a critically important capability regardless of which approach your organization opts for. With a centralized key management capability providing for secure key distribution and storage, automatic key changes, and separation of duties for security administrators, organizations can be assured that sensitive information being stored in SharePoint sites is secure. Conclusion Data security in SharePoint is becoming a significant concern. Look to encryption, implemented directly and transparently on the SharePoint server, as the most effective threat protection, addressing the widest range of attack scenarios and threats.
6 About CipherPoint Software, Inc. CipherPoint Software is the first provider of transparent content encryption software for Microsoft SharePoint, and was founded by IT security industry veterans with deep experience in building security technology companies. CipherPoint Software, Inc., 1000 Heritage Center Circle, Round Rock, TX 78664 888-657-5355, info@cipherpointsoftware.com Copyright CipherPoint Software, Inc., 2010 All rights reserved. CipherPoint Software, Inc., CipherPointSP, CipherPointSP Enterprise, CipherPoint KM, and the stylized CipherPoint logo are trademarks of CipherPoint Software, Inc. SharePoint is a trademark of Microsoft. Doc. ID:CPWP001 i 2009 Independent Oracle User Group Data Security Study                                   Copyright CipherPoint Software, Inc., 2010 All rights reserved. CipherPoint Software, Inc., CipherPointSP, CipherPointSP Enterprise, CipherPoint KM, and the stylized CipherPoint logo are trademarks of CipherPoint Software, Inc. SharePoint is a trademark of Microsoft. Doc. ID:CPWP001  

Recomendados

K Ziai Share Point At Ut
K Ziai Share Point At UtK Ziai Share Point At Ut
K Ziai Share Point At UtArt Upton
 
Universal Search for Legal Enterprises
Universal Search for Legal EnterprisesUniversal Search for Legal Enterprises
Universal Search for Legal EnterprisesAdhereSolutions
 
Intro to Office 365 Security & Compliance Center
Intro to Office 365 Security & Compliance CenterIntro to Office 365 Security & Compliance Center
Intro to Office 365 Security & Compliance CenterCraig Jahnke
 
Communication Compliance in Microsoft 365
Communication Compliance in Microsoft 365Communication Compliance in Microsoft 365
Communication Compliance in Microsoft 365Joanne Klein
 
File Security in Microsoft SharePoint and OneDrive
File Security in Microsoft SharePoint and OneDriveFile Security in Microsoft SharePoint and OneDrive
File Security in Microsoft SharePoint and OneDriveDavid J Rosenthal
 
SharePoint Saturday Belgium 2014 - A practical guide for navigating the clouds
SharePoint Saturday Belgium 2014 - A practical guide for navigating the cloudsSharePoint Saturday Belgium 2014 - A practical guide for navigating the clouds
SharePoint Saturday Belgium 2014 - A practical guide for navigating the cloudsBIWUG
 
Extending Information Security to Non-Production Environments
Extending Information Security to Non-Production EnvironmentsExtending Information Security to Non-Production Environments
Extending Information Security to Non-Production EnvironmentsLindaWatson19
 
SharePoint Saturday NL 2016 - Security & Compliance
SharePoint Saturday NL 2016 - Security & ComplianceSharePoint Saturday NL 2016 - Security & Compliance
SharePoint Saturday NL 2016 - Security & ComplianceAlbert Hoitingh
 

Recomendados

K Ziai Share Point At Ut
K Ziai Share Point At UtK Ziai Share Point At Ut
K Ziai Share Point At UtArt Upton
 
Universal Search for Legal Enterprises
Universal Search for Legal EnterprisesUniversal Search for Legal Enterprises
Universal Search for Legal EnterprisesAdhereSolutions
 
Intro to Office 365 Security & Compliance Center
Intro to Office 365 Security & Compliance CenterIntro to Office 365 Security & Compliance Center
Intro to Office 365 Security & Compliance CenterCraig Jahnke
 
Communication Compliance in Microsoft 365
Communication Compliance in Microsoft 365Communication Compliance in Microsoft 365
Communication Compliance in Microsoft 365Joanne Klein
 
File Security in Microsoft SharePoint and OneDrive
File Security in Microsoft SharePoint and OneDriveFile Security in Microsoft SharePoint and OneDrive
File Security in Microsoft SharePoint and OneDriveDavid J Rosenthal
 
SharePoint Saturday Belgium 2014 - A practical guide for navigating the clouds
SharePoint Saturday Belgium 2014 - A practical guide for navigating the cloudsSharePoint Saturday Belgium 2014 - A practical guide for navigating the clouds
SharePoint Saturday Belgium 2014 - A practical guide for navigating the cloudsBIWUG
 
