How to Secure Your SharePoint Deployment

Transcription

1 WHITE PAPER How to Secure Your SharePoint Deployment Some of the sites in your enterprise probably contain content that should not be available to all users [some] information should be accessible only on a need-to-know basis. Microsoft SharePoint s ability to function as both a data repository and a collaboration platform has accelerated its adoption in companies of all sizes and across multiple industries. Not only can it store an organization s sensitive business data, but it can help automate business processes around that data. When organizations begin to leverage SharePoint as a core business system, the importance of securing SharePoint data and applications comes into focus. SharePoint does include some basic security building blocks like permissions and auditing but successfully harnessing these, and addressing some of the gaps in native SharePoint, is critical for achieving effective data security. This paper presents five best practices for securing your SharePoint environment. It discusses how SecureSphere for SharePoint can help organizations get the most out of SharePoint s existing permissions system, and fill some of SharePoint s security gaps.

2 1. Getting Permissions Right Microsoft s advice for securing SharePoint begins with permissions. Their technical paper Security and protection for SharePoint Server starts with this guidance: Some of the sites in your enterprise probably contain content that should not be available to all users... [some] information should be accessible only on a need-to-know basis. Permissions control access to your sites and site content. You can manage permissions by using Microsoft SharePoint Server 2010 groups, which control membership, and fine-grained permissions, which help to secure content at the item and document level. Native SharePoint permissions are, in fact, an excellent access control mechanism. SharePoint Access Control Lists (ACLs) are directly associated with SharePoint items and documents, and SharePoint automatically enforces access control when users attempt to access data. What makes native permissions challenging, however, is that SharePoint lacks an automated way to ensure that rights remain aligned with business needs. The challenge here is twofold. First, it s difficult to effectively track and manage all of the permissions in SharePoint. Unstructured data is estimated to be growing at 60% per year. As more unstructured data is added to SharePoint, additional permissions are created either through inheritance or assignment and must be managed. The second challenge is that access rights are in a constant state of flux as the organization itself grows and changes. Each new employee, contractor or consultant that joins the company has access needs and restrictions, as do users who are starting new work projects, changing job roles, or leaving the company. Access rights are constantly growing and changing, but without an automated way to keep access rights aligned with business needs, SharePoint administrators have to work hard to stay on top of permissions. For example, access rights information is not available across multiple sites or site collections. Without an aggregated, centralized view of rights information, SharePoint permissions for each site collection must be extracted to an Excel spreadsheet and then combined by hand before they can be analyzed in any depth. And, that analysis must be done manually within Excel or exported yet again to a third-party analytics platform. SecureSphere for SharePoint overcomes the limitations of native SharePoint permissions visibility by automatically aggregating permissions across your entire SharePoint deployment. This delivers the insight necessary to keep rights aligned with business needs. For example, using SecureSphere it s easy to understand who has access to what data or, conversely, what data any given user or group can access, and how that access was assigned or inherited. SecureSphere also simplifies the process of identifying where excessive access rights have been granted, if there are dormant users, and who owns data. To further simplify the process of keeping access rights aligned with business needs, SecureSphere for SharePoint provides permissions review tools, such as those shown in Figure 1. These help administrators and data owners establish a baseline snapshot of access rights, and conduct rights reviews. Figure 1. A review of SharePoint access permissions in Imperva SecureSphere for SharePoint. 1 (May 12, 2010) 2

