1

Executive Summary Popular collaboration platforms such as Microsoft SharePoint are making sharing and storing information easy. Private and confidential information is finding it’s way into SharePoint environments with increasing frequency. This ease of deployment and use introduces new data security and compliance concerns for organizations. With data security breaches and attacks on the rise, protecting sensitive information stored in SharePoint is a critical issue. Security researchers from the Ponemon Institute now put the average organizational cost of a data breach at $6.75M. According to Osterman Research, “the focus of SharePoint security concerns appears to be much more focused on protecting sensitive information than on traditional malware. ” Several approaches are available to provide for protection of the information stored in SharePoint sites. Each approach has its merits, and provides different levels of protection against different threats and attacks. The transparent data encryption approach implemented specifically to protect data on SharePoint servers provides the most comprehensive data security possible, addressing the broadest set of potential attack scenarios, including insider threats from administrators. Management staff responsible for securing SharePoint sites is advised to carefully consider the risks and threats to information, and implement an approach that effectively secures against these threats.

WHITE PAPER

Securing Sensitive Information in SharePoint

2

Introduction Usage of collaboration sites such as SharePoint is experiencing explosive growth, with analyst firm Infotrends projecting that the market for SharePoint will surpass $5B in product and services revenue by 2012. The overall market for content management systems is projected to grow to $10B by 2014, according to industry analyst firm Basex. Analysts at Gartner have estimated 30% of SharePoint deployments are being deployed outside the control of central IT and information security groups. The increasing use of SharePoint for all types of information coupled with relatively less oversight from IT security staff and a simple user interface that makes storing and sharing sensitive information easy, and you have potential for data security breaches. As SharePoint has grown in popularity, sites are increasingly being used to store all types of private and confidential information. Recent high profile (and high cost) privacy breaches involving sensitive corporate data and customer information have increased the importance of properly securing collaboration and enterprise content management platforms such as SharePoint. In addition, vulnerabilities recently disclosed in SharePoint software releases have heightened the need to treat data security for SharePoint as a critical matter. This white paper identifies some of the key concerns around data security for sensitive and regulated information stored in SharePoint. Several approaches are possible for organizations seeking to enhance the security of SharePoint sites, each with different threat protection capabilities. This paper describes various threat scenarios, the different approaches to data security in SharePoint, deployment and user interaction considerations, and the relative pros and cons of each data security approach. Big Picture Security Concerns and SharePoint Information stored in SharePoint tends to be unstructured, with users to some extent using SharePoint to replace file servers and network drives. This approach results in private and confidential information becoming widely dispersed, easily accessed, and poorly secured. High-level security concerns include malware prevention, access control, and data security and compliance. Specific threats to information stored in SharePoint can come from both external attackers and from insiders. Security concerns for SharePoint are exacerbated by the following realities:

1) SharePoint is extremely easy to setup, and many sites are created outside of central IT organizations. Because of this, there is little governance over what should and should not be stored in SharePoint. In many cases there have not been adequate security controls deployed to protect sensitive data in SharePoint sites.

2) The platform is also very easy for end users to use, and as a result it tends to be used to facilitate document storage and collaboration of all sorts of private and confidential data. And users rarely understand the data security issues affected by storing private and confidential data in SharePoint.

3) The security capabilities that exist natively in SharePoint (largely access controls coupled to Active Directory identities, with a document permission inheritance scheme) have a reputation for quickly becoming very complex to administer and are not distinctly designed to secure private and confidential data.

4) The hierarchy of administrators required to configure and manage SharePoint (including SharePoint administrators, site administrators, and SQL database administrators) provides multiple insider threats with privileged user access to private and confidential data. The simple fact is that when lower level security approaches (such as disk encryption or SQL database encryption) are taken to protect data in SharePoint sites, the data is still accessible and viewable by these multiple administrators. Implicitly trusting all privileged users represents too much risk for most organizations.

3

As a platform that leverages standard web protocols, SharePoint is susceptible to vulnerabilities that could cause security issues including things such as cross-site scripting, cross-site request forgery, and SQL injection. Recent patches for SharePoint (SharePoint Security Updates KB 983444 and KB 979445) have included fixes for some of these vulnerabilities. A security bug was recently reported in SharePoint for an escalation of privilege problem which is highly problematic for sites being used to store and share private and confidential information. Native security controls in SharePoint provide some ability to secure access to files through access control lists. However, in practice, the permissions inheritance is difficult to setup and maintain over time. Lack of synchronization, ongoing management, and general proliferation of static access control lists is a serious challenge with SharePoint. Beyond technical security considerations, the use of SharePoint as a repository and a means to collaborate can cause issues for data subject to compliance regulations. Numerous compliance regulations are now requiring effective controls and encryption for sensitive information types (non-public personal information in GLBA, electronically protected healthcare information in HIPAA, personally identifiable information in state data privacy laws, and cardholder data in PCI DSS). In addition, many of the now 43+ state data privacy laws strongly encourage the use of encryption by allowing organizations experiencing a security breach of sensitive information to avoid having to publicly disclose the breach (and to avoid having to incur expensive notification costs to individuals), if the data was encrypted. Other compliance regulations such as ITAR and FISMA have severe fines associated with the disclosure of sensitive data.