Extending Information Security to Non-Production Environments
Extending Information Security to Non-Production EnvironmentsExtending Information Security to Non-Production Environments
Extending Information Security to Non-Production EnvironmentsLindaWatson19
 
SharePoint Saturday NL 2016 - Security & Compliance
SharePoint Saturday NL 2016 - Security & ComplianceSharePoint Saturday NL 2016 - Security & Compliance
SharePoint Saturday NL 2016 - Security & ComplianceAlbert Hoitingh
 
Cloud Computing for Legal Administrators
Cloud Computing for Legal AdministratorsCloud Computing for Legal Administrators
Cloud Computing for Legal AdministratorsPatrick R. Wiley
 
Microsoft 365 Compliance
Microsoft 365 ComplianceMicrosoft 365 Compliance
Microsoft 365 ComplianceDavid J Rosenthal
 
Intro to Data Loss Prevention in SharePoint 2016
Intro to Data Loss Prevention in SharePoint 2016Intro to Data Loss Prevention in SharePoint 2016
Intro to Data Loss Prevention in SharePoint 2016Craig Jahnke
 
Virtual Medicolegal Documents
Virtual Medicolegal DocumentsVirtual Medicolegal Documents
Virtual Medicolegal DocumentsChristopher Brigham MD
 
internal-cloud-audit-risk-guide
internal-cloud-audit-risk-guideinternal-cloud-audit-risk-guide
internal-cloud-audit-risk-guideSatchit Dokras
 
Information management and data governance in Office 365
Information management and data governance in Office 365Information management and data governance in Office 365
Information management and data governance in Office 365Joanne Klein
 
Protecting your Teams Work across Microsoft 365
Protecting your Teams Work across Microsoft 365Protecting your Teams Work across Microsoft 365
Protecting your Teams Work across Microsoft 365Joanne Klein
 
aMS SouthEast Asia 2021 - Microsoft 365 Data Loss Prevention
aMS SouthEast Asia 2021 - Microsoft 365 Data Loss PreventionaMS SouthEast Asia 2021 - Microsoft 365 Data Loss Prevention
aMS SouthEast Asia 2021 - Microsoft 365 Data Loss PreventionAlbert Hoitingh
 
Where in the world is your Corporate data?
Where in the world is your Corporate data?Where in the world is your Corporate data?
Where in the world is your Corporate data?Ashish Patel
 
SPFest Chicago - Information Management and Data Governance in Office 365
SPFest Chicago - Information Management and Data Governance in Office 365SPFest Chicago - Information Management and Data Governance in Office 365
SPFest Chicago - Information Management and Data Governance in Office 365Joanne Klein
 
SharePoint Saturday Cambridge: Security & compliance
SharePoint Saturday Cambridge: Security & complianceSharePoint Saturday Cambridge: Security & compliance
SharePoint Saturday Cambridge: Security & complianceAlbert Hoitingh
 
Using IT to deliver HR
Using IT to deliver HRUsing IT to deliver HR
Using IT to deliver HRfionahinds
 
Azure Information Protection - Taking a Team Approach
Azure Information Protection - Taking a Team ApproachAzure Information Protection - Taking a Team Approach
Azure Information Protection - Taking a Team ApproachJoanne Klein
 
Security, Administration & Governance for SharePoint On-Prem, Online, & Every...
Security, Administration & Governance for SharePoint On-Prem, Online, & Every...Security, Administration & Governance for SharePoint On-Prem, Online, & Every...
Security, Administration & Governance for SharePoint On-Prem, Online, & Every...Christian Buckley
 
ECS19 - Nicki Borell - Microsoft Cybersecurity Reference Architecture
ECS19 - Nicki Borell - Microsoft Cybersecurity Reference ArchitectureECS19 - Nicki Borell - Microsoft Cybersecurity Reference Architecture
ECS19 - Nicki Borell - Microsoft Cybersecurity Reference ArchitectureEuropean Collaboration Summit
 
Keep Student information protected while improving services
Keep Student information protected while improving servicesKeep Student information protected while improving services
Keep Student information protected while improving servicesCloudMask inc.
 
2014 trend in file sharing
2014 trend in file sharing2014 trend in file sharing
2014 trend in file sharingGlobal Social Law Net
 
Information Leakage - A knowledge Based Approach
Information Leakage - A knowledge Based ApproachInformation Leakage - A knowledge Based Approach
Information Leakage - A knowledge Based ApproachGlobal Business Events - the Heart of your Network.
 
