WHITEPAPER. Find, Secure and Audit Personally Identifiable Information In SharePoint

Transcription

1 WHITEPAPER Find, Secure and Audit Personally Identifiable Information In SharePoint

2 Executive Summary The adoption of SharePoint, whether on-premises, or in cloud collaboration platforms such as Office 365 and SharePoint Online, provides business users an improved platform to exchange information and collaborate more efficiently. Moving to a centralized platform such as SharePoint also allows IT teams to better backup, restore, and manage information. For SharePoint to continue to grow as a business platform it must be suitable for highly sensitive areas of the business that handle trade secrets, military intelligence, healthcare records, or personnel files. This sensitive information includes Personally Identifiable Information (PII), which is regulated by various laws and compliance regulations. An informed approach to security for SharePoint, including transparent encryption and access control for sensitive content, can address concerns relating to sensitive information and PII being stored in SharePoint sites. With the average cost of a data breach reaching nearly $7M per incident (Ponemon Institute), securing Personally Identifiable Information in content repositories and collaboration platforms such as SharePoint is a critical priority for IT organizations. Beyond addressing current security concerns, proper security can also be the catalyst for expanding the use cases for SharePoint, to include new areas such as HR, executive teams, and as a platform to store and process regulated information. This is particularly true for Office 365 and SharePoint Online, where concerns regarding security and privacy have to be addressed before adoption of these platforms for use cases involving sensitive information can be considered. CipherPoint Software offers products to find, encrypt, control access, and log access to PII in file sharing and collaboration platforms, in onpremises and in Cloud environments. This document describes the PII problem, and demonstrates how an organization can use CipherPoint s products to quickly identify locations that contain PII, secure those locations, and then be able to quickly respond to an incident and report any permitted or denied access to an individual s PII. CipherPoint s approach not only reduces the Total Cost of Ownership typically associated with security solutions but also reduces the cost and time it takes to respond to security incidents.

3 Problem Overview To enable SharePoint for use for executive staff, boards of directors, human resources departments and for the storage and processing of PII, an organization must go beyond common SharePoint security mechanisms such as permissions and security for the network session. Specifically, the organization needs to iteratively find, classify, protect, and audit sensitive information usage none of which are core features of SharePoint. The challenge of finding PII in SharePoint and determining the scope of the problem is extremely common among large SharePoint implementations. A recent study by CipherPoint found that 50% of onpremises SharePoint administrators have never scanned their sites looking for regulated or sensitive information, and 80% of SharePoint Online administrators have never performed a scan. Further, use cases that touch on highly confidential areas of the business such as Human Resources, and that produce large volumes of PII, require that IT administrators cannot mistakenly or maliciously access sensitive content. An additional requirement is that security controls must not hamper the end users productivity nor require additional training that distracts them from the value they bring to the company. In short, the security controls must be transparent and automated. Personally Identifiable Information is generally defined as including these information elements: Full name (if not common) National identification number IP address (in some cases) Vehicle registration plate number Driver's license number Face, fingerprints, or handwriting Credit card numbers Digital identity Date of birth Birthplace Genetic information The following less frequently used information elements are also potentially PII, because they may be combined with other personal information to identify an individual:

4 First or last name, if common Country, state, or city of residence Age, especially if non-specific Gender or race Name of the school they attend or workplace Grades, salary, or job position Criminal record Personally Identifiable Information is becoming highly regulated throughout the world. Compliance regulations that specify either specific security controls to protect PII, or which impose penalties for data breaches involving the loss of PII include HIPAA/HITECH, GLBA, PCI DSS, numerous other US regulations and guidance, EU Data Privacy, UK Data Protection Act, PIPEDA in Canada, 45+ state data breach laws in the US, and various data privacy laws in other parts of the world. Common security and compliance requirements for the protection of PII include: 1. Strong authentication of end users and administrative staff 2. Access control to protect from unauthorized access and enforce business need to know 3. Protecting access to sensitive information through use of transparent content encryption 4. Activity auditing to track permitted and denied access requests 5. Separation of duties among IT administrators, the various tiers of SharePoint and storage administrators, and information security teams 6. Identifying where PII exists in collaboration sites Requirement 5 is especially challenging for SharePoint deployments as the departments that are responsible for the security and compliance for the business cannot have privileged access to SharePoint, SharePoint administrators are not responsible for security, and end users rarely accept the burden of securing their own information. Businesses need to be able to secure content in a way that empowers information security, allows the SharePoint administrators to maintain the platform, and is effectively invisible to end users. Native SharePoint platform security controls provide well-documented options for user authentication. SharePoint s role-based access control is