3 2. Automate Compliance Reporting SharePoint adoption has been successful in large part because of its ease of use and its unique combination of features, especially its portal, workflow, and enterprise content management capabilities, as highlighted in Figure 2. These features make SharePoint a natural platform for storing, managing and presenting sensitive business data. If you store business-critical data in SharePoint, then demonstrating compliance with regulations, industry mandates or internal risk controls will most likely be an essential part of SharePoint administration and governance for your organization. How are you currently using, or plan to use, your SharePoint investment? Content Repository Only ECM Portal/Web Content Workflow BPM Social, community, collaboration B.I. / Dashboards Custom Apps Figure 2. The top uses of SharePoint are Web portals, workflow management and enterprise content management. 2 Organizations that maintain sensitive data in SharePoint will be well served by automating SharePoint compliance reporting. Why automate compliance reporting? One of the greatest operational challenges of compliance is demonstrating that your organization is, in fact, meeting compliance mandates. Unfortunately, for many organizations, this means manually collecting and organizing relevant information to generate reports. Manual compliance reporting is typically a significant burden on businesses that disrupts normal operational activities. IT administrators have to locate relevant information, collate it, and assemble reports, a process which is both time consuming and error prone. For two major areas of IT compliance reporting user rights and access activity SharePoint leaves organizations wanting. The first section of this paper highlighted the challenge of establishing permissions visibility in SharePoint, which is obviously a prerequisite for being able to generate reports. SharePoint s built in capabilities for access activity auditing and reporting are similarly limited. A quick review of the built in audit trail, pictured below in Figure 3, reveals that it does not provide readily usable information. For example, look at a Site ID and an Item ID in one of the rows below. These long strings of numbers must be decoded to provide meaningful information. And, you cannot simply look them up in the SharePoint user interface. You need an understanding of the SharePoint object model, and then you need to write a program to do the decoding, and piece the various parts together. Figure 3. Native SharePoint activity monitoring details. 2 How are Businesses using Microsoft SharePoint in the Enterprise? Market Survey Update for

4 Ultimately, for operationally efficient and scalable activity monitoring, organizations turn to third-party solutions. For example, compare the native SharePoint audit details of Figure 3 with the audit information pictured in Figure 4, a screen capture of SecureSphere for SharePoint. With SecureSphere, information is presented in an easily understandable format, and it can be augmented with other relevant information, such as the type of data ( Data Type in Figure 4), and the name of the data owner. This level of information simplifies the process of identifying relevant details for compliance reporting. Figure 4. Viewing access activity details in SecureSphere for SharePoint. SecureSphere for SharePoint automates compliance reporting by combining permissions and activity details with enterprise-class reporting capabilities such as scheduling, formatting and broad range of report delivery options. This blend of content and structure ensures compliance reports are generated with the right information, on-time, and tailored to each recipient s needs. 3. Respond to Suspicious Activity in Real Time Figure 2 highlighted that SharePoint s most popular use is as a portal a place to share information. If we look at whom exactly organizations are sharing their information with, as shown in Figure 5, we can see that a broad range of internal and external groups are given access. Organizations should be complementing this degree of trust, access, and openness in their SharePoint deployments with the ability to detect and alert on suspicious access activity. Do you use SharePoint for collaboration with any of the following? Employees on other sites in your country Employees in other countries Project partners Sales/Channel partners Customers Suppliers Regulators None of these Figure 5. Who organizations share information with when collaborating via SharePoint. Given the basic level of activity auditing available in SharePoint, it is not surprising that SharePoint does not provide the ability to automatically analyze access activity and respond with alerts or other follow-on actions. But, this is exactly what organizations should be doing to reduce the risk to their shared data. SecureSphere for SharePoint layers a policy framework on top of its audit record that allows organizations to build rules that identify suspicious behavior and complement native access controls. SecureSphere also comes pre-configured with policies available out-ofthe-box to simplify the process. This allows organizations to share information that increases business efficiency, yet maintain a level of monitoring and control that reduces threats. 4