CSX Megatrends Cloud Risk Assurance Oct 15 FINAL
CSX Megatrends Cloud Risk Assurance Oct 15 FINALCSX Megatrends Cloud Risk Assurance Oct 15 FINAL
CSX Megatrends Cloud Risk Assurance Oct 15 FINALSatchit Dokras
 
Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...PortalGuard
 
SharePoint Conference .ORG - Is Your SharePoint Healthy? What's The Right Pre...
SharePoint Conference .ORG - Is Your SharePoint Healthy? What's The Right Pre...SharePoint Conference .ORG - Is Your SharePoint Healthy? What's The Right Pre...
SharePoint Conference .ORG - Is Your SharePoint Healthy? What's The Right Pre...Richard Harbridge
 
Practical Perspectives On Dealing With SharePoint Complexity
Practical Perspectives On Dealing With SharePoint ComplexityPractical Perspectives On Dealing With SharePoint Complexity
Practical Perspectives On Dealing With SharePoint ComplexityRichard Harbridge
 

Más contenido relacionado

La actualidad más candente

Cloud Computing for Legal Administrators
Cloud Computing for Legal AdministratorsCloud Computing for Legal Administrators
Cloud Computing for Legal AdministratorsPatrick R. Wiley
 
Intro to Data Loss Prevention in SharePoint 2016
Intro to Data Loss Prevention in SharePoint 2016Intro to Data Loss Prevention in SharePoint 2016
Intro to Data Loss Prevention in SharePoint 2016Craig Jahnke
 
internal-cloud-audit-risk-guide
internal-cloud-audit-risk-guideinternal-cloud-audit-risk-guide
internal-cloud-audit-risk-guideSatchit Dokras
 
Information management and data governance in Office 365
Information management and data governance in Office 365Information management and data governance in Office 365
Information management and data governance in Office 365Joanne Klein
 
Protecting your Teams Work across Microsoft 365
Protecting your Teams Work across Microsoft 365Protecting your Teams Work across Microsoft 365
Protecting your Teams Work across Microsoft 365Joanne Klein
 
aMS SouthEast Asia 2021 - Microsoft 365 Data Loss Prevention
aMS SouthEast Asia 2021 - Microsoft 365 Data Loss PreventionaMS SouthEast Asia 2021 - Microsoft 365 Data Loss Prevention
aMS SouthEast Asia 2021 - Microsoft 365 Data Loss PreventionAlbert Hoitingh
 
Where in the world is your Corporate data?
Where in the world is your Corporate data?Where in the world is your Corporate data?
Where in the world is your Corporate data?Ashish Patel
 
SPFest Chicago - Information Management and Data Governance in Office 365
SPFest Chicago - Information Management and Data Governance in Office 365SPFest Chicago - Information Management and Data Governance in Office 365
SPFest Chicago - Information Management and Data Governance in Office 365Joanne Klein
 
SharePoint Saturday Cambridge: Security & compliance
SharePoint Saturday Cambridge: Security & complianceSharePoint Saturday Cambridge: Security & compliance
SharePoint Saturday Cambridge: Security & complianceAlbert Hoitingh
 
Using IT to deliver HR
Using IT to deliver HRUsing IT to deliver HR
Using IT to deliver HRfionahinds
 
Azure Information Protection - Taking a Team Approach
Azure Information Protection - Taking a Team ApproachAzure Information Protection - Taking a Team Approach
Azure Information Protection - Taking a Team ApproachJoanne Klein
 
Security, Administration & Governance for SharePoint On-Prem, Online, & Every...
Security, Administration & Governance for SharePoint On-Prem, Online, & Every...Security, Administration & Governance for SharePoint On-Prem, Online, & Every...
Security, Administration & Governance for SharePoint On-Prem, Online, & Every...Christian Buckley
 
ECS19 - Nicki Borell - Microsoft Cybersecurity Reference Architecture
ECS19 - Nicki Borell - Microsoft Cybersecurity Reference ArchitectureECS19 - Nicki Borell - Microsoft Cybersecurity Reference Architecture
ECS19 - Nicki Borell - Microsoft Cybersecurity Reference ArchitectureEuropean Collaboration Summit
 
Keep Student information protected while improving services
Keep Student information protected while improving servicesKeep Student information protected while improving services
Keep Student information protected while improving servicesCloudMask inc.
 
