Popular collaboration platforms such as Microsoft SharePoint are making sharing and storing information
easy. Private and confidential information is finding its way into SharePoint environments with increasing
frequency. This ease of deployment and use introduces new data security and compliance concerns for
organizations. With data security breaches and attacks on the rise, protecting sensitive information stored in
SharePoint is a critical issue. Security researchers from the Ponemon Institute now put the average
organizational cost of a data breach at $6.75M.
According to Osterman Research, “the focus of SharePoint security concerns
appears to be much more focused on protecting sensitive information than on
traditional malware.”
Several approaches are available to provide for protection of the information stored in SharePoint sites.
Each approach has its merits, and provides different levels of protection against different threats and
attacks. The transparent data encryption approach implemented specifically to protect data on SharePoint
servers provides the most comprehensive data security possible, addressing the broadest set of potential
attack scenarios, including insider threats from administrators.
Management staff responsible for securing SharePoint sites is advised to carefully consider the risks and
threats to information, and implement an approach that effectively secures against these threats.

Securing Sensitive Information

Usage of collaboration sites such as SharePoint is experiencing explosive growth, with analyst firm
Infotrends projecting that the market for SharePoint will surpass $5B in product and services revenue by
2012. The overall market for content management systems is projected to grow to $10B by 2014, according
to industry analyst firm Basex.
Analysts at Gartner have estimated 30% of SharePoint deployments are being deployed outside the control
of central IT and information security groups. Combine the increasing use of
SharePoint for all types of information with relatively less oversight from IT security staff and a
simple user interface that makes storing and sharing sensitive information easy, and you have the potential for
data security breaches.
As SharePoint has grown in popularity, sites are increasingly being used to store all types of private and
confidential information. Recent high-profile (and high-cost) privacy breaches involving sensitive corporate
data and customer information have increased the importance of properly securing collaboration and
enterprise content management platforms such as SharePoint. In addition, vulnerabilities recently disclosed
in SharePoint software releases have heightened the need to treat data security for SharePoint as a critical
This white paper identifies some of the key concerns around data security for sensitive and regulated
information stored in SharePoint. Several approaches are possible for organizations seeking to enhance the
security of SharePoint sites, each with different threat protection capabilities. This paper describes various
threat scenarios, the different approaches to data security in SharePoint, deployment and user interaction
considerations, and the relative pros and cons of each data security approach.

Big Picture Security Concerns and SharePoint

Information stored in SharePoint tends to be unstructured, with users to some extent using SharePoint to
replace file servers and network drives. This approach results in private and confidential information
becoming widely dispersed, easily accessed, and poorly secured.
High-level security concerns include malware prevention, access control, and data security and compliance.
Specific threats to information stored in SharePoint can come from both external attackers and from
insiders. Security concerns for SharePoint are exacerbated by the following realities:
1) SharePoint is extremely easy to set up, and many sites are created outside of central IT
organizations. Because of this, there is little governance over what should and should not be stored
in SharePoint. In many cases there have not been adequate security controls deployed to protect
sensitive data in SharePoint sites.
2) The platform is also very easy for end users to use, and as a result it tends to be used for
storing and collaborating on all sorts of private and confidential data. Users rarely
understand the data security issues raised by storing private and confidential data in SharePoint.
3) The security capabilities that exist natively in SharePoint (largely access controls coupled to Active
Directory identities, with a document permission inheritance scheme) have a reputation for quickly
becoming very complex to administer and are not distinctly designed to secure private and
4) The hierarchy of administrators required to configure and manage SharePoint (including
SharePoint administrators, site administrators, and SQL database administrators) provides
multiple insider threats with privileged user access to private and confidential data. The simple fact
is that when lower level security approaches (such as disk encryption or SQL database encryption)
are taken to protect data in SharePoint sites, the data is still accessible and viewable by these
multiple administrators. Implicitly trusting all privileged users represents too much risk for most
As a platform that leverages standard web protocols, SharePoint is susceptible to vulnerabilities such as
cross-site scripting, cross-site request forgery, and SQL injection. Recent patches for SharePoint
(SharePoint Security Updates KB 983444 and KB 979445) have included fixes for some of these
vulnerabilities. A security bug involving escalation of privilege was recently reported in SharePoint,
which is highly problematic for sites being used to store and share private
and confidential information.
Native security controls in SharePoint provide some ability to secure access to files through access control
lists. However, in practice, the permissions inheritance is difficult to set up and maintain over time. The lack of
synchronization and ongoing management, together with the general proliferation of static access control lists, is a serious
challenge with SharePoint.
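The drift described above can be shown with a simplified model, added here as an illustration (it is not code from this white paper and does not use the SharePoint API). It relies on one SharePoint behavior: breaking inheritance copies the parent's permissions at that moment, and later parent changes no longer propagate. The `Securable` class, the site and library names, and the principals are constructed for the example.

```python
from dataclasses import dataclass, field
@dataclass
class Securable:
    """Simplified stand-in for a site, library or document (not the SharePoint API)."""
    name: str
    parent: "Securable | None" = None
    acl: "dict | None" = None              # None means "inherit from parent"
    children: list = field(default_factory=list)

    def add(self, name):
        child = Securable(name, parent=self)
        self.children.append(child)
        return child

    def effective_acl(self):
        node = self
        while node.acl is None:            # walk up to the nearest object with its own ACL
            node = node.parent
        return node.acl

    def break_inheritance(self):
        # The parent's ACL is copied as it stands now; later parent changes do not propagate.
        self.acl = dict(self.effective_acl())

def walk(node):
    yield node
    for child in node.children:
        yield from walk(child)

def stale_grants(root):
    """List (object, principal, level) grants on unique-ACL objects that the parent lacks."""
    findings = []
    for node in walk(root):
        if node.parent is None or node.acl is None:
            continue
        parent_acl = node.parent.effective_acl()
        for principal, level in sorted(node.acl.items()):
            if principal not in parent_acl:
                findings.append((node.name, principal, level))
    return findings

def demo():
    # Constructed sample data: one site, one library, one document.
    site = Securable("HR site", acl={"hr-team": "Contribute", "contractor-a": "Read"})
    library = site.add("Salary reviews")
    document = library.add("review.xlsx")
    library.break_inheritance()            # library now holds a static copy of the ACL
    del site.acl["contractor-a"]           # access removed at the site level only
    return site, document
```

The grants returned by `stale_grants` are candidates for review: a principal deliberately granted access only on the library appears in the same list as one left behind by a site-level removal.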
Beyond technical security considerations, the use of SharePoint as a repository and a means to collaborate
can cause issues for data subject to compliance regulations. Numerous compliance regulations are now
requiring effective controls and encryption for sensitive information types (non-public personal information
in GLBA, electronically protected healthcare information in HIPAA, personally identifiable information in
state data privacy laws, and cardholder data in PCI DSS). In addition, many of the now 43+ state data
privacy laws strongly encourage the use of encryption by allowing organizations experiencing a security
breach of sensitive information to avoid having to publicly disclose the breach (and to avoid having to incur
expensive notification costs to individuals), if the data was encrypted. Other compliance regulations such as
ITAR and FISMA have severe fines associated with the disclosure of sensitive data.

Threat Scenarios and Attack Vectors for Information Stored in SharePoint Sites

As with most IT platforms, attacks against the SharePoint platform and data resident in SharePoint sites
can come from external attackers, as well as from insiders.
Attacks and misuse by insiders, especially those with privileged user access rights, can oftentimes be the
most damaging security incidents. A survey by a leading database user group regarding top security
concerns bears this out. The 2009 study [i] found that the top two greatest risks and threats to enterprise data
were “internal hackers or unauthorized users” (32%), and “abuse of privileges by IT staff” (26%). Both of
these risks represent the insider threat, and taken together they far surpass concerns around loss of media
(25%), and malicious code or viruses (20%). While the platforms are obviously different, the insider threat is
consistent across both databases and collaboration platforms with respect to sensitive information. One
could argue that the insider threat problem is likely more acute in collaboration platforms, given the ease
with which sensitive unstructured information can be deposited, indexed and accessed, and the relative lack of
mature data governance processes.
An example of an insider attack (a malicious database administrator) resulting in public disclosure of
sensitive customer information occurred at Fidelity National Information Services. This insider attack in
early 2010 resulted in $975,000 in fines against the firm by the Florida Attorney General, and another
$375,000 in fines from the Financial Industry Regulatory Agency.
Clearly, managing access to sensitive information in collaboration sites is a key concern. SharePoint
provides some native tools which can be used to restrict access to files and libraries. These controls include
permissions that can be applied at the site, group, or document library level. However, these capabilities
suffer from an inherent configuration complexity that restricts most organizations from effectively applying
authorization and access control capabilities at a useful level. In addition, the staff assigned to design and
implement security controls using these mechanisms are generally insiders: administrators, site
administrators, and farm administrators in the hierarchy of SharePoint management. The native
SharePoint access controls do not provide adequate separation of duties. Providing for separation of duties
is a basic security principle, and it is required by many compliance regulations.

Data Security Approaches for SharePoint

Protecting against the insider threat on IT platforms has generally involved encrypting data at rest, and
providing an effective key management capability that restricts access to sensitive information to those with
a true “need to know”.
In SharePoint implementations, there are four possible places to insert encryption to protect information:
1) Disk encryption using Microsoft Encrypting File System or BitLocker. These technologies seem
simple to implement, given that the encryption technologies are provided with the operating
system. However, the key management is extremely cumbersome and they only provide protection
against threats such as loss of media. They do nothing to protect against insider threats and are not
specifically designed to protect data in a SharePoint environment.
2) Use Transparent Database Encryption in the MS SQL 2008 database platform. This approach
also provides protection against threats such as loss of media. TDE implemented at the database
level provides no threat protection against Database or SharePoint administrators.
3) Implement client software that provides the ability for end users to invoke encryption. While this
approach can deliver a capability to encrypt sensitive files, history has shown that end users make
poor security administrators, and when given this level of decision-making authority, they almost
always choose convenience over security. Security works best when users do not have to make
decisions about what files to secure.
4) Implement data encryption directly and transparently on the SharePoint server. This approach
provides complete threat protection against all insiders (including DBAs, SharePoint
administrators, and site/farm administrators), as well as against media loss, and lower level threats.
The figure on the next page shows the relative threat protection for different encryption options.
Key management is a critically important capability regardless of which approach your organization opts
for. With a centralized key management capability providing for secure key distribution and storage,
automatic key changes, and separation of duties for security administrators, organizations can be assured
that sensitive information being stored in SharePoint sites is secure.
Data security in SharePoint is becoming a significant concern. Look to encryption, implemented directly
and transparently on the SharePoint server, as the most effective threat protection, addressing the widest
range of attack scenarios and threats.

About CipherPoint Software, Inc.

CipherPoint Software is the first provider of transparent content encryption software for Microsoft
SharePoint, and was founded by IT security industry veterans with deep experience in building security
CipherPoint Software, Inc., 1000 Heritage Center Circle, Round Rock, TX 78664
Copyright CipherPoint Software, Inc., 2010 All rights reserved.
CipherPoint Software, Inc., CipherPointSP, CipherPointSP Enterprise, CipherPoint KM, and the stylized CipherPoint logo are
trademarks of CipherPoint Software, Inc. SharePoint is a trademark of Microsoft.
[i] 2009 Independent Oracle User Group Data Security Study