SharePoint Governance & Security: Where to Start

Transcription

1 WHITE PAPER SharePoint Governance & Security: Where to Start 82% The percentage of organizations using SharePoint for sensitive content. AIIM 2012 By 2016, 20 percent of CIOs in regulated industries will lose their jobs for failing to implement the discipline of information governance successfully. Gartner 2012 Introduction to SharePoint Governance If your company is like most, it s probable there are several SharePoint instances already deployed, including some rogue servers outside the purview of IT. If this has you concerned, you re not alone. A recent AIIM survey noted that while 82% of organizations use SharePoint to access or store secure content, over half worry that SharePoint won t meet their security and compliance requirements. For larger organizations, SharePoint governance is even more troubling: 13% feel that the security of their SharePoint instance is a disaster waiting to happen. 1 Whether you need to develop a SharePoint security and governance strategy because of a migration project, audit failure, breach, or as part of a larger SharePoint governance program, it s important to use a phased security framework. This approach helps prioritize security investments and rapidly reduce risk. 1 SharePoint Security A Survey on Compliance with Recommendations for Improvement, AIIM, July 2012

2 A frightening 70% of organizations admit that they are still reliant on humans to manage security vulnerabilities. When this is combined with the ever growing rate at which content is being created and stored within SharePoint, it becomes immediately apparent that the content stored within organizations, and its associated security, is on the brink of being out of control. AIIM % The percentage of users citing lack of governance as a factor for delaying SharePoint deployment. Forrester Research, Inc % The percentage of companies that have not evaluated compliance issues related to SharePoint. 3 NetworkWorld 2011 Turning SharePoint into SecurePoint When addressing security concerns and implementing governance policies after SharePoint is already in production, a risk-based approach should be used to deliver the greatest impact quickly. A risk-based approach assumes that not every security initiative can be implemented at once; instead, investments are prioritized by evaluating risk, cost, and effort. Most organizations are not aware of and have not thoroughly analyzed all of the risks to their SharePoint environment. SharePoint is a multi-faceted collaboration platform that involves Web content and applications, social media and, above all, your unstructured business data. With a number of channels available to access sensitive information, the most common concerns for organizations are data security, Web attack protection, and regulatory compliance. To effectively address these risks, controls need to be in place to monitor access rights, appropriate usage, network traffic, and application vulnerabilities. The first hurdle for most companies is identifying the risks that are most relevant to their business needs and how SharePoint is being used. What is the best way to start assessing and addressing your risks? Fortunately, automated tools can assist with detection, prioritization, and implementation of SharePoint governance and security controls. The following sections examine the business impacts of governance and four key steps you can take to streamline your SharePoint security governance efforts with an automated solution. Business Drivers for Effective SharePoint Governance Enabling Adoption of Your SharePoint Project Establishing a SharePoint governance plan is a delicate balance of promoting end-user adoption and, at the same time, securing the organization s most sensitive business data. In order for the SharePoint project to be considered successful, it s important that files are managed to the extent that users can find what they need to be productive, trust is established, and the platform is used on a recurring basis. In a recent Forrester study, for example, 41% of respondents said that little or no governance was a key reason that SharePoint was not adopted within their organization. 2 Examples of successful governance that increase usability of the platform include: Availability of the correct version of files, managed by a designated owner, to the correct audiences Assessment and removal of files that have been unused for a specific period of time Comprehensive security workflow of unstructured files to remediate excessive or dormant permissions. Meeting Compliance Requirements Unstructured data within an organization often contains information that falls under the purview of regulations such as Sarbanes-Oxley, PCI, HIPAA, MAS, and others. Organizations subject to these guidelines must have the ability to audit all user activity pertaining to sensitive data within SharePoint, such as personally identifiable information (PII), protected health information (PHI), or financial data. In addition, to supplement an audit trail that indicates who, what, when, and where regulated data may have changed, it s essential to have robust filtering and reporting capabilities to manage large volumes of data in the event of a security violation. 2 SharePoint Adoption: Content And Collaboration Is Just The Start. Forrester Research, Inc., September NetworkWorld, May 2,