CSX Megatrends Cloud Risk Assurance Oct 15 FINAL
CSX Megatrends Cloud Risk Assurance Oct 15 FINALCSX Megatrends Cloud Risk Assurance Oct 15 FINAL
CSX Megatrends Cloud Risk Assurance Oct 15 FINALSatchit Dokras
 
Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...PortalGuard
 

La actualidad más candente (20)

Cloud Computing for Legal Administrators
Cloud Computing for Legal AdministratorsCloud Computing for Legal Administrators
Cloud Computing for Legal Administrators
 
Microsoft 365 Compliance
Microsoft 365 ComplianceMicrosoft 365 Compliance
Microsoft 365 Compliance
 
Intro to Data Loss Prevention in SharePoint 2016
Intro to Data Loss Prevention in SharePoint 2016Intro to Data Loss Prevention in SharePoint 2016
Intro to Data Loss Prevention in SharePoint 2016
 
Virtual Medicolegal Documents
Virtual Medicolegal DocumentsVirtual Medicolegal Documents
Virtual Medicolegal Documents
 
internal-cloud-audit-risk-guide
internal-cloud-audit-risk-guideinternal-cloud-audit-risk-guide
internal-cloud-audit-risk-guide
 
Information management and data governance in Office 365
Information management and data governance in Office 365Information management and data governance in Office 365
Information management and data governance in Office 365
 
Protecting your Teams Work across Microsoft 365
Protecting your Teams Work across Microsoft 365Protecting your Teams Work across Microsoft 365
Protecting your Teams Work across Microsoft 365
 
aMS SouthEast Asia 2021 - Microsoft 365 Data Loss Prevention
aMS SouthEast Asia 2021 - Microsoft 365 Data Loss PreventionaMS SouthEast Asia 2021 - Microsoft 365 Data Loss Prevention
aMS SouthEast Asia 2021 - Microsoft 365 Data Loss Prevention
 
Where in the world is your Corporate data?
Where in the world is your Corporate data?Where in the world is your Corporate data?
Where in the world is your Corporate data?
 
SPFest Chicago - Information Management and Data Governance in Office 365
SPFest Chicago - Information Management and Data Governance in Office 365SPFest Chicago - Information Management and Data Governance in Office 365
SPFest Chicago - Information Management and Data Governance in Office 365
 
SharePoint Saturday Cambridge: Security & compliance
SharePoint Saturday Cambridge: Security & complianceSharePoint Saturday Cambridge: Security & compliance
SharePoint Saturday Cambridge: Security & compliance
 
Using IT to deliver HR
Using IT to deliver HRUsing IT to deliver HR
Using IT to deliver HR
 
Azure Information Protection - Taking a Team Approach
Azure Information Protection - Taking a Team ApproachAzure Information Protection - Taking a Team Approach
Azure Information Protection - Taking a Team Approach
 
Security, Administration & Governance for SharePoint On-Prem, Online, & Every...
Security, Administration & Governance for SharePoint On-Prem, Online, & Every...Security, Administration & Governance for SharePoint On-Prem, Online, & Every...
Security, Administration & Governance for SharePoint On-Prem, Online, & Every...
 
ECS19 - Nicki Borell - Microsoft Cybersecurity Reference Architecture
ECS19 - Nicki Borell - Microsoft Cybersecurity Reference ArchitectureECS19 - Nicki Borell - Microsoft Cybersecurity Reference Architecture
ECS19 - Nicki Borell - Microsoft Cybersecurity Reference Architecture
 
Keep Student information protected while improving services
Keep Student information protected while improving servicesKeep Student information protected while improving services
Keep Student information protected while improving services
 
2014 trend in file sharing
2014 trend in file sharing2014 trend in file sharing
2014 trend in file sharing
 
Information Leakage - A knowledge Based Approach
Information Leakage - A knowledge Based ApproachInformation Leakage - A knowledge Based Approach
Information Leakage - A knowledge Based Approach
 
CSX Megatrends Cloud Risk Assurance Oct 15 FINAL
CSX Megatrends Cloud Risk Assurance Oct 15 FINALCSX Megatrends Cloud Risk Assurance Oct 15 FINAL
CSX Megatrends Cloud Risk Assurance Oct 15 FINAL
 
Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...
 

Destacado

SharePoint Conference .ORG - Is Your SharePoint Healthy? What's The Right Pre...
SharePoint Conference .ORG - Is Your SharePoint Healthy? What's The Right Pre...SharePoint Conference .ORG - Is Your SharePoint Healthy? What's The Right Pre...
SharePoint Conference .ORG - Is Your SharePoint Healthy? What's The Right Pre...Richard Harbridge
 
Practical Perspectives On Dealing With SharePoint Complexity
Practical Perspectives On Dealing With SharePoint ComplexityPractical Perspectives On Dealing With SharePoint Complexity
Practical Perspectives On Dealing With SharePoint ComplexityRichard Harbridge
 
SharePoint Saturday New Orleans - SharePoint In The Cloud
SharePoint Saturday New Orleans - SharePoint In The CloudSharePoint Saturday New Orleans - SharePoint In The Cloud
SharePoint Saturday New Orleans - SharePoint In The CloudRichard Harbridge
 
