CISO's Guide to Securing SharePoint


SharePoint’s rapid adoption is undeniable, but it raises one important question: what security capabilities did Microsoft implement to ensure that SharePoint, and the data it houses, remains secure? SharePoint’s functionality was built for business users to share information. However, business users don’t typically recognize critical security considerations. This leaves security teams with the task of layering security onto SharePoint well after deployment, or worse, after a data breach. These presentation slides highlight SharePoint use cases and potential security issues, offer best practices for SharePoint security planning and management, and provide key mitigation steps that enterprises can implement to minimize the odds of a data breach.

CISO's Guide to Securing SharePoint

  1. CISO's Guide to Securing SharePoint
     Rob Rachwald, Director of Security Strategy, Imperva
  2. Agenda
     • SharePoint in the Enterprise
     • The Security Implications
     • Mitigation Checklist
  3. Today's Presenter: Rob Rachwald, Dir. of Security Strategy, Imperva
     Research
     + Directs security strategy
     + Works with the Imperva Application Defense Center
     Security experience
     + Fortify Software and Coverity
     + Helped secure Intel's supply chain software
     + Extensive international experience in Japan, China, France, and Australia
     Thought leadership
     + Presented at RSA, InfoSec, OWASP, ISACA
     + Appearances on CNN, SkyNews, BBC, NY Times, and USA Today
     Graduated from University of California, Berkeley
  4. SharePoint in a Nutshell
     • Store
     • Share
     • Find
     • Leverage
     Source:
  5. Major SharePoint Deployment Types
     Internal portal (company intranet)
     • Uses include SharePoint as a file repository
     • Only accessible by internal users
     External portal (client access)
     • Uses include SharePoint as a file repository
     • Accessible from the Internet
     • For customers, partners or the public
     Internet website (public website)
     • SharePoint as the Web site infrastructure
     • Not used as a file repository
  6. Why is File Security Important?
     Businesses have a large amount of file data: 80% unstructured (file data), 20% structured (DB, apps).
     Some files hold sensitive business data: financial information, business plans, medical images, etc.
     File data grows 60% annually. [Chart: file data volume over time]
  7. Unsecured Files are a Serious Security Problem: Reducing Insider Threats
     Files are susceptible to insider threat by their very nature
     + Intentionally accessible for collaboration, communication, etc.
     Required protections include:
     + Monitor sensitive data usage by all users
     + Enforce separation of duties and eliminate excessive rights
     + Discover sensitive data
  8. SharePoint Admins Gone Wild
     Most popular documents eyeballed were those containing the details of their fellow employees, 34 per cent, followed by salary – 23 per cent – and 30 per cent said "other."
  9. Have You Shared Privileged Info via SharePoint?
     [Pie chart] Yes 48%, No 43%, No answer 9%
     Source: NetworkWorld, May 2, 2011
  10. Type of Content Shared
     [Pie chart of content types shared: Other, HR, Proprietary, Customer Data, Financial; values shown 21%, 33%, 30%, 22%]
     Source: NetworkWorld, May 2, 2011
  11. Impact of SharePoint Insecurity
     “[Investigators] discovered Wget scripts on Manning’s computer that pointed to a Microsoft SharePoint server holding the Gitmo documents. He ran the scripts to download the documents, then downloaded the ones that WikiLeaks had published and found they were the same.” —Wired, Dec 2011
     Source:
  13. Employee Attitudes Towards Data
     Insiders
     • 70% of employees plan to take something with them when they leave the job
       + Intellectual property: 27%
       + Customer data: 17%
     • Over 50% feel they own it
     Source: November 2010 London Street Survey of 1026 people, Imperva
  14. Human Nature at Work?
     • 70% of Chinese admit to accessing information they shouldn't
     • 62% took data when they left
     • 56% admit internal hacking
     • 36% feel they own it
     Source: February 2011 Shanghai and Beijing Street Survey of 1012 people, Imperva
  15. But SharePoint Takes the Problem Beyond Files
     Web
     + E-commerce: Businesses leverage SharePoint to create Web sites that provide consumer content and, more importantly, the ability to buy products. Credit cards are a common form of payment.
     Database
     + Healthcare: Hospitals use SharePoint to house patient data.
       – In the past, this information has been very attractive since it helps hackers steal identities.
       – Patient records often contain a very rich list of data including Social Security numbers, address details, and even credit cards for co-pays.
     + Education: Schools and universities store student information in SharePoint.
  16. Microsoft SharePoint: Taming Unstructured Data
     $1.3B licensing in 2009
     5X the number of SP 2010 deployments in the last 6 months
     + 50% deployed enterprise-wide
     + 75% used for portal/web content
     SharePoint provides…
     • Content repository
     • Web browser-based access
     • Easy portal construction
     • Easy application construction
     • Search
     • Business intelligence services
     • Social media capabilities
     Data value within SharePoint
     + 46% > $10M
     + 30% > $50M
     + 9% > $500M
     + Toxic data accumulation
     67% of SharePoint breaches are by insiders. 96% of breaches were avoidable through simple or intermediate controls. Security and rights management is the #2 add-on, with 63% using or planning to use it.
  17. What Version of SharePoint is Deployed?
     Source: SharePoint: Strategies and Experiences, September 2011
  18. SharePoint Security Capabilities: 2007 vs 2010
     Capabilities compared: encryption ("You can unplug all the servers."), some policy management, authentication, permissions, metadata tagging, versioning, workflow, information rights management.
  19. SharePoint 2010 is Still Missing Functionality
     + Proper auditing
     + Web-based protection
     + Security-centric reporting
     + Security-centric policies
     Bottom line
     + SharePoint is built for collaboration first, security second, third or tenth.
     + Features may provide security, but aren't inherent security tools.
     + Did you know?
       – SSL is NOT turned on by default for downloading.
       – Remote binary large object (BLOB) storage does not coordinate underlying storage permissions with its own access control lists.
  20. What are the Key SharePoint Security Challenges?
  21. Challenge #1: Built for Collaboration
     • They didn't call it "HogPoint."
     • SharePoint:
       + Was first designed to share content with partners and other external parties using MS SQL.
       + Then, you built a website on top of it.
     • Security was an afterthought
       + Trend #5: "Security and authentication will become more important."*
       + Poor security features
         – Poor user management capabilities
         – Poor authentication
     Source:
  22. Do You Use SharePoint for Collaboration with Any of the Following?
     Source: SharePoint: Strategies and Experiences, September 2011
  23. Key Issues with SharePoint
     Source: SharePoint: Strategies and Experiences, September 2011
  24. Native SharePoint Security Capabilities
     “In general, SharePoint involves a complex set of interactions that makes it difficult for security teams to know if all their concerns are covered.” —Burton Group, 2010
  25. Challenge #2: Sidesteps IT
     “Much of SharePoint's appeal is that it enables users to bypass the explicit and organizational and process barriers of the organization.” —Gartner, 2009
  26. Third-Party Additions
     Source: SharePoint: Strategies and Experiences, September 2011
  27. Challenge #3: It Has Holes
     Example: April 2010, Microsoft reveals a SharePoint issue. The vulnerability could allow escalation of privilege (EoP) within the SharePoint site. If an attacker successfully exploits the vulnerability, the person could run commands against the SharePoint server with the privileges of the compromised user.
     Source:
  28. Challenge #3: It Has Holes
     Ooops, I did it again.
  29. Key SharePoint Security Issues
  30. Security Issue #1: Understanding Entitlements
     Problem:
     + It's difficult to effectively track and manage all of the permissions.
     + Access rights are in a constant state of flux as the organization grows.
     Details:
     + SharePoint's access control lists (ACLs) are similar to Windows: administrators define users and groups, and provide permissions.
     + Business unit employees who don't understand the technology often have responsibility for entitlement. It is tough to get employees to put in place confidentiality workflows, tagging, and classification of sensitive data.
     + A common issue once SharePoint instances have proliferated within an organization is seeing and understanding who has what permissions to what kind of data.
     Example:
     + If a hospital uses SharePoint for patient data and the system is managed by hospital staff, then who keeps track of which doctors, nurses, or administrators can see patient data? Further, who maintains and updates these permissions over time? How are they able to do what they do? How do you identify excessive or dormant rights?
  31. Security Issue #2: Meeting Compliance Mandates and Governance
     Problem:
     + SharePoint does not provide a way to demonstrate to auditors that a specific site setup is correct, nor does it provide an audit trail for potential breaches.
     Details:
     + In the same way database activity monitoring (DAM) helps provide an audit trail and forensic evidence of possible wrongdoing, SharePoint features no such inherent capability.
     + If a breach occurs—either from an insider or a hacker—how can organizations learn how it happened?
     Example:
     + In August 2011, Bloomberg reported on 300,000 healthcare records that appeared in an Excel file. No one knows where the file came from, indicating a lack of auditing.
  32. Governance Policies in Place
     Source: SharePoint: Strategies and Experiences, September 2011
  33. Regulations and SharePoint
     [Bar chart, 0–40%: PCI, HIPAA, SOX]
     Source: NetworkWorld, May 2, 2011
  34. Regulations and SharePoint
     [Bar chart, 0–40%: PCI, HIPAA, SOX] But 72 percent of companies have NOT evaluated compliance issues related to SharePoint data.
     Source: NetworkWorld, May 2, 2011
  35. Security Issue #3: Web Site Vulnerabilities
     Problem:
     + All of the same issues you have with a Web application, you have with SharePoint.
     Details:
     + The typical problems should be familiar: SQL injection, brute-forced password attacks, cross-site scripting (XSS) and so forth.
     + As a platform for building applications, many of the typical flaws that developers put into code will apply to SharePoint.
     + Many apps are developed by contractors, so fixing vulnerabilities can be especially cumbersome and time consuming.
     Example:
     + According to CVE Details, XSS is the most commonly reported vulnerability in SharePoint.
  36. Security Issue #4: Securing the Back-End Database
     Problem:
     + Because of SharePoint's reliance on SQL Server, storage protection is essentially database protection.
     Details:
     + Access control should govern access. However, in SharePoint, database access based on corporate policies and stored procedures usually doesn't apply—creating viable threat vectors.
     + Awareness of database threats is high, but few know that SharePoint functions differently.
     + Current versions support columnar database encryption. For many, the word encryption means omnipotent protection; others know better.
     + Privileged users: Will admins have a key? Audit policies are needed to monitor malicious/compromised insiders.
     Example:
     + "Database modifications may result in an unsupported database state," Microsoft support.
     + "Fully audit all SQL Server administrative activities," Gartner 2009.
     + "SharePoint is notoriously difficult to patch," Infoworld. In June of 2010, many SharePoint admins reported that installing SharePoint patches caused their Windows SharePoint Server 3.0 machines to lock up.
  37. Security Issue #5: Exposure to Search Engines
     Problem:
     + Misconfigured entry points are quickly indexed by search engines.
     Example:
     + Soldiers' personal information was exposed through the external SharePoint Web site of Missouri's National Guard.
  38. Google Diggity Project
  39. A Checklist to Securing SharePoint
     Get ahead of all SharePoint deployments
     • Implement a SharePoint governance policy.
     • Put in place security requirements when SharePoint instances go live.
     • Don't trust native security features.
     • Specify what kind of information can be put in SharePoint.
     Identify sensitive data and protect it
     • Use search capabilities to identify sensitive data.
     • Sensitive data in databases: use database activity monitoring to identify and protect confidential data.
     • Sensitive data transacted by SharePoint Web applications.
     • Secure sensitive data held in files: use file activity monitoring to apply user rights management and auditing capabilities.
  40. A Checklist to Securing SharePoint
     Deploy user rights management to identify data ownership
     • Ensure legitimate access to data.
     • Accelerate permissions reviews and management.
     • Identify and delete dormant users. Check for dormant users on a regular basis.
     • Focus on regulated data and streamline access.
     • Adjust department-level access.
     • Create permission reports for data owners.
     • Implement ownership policies – especially for alerts around unauthorized access.
     Protect Web sites
     • Identify sensitive data transacted by SharePoint Web applications and use Web application firewalls to monitor and protect intranets, portals, and Web sites.
     • Log all failed login attempts.
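Slide 30 asks how to identify excessive or dormant rights, and slide 40 turns that into a checklist (dormant users, permission reports for data owners). The script below is an added example, not part of the deck or of any Imperva product, that runs those checks over a constructed permission export; the site names, principals, last-access dates, the list of sensitive sites and owners, and the 90-day idle threshold are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed SharePoint permission export (sample data, not from a real farm):
# (site, principal, permission level, date of last access or None if never used).
PERMISSIONS = [
    ("/sites/PatientRecords", "dr.alice", "Contribute", date(2011, 11, 20)),
    ("/sites/PatientRecords", "nurse.bob", "Read", date(2011, 8, 1)),
    ("/sites/PatientRecords", "contractor.eve", "Full Control", None),
    ("/sites/PatientRecords", "All Authenticated Users", "Read", date(2011, 12, 1)),
    ("/sites/Marketing", "carol", "Full Control", date(2011, 11, 30)),
    ("/sites/Marketing", "dave", "Read", date(2011, 2, 14)),
]
# Assumed: sites flagged by a sensitive-data discovery pass, the principals and
# permission levels that warrant review on such sites, and the review date.
SENSITIVE_SITES = {"/sites/PatientRecords"}
BROAD_PRINCIPALS = {"Everyone", "All Authenticated Users"}
HIGH_PRIVILEGE = {"Full Control", "Design"}
REVIEW_DATE = date(2011, 12, 15)

def dormant_rights(perms, as_of, max_idle_days=90):
    """Grants whose holder has not used them within max_idle_days (or ever)."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return [(site, who, level) for site, who, level, last in perms
            if last is None or last < cutoff]

def excessive_rights(perms, sensitive_sites, owners):
    """Broad or high-privilege grants on sensitive sites not held by a data owner."""
    findings = []
    for site, who, level, _ in perms:
        if site not in sensitive_sites:
            continue
        if who in BROAD_PRINCIPALS:
            findings.append((site, who, level, "broad principal on sensitive site"))
        elif level in HIGH_PRIVILEGE and who not in owners.get(site, set()):
            findings.append((site, who, level, "high privilege held by non-owner"))
    return findings

def permission_report(perms):
    """Per-site view for data owners to review: principal -> permission level."""
    report = defaultdict(dict)
    for site, who, level, _ in perms:
        report[site][who] = level
    return dict(report)

if __name__ == "__main__":
    for finding in dormant_rights(PERMISSIONS, REVIEW_DATE):
        print("DORMANT  ", finding)
    for finding in excessive_rights(PERMISSIONS, SENSITIVE_SITES, {"/sites/PatientRecords": {"dr.alice"}}):
        print("EXCESSIVE", finding)
```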
  41. A Checklist to Securing SharePoint
     Enable auditing for compliance and forensics
     • Who accessed this data?
     • When and what did they access?
     • Who owns this data?
     • Are external users accessing admin pages?
     • Have there been repeat failed login attempts?
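Two of the questions above (external users on admin pages, repeat failed login attempts; slide 40 also asks to log all failed logins) can be answered from the IIS logs of the SharePoint web front end. The script below is an added example, not from the deck, that runs those two checks over a constructed W3C log excerpt; the log field layout, the internal address ranges, the admin path prefixes and the failure threshold are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed IIS W3C log excerpt for a SharePoint web front end (sample, not a real log).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus
2011-12-01 09:00:01 10.1.2.30 - GET /sites/HR/default.aspx 401 2
2011-12-01 09:00:01 10.1.2.30 CORP\\alice GET /sites/HR/default.aspx 200 0
2011-12-01 09:05:10 203.0.113.7 - GET /_layouts/settings.aspx 401 1
2011-12-01 09:05:12 203.0.113.7 - GET /_layouts/settings.aspx 401 1
2011-12-01 09:05:15 203.0.113.7 - GET /_layouts/settings.aspx 401 1
2011-12-01 09:06:00 203.0.113.7 CORP\\svc_sp GET /_layouts/settings.aspx 200 0
2011-12-01 09:07:00 198.51.100.9 - GET /Pages/Home.aspx 200 0
2011-12-01 09:08:00 10.1.2.31 CORP\\bob GET /_layouts/people.aspx 200 0
"""

# Assumed internal address ranges and SharePoint admin/application page prefixes.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ADMIN_PREFIXES = ("/_layouts/", "/_admin/")

def parse_log(text):
    """Parse W3C lines into dicts; '#' directive lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        day, clock, ip, user, method, uri, status, sub = line.split()
        events.append({"time": f"{day} {clock}", "ip": ip, "user": user, "method": method,
                       "uri": uri, "status": int(status), "substatus": int(sub)})
    return events

def repeat_failed_logins(events, threshold=3):
    """Client IPs with at least `threshold` failed logons. A 401.2 is the normal
    NTLM/Kerberos challenge on a first request, so only 401.1 (logon failed) counts."""
    fails = Counter(e["ip"] for e in events if e["status"] == 401 and e["substatus"] == 1)
    return {ip: n for ip, n in fails.items() if n >= threshold}

def external_admin_access(events, internal_nets=INTERNAL_NETS):
    """Successful requests for admin pages from addresses outside the internal ranges."""
    def is_internal(ip):
        return any(ipaddress.ip_address(ip) in net for net in internal_nets)
    return [e for e in events
            if e["uri"].startswith(ADMIN_PREFIXES) and e["status"] == 200 and not is_internal(e["ip"])]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("repeat failed logins:", repeat_failed_logins(evs))
    for e in external_admin_access(evs):
        print("external admin access:", e["time"], e["ip"], e["user"], e["uri"])
```

Both checks need a clock-bounded window and a whitelist of known external partner ranges before they are useful as alerts; the sample keeps them as plain counts so the logic stays visible.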
  42. SecureSphere for SharePoint
  43. Imperva Data Security in 60 Seconds
     Attack Protection, Usage Audit, Virtual Patching, Rights Management, Reputation Controls, Access Control
  44. SharePoint & SecureSphere for SharePoint
     [Architecture diagram]
     SharePoint administrators: migrations, permissions, data ownership, data cleanup, unauthorized changes
     SecureSphere components: DB Activity Monitoring & Access Control; Web-Application Activity Monitoring & Firewall; User Rights Management; audit
     Infrastructure: application servers, MS SQL databases, IIS Web servers
     Users: partners, employees from other sites, enterprise users, the Internet
     Threats covered: XSS, excessive rights, SQL injection, external access to admin pages, unauthorized and failed login attempts, data across borders & ethical walls
  45. SecureSphere for SharePoint
     User rights management
     + Aggregate and visualize rights
     + Identify excessive and dormant rights
     + Streamline rights reviews
     + Identify data owners
     Activity monitoring
     + Monitor file & list access in real time
     + Find unused data
     Policy-based threat protection
     + Defend against file, Web and database threats
     + Alert and block in real time
  46. Webinar Materials
     Get LinkedIn to Imperva Data Security Direct for… answers to attendee questions, post-webinar discussions, webinar slides, webinar recording link