3 The rise of IT security to a board level concern is maybe the fastest I ve ever seen. Thomas Sanzone, Senior Vice President, Booz Allen Hamilton Inc You need to identify the data assets that generate value for the business, that are high-risk targets for cybercriminals, or that are subject to regulatory compliance, and then focus your efforts there. Forrester Research, Inc Mitigating Risk Complementary to files that must be regulated in order to meet compliance guidelines, organizations also have a vast amount of sensitive, unstructured data to manage. Most SharePoint systems contain proprietary data that could have significant consequences if it left the organization, such as business plans, patent information, and other intellectual property. Headlines have been highlighting considerably more cases in which valuable information has leaked because proper usage rights were not in place. One of the benefits of effective SharePoint governance is the ability to not only monitor but also block suspicious or unwanted file activity. According to a recent Gartner report, inappropriate access to enterprise data is one of the greatest security risks that organizations encounter today. 4 4 Steps to Streamline SharePoint Security Governance Efforts 1. Identify and Secure Business Critical Assets The first essential step is to tackle quick wins that will shrink the attack surface of your deployment. Start by addressing valuable data targets that the organization is already aware of such as the Board of Directors site, sensitive intellectual property assets, and regulated data. These areas are susceptible to common access rights risks such as storing sensitive content that s accessible by everyone, data that has direct permission grants (i.e., individual users have rights, rather than the particular groups those individuals belong to), access rights that have been granted but not used, dormant user accounts, and toxic stale files. It is important to review and remediate unused resources and excessive permissions. For SharePoint sites that are exposed externally, be sure to also include Web protection in your assessment. Automated tools can be used to maximize your security investment and simplify the early stages of SharePoint governance. For example, user rights management tools can scan content, users, and access rights, and then provide summary views, reports, and workflow for access rights remediation. Web security products can examine Web traffic and automatically protect Web servers and applications from vulnerabilities and attacks to externally facing SharePoint sites. Similarly, activity monitoring technology can monitor user activity across the system, and identify excessive usage or suspicious behavior. As Securosis CTO Adrian Lane points out, User activity monitoring is the only way to get ahead in the security game. It s how we identify attacks and system misuse while it s happening and, it s hoped, early enough to stop it. 6 Implementing these automated policies and controls will accelerate risk reduction and identify broken business processes. Start by leveraging the out-of-the-box policies in SharePoint security products to help address many well-understood security risks. Once the standard policies have been applied, invest in customizing a focused set of security policies for your highest risk areas, specific business needs, or industry-specific challenges. 4 Don t Make the Mistake of Assuming Your Unstructured Data Is Secure. Gartner, June The Wall Street Journal, CIO Journal, January 24, Fundamentals of User Activity Monitoring, InformationWeek Reports, April Protect And Manage Your Critical Information Assets, Forrester Research, Inc.,

4 The top four internal and external audit findings relate to access management, with excessive access rights being the top audit finding. Deloitte Establish a User Rights Management Framework Once the critical risks to the existing SharePoint environment have been addressed, establish a forward-looking framework that begins with permissions and information assurance. Framework components should address: Standards, schedule, and approval processes for access reviews Security goals, regulatory requirements, and data availability Operational management and individual responsibilities for lines of business and IT groups The same products that you use to automate risk reduction in the first phase can also streamline access processes and formalize the approval cycle. In addition to creating a central inventory of SharePoint content, these tools can provide detailed reports of effective permissions, usage, and permissions changes. In addition, automated processes can be used to identify data owners or their delegates, send permissions and usage reports on a scheduled basis for review, and track approval tasks. Although permissions reviews are an excellent starting point, additional checks are required for comprehensive governance. Users typically have been granted access to information through multiple paths, commonly through membership in different groups and inherited permissions. In many cases, reviewers are not informed of how access was granted, if access is available through multiple paths, or if adding or revoking permissions will cause downstream issues. Automated products can provide visibility into access paths and derived rights something that s unavailable through manual reviews. It s important to incorporate these checks into your security procedures to confirm adherence to security policies, align access with business need-toknow, and minimize business interruptions that can result from human error and rubber-stamp approvals or rejections. Finally, you should augment SharePoint s permissions framework with layered security controls. Expand the set of automated security policies and responses described in step one to account for unauthorized access scenarios and unapproved change operations. Common considerations include: A high volume of activity within a short period of time Operations outside of normal business hours or maintenance windows Activity from suspicious or external IPs Access of sensitive data from different departments or by administrators Creation of new sites or administrative accounts 3. Defend Applications From Web Attacks and Code Exploits Many organizations use SharePoint to host Web applications for employees, partners, and customers. Security governance policies should include provisions to test these SharePoint application and site customizations prior to initial release and before updates are deployed to production environments. According to Imperva s analysis of Common Vulnerability and Exposure (CVE) details, cross-site scripting is the most commonly reported SharePoint vulnerability. This means that whether or not your organization is exposing SharePoint applications externally, it is still important to test SharePoint applications since malicious or compromised insiders may be able to exploit application code at any point. 8 DTTL Global Financial Services Industry Security Study, Deloitte,

