In light of the recent NHS attack, I wanted to write a blog about Security and re-emphasise what we should be doing to protect our data, especially in regards to SharePoint.
This blog will focus on SharePoint within Office 365 and on Premise and some (of many) pointers of defence to help protect SharePoint.
- A common security issues I see with many clients is permission governance.
A SharePoint governance plan can help keep your data secure and compliant, by helping you structure, create policies and procedures and implement controls, such as designing security controls, permissions and roles for assigning permissions etc.
SharePoint is used to store data, and on most occasions, sensitive data. It is important to ensure that this sensitive data is not accessible to the people who do not need to see it, especially as data if shared with external parties, such as contractors, partners etc, therefore it is vital to ensure that access rights remain aligned with the business needs. There have been many cases known where data has got into the wrong hands, e.g. United States v. Manning.
This also includes using the least privileged accounts and use specific accounts for specific purposes. I have seen many SharePoint systems where IT use the farm account as their admin account. Plan for administrative service accounts : https://technet.microsoft.com/en-us/library/cc263445.aspx .
Also you should being using Groups to manage users as much as you can. Using groups gives you a more maintainable security model, meaning If you want to make a change to permission, you apply it to a group, not individual people.
for e.g. different sites require different governance policies. Site such as homepage would be more tightly governed as it would typically be available to everyone in the organisation, whereas the HR department, for example would be more tightly governed than other generic sites such knowledge based areas.
- Multi Factor Authentication – Within office 365, Multi Factor Authentication (MFA) increases the security of user login. With MFA, users are required to enter an second stage of authentication after their initial entering of their password. The second stage requires the user to receive an email, app notification, phone call or text message to enter a number. Only after the second stage is complete will the user be authenticated to sign in.
- Virus Protector: For On-Premise installs of SharePoint, there are a growing number 3rd party tools which can be used for anti-virus protection, such as
- Bit Defender
- Trend Micro
However, Microsoft recommend that you install an anti-virus solution based on SharePoint Portal Server Virus Scanning Application (VS API) – this is because SharePoint is continually providing enhancements to SharePoint via, installing a non related SharePoint AV will not guarantee you any support for SharePoint specific issues.
Within Office 365, files are scanned as they are uploaded. If a file is found to be infected, a property is set so that users cant download that file from the browser or syn the file in the One Drive for business client.
This is not to say you should not have a virus protector on your local machine
- Information Rights Management (IRM) – IRM is a technology applied at the list / library level in SharePoint. A document that is IRM permission can either permit / deny a user from doing certain actions within that document such as :
- Controlling copy and paste
- Preventing printing and editing
- Require users to review their credentials at specific intervals
- Provide ability to not upload documents that are not IRM protected
- Allow people with least the view items permissions to run embedded code or macros on a document.
Now this next step is not strictly a SharePoint security setting. With SharePoint, Online and On-Premise it’s important to have some sort of lock or password on your device, especially as users now bring their own devices into work. SharePoint is available on mobile, apps like Yammer, One Drive for Business can be exposed thus potentially leaking sensitive data.
In addition to this, I wrote a blog on Data Loss Prevention (here) which is another great way of ensuring that sensitive data does not leave the corporate domain.