SPTechCon - San Francisco - Is Your SharePoint Healthy?
SPTechCon - San Francisco - Is Your SharePoint Healthy?SPTechCon - San Francisco - Is Your SharePoint Healthy?
SPTechCon - San Francisco - Is Your SharePoint Healthy?Richard Harbridge
 
SharePoint - Right Intro To Development
SharePoint - Right Intro To DevelopmentSharePoint - Right Intro To Development
SharePoint - Right Intro To DevelopmentMark Rackley
 

Destacado (6)

SharePoint Conference .ORG - Is Your SharePoint Healthy? What's The Right Pre...
SharePoint Conference .ORG - Is Your SharePoint Healthy? What's The Right Pre...SharePoint Conference .ORG - Is Your SharePoint Healthy? What's The Right Pre...
SharePoint Conference .ORG - Is Your SharePoint Healthy? What's The Right Pre...
 
Practical Perspectives On Dealing With SharePoint Complexity
Practical Perspectives On Dealing With SharePoint ComplexityPractical Perspectives On Dealing With SharePoint Complexity
Practical Perspectives On Dealing With SharePoint Complexity
 
SharePoint Saturday New Orleans - SharePoint In The Cloud
SharePoint Saturday New Orleans - SharePoint In The CloudSharePoint Saturday New Orleans - SharePoint In The Cloud
SharePoint Saturday New Orleans - SharePoint In The Cloud
 
SPTechCon - San Francisco - Is Your SharePoint Healthy?
SPTechCon - San Francisco - Is Your SharePoint Healthy?SPTechCon - San Francisco - Is Your SharePoint Healthy?
SPTechCon - San Francisco - Is Your SharePoint Healthy?
 
Communities For SharePoint
Communities For SharePointCommunities For SharePoint
Communities For SharePoint
 
SharePoint - Right Intro To Development
SharePoint - Right Intro To DevelopmentSharePoint - Right Intro To Development
SharePoint - Right Intro To Development
 

Similar a Share point encryption

CYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdf
CYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdfCYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdf
CYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdfJenna Murray
 
Online Focus Groups Privacy and Security Considerations
Online Focus Groups Privacy and Security ConsiderationsOnline Focus Groups Privacy and Security Considerations
Online Focus Groups Privacy and Security ConsiderationsAlfonso Sintjago
 
3 guiding priciples to improve data security
3 guiding priciples to improve data security3 guiding priciples to improve data security
3 guiding priciples to improve data securityKeith Braswell
 
HYBRIDIZED MODEL FOR DATA SECURITY BASED ON SECURITY HASH ANALYSIS (SHA 512) ...
HYBRIDIZED MODEL FOR DATA SECURITY BASED ON SECURITY HASH ANALYSIS (SHA 512) ...HYBRIDIZED MODEL FOR DATA SECURITY BASED ON SECURITY HASH ANALYSIS (SHA 512) ...
HYBRIDIZED MODEL FOR DATA SECURITY BASED ON SECURITY HASH ANALYSIS (SHA 512) ...IJNSA Journal
 
Bridging the Data Security Gap
Bridging the Data Security GapBridging the Data Security Gap
Bridging the Data Security Gapxband
 
Causes And Consequences Of Data Leakage
Causes And Consequences Of Data LeakageCauses And Consequences Of Data Leakage
Causes And Consequences Of Data LeakagePatty Buckley
 
IT vs. Users? How Law Firms Can Maximize Security While Granting Access to th...
IT vs. Users? How Law Firms Can Maximize Security While Granting Access to th...IT vs. Users? How Law Firms Can Maximize Security While Granting Access to th...
IT vs. Users? How Law Firms Can Maximize Security While Granting Access to th...Authentic8
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docxRunning Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docxtoltonkendal
 
Isaca global journal - choosing the most appropriate data security solution ...
Isaca global journal - choosing the most appropriate data security solution ...Isaca global journal - choosing the most appropriate data security solution ...
Isaca global journal - choosing the most appropriate data security solution ...Ulf Mattsson
 
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET Journal
 
Ciso Platform Webcast: Shadow Data Exposed
Ciso Platform Webcast: Shadow Data ExposedCiso Platform Webcast: Shadow Data Exposed
Ciso Platform Webcast: Shadow Data ExposedElastica Inc.
 