5 customizable to facilitate most any combination of permissions. Most organizations already have a trusted authentication mechanism in place and will prefer to use it. The internal SharePoint team must then configure basic role-based access controls to ensure only intended end-users have authorized access to the site or library. This task is straightforward but for SharePoint sites, it is too often left to the discretion of end users, with the frequent result that too many users (or all to often all users) are provided with full access. Enabling audit trails for SharePoint user login activity, and for administrative changes to the groups that control access to data in SharePoint is also important. By completing these tasks, organizations can address requirement 1 above. However, these measures do not fully address requirements 2 and 4. Using SharePoint permissions to enforce business need to know is insufficient because, in most organizations, SharePoint administrators themselves control group membership and permissions. In the case of requirement 4, enabling audit logging for SharePoint sites is also typically a function that is controlled by SharePoint administrators. If the threat that is of concern is insiders and administrators, then it follows that separating duties in these areas is critical. For requirements 3, 5, and 6 above, there are no effective security controls that are natively available on the SharePoint platform that address this issue. These requirements require third party security solutions to fill the security gaps. It s also worth noting that the use of encryption to protect PII for information stored in SharePoint (requirement 3 above) will generally meet safe harbor provisions found in many of the compliance regulations and data breach laws, so that if encrypted PII is lost or stolen, notification requirements regarding data breaches are waived. Organizations wishing to deploy SharePoint, Office 365, and SharePoint Online to user communities including executive teams, HR, and Boards of Directors will need to look beyond the capabilities provided in SharePoint out of the box to fully address their security requirements. CipherPoint Eclipse Solution: Find, Secure, Audit

6 The CipherPoint solution is specifically architected to maintain the confidentiality of information stored in SharePoint, Office 365, and SharePoint Online environments and other multi-tenant file sharing and collaboration platforms. Customers can use CipherPoint s technology to: Find PII in SharePoint Transparently encrypt it according to NIST guidelines Control and audit access to PII per need to know policies Report and respond to accesses to PII The approach above allows an organization to not only demonstrate the due diligence required to avoid the fines associated with data breaches or improper disclosures of PII information but also to quickly and cost effectively respond to a potential breach of PII. The Eclipse solution is unique in that it ensures that accounts with privileged IT rights cannot be used to maliciously or mistakenly view protected information. This is a major concern not only for highly sensitive data but also for on-premises SharePoint portals exposed to the public Internet. For Office 365 and SharePoint Online, the Snowden breach fallout has made this issue critical for cloud security as well, both because enterprises have no desire to allow cloud service provider administrators to be able to see sensitive data and PII, and because cloud providers can be forced to turn over data to national intelligence services. This places additional importance on customer-controlled encryption keys for cloud data. CipherPoint s solution complements the existing security capabilities found in SharePoint, Office 365, and SharePoint Online by providing additional layers of security and separation of duties. The CipherPoint Eclipse Data Security Suite includes a centralized security management console that allows for the configuration and management of the security and encryption of SharePoint content. This architecture provides true separation of duties as the SharePoint administrators can manage the platform without being able to circumvent security, the security team can administer the security controls without requiring access to SharePoint, and the authorized end-users are the only ones that can access their sensitive information. In addition, the CipherPoint technology inserts at the web tier, resulting in a user

7 experience that is truly seamless. Transparent operation is critical for end user adoption of a SharePoint encryption solution. The remainder of this paper shows how to find, secure, and audit access to PII. Finding PII in SharePoint, Office 365, and SharePoint Online Finding PII in any repository can be a challenge, especially with file repositories such as SharePoint. Use CipherPoint Eclipse s content scanning module to scan your SharePoint Document Libraries and Lists for PII identifiers such as those depicted in the figure below. Once you have confirmed whether or not PII resides in SharePoint, you can decide if there is a business need for that information to be in the platform. Figure 1 Example: Scanning Rules below shows an example of scanning rules to identify potential PII stored in SharePoint. In this example, the assumption is that any SharePoint item that contains a date, ICD code, and a social security number is likely to contain PII. Further, the SharePoint List or Document Library where that item is stored likely contains many other items containing PII. Figure 1 Example: Scanning Rules After executing the scan configuration shown in Figure 1 Example:

8 Scanning Rules, the Eclipse Console returns a report including a summary of the number of matches for each individual rule as well as the number of matches for any particular SharePoint item (Figure 2 Example: Scan Results). At this point you can use CipherPoint Eclipse to secure the PII according to NIST encryption best practices, or your individual corporate security standards. Figure 2 Example: Scan Results Using CipherPoint Eclipse to Secure PII CipherPoint Eclipse includes transparent at rest encryption, access controls, and activity logging. The software is unique in that it automatically manages encryption keys in accordance with NIST A key provision of that standard, and one of the most difficult guidelines in which to comply, is refreshing the data encryption keys every two years. As you can see in Figure 3 Change Key Rotation below, a security administrator can easily configure the CipherPoint product to automatically generate, change, and (optionally) expire encryption keys not only to achieve compliance but also to maintain compliance over time.

