How to Secure Your SharePoint Deployment

WHITE PAPER
Microsoft SharePoint’s ability to function as both a data repository and a
collaboration platform has accelerated its adoption in companies of all sizes
and across multiple industries. Not only can it store an organization’s sensitive
business data, but it can help automate business processes around that data.
When organizations begin to leverage SharePoint as a core business system,
the importance of securing SharePoint data and applications comes into focus.
SharePoint does include some basic security building blocks—like permissions
and auditing—but successfully harnessing these, and addressing some of the
gaps in native SharePoint, is critical for achieving effective data security.
This paper presents five best practices for securing your SharePoint environment.
It discusses how SecureSphere for SharePoint can help organizations get
the most out of SharePoint’s existing permissions system, and fill some of
SharePoint’s security gaps.
1. Getting Permissions Right
Microsoft’s advice for securing SharePoint begins with permissions. Their technical paper “Security and protection for SharePoint Server
2010” [1] starts with this guidance:
“Some of the sites in your enterprise probably contain content that should not be available to all users... [some] information should be
accessible only on a need-to-know basis. Permissions control access to your sites and site content. You can manage permissions by using
Microsoft SharePoint Server 2010 groups, which control membership, and fine-grained permissions, which help to secure content at the
item and document level.”
Native SharePoint permissions are, in fact, an excellent access control mechanism. SharePoint Access Control Lists (ACLs) are directly
associated with SharePoint items and documents, and SharePoint automatically enforces access control when users attempt to
access data.
What makes native permissions challenging, however, is that SharePoint lacks an automated way to ensure that rights remain
aligned with business needs. The challenge here is twofold. First, it’s difficult to effectively track and manage all of the permissions in
SharePoint. Unstructured data is estimated to be growing at 60% per year. As more unstructured data is added to SharePoint, additional
permissions are created—either through inheritance or assignment—and must be managed. The second challenge is that access rights
are in a constant state of flux as the organization itself grows and changes. Each new employee, contractor or consultant that joins the
company has access needs and restrictions, as do users who are starting new work projects, changing job roles, or leaving the company.
Access rights are constantly growing and changing, but without an automated way to keep access rights aligned with business needs,
SharePoint administrators have to work hard to stay on top of permissions. For example, access rights information is not available
across multiple sites or site collections. Without an aggregated, centralized view of rights information, SharePoint permissions for each
site collection must be extracted to an Excel spreadsheet and then combined by hand before they can be analyzed in any depth.
And, that analysis must be done manually within Excel or exported—yet again—to a third-party analytics platform.
SecureSphere for SharePoint overcomes the limitations of native SharePoint permissions visibility by automatically aggregating
permissions across your entire SharePoint deployment. This delivers the insight necessary to keep rights aligned with business needs.
For example, using SecureSphere it’s easy to understand who has access to what data or, conversely, what data any given user or group
can access, and how that access was assigned or inherited. SecureSphere also simplifies the process of identifying where excessive
access rights have been granted, if there are dormant users, and who owns data.
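The aggregated view described above can be sketched in a few lines. This is an added example, not code from Imperva or Microsoft: it merges per-site-collection exports and answers both questions (what a user can reach and how, and who can reach a resource). The export column names, site URLs, group membership and account names are constructed assumptions.

```python
import csv
import io

# Constructed exports, one per site collection. Column names are assumptions
# made for this example, not a SharePoint export format.
EXPORTS = {
    "https://sp.example.test/sites/hr": (
        "principal,resource,level,source\n"
        "CORP\\alice,/Payroll,Full Control,direct\n"
        "HR Members,/Payroll,Read,inherited\n"
        "Everyone,/Payroll/2011,Read,inherited\n"
    ),
    "https://sp.example.test/sites/eng": (
        "principal,resource,level,source\n"
        "CORP\\alice,/Specs,Contribute,direct\n"
        "HR Members,/Specs/Public,Read,direct\n"
    ),
}
# Constructed group membership (assumed to be exported from the directory).
GROUPS = {"HR Members": {"CORP\\bob", "CORP\\carol"}}
# Catch-all principals that grant access to every user.
BROAD = {"Everyone", "NT AUTHORITY\\Authenticated Users"}

def aggregate(exports):
    """Merge all site-collection exports into one list with absolute resource URLs."""
    grants = []
    for site, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            grants.append({**row, "resource": site + row["resource"]})
    return grants

def access_for(user, grants, groups):
    """What a user can reach, and how: directly/inherited, or through which group."""
    found = []
    for g in grants:
        if g["principal"] == user:
            found.append((g["resource"], g["level"], g["source"]))
        elif g["principal"] in BROAD or user in groups.get(g["principal"], ()):
            found.append((g["resource"], g["level"], "via " + g["principal"]))
    return sorted(found)

def users_of(resource, grants, groups):
    """Who can reach a resource, with groups expanded to their members."""
    users = set()
    for g in grants:
        if g["resource"] == resource:
            users |= groups.get(g["principal"], {g["principal"]})
    return users
```

Any entry returned with "via Everyone" is a natural first candidate for a rights review.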
To further simplify the process of keeping access rights aligned with business needs, SecureSphere for SharePoint provides permissions
review tools, such as those shown in Figure 1. These help administrators and data owners establish a baseline snapshot of access rights,
and conduct rights reviews.
Figure 1. A review of SharePoint access permissions in Imperva SecureSphere for SharePoint.
[1] http://technet.microsoft.com/en-us/library/cc263215.aspx (May 12, 2010)
2. Automate Compliance Reporting
SharePoint adoption has been successful in large part because of its ease of use and its unique combination of features, especially
its portal, workflow, and enterprise content management capabilities, as highlighted in Figure 2. These features make SharePoint
a natural platform for storing, managing and presenting sensitive business data. If you store business-critical data in SharePoint,
then demonstrating compliance with regulations, industry mandates or internal risk controls will most likely be an essential part
of SharePoint administration and governance for your organization.
Figure 2. The top uses of SharePoint are Web portals, workflow management and enterprise content management. [2]
[Bar chart: “How are you currently using, or plan to use, your SharePoint investment?” Categories: Content Repository Only; ECM; Portal/Web Content; Workflow; BPM; Social, community, collaboration; B.I. / Dashboards; Custom Apps. Scale: 0 to 80.]
Organizations that maintain sensitive data in SharePoint will be well served by automating SharePoint compliance reporting.
Why automate compliance reporting? One of the greatest operational challenges of compliance is demonstrating that your
organization is, in fact, meeting compliance mandates. Unfortunately, for many organizations, this means manually collecting
and organizing relevant information to generate reports. Manual compliance reporting is typically a significant burden on businesses
that disrupts normal operational activities. IT administrators have to locate relevant information, collate it, and assemble reports,
a process which is both time consuming and error prone.
For two major areas of IT compliance reporting—user rights and access activity—SharePoint leaves organizations wanting. The first
section of this paper highlighted the challenge of establishing permissions visibility in SharePoint, which is obviously a prerequisite for
being able to generate reports.
SharePoint’s built-in capabilities for access activity auditing and reporting are similarly limited. A quick review of the built-in audit trail,
pictured below in Figure 3, reveals that it does not provide readily usable information. For example, look at a “Site ID” and an “Item ID”
in one of the rows below. These long strings of numbers must be decoded to provide meaningful information. And, you cannot simply
look them up in the SharePoint user interface. You need an understanding of the SharePoint object model, and then you need to write
a program to do the decoding, and piece the various parts together.
Figure 3. Native SharePoint activity monitoring details.
[2] How are Businesses using Microsoft SharePoint in the Enterprise? Market Survey Update for 2011
Ultimately, for operationally efficient and scalable activity monitoring, organizations turn to third-party solutions. For example, compare
the native SharePoint audit details of Figure 3 with the audit information pictured in Figure 4, a screen capture of SecureSphere for
SharePoint. With SecureSphere, information is presented in an easily understandable format, and it can be augmented with other
relevant information, such as the type of data (“Data Type” in Figure 4), and the name of the data owner. This level of information
simplifies the process of identifying relevant details for compliance reporting.
Figure 4. Viewing access activity details in SecureSphere for SharePoint.
SecureSphere for SharePoint automates compliance reporting by combining permissions and activity details with enterprise-class
reporting capabilities such as scheduling, formatting and a broad range of report delivery options. This blend of content and structure
ensures compliance reports are generated with the right information, on time, and tailored to each recipient’s needs.
3. Respond to Suspicious Activity in Real Time
Figure 2 highlighted that SharePoint’s most popular use is as a portal—a place to share information. If we look at whom exactly
organizations are sharing their information with, as shown in Figure 5, we can see that a broad range of internal and external groups
are given access. Organizations should be complementing this degree of trust, access, and openness in their SharePoint deployments
with the ability to detect and alert on suspicious access activity.
Figure 5. Who organizations share information with when collaborating via SharePoint.
[Bar chart: “Do you use SharePoint for collaboration with any of the following?” Categories: Employees on other sites in your country; Employees in other countries; Project partners; Sales/Channel partners; Customers; Suppliers; Regulators; None of these. Scale: 0 to 80.]
Given the basic level of activity auditing available in SharePoint, it is not surprising that SharePoint does not provide the ability to
automatically analyze access activity and respond with alerts or other follow-on actions. But, this is exactly what organizations should
be doing to reduce the risk to their shared data.
SecureSphere for SharePoint layers a policy framework on top of its audit record that allows organizations to build rules that identify
suspicious behavior and complement native access controls. SecureSphere also comes pre-configured with policies available out-of-the-box to simplify the process. This allows organizations to share information that increases business efficiency, yet maintain a level
of monitoring and control that reduces threats.
For example, an organization sharing healthcare data with partners via a SharePoint portal might want to generate an alert if there
was an excessive level of access activity. Figure 6 shows a portion of a policy that alerts when someone accesses healthcare files at a
rate that exceeds 100 times in an hour. If the usual level of access for an employee or partner is 100 files over the course of an entire
day, this policy could be used to detect what would clearly be suspicious access activity.
Figure 6. Part of a SecureSphere for SharePoint policy for detecting excessive access activity.
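The rate rule described above (more than 100 healthcare file accesses by one person within an hour) can be expressed as a sliding-window check over audit records. This is an added example, not SecureSphere policy syntax or code from the paper; the record layout, the data-type label and the account names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
THRESHOLD = 100            # the rate used in the policy described above
DATA_TYPE = "healthcare"   # hypothetical data-type label on each audit record


def excessive_access(events, threshold=THRESHOLD, window=WINDOW):
    """Return {user: (time, count)} for the first moment each user exceeds
    `threshold` in-scope accesses inside any sliding `window`.
    Each event is a tuple (timestamp, user, data_type)."""
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    alerts = {}
    for ts, user, data_type in sorted(events):
        if data_type != DATA_TYPE:
            continue              # outside the policy's scope
        q = recent[user]
        q.append(ts)
        while ts - q[0] >= window:    # drop accesses that are an hour old or more
            q.popleft()
        if len(q) > threshold and user not in alerts:
            alerts[user] = (ts, len(q))
    return alerts


def sample_events():
    """Constructed audit records, not real data."""
    start = datetime(2012, 1, 9, 9, 0)
    events = []
    # partner1: 100 healthcare files spread across an 8-hour day (normal use)
    events += [(start + timedelta(seconds=288 * i), "partner1", "healthcare")
               for i in range(100)]
    # partner2: 150 healthcare files in 25 minutes (one every 10 seconds)
    events += [(start + timedelta(seconds=10 * i), "partner2", "healthcare")
               for i in range(150)]
    # employee3: heavy access, but to data the policy does not cover
    events += [(start + timedelta(seconds=5 * i), "employee3", "marketing")
               for i in range(300)]
    return events
```

The user with 100 accesses spread over the day never has more than 13 inside any one-hour window, so only the burst is reported.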
Additionally, SecureSphere for SharePoint provides policies that monitor access to the Microsoft SQL database at the heart of many
SharePoint deployments, and block any unauthorized access. Not only does this prevent security threats, but it also helps organizations
adhere to Microsoft’s support conditions. Specifically, Microsoft places restrictions on what actions organizations can perform directly
on the SQL database. For example, adding new stored procedures or directly adding, changing, or deleting any data in any table of
any of the SQL databases used by SharePoint is not supported [3]. SecureSphere for SharePoint policies can be employed to ensure your
SharePoint environment is not left in an unsupported state.
4. Protect Web Applications
Internet-accessible Web applications are a common threat vector for hacker attacks such as SQL injection and cross-site scripting,
among others. SharePoint sites accessible to partners, customers, suppliers, etc., via the Internet have to be protected just like other
Web applications. According to an in-depth 2011 study of data breaches [4], Web application attacks are one of the top ways hackers
get data records.
A leading market research firm [5] estimates that approximately 30% of organizations have externally facing SharePoint sites. This same
study indicates that nearly 60% of organizations have augmented SharePoint with a third-party add-on for tasks such as workflow,
web parts and administration. The popularity of SharePoint add-ons reinforces the need to defend against Web application attacks.
Organizations using these add-ons simply don’t have control over the security of these components.
Organizations that develop their own SharePoint applications and extensions face similar challenges. SharePoint developers must
allocate time and resources to ensure that applications are written according to secure coding best practices, applications have to
be tested for weaknesses, and then any discovered vulnerabilities have to be fixed.
SecureSphere for SharePoint leverages market leading SecureSphere Web Application Firewall (WAF) technology to provide a
powerful defense against hackers, streamline and automate regulatory compliance, and mitigate data risks. In addition to WAF
protections, SecureSphere for SharePoint is attuned to SharePoint’s unique use of the HTTP protocol, and includes out-of-the-box
policies to protect SharePoint from suspicious activity.
[3] http://support.microsoft.com/kb/841057
[4] Verizon 2011 Data Breach Investigations Report
[5] “SharePoint Adoption: Content And Collaboration Is Just The Start”, Forrester, October 2011
5. Take Control When Migrating Data
SharePoint migrations provide organizations with an opportunity to rein in two key areas of SharePoint that easily get out of control:
permissions and data storage. These areas are typically challenging in both the source and destination migration environments.
For example, organizations that use Microsoft Windows file servers as their unstructured data repository today face the same
permissions challenges outlined in the first section of this paper. Active Directory users and groups and file server ACLs easily fall
out of sync with business requirements, leaving data open to the risks of over-accessibility.
If you are migrating data to SharePoint from either Windows file servers or an earlier version of SharePoint, you should use the migration
project as a time to remediate access controls that no longer reflect a business need-to-know level of access. If not, you will simply
migrate the permissions chaos from the source environment to your new SharePoint deployment.
The same rights visibility and review tools provided as part of SecureSphere for SharePoint are available for Windows file servers
and NAS devices as part of SecureSphere File Activity Monitoring, a complementary solution. So, using SecureSphere File Activity
Monitoring and SecureSphere for SharePoint, organizations can address these permissions challenges as they migrate their Windows
data from file servers and NAS devices to SharePoint, and using SecureSphere for SharePoint, organizations can conduct rights reviews
and clean up permissions as they migrate between SharePoint 2007 and 2010.
In addition to permissions sprawl, Windows and SharePoint environments often end up containing a large volume of unused or stale
data. While the costs of storage itself may not be significant, it is costly from an administrative perspective to constantly secure, archive,
de-duplicate, etc., data that no one is using.
One of the capabilities of SecureSphere is that it can identify data that no one has accessed for an extended period of time. It does this
by auditing all access activity, so it can identify which data is not being accessed. The ability to filter out specific access activity—such as
scans done by anti-virus or backup software—ensures that stale data is accurately identified. This enables organizations to then archive
or delete this data, free up storage space, and reduce ongoing administrative overhead.
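The effect of filtering out scanner and backup activity when identifying stale data is shown below. This is an added example, not code from the paper or from SecureSphere; the service account names, file paths, audit records and the one-year threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Hypothetical service accounts whose reads should not count as use.
SERVICE_ACCOUNTS = {"CORP\\svc-antivirus", "CORP\\svc-backup"}

# Constructed inventory and audit records: (timestamp, account, item).
INVENTORY = ["/Docs/handbook.docx", "/Docs/q3-plan-2010.docx", "/Docs/old-archive.zip"]
EVENTS = [
    (datetime(2010, 9, 30), "CORP\\alice", "/Docs/q3-plan-2010.docx"),
    (datetime(2012, 2, 20), "CORP\\bob", "/Docs/handbook.docx"),
    # Nightly scans touch everything, including files nobody uses.
    (datetime(2012, 2, 29), "CORP\\svc-antivirus", "/Docs/q3-plan-2010.docx"),
    (datetime(2012, 2, 29), "CORP\\svc-backup", "/Docs/old-archive.zip"),
    (datetime(2012, 2, 29), "CORP\\svc-antivirus", "/Docs/handbook.docx"),
]
NOW = datetime(2012, 3, 1)


def stale_items(inventory, events, now, max_age=timedelta(days=365),
                ignore=SERVICE_ACCOUNTS):
    """Return {item: last_access_or_None} for items with no access by a
    non-ignored account within `max_age`. `inventory` lists every item, so
    items that never appear in the audit trail are still reported."""
    last = {}
    for ts, account, item in events:
        if account in ignore:
            continue                      # scanner/backup reads are not use
        if item not in last or ts > last[item]:
            last[item] = ts
    return {item: last.get(item) for item in inventory
            if item not in last or now - last[item] > max_age}
```

Calling `stale_items` with an empty `ignore` set on the same records reports nothing as stale, because the nightly scans make every file look recently used.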
Conclusion
SharePoint includes basic security capabilities such as ACLs and activity logs to help secure data and monitor access activity. As
organizations use SharePoint to store sensitive business data and extend access and collaboration to partners, customers and suppliers,
security requirements outpace native SharePoint security capabilities. Following the five recommendations discussed in this document,
organizations will be able to overcome operational challenges and close security gaps to secure their SharePoint deployments against
both internal risks and external threats.
About Imperva
Imperva, pioneering the third pillar of enterprise security, fills the gaps in endpoint and network security by directly protecting
high‑value applications and data assets in physical and virtual data centers. With an integrated security platform built specifically
for modern threats, Imperva data center security provides the visibility and control needed to neutralize attack, theft, and fraud
from inside and outside the organization, mitigate risk, and streamline compliance.
www.imperva.com
© Copyright 2014, Imperva
All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva.
All other brand or product names are trademarks or registered trademarks of their respective holders. WP-SECURE-SHAREPOINT-DEPLOYMENT-0314.1