B2 - The History of Content Security: Part 2 - Adam Levithan
B2 - The History of Content Security: Part 2 - Adam LevithanB2 - The History of Content Security: Part 2 - Adam Levithan
B2 - The History of Content Security: Part 2 - Adam LevithanSPS Paris
 
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyCyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyOrganization
 
En msft-scrty-cntnt-e book-protectyourdata
En msft-scrty-cntnt-e book-protectyourdataEn msft-scrty-cntnt-e book-protectyourdata
En msft-scrty-cntnt-e book-protectyourdataOnline Business
 
The Role of Password Management in Achieving Compliance
The Role of Password Management in Achieving ComplianceThe Role of Password Management in Achieving Compliance
The Role of Password Management in Achieving CompliancePortalGuard
 
Securing your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWPSecuring your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWPSridhar Karnam
 
The Three Pitfalls of Data Security
The Three Pitfalls of Data SecurityThe Three Pitfalls of Data Security
The Three Pitfalls of Data SecurityMarkLogic
 

Similar a Share point encryption (20)

Wp security-data-safe
Wp security-data-safeWp security-data-safe
Wp security-data-safe
 
CYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdf
CYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdfCYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdf
CYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdf
 
Online Focus Groups Privacy and Security Considerations
Online Focus Groups Privacy and Security ConsiderationsOnline Focus Groups Privacy and Security Considerations
Online Focus Groups Privacy and Security Considerations
 
3 guiding priciples to improve data security
3 guiding priciples to improve data security3 guiding priciples to improve data security
3 guiding priciples to improve data security
 
HYBRIDIZED MODEL FOR DATA SECURITY BASED ON SECURITY HASH ANALYSIS (SHA 512) ...
HYBRIDIZED MODEL FOR DATA SECURITY BASED ON SECURITY HASH ANALYSIS (SHA 512) ...HYBRIDIZED MODEL FOR DATA SECURITY BASED ON SECURITY HASH ANALYSIS (SHA 512) ...
HYBRIDIZED MODEL FOR DATA SECURITY BASED ON SECURITY HASH ANALYSIS (SHA 512) ...
 
Bridging the Data Security Gap
Bridging the Data Security GapBridging the Data Security Gap
Bridging the Data Security Gap
 
Causes And Consequences Of Data Leakage
Causes And Consequences Of Data LeakageCauses And Consequences Of Data Leakage
Causes And Consequences Of Data Leakage
 
Shadow Data Exposed
Shadow Data ExposedShadow Data Exposed
Shadow Data Exposed
 
IT vs. Users? How Law Firms Can Maximize Security While Granting Access to th...
IT vs. Users? How Law Firms Can Maximize Security While Granting Access to th...IT vs. Users? How Law Firms Can Maximize Security While Granting Access to th...
IT vs. Users? How Law Firms Can Maximize Security While Granting Access to th...
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docxRunning Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness .docx
 
User_Access_IIA-LA_3-9-2016
User_Access_IIA-LA_3-9-2016User_Access_IIA-LA_3-9-2016
User_Access_IIA-LA_3-9-2016
 
Isaca global journal - choosing the most appropriate data security solution ...
Isaca global journal - choosing the most appropriate data security solution ...Isaca global journal - choosing the most appropriate data security solution ...
Isaca global journal - choosing the most appropriate data security solution ...
 
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
 
Ciso Platform Webcast: Shadow Data Exposed
Ciso Platform Webcast: Shadow Data ExposedCiso Platform Webcast: Shadow Data Exposed
Ciso Platform Webcast: Shadow Data Exposed
 
B2 - The History of Content Security: Part 2 - Adam Levithan
B2 - The History of Content Security: Part 2 - Adam LevithanB2 - The History of Content Security: Part 2 - Adam Levithan
B2 - The History of Content Security: Part 2 - Adam Levithan
 
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyCyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
 
En msft-scrty-cntnt-e book-protectyourdata
En msft-scrty-cntnt-e book-protectyourdataEn msft-scrty-cntnt-e book-protectyourdata
En msft-scrty-cntnt-e book-protectyourdata
 
The Role of Password Management in Achieving Compliance
The Role of Password Management in Achieving ComplianceThe Role of Password Management in Achieving Compliance
The Role of Password Management in Achieving Compliance
 
Securing your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWPSecuring your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWP
 
The Three Pitfalls of Data Security
The Three Pitfalls of Data SecurityThe Three Pitfalls of Data Security
The Three Pitfalls of Data Security
 

