The Three Monthly Questions to Ask, and Answer, About Your SharePoint Data Security
CipherPoint is a partner of Concept Searching. This blog is well worth the read and provides value to any SharePoint organization concerned with security.
The following blog was posted on the CipherPoint web site. CipherPoint identifies, encrypts, controls and audits access to sensitive and regulated data on-premises and in cloud file sharing and collaboration systems. CipherPoint’s patented technology is unique in preventing privileged IT administrators and outside attackers that target IT-level access from accessing sensitive information. The CipherPoint Eclipse solution suite secures data across file servers, on-premises Microsoft SharePoint, Microsoft SharePoint Online, Microsoft Office 365 and other cloud collaboration systems from a central data security console. A winner of the SINET 16 award as a top security company in 2012 and Cyber Defense Magazine’s Most Innovative Cloud Security Solution for 2014, CipherPoint is headquartered in Denver, Colorado.
The author, Coby Royer, serves as CipherPoint’s Director of Product Management, where he sets product strategy and requirements and supports customer needs. He is a seasoned veteran in cyber security, having broad and deep experience in product development and enterprise security. Coby’s experience includes entrepreneurial ventures, consulting, and work with several Fortune 1000 companies. Projects have spanned many fields, including Cloud Computing, Internet security products, financial services, social networking, intellectual property, open source, and software development tools. Coby’s previous roles include CTO, Senior Manager, Enterprise Architect, Product Manager, QA Specialist, and Software Developer. Coby holds over a dozen US patents for security and financial instruments, many as primary or sole inventor.
This is meant to be a quick guide, a starting place, to get you thinking about regularly checking up on the state of your data. A good time to work on these questions may be whenever you’ve annoyed your loved one and you need something to do while hiding out, or if you just need a bit of time alone. No matter what the trigger, about once a month, grab a keyboard, pull up a chair, and see what you can find.
What type of data do I have in SharePoint, and where is it?
This is a straightforward question, but sometimes a hard one to answer. Because SharePoint is specifically designed for simple collaboration, data can and will easily flow into, and around, the system. Regular monitoring is essential to ensure that your data security policies are being followed.
Once you have located sensitive or restricted data, you need to ensure that it is where you expect it to be, probably on an internal-only site. In my research, approximately 40% of the data that appeared to be a breach of some sort (often marked something like ‘internal-use only’) was either misfiled or copied to an external site. The other 60% consists of the accidental exposure of entire libraries which should not have been open to the public.
While finding and locating sensitive data can be done in a number of ways, including SharePoint’s native search functionality, I recommend a tool like the content scanner found at http://sharepointdefenseindepth.com. This is a free-to-use, ad-free tool specifically designed for the SharePoint community to address this very question. It will find data based on regular expressions, and it produces a report on where the files were found. It has canned searches for various credit card types and US social security numbers, and an easy-to-use mechanism for building your own plain-text or regular expression searches.
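To show what a regular-expression content scan with a "where found" report involves, here is an added example; it is not the code of the scanner linked above. The function names and sample documents are hypothetical, and it goes one step beyond plain pattern matching by adding a Luhn checksum and SSN range rules to cut false positives.

```python
import re

# Candidate patterns: 13-16 digit card numbers with optional space or dash
# separators, and US SSNs written as AAA-GG-SSSS.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,15}\d(?![\d-])")
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")

SAMPLE_DOCS = {  # constructed sample content, not real data
    "/sites/public/Shared Documents/faq.txt": "Order ref 1234 5678 9012 3456",
    "/sites/public/Shared Documents/export.csv":
        "name,card\nA. Example,4111 1111 1111 1111\nB. Example,ssn 123-45-6789",
    "/sites/hr/internal.txt": "Placeholder SSN 000-12-3456",
}

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_plausible(area, group, serial):
    """Reject ranges that are never issued (area 000, 666, 9xx; zero parts)."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def mask(value):
    """Keep only the last four characters so the report is not itself a leak."""
    return "*" * (len(value) - 4) + value[-4:]

def scan_text(location, text):
    """Return (location, line number, kind, masked value) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append((location, lineno, "card", mask(digits)))
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append((location, lineno, "ssn", mask(m.group())))
    return findings

def scan_all(docs):
    """Scan a {location: text} mapping and return one combined report."""
    return [f for loc in sorted(docs) for f in scan_text(loc, docs[loc])]

if __name__ == "__main__":
    for row in scan_all(SAMPLE_DOCS):
        print(*row, sep="\t")
```

The 16-digit order reference and the `000` SSN both match the raw patterns but are dropped by the validity checks, which is the difference between a usable monthly report and one nobody reads.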
How much of my data is exposed?
This is one of the easiest to answer. Google is a great tool for this. The fastest way to get an idea of what you are exposing to the outside world is to simply type ‘site:[yourdomain].com’ (without the quotes, and replacing the bracketed text with your own domain) into a Google search. An example might be ‘site:cipherpoint.com’. This will give you a good idea of the pages potentially exposed to the public. From there you can add search terms to narrow in on the interesting data. Maybe add the term “visa”, “master card”, “social security”, or “top secret”; whatever makes sense for your organization.
Please note that I said, “Potentially exposed to the public.” Just because you see the document name in the search results does not mean that the data in the file is exposed. It does, however, mean that one layer of protection (your firewall) has been bypassed. If you find a file you believe has sensitive data, please try to open it. If you get a user ID/password prompt, the data may still be protected by the SharePoint ACLs. For each file like this, be sure to try to access the file, but click ‘Cancel’ without entering any login information. In my research for this paper, I found that just under 20% of the sites that prompted for a user ID and password would give access to the file after I clicked ‘Cancel’. This segues well into the next question, “Are the exposed sites configured properly?”
Are the exposed sites appropriate, and configured properly?
By default, SharePoint is configured to be pretty secure. Unfortunately, the ACL controls can be a bit confusing, potentially leading to configurations that are less than optimal from a security point of view. By this point, you should have a small list of sites that are exposed to the public, and a good idea of what sort of data exists on said sites. Now would be a good time to correct any inappropriate content, notify the correct authorities (if confidential data was found to be exposed to the public), and pay any necessary fines.
Don’t worry, I’ll wait…
Right, now that the checks are written, let’s look at what is actually exposed to the public. The following is a list of sites that should never be exposed. If you do find these titles coming up in your Google search, you need to take action. Either make sure they are nicely tucked away behind your firewall or, if you find one that is just a regular list or library that should be open to the public, please consider renaming it to something else. OK, now, here’s the list of names you should not see on your Google search:
“view all site content” “sign in” and “people and group”
Try the following Google search:
site:[yourdomain].com “view all site content” “sign in” and “people and group”
Make sure nothing shows up, or that they are no longer reachable.
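The follow-up checks described above (open each result from your own site: search without logging in, and look for the three listed titles) can be scripted for the monthly run. This is an added example, not part of the original post; the function names, URLs and responses are constructed, and it assumes a request sent with no credentials is an acceptable first pass before the manual ‘Cancel’ test.

```python
import urllib.error
import urllib.request

# Titles the article lists as pages that should not be reachable from outside.
LISTED_TITLES = ("view all site content", "sign in", "people and group")

def anonymous_fetch(url, timeout=10):
    """GET url with no credentials or cookies; return (status, body text)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 401/403/404 arrive as exceptions
        return err.code, err.read(65536).decode("utf-8", "replace")
    except OSError:  # DNS failure, connection refused, timeout
        return 0, ""

def classify(status, body):
    """Turn one anonymous response into (verdict, listed titles seen)."""
    seen = [t for t in LISTED_TITLES if t in body.lower()]
    if status in (401, 403):
        return "credentials requested", seen
    if 200 <= status < 300:
        verdict = "anonymous, listed title present" if seen else "anonymous read"
        return verdict, seen
    return "unreachable (%d)" % status, seen

def audit(urls, fetch=anonymous_fetch):
    """Check URLs taken from your own site: search results; return findings."""
    return [(url,) + classify(*fetch(url)) for url in urls]

# Constructed responses standing in for a live site, so the example runs offline.
FAKE_SITE = {
    "https://intranet.example.com/finance/budget.xlsx": (401, "401 UNAUTHORIZED"),
    "https://intranet.example.com/sites/team/contents.aspx":
        (200, "<title>View All Site Content</title>"),
    "https://intranet.example.com/press/release.docx": (200, "Press release"),
}

if __name__ == "__main__":
    for row in audit(sorted(FAKE_SITE), fetch=FAKE_SITE.__getitem__):
        print(row)
```

Rows marked "credentials requested" still need the manual ‘Cancel’ test from the previous section; the script only narrows down which URLs deserve attention first.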
Now, run a content scanner and/or the ‘site:[yourdomain].com’ Google search one more time, and ensure there is no sensitive data hanging out where you don’t expect it.
Regularly scanning your data for any anomalies in the exposed content is an important part of maintaining the overall health of your SharePoint installation. Mistakes will happen, and files will get moved to libraries where they do not belong. That is simply the nature of collaboration systems like SharePoint.
In many cases I would recommend an additional layer of protection, like transparent file encryption, to help safeguard against such mistakes. In this case, if a file containing sensitive data is accidentally moved or copied to an open site, or if a protected library is exposed to the public, any unauthorized access would only reveal encrypted file(s), not the important data inside.