Five tips for securing SharePoint data

SharePoint’s ability to function as a data repository and a collaboration platform has made it popular with many organisations. SharePoint does include some basic security building blocks - like permissions and auditing - but successfully harnessing these, and addressing some of the gaps in native SharePoint, is critical for achieving effective data security.

Not only can SharePoint store an organisation’s sensitive business data, it can help automate business processes around that data. When organisations begin to leverage SharePoint as a core business system, the importance of securing SharePoint data and applications comes into focus.

It is advisable to adopt the following five best practices for securing your SharePoint environment. These five best practices can help your organisation get the most out of SharePoint’s existing permissions system and fill some of SharePoint’s security gaps.

1. Getting permissions right

Microsoft’s advice for securing SharePoint itself begins with permissions. Its technical paper ‘Security and protection for SharePoint Server 2010’ starts with this guidance:

“Some of the sites in your enterprise probably contain content that should not be available to all users ... [some] information should be accessible only on a need-to-know basis. Permissions control access to your sites and site content. You can manage permissions by using Microsoft SharePoint Server 2010 groups, which control membership, and fine-grained permissions, which help to secure content at the item and document level.”

Native SharePoint permissions are, in fact, an excellent access control mechanism. SharePoint Access Control Lists (ACLs) are directly associated with SharePoint items and documents, and SharePoint automatically enforces access control when users attempt to access data.

What makes native permissions challenging, however, is that SharePoint lacks an automated way to ensure that rights remain aligned with business needs. The challenge here is twofold.

First, it’s difficult to effectively track and manage all of the permissions in SharePoint. Unstructured data is estimated to be growing at 60% per year. As more unstructured data is added to SharePoint, additional permissions are created - either through inheritance or assignment - and must be managed.

The second challenge is that access rights are in a constant state of flux as the organisation itself grows and changes. Each new employee, contractor or consultant that joins the company has access needs and restrictions, as do users who are starting new work projects, changing job roles or leaving the company.

Access rights are constantly growing and changing. SharePoint administrators have to work hard to stay on top of permissions.

2. Automate compliance reporting

SharePoint adoption has been successful in large part because of its ease of use and its unique combination of features, especially its portal, workflow and enterprise content management capabilities. These features make SharePoint a natural platform for storing, managing and presenting sensitive business data.

If you store business-critical data in SharePoint, then demonstrating compliance with regulations, industry mandates or internal risk controls will most likely be an essential part of SharePoint administration and governance for your organisation.

Organisations that maintain sensitive data in SharePoint will be well served by automating SharePoint compliance reporting. Why automate compliance reporting? One of the greatest operational challenges of compliance is demonstrating that your organisation is, in fact, meeting compliance mandates.

Unfortunately, for many organisations, this means manually collecting and organising relevant information to generate reports. Manual compliance reporting is typically a significant burden on businesses that disrupts normal operational activities. IT administrators have to locate relevant information, collate it and assemble reports, a process which is both time-consuming and error-prone.

For two major areas of IT compliance reporting - user rights and access activity - SharePoint leaves organisations wanting. The first section of this article highlighted the challenge of establishing permissions visibility in SharePoint, which is obviously a prerequisite for being able to generate reports.

SharePoint’s built-in capabilities for access activity auditing and reporting are similarly limited. SharePoint does not provide readily usable information and you cannot simply look them up in the SharePoint user interface. You need an understanding of the SharePoint object model and then you need to write a program to do the decoding, and piece the various parts together.

3. Respond to suspicious activity in real time

SharePoint’s most popular uses are web portals, workflow management and enterprise content management. Many organisations are sharing their information with a broad range of internal and external groups and openly provide access to this information. Organisations should be complementing this degree of trust, access and openness in their SharePoint deployments with the ability to detect and alert on suspicious access activity.

Given the basic level of activity auditing available in SharePoint, it is not surprising that SharePoint does not provide the ability to automatically analyse access activity and respond with alerts or other follow-on actions. But, this is exactly what organisations should be doing to reduce the risk to their shared data.

Organisations need to implement a solution which layers a policy framework on top of its audit record that allows it to build rules that identify suspicious behaviour and complement native access controls.

Additionally, organisations need to establish and provide policies that monitor access to the Microsoft SQL database at the heart of many SharePoint deployments and block any unauthorised access. Not only does this prevent security threats, it also helps organisations adhere to Microsoft’s support conditions.

Specifically, Microsoft places restrictions on what actions organisations can perform directly on the SQL database. For example, adding new stored procedures or directly adding, changing or deleting any data in any table of any of the SQL databases used by SharePoint is not supported.

4. Protect web applications

Internet accessible web applications are a common threat vector for hacker attacks such as SQL injection and cross site scripting, among others. SharePoint sites accessible to partners, customers, suppliers, etc via the internet have to be protected just like other web apps. According to an in-depth 2011 study of data breaches (Verizon 2011 Data Breach Investigations Report), web application attacks are one of the top ways hackers get data records.

An October 2011 Forrester study estimated that approximately 30% of organisations have externally facing SharePoint sites. This same study indicates that nearly 60% of organisations have augmented SharePoint with a third-party add-on for tasks such as workflow, web parts and administration. The popularity of SharePoint add-ons reinforces the need to defend against web application attacks. Organisations using these add-ons simply don’t have control over the security of these components.

Organisations that develop their own SharePoint applications and extensions face similar challenges. SharePoint developers must allocate time and resources to ensure that applications are written according to secure coding best practices, applications have to be tested for weaknesses and then any discovered vulnerabilities have to be fixed.

5. Take control when migrating data

SharePoint migrations provide organisations with an opportunity to rein in two key areas of SharePoint that easily get out of control: permissions and data storage. These areas are typically challenges in both the source and destination migration environments.

For example, organisations that use Microsoft Windows file servers as their unstructured data repository today face the same permissions challenges outlined in the first section of this article. Active Directory users and groups and file server ACLs easily fall out of sync with business requirements, leaving data open to the risks of over accessibility.

If you are migrating data to SharePoint from either Windows file servers or an earlier version of SharePoint, you should use the migration project as a time to remediate access controls that no longer reflect a business need-to-know level of access. If not, you will simply migrate the permissions chaos from the source environment to your new SharePoint deployment.

SharePoint includes basic security capabilities such as ACLs and activity logs to help secure data and monitor access activity. As organisations use SharePoint to store sensitive business data and extend access and collaboration to partners, customers and suppliers, security requirements outpace native SharePoint security capabilities.

Following these five recommendations, organisations will be able to overcome operational challenges and close security gaps to secure their SharePoint deployments against both internal risks and external threats.

*Kane Lightowler is the Regional Director for Imperva Australia & New Zealand. Over the past decade, he has held numerous roles within the information security sector and has consulted to hundreds of organisations across many market segments including banking and finance, telecommunications, government, mining, defence and more.