9 Figure 3 Change Key Rotation There is no need to configure auditing in the CipherPoint product; the system will automatically log all permitted and denied requests to documents containing PII, as well as any changes to the security configuration. You may optionally apply access control lists to the locations containing PII if the existing SharePoint permissions and the management of those permissions are not sufficient for your compliance requirements. The access control lists can contain Active Directory users and groups or whatever identities SharePoint is using, such as a custom claims provider. Reporting Access to PII The CipherPoint solution includes a reporting capability to provide a history of not only access requests to PII but also the security controls applied to that information. The Object Access Report allows customers to generate a report of all permitted and denied access requests to PII during a configurable time interval. The Security Manifest Report allows customers to automatically document the security controls in place at a point in time. Together these reports allow organizations to not only document successful and denied access attempts to PII, but also prove they have the proper security controls in place.

10 Responding to an incident Figure 4 Object Access Report Fortunately, an incident does not necessarily mean that there has been a breach ofpii. When a security incident occurs it is critical to not only prove that your organization was exercising due diligence in regards to securing PII, but also to quickly confirm whether an individual s PII was improperly disclosed. CipherPoint Eclipse can be used to locate all the SharePoint items that contain the PII of a specific individual and then correlate that information with the audit records to report all access requests to that PII. For example, assume that the specific individual whose PII we need to identify is Vinny Boombatz. CipherPoint Eclipse allows you to easily build scanning rules to search for Mr. Boombatz s first name, last name, record date, and the last four digits of his Social Security Number. Figure 5: Scan for Specific PII

11 Executing the scan using the rules shown PII will quickly identify the SharePoint items that contain Mr. Boombatz s PII. The CipherPoint Eclipse Console audit logs can then be searched to report on all accesses to those items containing the PII in question including the ability to export the results in Comma Separate Value (CSV) format. The audit logs include exactly what access requests occurred, which user made those request, the network location of that user, and whether the request resulted in access to PII. Figure 6 Reporting access to PII Conclusion The combination of CipherPoint s transparent encryption, access control, and activity logging technology and key management capabilities with native SharePoint authentication and access controls fully addresses the requirements outlined above. As SharePoint becomes more of a missioncritical business platform, organizations will require additional security controls to maintain the confidentiality of sensitive information stored in SharePoint sites. Expanding the secure use of SharePoint, Office 365, and SharePoint Online to include senior executives, boards of directors, human resources staff, and other owners and producers of sensitive content and PII can be accomplished through the thoughtful deployment of appropriate security controls, including transparent encryption, access controls, strong authentication, audit trails, and separation of duties. As a SharePoint architect or administrator, CipherPoint s solutions and SharePoint s native security features allow you to provide a secure platform and enable

12 collaboration within your organization. In doing so, you will provide a more efficient and secure way of doing business, increase SharePoint s visibility in your organization, and increase your value to your enterprise. About CipherPoint Software, Inc. CipherPoint identifies, secures, and audits access to sensitive and regulated data on-premises and in cloud file sharing and collaboration systems with a single data security management console. CipherPoint s solution is unique in keeping privileged IT administrators and outside attackers that target IT level access from being able to view sensitive information. CipherPoint is uniquely capable of securing data across file servers, on-premises SharePoint, Office365, SharePoint Online, and other cloud collaboration systems. CipherPoint s products are easy to deploy and manage, and scalable to meet the needs of large enterprises. A winner of the SINET 16 award as a top security company in 2012, CipherPoint is headquartered in Denver, Colorado, and was founded by IT security experts with deep experience in building successful security technology companies. Customers in healthcare, financial services, manufacturing, government, and other industries, in Europe, North America, and Asia rely on CipherPoint to protect access to sensitive and regulated information. CipherPoint is proud to be a member of the Microsoft Business Critical SharePoint Program. Copyright 2014, all rights reserved. CipherPoint is a registered trademark of CipherPoint Software, Inc. CipherPoint Eclipse,CipherPoint Eclipse for SharePoint, CipherPoint Eclipse for SharePoint Online/Office 365, CipherPoint Eclipse for Healthcare, CipherPoint Eclipse for File Servers, CipherPoint Eclipse Data Security Console and the stylized CipherPoint logo are trademarks of CipherPoint Software, Inc.. SharePoint, SharePoint Online, and Office 365 are trademarks of Microsoft. Doc. ID: CPWP006