Último

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 

Último (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

Share point encryption

  • 1. 1 Executive Summary Popular collaboration platforms such as Microsoft SharePoint are making sharing and storing information easy. Private and confidential information is finding it’s way into SharePoint environments with increasing frequency. This ease of deployment and use introduces new data security and compliance concerns for organizations. With data security breaches and attacks on the rise, protecting sensitive information stored in SharePoint is a critical issue. Security researchers from the Ponemon Institute now put the average organizational cost of a data breach at $6.75M. According to Osterman Research, “the focus of SharePoint security concerns appears to be much more focused on protecting sensitive information than on traditional malware. ” Several approaches are available to provide for protection of the information stored in SharePoint sites. Each approach has its merits, and provides different levels of protection against different threats and attacks. The transparent data encryption approach implemented specifically to protect data on SharePoint servers provides the most comprehensive data security possible, addressing the broadest set of potential attack scenarios, including insider threats from administrators. Management staff responsible for securing SharePoint sites is advised to carefully consider the risks and threats to information, and implement an approach that effectively secures against these threats. WHITE PAPER Securing Sensitive Information in SharePoint
  • 2. 2 Introduction Usage of collaboration sites such as SharePoint is experiencing explosive growth, with analyst firm Infotrends projecting that the market for SharePoint will surpass $5B in product and services revenue by 2012. The overall market for content management systems is projected to grow to $10B by 2014, according to industry analyst firm Basex. Analysts at Gartner have estimated 30% of SharePoint deployments are being deployed outside the control of central IT and information security groups. The increasing use of SharePoint for all types of information coupled with relatively less oversight from IT security staff and a simple user interface that makes storing and sharing sensitive information easy, and you have potential for data security breaches. As SharePoint has grown in popularity, sites are increasingly being used to store all types of private and confidential information. Recent high profile (and high cost) privacy breaches involving sensitive corporate data and customer information have increased the importance of properly securing collaboration and enterprise content management platforms such as SharePoint. In addition, vulnerabilities recently disclosed in SharePoint software releases have heightened the need to treat data security for SharePoint as a critical matter. This white paper identifies some of the key concerns around data security for sensitive and regulated information stored in SharePoint. Several approaches are possible for organizations seeking to enhance the security of SharePoint sites, each with different threat protection capabilities. This paper describes various threat scenarios, the different approaches to data security in SharePoint, deployment and user interaction considerations, and the relative pros and cons of each data security approach. Big Picture Security Concerns and SharePoint Information stored in SharePoint tends to be unstructured, with users to some extent using SharePoint to replace file servers and network drives. This approach results in private and confidential information becoming widely dispersed, easily accessed, and poorly secured. High-level security concerns include malware prevention, access control, and data security and compliance. Specific threats to information stored in SharePoint can come from both external attackers and from insiders. Security concerns for SharePoint are exacerbated by the following realities: 1) SharePoint is extremely easy to setup, and many sites are created outside of central IT organizations. Because of this, there is little governance over what should and should not be stored in SharePoint. In many cases there have not been adequate security controls deployed to protect sensitive data in SharePoint sites. 2) The platform is also very easy for end users to use, and as a result it tends to be used to facilitate document storage and collaboration of all sorts of private and confidential data. And users rarely understand the data security issues affected by storing private and confidential data in SharePoint. 3) The security capabilities that exist natively in SharePoint (largely access controls coupled to Active Directory identities, with a document permission inheritance scheme) have a reputation for quickly becoming very complex to administer and are not distinctly designed to secure private and confidential data. 4) The hierarchy of administrators required to configure and manage SharePoint (including SharePoint administrators, site administrators, and SQL database administrators) provides multiple insider threats with privileged user access to private and confidential data. The simple fact is that when lower level security approaches (such as disk encryption or SQL database encryption) are taken to protect data in SharePoint sites, the data is still accessible and viewable by these multiple administrators. Implicitly trusting all privileged users represents too much risk for most organizations.
  • 3. 3 As a platform that leverages standard web protocols, SharePoint is susceptible to vulnerabilities that could cause security issues including things such as cross-site scripting, cross-site request forgery, and SQL injection. Recent patches for SharePoint (SharePoint Security Updates KB 983444 and KB 979445) have included fixes for some of these vulnerabilities. A security bug was recently reported in SharePoint for an escalation of privilege problem which is highly problematic for sites being used to store and share private and confidential information. Native security controls in SharePoint provide some ability to secure access to files through access control lists. However, in practice, the permissions inheritance is difficult to setup and maintain over time. Lack of synchronization, ongoing management, and general proliferation of static access control lists is a serious challenge with SharePoint. Beyond technical security considerations, the use of SharePoint as a repository and a means to collaborate can cause issues for data subject to compliance regulations. Numerous compliance regulations are now requiring effective controls and encryption for sensitive