Threat Scenarios and Attack Vectors for Information Stored in SharePoint Sites As with most IT platforms, attacks against the SharePoint platform and data resident in SharePoint sites can come from external attackers, as well as from insiders. Attacks and misuse by insiders, especially those with privileged user access rights, can oftentimes be the most damaging security incidents. A survey by a leading database user group regarding top security concerns bears this out. The 2009 studyi found that the top two greatest risks and threats to enterprise data were “internal hackers or unauthorized users” (32%), and “abuse of privileges by IT staff” (26%). Both of these risks represent the insider threat, and taken together they far surpass concerns around loss of media (25%), and malicious code or viruses (20%). While the platforms are obviously different, the insider threat is consistent across both databases and collaboration platforms with respect to sensitive information. One could argue that the insider threat problem is likely more acute in collaboration platforms, given the ease with which sensitive unstructured information can deposited, indexed and accessed, and the relative lack of mature data governance processes. An example of an insider attack (a malicious database administrator) resulting in public disclosure of sensitive customer information occurred at Fidelity National Information Services. This insider attack in early 2010 resulted in $975,000 in fines against the firm by the Florida Attorney General, and another $375,000 in fines from the Financial Industry Regulatory Agency. Clearly, managing access to sensitive information in collaboration sites is a key concern. SharePoint provides some native tools which can be used to restrict access to files and libraries. These controls include permissions that can be applied at the site, group, or document library level. However, these capabilities suffer from an inherent configuration complexity that restricts most organizations from effectively applying authorization and access control capabilities at a useful level. In addition, the staff assigned to design and implement security controls using these mechanisms are generally insiders: administrators, site administrators, and farm administrators in the hierarchy of SharePoint management. The native SharePoint access controls do not provide adequate separation of duties. Providing for separation of duties is a basic security principle, and it is required by many compliance regulations.

4

Data Security Approaches for SharePoint Protecting against the insider threat on IT platforms has generally involved encrypting data at rest, and providing an effective key management capability that restricts access to sensitive information to those with a true “need to know”. In SharePoint implementations, there are four possible places to insert encryption to protect information:

1) Disk encryption using Microsoft Encrypting File System or Bitlocker. These technologies seem simple to implement, given that the encryption technologies are provided with the operating system. However, the key management is extremely cumbersome and they only provide protection against threats such as loss of media. They do nothing to protect against insider threats and are not specifically designed to protect data in a SharePoint environment.

2) Use Transparent Database Encryption in the MS SQL 2008 database platform. This approach also provides protection against threats such as loss of media. TDE implemented at the database level provides no threat protection against Database or SharePoint administrators.

3) Implement client software that provides the ability for end users to invoke encryption. While this approach can deliver a capability to encrypt sensitive files, history has shown that end users make poor security administrators, and when given this level of decision-making authority, they almost always choose convenience over security. Security works best when users do not have to make decisions about what files to secure.

4) Implement data encryption directly and transparently on the SharePoint server. This approach provides complete threat protection against all insiders (including DBAs, SharePoint administrators, and site/farm administrators), as well as against media loss, and lower level threats.

The figure on the next page shows the relative threat protection for different encryption options.

5

Key management is a critically important capability regardless of which approach your organization opts for. With a centralized key management capability providing for secure key distribution and storage, automatic key changes, and separation of duties for security administrators, organizations can be assured that sensitive information being stored in SharePoint sites is secure. Conclusion Data security in SharePoint is becoming a significant concern. Look to encryption, implemented directly and transparently on the SharePoint server, as the most effective threat protection, addressing the widest range of attack scenarios and threats.

6

About CipherPoint Software, Inc. CipherPoint Software is the first provider of transparent content encryption software for Microsoft SharePoint, and was founded by IT security industry veterans with deep experience in building security technology companies.

CipherPoint Software, Inc., 1000 Heritage Center Circle, Round Rock, TX 78664 888-657-5355, info@cipherpointsoftware.com

Copyright CipherPoint Software, Inc., 2010 All rights reserved. CipherPoint Software, Inc., CipherPointSP, CipherPointSP Enterprise, CipherPoint KM, and the stylized CipherPoint logo are trademarks of CipherPoint Software, Inc. SharePoint is a trademark of Microsoft. Doc. ID:CPWP001 i 2009 Independent Oracle User Group Data Security Study

                                 Copyright CipherPoint Software, Inc., 2010 All rights reserved. CipherPoint Software, Inc., CipherPointSP, CipherPointSP Enterprise, CipherPoint KM, and the stylized CipherPoint logo are trademarks of CipherPoint Software, Inc. SharePoint is a trademark of Microsoft. Doc. ID:CPWP001