5 Web Application Firewalls genuinely raise the bar on application security...they virtually patch the application faster than code fixes can be implemented. Adrian Lane, CTO, Securosis 44% of organizations have experienced multiple breaches of information originating from inside the organization conducted by an employee. Deloitte Code reviews should be supplemented with independently run vulnerability scans. Typically, however, organizations do not have sufficient resources or time to implement the code changes required to adequately secure applications and are unable to patch underlying vulnerabilities in vendor products. Web application firewalls (WAFs) are a practical compensating control for these scenarios. WAFs can consume vulnerability scan results and provide virtual patching until code changes or vendor updates can be deployed. Additionally, if relevant to your business goals, WAFs can prevent activities related to site scraping of proprietary content, fraud, and denial of service attacks. 4. Trust, But Verify, User Behavior A SharePoint security governance plan would be incomplete without consideration of auditing and analytics. Although Microsoft provides native auditing within SharePoint, challenges around the scope of visibility, usability, integration, and log security often necessitate external tools to meet compliance mandates, forensics objectives, and security goals. Automated systems solve these issues by providing continuous monitoring with robust, centralized collection mechanisms, and typically enrich native audit information to provide greater context and usability for reporting and forensics. Third-party systems can also store data in an external, tamperproof repository and/or integrate with SIEM systems to reduce storage requirements and offload processing impacts. Incorporating these tools into governance processes will further reduce manual efforts and minimize human error. Having a complete audit trail will address compliance requirements but analytics are needed to derive greater insight from the raw data. If a security violation occurs or suspicious activity requires investigation, it is essential to have rich filtering and drill-down capabilities that allow analysts to interactively sift through large volumes of data. The same analytics platform should have the ability to generate reports that provide greater transparency for business stakeholders. An audit trail will also allow you to incorporate security metrics and key performance indicators into your governance plans, and provide performance data to evaluate the success of security initiatives. For example, ongoing reports of high risk departments may indicate a need for greater security awareness training. Summary SharePoint is a complex platform experiencing explosive growth in adoption, exposure, and storage of sensitive content. Consequently, SharePoint security and governance are under greater scrutiny at the executive level and require immediate mitigation actions. The phased, risk-based perspective outlined in this paper aligns investments and priorities to accomplish the greatest security return for existing SharePoint deployments. Security plans should include both preventative and analytical capabilities and incorporate automated tools to provide controls and information that cannot be addressed practically by native SharePoint functionality or corporate resources. 9 DTTL Global Financial Services Industry Security Study, Deloitte,

6 SecureSphere for SharePoint Products Automate and Protect Imperva s SecureSphere for SharePoint solutions help organizations automate the management, monitoring, and protection of sensitive data. The table below shows how the four recommended steps outlined in this paper map to Imperva SecureSphere functionality. 4 Steps to Streamline SharePoint Governance and Security Step 1: Identify and secure business critical assets Step 2: Establish a User Rights Management Framework Step 3: Defend applications from Web attacks and code exploits Step 4: Trust, but verify, user behavior Web Application Firewall File Activity Monitoring User Rights Management for SharePoint Database Firewall SecureSphere for SharePoint (SPT) SecureSphere for SharePoint helps organizations protect sensitive data stored within SharePoint. It addresses the unique SharePoint security requirements of the platform s file, Web, and database elements, ensuring that users with legitimate business needs can access data and others cannot. SecureSphere enables SharePoint security, SharePoint administration, and IT operations professionals to improve data security, meet compliance mandates, and streamline SharePoint permissions management. User Rights Management for SharePoint (URMS) User Rights Management for SharePoint aggregates and consolidates user access rights across SharePoint sites to provide visibility into effective permissions. SecureSphere helps conduct right reviews, eliminate excessive rights, and identify dormant users based on organizational context and actual data usage. Using URMS, organizations can help ensure access is based on business need-toknow, demonstrate compliance with regulations such as SOX, PCI 7, and PCI 8.5, and reduce the risk of a data breach. URMS is bundled with SPT. ADC Insights for SharePoint ADC Insights provide pre-packaged rules and reports to enforce core compliance requirements and SharePoint security best practices across the Web, file, and database components. 6

7 About Imperva Imperva, pioneering the third pillar of enterprise security, fills the gaps in endpoint and network security by directly protecting high-value applications and data assets in physical and virtual data centers. With an integrated security platform built specifically for modern threats, Imperva data center security provides the visibility and control needed to neutralize attack, theft, and fraud from inside and outside the organization, mitigate risk, and streamline compliance. Copyright 2014, Imperva All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. WP-SHAREPOINT-GOVERNANCE-SECURITY