information types (non-public personal information in GLBA, electronically protected healthcare information in HIPAA, personally identifiable information in state data privacy laws, and cardholder data in PCI DSS). In addition, many of the now 43+ state data privacy laws strongly encourage the use of encryption by allowing organizations experiencing a security breach of sensitive information to avoid having to publicly disclose the breach (and to avoid having to incur expensive notification costs to individuals), if the data was encrypted. Other compliance regulations such as ITAR and FISMA have severe fines associated with the disclosure of sensitive data. Threat Scenarios and Attack Vectors for Information Stored in SharePoint Sites As with most IT platforms, attacks against the SharePoint platform and data resident in SharePoint sites can come from external attackers, as well as from insiders. Attacks and misuse by insiders, especially those with privileged user access rights, can oftentimes be the most damaging security incidents. A survey by a leading database user group regarding top security concerns bears this out. The 2009 studyi found that the top two greatest risks and threats to enterprise data were “internal hackers or unauthorized users” (32%), and “abuse of privileges by IT staff” (26%). Both of these risks represent the insider threat, and taken together they far surpass concerns around loss of media (25%), and malicious code or viruses (20%). While the platforms are obviously different, the insider threat is consistent across both databases and collaboration platforms with respect to sensitive information. One could argue that the insider threat problem is likely more acute in collaboration platforms, given the ease with which sensitive unstructured information can deposited, indexed and accessed, and the relative lack of mature data governance processes. An example of an insider attack (a malicious database administrator) resulting in public disclosure of sensitive customer information occurred at Fidelity National Information Services. This insider attack in early 2010 resulted in $975,000 in fines against the firm by the Florida Attorney General, and another $375,000 in fines from the Financial Industry Regulatory Agency. Clearly, managing access to sensitive information in collaboration sites is a key concern. SharePoint provides some native tools which can be used to restrict access to files and libraries. These controls include permissions that can be applied at the site, group, or document library level. However, these capabilities suffer from an inherent configuration complexity that restricts most organizations from effectively applying authorization and access control capabilities at a useful level. In addition, the staff assigned to design and implement security controls using these mechanisms are generally insiders: administrators, site administrators, and farm administrators in the hierarchy of SharePoint management. The native SharePoint access controls do not provide adequate separation of duties. Providing for separation of duties is a basic security principle, and it is required by many compliance regulations.
  • 4. 4 Data Security Approaches for SharePoint Protecting against the insider threat on IT platforms has generally involved encrypting data at rest, and providing an effective key management capability that restricts access to sensitive information to those with a true “need to know”. In SharePoint implementations, there are four possible places to insert encryption to protect information: 1) Disk encryption using Microsoft Encrypting File System or Bitlocker. These technologies seem simple to implement, given that the encryption technologies are provided with the operating system. However, the key management is extremely cumbersome and they only provide protection against threats such as loss of media. They do nothing to protect against insider threats and are not specifically designed to protect data in a SharePoint environment. 2) Use Transparent Database Encryption in the MS SQL 2008 database platform. This approach also provides protection against threats such as loss of media. TDE implemented at the database level provides no threat protection against Database or SharePoint administrators. 3) Implement client software that provides the ability for end users to invoke encryption. While this approach can deliver a capability to encrypt sensitive files, history has shown that end users make poor security administrators, and when given this level of decision-making authority, they almost always choose convenience over security. Security works best when users do not have to make decisions about what files to secure. 4) Implement data encryption directly and transparently on the SharePoint server. This approach provides complete threat protection against all insiders (including DBAs, SharePoint administrators, and site/farm administrators), as well as against media loss, and lower level threats. The figure on the next page shows the relative threat protection for different encryption options.
  • 5. 5 Key management is a critically important capability regardless of which approach your organization opts for. With a centralized key management capability providing for secure key distribution and storage, automatic key changes, and separation of duties for security administrators, organizations can be assured that sensitive information being stored in SharePoint sites is secure. Conclusion Data security in SharePoint is becoming a significant concern. Look to encryption, implemented directly and transparently on the SharePoint server, as the most effective threat protection, addressing the widest range of attack scenarios and threats.
  • 6. 6 About CipherPoint Software, Inc. CipherPoint Software is the first provider of transparent content encryption software for Microsoft SharePoint, and was founded by IT security industry veterans with deep experience in building security technology companies. CipherPoint Software, Inc., 1000 Heritage Center Circle, Round Rock, TX 78664 888-657-5355, info@cipherpointsoftware.com Copyright CipherPoint Software, Inc., 2010 All rights reserved. CipherPoint Software, Inc., CipherPointSP, CipherPointSP Enterprise, CipherPoint KM, and the stylized CipherPoint logo are trademarks of CipherPoint Software, Inc. SharePoint is a trademark of Microsoft. Doc. ID:CPWP001 i 2009 Independent Oracle User Group Data Security Study                                   Copyright CipherPoint Software, Inc., 2010 All rights reserved. CipherPoint Software, Inc., CipherPointSP, CipherPointSP Enterprise, CipherPoint KM, and the stylized CipherPoint logo are trademarks of CipherPoint Software, Inc. SharePoint is a trademark of Microsoft. Doc. ID:CPWP001