SharePoint Governance & Security: Where to Start


82%: the percentage of organizations using SharePoint for sensitive content. (AIIM 2012)

"By 2016, 20 percent of CIOs in regulated industries will lose their jobs for failing to implement the discipline of information governance successfully." (Gartner 2012)

Introduction to SharePoint Governance

If your company is like most, it's probable there are several SharePoint instances already deployed, including some rogue servers outside the purview of IT. If this has you concerned, you're not alone. A recent AIIM survey noted that while 82% of organizations use SharePoint to access or store secure content, over half worry that SharePoint won't meet their security and compliance requirements. For larger organizations, SharePoint governance is even more troubling: 13% feel that the security of their SharePoint instance is a disaster waiting to happen.[1]

Whether you need to develop a SharePoint security and governance strategy because of a migration project, audit failure, breach, or as part of a larger SharePoint governance program, it's important to use a phased security framework. This approach helps prioritize security investments and rapidly reduce risk.

[1] SharePoint Security: A Survey on Compliance with Recommendations for Improvement, AIIM, July 2012

"A frightening 70% of organizations admit that they are still reliant on humans to manage security vulnerabilities. When this is combined with the ever-growing rate at which content is being created and stored within SharePoint, it becomes immediately apparent that the content stored within organizations, and its associated security, is on the brink of being out of control." (AIIM 2012)

41%: the percentage of users citing lack of governance as a factor for delaying SharePoint deployment. (Forrester Research, Inc. 2011)

72%: the percentage of companies that have not evaluated compliance issues related to SharePoint.[3] (NetworkWorld 2011)

Turning SharePoint into SecurePoint

When addressing security concerns and implementing governance policies after SharePoint is already in production, a risk-based approach should be used to deliver the greatest impact quickly. A risk-based approach assumes that not every security initiative can be implemented at once; instead, investments are prioritized by evaluating risk, cost, and effort.

Most organizations are not aware of and have not thoroughly analyzed all of the risks to their SharePoint environment. SharePoint is a multi-faceted collaboration platform that involves Web content and applications, social media and, above all, your unstructured business data. With a number of channels available to access sensitive information, the most common concerns for organizations are data security, Web attack protection, and regulatory compliance. To effectively address these risks, controls need to be in place to monitor access rights, appropriate usage, network traffic, and application vulnerabilities. The first hurdle for most companies is identifying the risks that are most relevant to their business needs and how SharePoint is being used. What is the best way to start assessing and addressing your risks? Fortunately, automated tools can assist with detection, prioritization, and implementation of SharePoint governance and security controls.

The following sections examine the business impacts of governance and four key steps you can take to streamline your SharePoint security governance efforts with an automated solution.

Business Drivers for Effective SharePoint Governance

Enabling Adoption of Your SharePoint Project

Establishing a SharePoint governance plan is a delicate balance of promoting end-user adoption and, at the same time, securing the organization's most sensitive business data. In order for the SharePoint project to be considered successful, it's important that files are managed to the extent that users can find what they need to be productive, trust is established, and the platform is used on a recurring basis. In a recent Forrester study, for example, 41% of respondents said that little or no governance was a key reason that SharePoint was not adopted within their organization.[2] Examples of successful governance that increase usability of the platform include:

- Availability of the correct version of files, managed by a designated owner, to the correct audiences
- Assessment and removal of files that have been unused for a specific period of time
- Comprehensive security workflow for unstructured files to remediate excessive or dormant permissions

Meeting Compliance Requirements

Unstructured data within an organization often contains information that falls under the purview of regulations such as Sarbanes-Oxley, PCI, HIPAA, MAS, and others. Organizations subject to these guidelines must have the ability to audit all user activity pertaining to sensitive data within SharePoint, such as personally identifiable information (PII), protected health information (PHI), or financial data. In addition, to supplement an audit trail that indicates who, what, when, and where regulated data may have changed, it's essential to have robust filtering and reporting capabilities to manage large volumes of data in the event of a security violation.

[2] SharePoint Adoption: Content And Collaboration Is Just The Start, Forrester Research, Inc., September 2011
[3] NetworkWorld, May 2, 2011

"The rise of IT security to a board level concern is maybe the fastest I've ever seen." Thomas Sanzone, Senior Vice President, Booz Allen Hamilton Inc., 2012 [5]

"You need to identify the data assets that generate value for the business, that are high-risk targets for cybercriminals, or that are subject to regulatory compliance, and then focus your efforts there." (Forrester Research, Inc. 2012) [7]

Mitigating Risk

Complementary to files that must be regulated in order to meet compliance guidelines, organizations also have a vast amount of sensitive, unstructured data to manage. Most SharePoint systems contain proprietary data that could have significant consequences if it left the organization, such as business plans, patent information, and other intellectual property. Headlines have been highlighting considerably more cases in which valuable information has leaked because proper usage rights were not in place. One of the benefits of effective SharePoint governance is the ability to not only monitor but also block suspicious or unwanted file activity. According to a recent Gartner report, inappropriate access to enterprise data is one of the greatest security risks that organizations encounter today.[4]

4 Steps to Streamline SharePoint Security Governance Efforts

1. Identify and Secure Business Critical Assets

The first essential step is to tackle quick wins that will shrink the attack surface of your deployment. Start by addressing valuable data targets that the organization is already aware of, such as the Board of Directors site, sensitive intellectual property assets, and regulated data. These areas are susceptible to common access rights risks such as storing sensitive content that's accessible by everyone, data that has direct permission grants (i.e., individual users have rights, rather than the particular groups those individuals belong to), access rights that have been granted but not used, dormant user accounts, and toxic stale files. It is important to review and remediate unused resources and excessive permissions. For SharePoint sites that are exposed externally, be sure to also include Web protection in your assessment.

Automated tools can be used to maximize your security investment and simplify the early stages of SharePoint governance. For example, user rights management tools can scan content, users, and access rights, and then provide summary views, reports, and workflow for access rights remediation. Web security products can examine Web traffic and automatically protect Web servers and applications from vulnerabilities and attacks to externally facing SharePoint sites. Similarly, activity monitoring technology can monitor user activity across the system, and identify excessive usage or suspicious behavior. As Securosis CTO Adrian Lane points out, "User activity monitoring is the only way to get ahead in the security game. It's how we identify attacks and system misuse while it's happening and, it's hoped, early enough to stop it."[6]

Implementing these automated policies and controls will accelerate risk reduction and identify broken business processes. Start by leveraging the out-of-the-box policies in SharePoint security products to help address many well-understood security risks. Once the standard policies have been applied, invest in customizing a focused set of security policies for your highest risk areas, specific business needs, or industry-specific challenges.

[4] Don't Make the Mistake of Assuming Your Unstructured Data Is Secure, Gartner, June 2012
[5] The Wall Street Journal, CIO Journal, January 24, 2012
[6] Fundamentals of User Activity Monitoring, InformationWeek Reports, April 2012
[7] Protect And Manage Your Critical Information Assets, Forrester Research, Inc., 2012

"The top four internal and external audit findings relate to access management, with excessive access rights being the top audit finding." (Deloitte 2012) [8]

2. Establish a User Rights Management Framework

Once the critical risks to the existing SharePoint environment have been addressed, establish a forward-looking framework that begins with permissions and information assurance. Framework components should address:

- Standards, schedule, and approval processes for access reviews
- Security goals, regulatory requirements, and data availability
- Operational management and individual responsibilities for lines of business and IT groups

The same products that you use to automate risk reduction in the first phase can also streamline access processes and formalize the approval cycle. In addition to creating a central inventory of SharePoint content, these tools can provide detailed reports of effective permissions, usage, and permissions changes. In addition, automated processes can be used to identify data owners or their delegates, send permissions and usage reports on a scheduled basis for review, and track approval tasks.

Although permissions reviews are an excellent starting point, additional checks are required for comprehensive governance. Users typically have been granted access to information through multiple paths, commonly through membership in different groups and inherited permissions. In many cases, reviewers are not informed of how access was granted, whether access is available through multiple paths, or whether adding or revoking permissions will cause downstream issues. Automated products can provide visibility into access paths and derived rights, something that's unavailable through manual reviews. It's important to incorporate these checks into your security procedures to confirm adherence to security policies, align access with business need-to-know, and minimize business interruptions that can result from human error and rubber-stamp approvals or rejections.
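The access-path visibility described above, as an added example that is not from the paper or from any Imperva product: it resolves effective permissions through group membership, nested groups and inherited site permissions, keeps the path each grant took so a reviewer can see how access was obtained, and flags two of the step-one risks (direct user grants and sensitive content accessible by Everyone). All sites, groups, users and permission levels are constructed sample data.

```python
"""Access-path resolution over a constructed SharePoint permission model.

Added example, not from the white paper or from any Imperva product. It resolves
effective permissions via groups, nested groups and site inheritance, records the
path of each grant, and flags direct user grants and Everyone access to sensitive sites.
"""
from collections import defaultdict

# Site hierarchy (constructed). A site that inherits uses its parent's grants.
SITES = {
    "/sites/board":         {"parent": None,           "inherits": False, "sensitive": True},
    "/sites/board/minutes": {"parent": "/sites/board", "inherits": True,  "sensitive": True},
    "/sites/hr":            {"parent": None,           "inherits": False, "sensitive": True},
    "/sites/hr/social":     {"parent": "/sites/hr",    "inherits": False, "sensitive": False},
}

# Explicit grants: principal -> permission level, only on sites that do not inherit
GRANTS = {
    "/sites/board":     {"Board Members": "Full Control", "alice": "Read"},
    "/sites/hr":        {"HR Staff": "Contribute", "Everyone": "Read"},
    "/sites/hr/social": {"Everyone": "Contribute"},
}

# Group membership: a member may itself be a group (nested groups)
GROUPS = {
    "Board Members": {"Executives", "bob"},
    "Executives":    {"carol"},
    "HR Staff":      {"dave"},
}

USERS = {"alice", "bob", "carol", "dave", "erin"}


def grant_source(site):
    """Walk up the hierarchy to the site whose explicit grants apply."""
    while SITES[site]["inherits"]:
        site = SITES[site]["parent"]
    return site


def expand_principal(principal, path=()):
    """Yield (user, path) for every user reachable from a principal.

    The path lists the principals traversed and ends with the user, so a reviewer
    sees whether access came directly, through Everyone, or through (nested) groups.
    """
    path = path + (principal,)
    if principal == "Everyone":
        for user in sorted(USERS):
            yield user, path + (user,)
    elif principal in GROUPS:
        for member in GROUPS[principal]:
            yield from expand_principal(member, path)
    else:
        yield principal, path


def effective_permissions():
    """Return {site: {user: [(level, path), ...]}}, including inherited grants."""
    result = defaultdict(lambda: defaultdict(list))
    for site in SITES:
        source = grant_source(site)
        prefix = () if source == site else (f"inherited from {source}",)
        for principal, level in GRANTS.get(source, {}).items():
            for user, path in expand_principal(principal):
                result[site][user].append((level, prefix + path))
    return result


def review_findings(perms):
    """Flag direct user grants and Everyone access to sensitive sites."""
    findings = set()
    for site, users in perms.items():
        for user, entries in users.items():
            for _level, path in entries:
                first = next(p for p in path if not p.startswith("inherited from "))
                if first == "Everyone" and SITES[site]["sensitive"]:
                    findings.add((site, user, "sensitive content accessible by Everyone"))
                elif first == user:
                    findings.add((site, user, "direct permission grant"))
    return sorted(findings)


if __name__ == "__main__":
    perms = effective_permissions()
    for site, user, issue in review_findings(perms):
        print(site, user, issue, "via", [" -> ".join(p) for _, p in perms[site][user]])
```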
Finally, you should augment SharePoint's permissions framework with layered security controls. Expand the set of automated security policies and responses described in step one to account for unauthorized access scenarios and unapproved change operations. Common considerations include:

- A high volume of activity within a short period of time
- Operations outside of normal business hours or maintenance windows
- Activity from suspicious or external IPs
- Access of sensitive data from different departments or by administrators
- Creation of new sites or administrative accounts

3. Defend Applications From Web Attacks and Code Exploits

Many organizations use SharePoint to host Web applications for employees, partners, and customers. Security governance policies should include provisions to test these SharePoint application and site customizations prior to initial release and before updates are deployed to production environments. According to Imperva's analysis of Common Vulnerabilities and Exposures (CVE) details, cross-site scripting is the most commonly reported SharePoint vulnerability. This means that whether or not your organization is exposing SharePoint applications externally, it is still important to test SharePoint applications, since malicious or compromised insiders may be able to exploit application code at any point.

[8] DTTL Global Financial Services Industry Security Study, Deloitte, 2012
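The five "common considerations" listed under step two, turned into detection policies and run over constructed SharePoint-style audit events, as an added example that is not from the paper or from any Imperva product. The event fields, thresholds, business hours, corporate IP range, operation names and departments are all assumptions chosen for the sample.

```python
"""Layered activity-monitoring policies (added example, not from the paper or Imperva).

The five step-two considerations become detection policies run over constructed
events; fields, thresholds, hours, IP ranges, operation names and departments are assumptions.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

BUSINESS_HOURS = range(8, 18)                # 08:00-17:59 local time (assumption)
CORPORATE_NETS = [ip_network("10.0.0.0/8")]  # constructed internal address space
VOLUME_THRESHOLD = 5                         # operations per user within VOLUME_WINDOW
VOLUME_WINDOW = timedelta(minutes=10)
PRIVILEGED_OPS = {"SiteCreated", "SiteCollectionAdminAdded"}  # constructed op names


def ev(ts, user, dept, ip, op, site, site_dept, sensitive=False, admin=False):
    """Build one constructed audit event (field names are assumptions)."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "dept": dept, "ip": ip, "op": op,
            "site": site, "site_dept": site_dept, "sensitive": sensitive, "admin": admin}


# Constructed sample audit trail; 198.51.100.7 stands in for an address outside 10.0.0.0/8.
EVENTS = [
    ev("2014-03-10T09:15:00", "alice", "Finance", "10.1.2.3", "FileDownloaded", "/sites/finance", "Finance", sensitive=True),
    ev("2014-03-10T23:40:00", "bob", "Sales", "10.1.5.9", "FileDownloaded", "/sites/sales", "Sales"),
    ev("2014-03-10T10:02:00", "carol", "Marketing", "198.51.100.7", "FileViewed", "/sites/marketing", "Marketing"),
    ev("2014-03-10T11:00:00", "dave", "Engineering", "10.1.7.2", "FileDownloaded", "/sites/hr", "HR", sensitive=True),
    ev("2014-03-10T11:30:00", "sp_admin", "IT", "10.1.0.5", "FileDownloaded", "/sites/board", "Executive", sensitive=True, admin=True),
    ev("2014-03-10T14:00:00", "sp_admin", "IT", "10.1.0.5", "SiteCreated", "/sites/newproject", "IT", admin=True),
] + [  # six downloads by one user within ten minutes
    ev(f"2014-03-10T15:{m:02d}:00", "erin", "Legal", "10.1.9.4", "FileDownloaded", "/sites/legal", "Legal", sensitive=True)
    for m in range(0, 12, 2)
]


def per_event_rules(e):
    """Return the names of the single-event policies that e matches."""
    hits = []
    if e["ts"].hour not in BUSINESS_HOURS:
        hits.append("outside_business_hours")
    if not any(ip_address(e["ip"]) in net for net in CORPORATE_NETS):
        hits.append("external_ip")
    if e["sensitive"] and e["dept"] != e["site_dept"]:
        hits.append("cross_department_sensitive")
    if e["sensitive"] and e["admin"]:
        hits.append("admin_sensitive_access")
    if e["op"] in PRIVILEGED_OPS:
        hits.append("privileged_creation")
    return hits


def high_volume(events):
    """Users with at least VOLUME_THRESHOLD operations inside any VOLUME_WINDOW."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e["ts"])
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > VOLUME_WINDOW:
                start += 1
            if end - start + 1 >= VOLUME_THRESHOLD:
                flagged.add(user)
                break
    return flagged


def evaluate(events):
    """Run every policy and return sorted, de-duplicated (user, policy) findings."""
    findings = {(e["user"], rule) for e in events for rule in per_event_rules(e)}
    findings |= {(user, "high_volume") for user in high_volume(events)}
    return sorted(findings)


if __name__ == "__main__":
    for user, policy in evaluate(EVENTS):
        print(f"{user:9} {policy}")
```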

"Web Application Firewalls genuinely raise the bar on application security... they virtually patch the application faster than code fixes can be implemented." Adrian Lane, CTO, Securosis

44% of organizations have experienced multiple breaches of information originating from inside the organization conducted by an employee. (Deloitte 2012) [9]

Code reviews should be supplemented with independently run vulnerability scans. Typically, however, organizations do not have sufficient resources or time to implement the code changes required to adequately secure applications and are unable to patch underlying vulnerabilities in vendor products. Web application firewalls (WAFs) are a practical compensating control for these scenarios. WAFs can consume vulnerability scan results and provide virtual patching until code changes or vendor updates can be deployed. Additionally, if relevant to your business goals, WAFs can prevent activities related to site scraping of proprietary content, fraud, and denial of service attacks.

4. Trust, But Verify, User Behavior

A SharePoint security governance plan would be incomplete without consideration of auditing and analytics. Although Microsoft provides native auditing within SharePoint, challenges around the scope of visibility, usability, integration, and log security often necessitate external tools to meet compliance mandates, forensics objectives, and security goals. Automated systems solve these issues by providing continuous monitoring with robust, centralized collection mechanisms, and typically enrich native audit information to provide greater context and usability for reporting and forensics. Third-party systems can also store data in an external, tamperproof repository and/or integrate with SIEM systems to reduce storage requirements and offload processing impacts. Incorporating these tools into governance processes will further reduce manual efforts and minimize human error.

Having a complete audit trail will address compliance requirements, but analytics are needed to derive greater insight from the raw data. If a security violation occurs or suspicious activity requires investigation, it is essential to have rich filtering and drill-down capabilities that allow analysts to interactively sift through large volumes of data. The same analytics platform should have the ability to generate reports that provide greater transparency for business stakeholders. An audit trail will also allow you to incorporate security metrics and key performance indicators into your governance plans, and provide performance data to evaluate the success of security initiatives. For example, ongoing reports of high risk departments may indicate a need for greater security awareness training.

Summary

SharePoint is a complex platform experiencing explosive growth in adoption, exposure, and storage of sensitive content. Consequently, SharePoint security and governance are under greater scrutiny at the executive level and require immediate mitigation actions. The phased, risk-based perspective outlined in this paper aligns investments and priorities to accomplish the greatest security return for existing SharePoint deployments. Security plans should include both preventative and analytical capabilities and incorporate automated tools to provide controls and information that cannot be addressed practically by native SharePoint functionality or corporate resources.

[9] DTTL Global Financial Services Industry Security Study, Deloitte, 2012

SecureSphere for SharePoint Products: Automate and Protect

Imperva's SecureSphere for SharePoint solutions help organizations automate the management, monitoring, and protection of sensitive data. The four recommended steps outlined in this paper are addressed by the SecureSphere functionality listed below.

4 Steps to Streamline SharePoint Governance and Security:
- Step 1: Identify and secure business critical assets
- Step 2: Establish a User Rights Management Framework
- Step 3: Defend applications from Web attacks and code exploits
- Step 4: Trust, but verify, user behavior

SecureSphere functionality:
- Web Application Firewall
- File Activity Monitoring
- User Rights Management for SharePoint
- Database Firewall

SecureSphere for SharePoint (SPT)

SecureSphere for SharePoint helps organizations protect sensitive data stored within SharePoint. It addresses the unique SharePoint security requirements of the platform's file, Web, and database elements, ensuring that users with legitimate business needs can access data and others cannot. SecureSphere enables SharePoint security, SharePoint administration, and IT operations professionals to improve data security, meet compliance mandates, and streamline SharePoint permissions management.

User Rights Management for SharePoint (URMS)

User Rights Management for SharePoint aggregates and consolidates user access rights across SharePoint sites to provide visibility into effective permissions. SecureSphere helps conduct rights reviews, eliminate excessive rights, and identify dormant users based on organizational context and actual data usage. Using URMS, organizations can help ensure access is based on business need-to-know, demonstrate compliance with regulations such as SOX, PCI 7, and PCI 8.5, and reduce the risk of a data breach. URMS is bundled with SPT.

ADC Insights for SharePoint

ADC Insights provides pre-packaged rules and reports to enforce core compliance requirements and SharePoint security best practices across the Web, file, and database components.

About Imperva

Imperva, pioneering the third pillar of enterprise security, fills the gaps in endpoint and network security by directly protecting high-value applications and data assets in physical and virtual data centers. With an integrated security platform built specifically for modern threats, Imperva data center security provides the visibility and control needed to neutralize attack, theft, and fraud from inside and outside the organization, mitigate risk, and streamline compliance.

www.imperva.com

Copyright 2014, Imperva. All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. WP-SHAREPOINT-GOVERNANCE-SECURITY-0314.1