5 For example, an organization sharing healthcare data with partners via a SharePoint portal might want to generate an alert if there was an excessive level of access activity. Figure 6 shows a portion of a policy that alerts when someone accesses healthcare files at a rate that exceeds 100 times in an hour. If the usual level of access for an employee or partner is 100 files over the course of an entire day, this policy could be used to detect what would clearly be suspicious access activity. Figure 6. Part of a SecureSphere for SharePoint policy for detecting excessive access activity. Additionally, SecureSphere for SharePoint provides policies that monitor access to the Microsoft SQL database at the heart of many SharePoint deployments, and block any unauthorized access. Not only does this prevent security threats, but it also helps organizations adhere to Microsoft s support conditions. Specifically, Microsoft places restrictions on what actions organizations can perform directly on the SQL database. For example, adding new stored procedures or directly adding, changing, or deleting any data in any table of any of the SQL databases used by SharePoint is not supported 3. SecureSphere for SharePoint policies can be employed to ensure your SharePoint environment is not left in an unsupported state. 4. Protect Web Applications Internet accessible Web applications are a common threat vector for hacker attacks such as SQL injection and cross site scripting, among others. SharePoint sites accessible to partners, customers, suppliers, etc., via the Internet have to be protected just like other Web applications. According to an in-depth 2011 study of data breaches 4, Web application attacks are one of the top ways hackers get data records. A leading market research firm 5 estimates that approximately 30% of organizations have externally facing SharePoint sites. This same study indicates that nearly 60% of organizations have augmented SharePoint with a third-party add-on for tasks such as workflow, web parts and administration. The popularity of SharePoint add-ons reinforces the need to defend against Web application attacks. Organizations using these add-ons simply don t have control over the security of these components. Organizations that develop their own SharePoint applications and extensions face similar challenges. SharePoint developers must allocate time and resources to ensure that applications are written according to secure coding best practices, applications have to be tested for weaknesses, and then any discovered vulnerabilities have to be fixed. SecureSphere for SharePoint leverages market leading SecureSphere Web Application Firewall (WAF) technology to provide a powerful defense against hackers, streamline and automate regulatory compliance, and mitigate data risks. In addition to WAF protections, SecureSphere for SharePoint is attuned to SharePoint s unique use of the HTTP protocol, and includes out-of-the-box policies to protect SharePoint from suspicious activity Verizon 2011 Data Breach Investigations Report 5 SharePoint Adoption: Content And Collaboration Is Just The Start, Forrester, October

6 5. Take Control When Migrating Data SharePoint migrations provide organizations with an opportunity to rein in two key areas of SharePoint that easily get out of control: permissions and data storage. These areas are typically challenging in both the source and destination migration environments. For example, organizations that use Microsoft Windows file servers as their unstructured data repository today face the same permissions challenges outlined in the first section of this paper. Active Directory users and groups and file server ACLs easily fall out of sync with business requirements, leaving data open to the risks of over accessibility. If you are migrating data to SharePoint from either Windows file servers or an earlier version of SharePoint, you should use the migration project as a time to remediate access controls that no longer reflect a business need-to-know level of access. If not, you will simply migrate the permissions chaos from the source environment to your new SharePoint deployment. The same rights visibility and review tools provided as part of SecureSphere for SharePoint are available for Windows file servers and NAS devices as part of SecureSphere File Activity Monitoring, a complementary solution. So, using SecureSphere File Activity Monitoring and SecureSphere for SharePoint, organizations can address these permissions challenges as they migrate their Windows data from file servers and NAS devices to SharePoint, and using SecureSphere for SharePoint, organizations can conduct rights reviews and clean up permissions as they migrate between SharePoint 2007 and In addition to permissions sprawl, Windows and SharePoint environments often end up containing a large volume of unused or stale data. While the costs of storage itself may not be significant, it is costly from an administrative perspective to constantly secure, archive, de-duplicate, etc., data that no one is using. One of the capabilities of SecureSphere is that it can identify data that no one has accessed for an extended period of time. It does this by auditing all access activity, so it can identify which data is not being accessed. The ability to filter out specific access activity such as scans done by anti-virus or backup software ensures that stale data is accurately identified. This enables organizations to then archive or delete this data, free up storage space, and reduce ongoing administrative overhead. Conclusion SharePoint includes basic security capabilities such as ACLs and activity logs to help secure data and monitor access activity. As organizations use SharePoint to store sensitive business data and extend access and collaboration to partners, customers and suppliers, security requirements outpace native SharePoint security capabilities. Following the five recommendations discussed in this document, organizations will be able to overcome operational challenges and close security gaps to secure their SharePoint deployments against both internal risks and external threats. About Imperva Imperva, pioneering the third pillar of enterprise security, fills the gaps in endpoint and network security by directly protecting high value applications and data assets in physical and virtual data centers. With an integrated security platform built specifically for modern threats, Imperva data center security provides the visibility and control needed to neutralize attack, theft, and fraud from inside and outside the organization, mitigate risk, and streamline compliance. Copyright 2014, Imperva All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. WP-SECURE-SHAREPOINT-DEPLOYMENT