OVERCOMING SECURITY THREATS AND VULNERABILITIES IN SHAREPOINT
TRANSCRIPT
© 2016 Protiviti Inc.
CONFIDENTIAL: An Equal Opportunity Employer M/F/D/V. This document is for your company's internal use only and may not be copied nor distributed to another third party.
ANTONIO MAIO
PROTIVITI SENIOR MANAGER
MICROSOFT SHAREPOINT MVP
Email: [email protected]
@AntonioMaio2
Blog: www.TrustSharePoint.com
WHO ARE WE
3,300 professionals
Over 20 countries in the Americas, Europe, the Middle East and Asia-Pacific
70+ offices
Our revenue: more than $743 million in 2015
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 40 percent of FORTUNE 1000® and FORTUNE Global 500® companies.
Protiviti serves clients through a network of more than 70 locations in over 20 countries. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
AGENDA
Where is the Exposure?
SharePoint On Premise vs Office 365
Online: Security Strategy and Features
On Premise: Security Configuration & Hardening
Information Governance
Final Thoughts & Recommendations
WHERE IS THE EXPOSURE?
The Disorganized
The Lazy
The Overcautious
The Stressed
The Inexperienced
The Home Worker
The Newcomer
The Industrious
The Partisan
The Spy
The Careless
The Malicious
Malware
WHY SECURE SHAREPOINT?
• Represents our intranet, collaboration portal, extranet, public facing web site, line of business, process automation, business analytics…
• SharePoint is our Repository for Corporate Data
• Sensitive Corporate Data
• Many Aspects of our Business Run on SharePoint
• Users Rely on it to Accomplish Day to Day Work
• Critical Business Infrastructure
SHAREPOINT ON PREMISE VS OFFICE 365
SharePoint On Premise
Hosted within corporate network (data center, Azure, AWS).
• All data and systems are fully within corporate control
• Corporate IT is responsible for:
  • All servers/infrastructure – security hardening, firewall, network security, anti-malware, intrusion detection, etc.
  • Regular patching & updates
  • System uptime
  • TLS (data in motion) & SQL encryption (data at rest)
• Corporate IT & Business responsible for Compliance
• New Services/Solutions – Corporate Dev team responsible for security design & privacy
• User security controls/Administrative security controls
• You are responsible for security configuration within sites and information governance policies/procedures
Office 365 - SharePoint Online
SharePoint infrastructure hosted in Microsoft Data Centers.
• World class physical data center security (included)
• Microsoft manages:
  • Security hardening & network level security
  • Regular patching & updates
  • SLA ensuring 99.9% uptime
  • DR through global network of data centers
  • Encryption for data at rest and in motion
• Complies with data privacy standards: HIPAA, HITECH, CSA Star Registry, EU Model Clauses, ISO27001, SOC1, SOC2 (included)
• New Services/Solutions – Privacy by Design
• User security controls/Administrative security controls
• You are responsible for security configuration within sites and information governance policies/procedures
OFFICE 365 DEFENSE IN DEPTH STRATEGY
[Diagram: Office 365 defense in depth layers]
Physical Layer: Facility and Network Security
Logical Layer: Automated Operations; Control Admin Access to Data; Security Development Life Cycle; Anti-Malware, Patching, and Config. Management
Data Layer: Data Isolation; Data Integrity
Security Features (customer-controlled, listed on the next slide)
OFFICE 365 SECURITY FEATURES
• Information Rights Management
• Retention Policies
• Activity Monitoring
• Data Loss Prevention
• External Sharing Controls
• SharePoint Permissions
• Audit Reports
• (built in) TLS 1.2 Communication
• (built in) Encrypted Data at Rest
• Customer Lockbox
• Azure AD Multi-Factor Auth.
• Azure AD Identity Protection
• Bring your Own Key
• Office 365 Trust Center
Question & Answer
DEMONSTRATION: DATA LOSS PREVENTION IN OFFICE 365
Question & Answer
SHAREPOINT ON PREMISE
SECURITY CONFIGURATION & SECURITY HARDENING
SECURITY STARTS WITH DEPLOYMENT
• Before deploying, plan and document your service accounts
  • SQL Server Service Account
  • Setup Account
  • Farm Service Account
  • SharePoint Web Application Pool Account
  • SharePoint Service Account (Service App Pool Identity)
  • Search Crawl Account
  • User Profile Synchronization Account
  • Cache Accounts (superreader, superuser)
  • SQL Service Analytics & Excel Services Accounts
• Use a Least Privileged Model
• Determine which account farm admins use to log in to Central Admin
• Determine which users will have Shell Access (PowerShell)
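As an added example (not from the deck or Protiviti), the following script inventories the farm's managed service accounts and its Shell Admins, and flags any that sit in the server's local Administrators group, which a least-privilege service account plan should not need outside of initial setup. It assumes it is run on a SharePoint 2013/2016 server by a user who is already a Shell Admin; the local-group lookup uses ADSI so it also works on Windows Server 2012 R2.

```powershell
# Added example: service account / shell admin inventory for least-privilege review.
# Assumes a SharePoint 2013/2016 server and an existing Shell Admin session.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Members of the local Administrators group as DOMAIN\name. ADSI is used because
# Get-LocalGroupMember only exists on Windows Server 2016 / PowerShell 5.1 and later.
$group = [ADSI]"WinNT://./Administrators,group"
$localAdmins = @($group.Invoke('Members')) | ForEach-Object {
    $adsPath = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
    # AdsPath looks like WinNT://CONTOSO/spfarm; normalise to CONTOSO\spfarm
    ($adsPath -replace '^WinNT://', '') -replace '/', '\'
}

# Managed accounts are the identities SharePoint runs app pools and services under.
$managed = foreach ($acct in Get-SPManagedAccount) {
    [PSCustomObject]@{
        Account    = $acct.UserName
        Role       = 'Managed service account'
        LocalAdmin = ($localAdmins -contains $acct.UserName)   # -contains is case-insensitive
        AutoChange = $acct.AutomaticChange                     # password rotation handled by SharePoint
    }
}

# Shell Admins can run every farm cmdlet: this list should be short and reviewed.
$shell = foreach ($name in (Get-SPShellAdmin | Select-Object -ExpandProperty UserName)) {
    [PSCustomObject]@{
        Account    = $name
        Role       = 'Shell Admin'
        LocalAdmin = ($localAdmins -contains $name)
        AutoChange = $null
    }
}

$inventory = @($managed) + @($shell)
$inventory | Sort-Object Role, Account | Format-Table -AutoSize

# Deviations to record (or fix) in the service account plan before go-live.
$inventory | Where-Object { $_.Role -eq 'Managed service account' -and $_.LocalAdmin } |
    ForEach-Object {
        Write-Warning "Service account $($_.Account) is a local Administrator on $env:COMPUTERNAME"
    }
```

Run it on each server in the farm, since local Administrators membership differs per machine.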
WEB APPLICATION AND SITE COLLECTION
Farm & Web Application Configuration
• Authentication
• Web Application Policies (user & permission policies)
• TLS/SSL Communication
• Anonymous Access
• File Types Permitted
• Web Part Security
• Anti-Virus Configuration
• Thresholds (unique security scopes, list view threshold)
• Establish a strategy for patching and security updates
Site Collection Configuration
• Site Collection Administrators
• Site Collection Auditing
• Permission Levels
• Anonymous Access
AUTHENTICATION MODELS
Important to Understand the Options Available
• SharePoint 2010 Options
  Classic Mode (Integrated Authentication, NTLM, Kerberos)
  Claims Based Authentication
  Forms Based Authentication - through Claims Based Auth.
• SharePoint 2013 & 2016 Options
  Claims Based Authentication - Default
  Forms Based Authentication
  Classic Mode Authentication Deprecated! (only configurable through PowerShell)
• SharePoint Online
  Only Claims Based Authentication Available
• Other Considerations
  Trusted Identity Providers
  Multi-Factor Authentication
AUTHORIZATION
• SharePoint Permissions - Hierarchical model
  • Permissions are inherited from the level above
  • Break inheritance to apply unique permissions
  • Manual process
• Permissive Model
  • SharePoint's "Share" Interface allows easy fine grained permissions
[Diagram: permission hierarchy SharePoint Farm > Web Application > Site Collection > Site > Library / List > Document / Item, with example permission assignments shown at the site, library and item levels]
Principal        Type               Permission Level
Demo Members     SharePoint Group   Edit
Demo Owners      SharePoint Group   Full Control
Demo Visitors    SharePoint Group   Read
Finance Team     Domain Group       Edit
Senior Mgmt      Domain Group       Full Control
Research Team    Domain Group       Full Control
Antonio.Maio     Domain User        Full Control
SHAREPOINT PERMISSIONS
• Every time permission inheritance is broken a new security scope is created
• A Security Scope is made up of principals:
  • Domain users/groups
  • SharePoint users/groups
  • Claims
• Be aware of "Limited Access"
• Limitations
  • Security Scopes (50K per list)
  • Size of Scope (5K principals per scope)
Microsoft SharePoint Boundaries and Limits:
http://technet.microsoft.com/en-us/library/cc262787.aspx
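The two slides above describe how every broken-inheritance list or item becomes its own security scope and where the supported limits sit. As an added example (not from the deck or Protiviti), this script counts unique scopes per list and the size of the largest scope, then flags lists approaching the 50K-scopes-per-list and 5K-principals-per-scope figures quoted above. It assumes a SharePoint 2013/2016 farm, a Shell Admin session, and a placeholder web application URL.

```powershell
# Added example: unique security scope report per list, with limit warnings.
# Assumes SharePoint 2013/2016 and a Shell Admin session; URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl      = 'http://sharepoint.example.local'   # placeholder
$scopeLimit     = 50000   # security scopes per list (figure from the slide)
$principalLimit = 5000    # principals per scope (figure from the slide)

function Get-ListScopeStats {
    param([Microsoft.SharePoint.SPList]$List)
    $scopes = 0; $largest = 0
    # A list with unique permissions is itself one scope.
    if ($List.HasUniqueRoleAssignments) {
        $scopes++
        $largest = $List.RoleAssignments.Count
    }
    # Page through items 2000 at a time so large libraries stay under the
    # list view threshold; only the ID is fetched, folders are recursed.
    $query = New-Object Microsoft.SharePoint.SPQuery
    $query.RowLimit       = 2000
    $query.ViewFields     = '<FieldRef Name="ID"/>'
    $query.ViewFieldsOnly = $true
    $query.ViewAttributes = "Scope='RecursiveAll'"
    do {
        $items = $List.GetItems($query)
        foreach ($item in $items) {
            if ($item.HasUniqueRoleAssignments) {
                $scopes++
                $n = $item.RoleAssignments.Count
                if ($n -gt $largest) { $largest = $n }
            }
        }
        $query.ListItemCollectionPosition = $items.ListItemCollectionPosition
    } while ($query.ListItemCollectionPosition -ne $null)
    [PSCustomObject]@{
        List            = $List.ParentWeb.Url + '/' + $List.RootFolder.Url
        UniqueScopes    = $scopes
        LargestScope    = $largest
        ScopesPct       = [math]::Round(100 * $scopes / $scopeLimit, 1)
        LargestScopePct = [math]::Round(100 * $largest / $principalLimit, 1)
    }
}

$report = foreach ($site in Get-SPSite -WebApplication $webAppUrl -Limit All) {
    foreach ($web in $site.AllWebs) {
        foreach ($list in $web.Lists) {
            if (-not $list.Hidden) { Get-ListScopeStats -List $list }
        }
        $web.Dispose()
    }
    $site.Dispose()
}

# Lists with any broken inheritance, worst first. Past roughly 80% of a limit the
# fix is a permission design change (fewer unique scopes), not item-level cleanup.
$report | Where-Object { $_.UniqueScopes -gt 0 } |
    Sort-Object UniqueScopes -Descending | Format-Table -AutoSize
$report | Where-Object { $_.ScopesPct -ge 80 -or $_.LargestScopePct -ge 80 } |
    ForEach-Object {
        Write-Warning "Near limit: $($_.List) (scopes $($_.UniqueScopes), largest scope $($_.LargestScope))"
    }
```

Each item check is a round trip to the content database, so schedule this as an off-hours job on large farms.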
SECURITY HARDENING
• System Updates
• Web Server and Application Server Roles
• Services
• Ports and Protocols
• Database Server Role
• Blocking standard ports; Listening on non-standard ports
• Permissions on SQL Service Accounts
• Service Application Communication
• User Profile Synchronization Service
• Connection to External Servers
• Web.Config
DATA IN MOTION & DATA AT REST
• Protect Data in Motion with TLS/SSL
  • Even for Intranets
  • IIS Configuration and SharePoint Central Admin
• Protect Data at Rest with SQL TDE Encryption
  • Separate keys for Test & Prod
  • Understand who you are protecting the system from (TDE protects against DB level access only)
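As an added example (not from the deck or Protiviti), this script checks every content database in the farm for TDE and reports which server certificate encrypts it, so a Test and a Prod farm that share a SQL instance can be verified to use separate keys. It assumes a Shell Admin session on a SharePoint server, Windows authentication to SQL Server, and the SqlServer (or SQLPS) module that provides Invoke-Sqlcmd.

```powershell
# Added example: verify TDE on SharePoint content databases and list the encrypting certificate.
# Assumes a Shell Admin session, Windows auth to SQL, and Invoke-Sqlcmd (SqlServer/SQLPS module).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# sys.dm_database_encryption_keys lists only databases that have a DEK.
# encryption_state 3 = encrypted, 2 = encryption in progress, 0/NULL = no TDE.
$tdeQuery = @"
SELECT d.name AS DatabaseName,
       ISNULL(k.encryption_state, 0) AS EncryptionState,
       c.name AS CertificateName,
       CONVERT(varchar(64), c.thumbprint, 2) AS CertificateThumbprint
FROM sys.databases d
LEFT JOIN sys.dm_database_encryption_keys k ON k.database_id = d.database_id
LEFT JOIN sys.certificates c ON c.thumbprint = k.encryptor_thumbprint
"@

$tdeByServer = @{}   # one query per SQL instance, reused for all its databases
$report = foreach ($db in Get-SPContentDatabase) {
    if (-not $tdeByServer.ContainsKey($db.Server)) {
        $tdeByServer[$db.Server] = Invoke-Sqlcmd -ServerInstance $db.Server -Database master -Query $tdeQuery
    }
    $row = $tdeByServer[$db.Server] | Where-Object { $_.DatabaseName -eq $db.Name }
    [PSCustomObject]@{
        ContentDatabase = $db.Name
        SqlServer       = $db.Server
        WebApplication  = $db.WebApplication.Url
        Encrypted       = ($row.EncryptionState -eq 3)
        Certificate     = $row.CertificateName
        Thumbprint      = $row.CertificateThumbprint
    }
}
$report | Format-Table -AutoSize

# Finding 1: content databases without TDE. Remember TDE only defends against
# someone who obtains the MDF/LDF files or backups; SQL logins and SharePoint
# permissions still govern who reads the data through the engine.
$report | Where-Object { -not $_.Encrypted } |
    ForEach-Object { Write-Warning "TDE not enabled: $($_.ContentDatabase) on $($_.SqlServer)" }

# Finding 2: one certificate shared across databases on an instance. If Test
# and Prod databases appear in the same group, they do not have separate keys.
$report | Where-Object { $_.Thumbprint } | Group-Object SqlServer, Thumbprint |
    Where-Object { $_.Count -gt 1 } | ForEach-Object {
        Write-Warning "Certificate $($_.Name) protects: $($_.Group.ContentDatabase -join ', ')"
    }
```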
Question & Answer
INFORMATION GOVERNANCE
ROLES & RESPONSIBILITIES
Establish and document key administrative roles & responsibilities
• Document each role related to SharePoint and owners
• Each role has a primary and secondary owner
• Define/educate each role on responsibilities & access requirements
• Include administrative, development and management roles
• Keep documentation up to date and centrally located
Goal: Document and educate admins on the division of duties related to managing the environment and who is responsible for each system. Enable other users to easily determine who to go to for specific tasks/questions/issues.
DATA OWNERSHIP
Establish data owners for each site collection, subsite or collection of subsites
• Typically business users; can be different from site owners
• Define data owner responsibilities
  • Understand sensitivity & regulatory compliance requirements for the data in areas they own
  • Approve/Deny requests for access to data
  • Responsible for permission remediation and certification for their area
• Define & document data owners – ensure they accept
• In all cases, assign primary & secondary data owners
Goal: Define on a site basis the users responsible for the compliance and security requirements of all types of data. Facilitate implementation of other security policies.
PERMISSION MANAGEMENT
Establish a standard permission management policy
• Determine who manages permissions on sites:
  • Delegate to business OR centralize in IT
  • IT must support data owners & site owners
• Site Collection Admins are different from Site Owners
• Consider if Full Control is right, even for site owners
  • Customize permission levels
• Assist and provide training where necessary
  • Create training videos
  • Provide one-on-one where necessary
Goal: Standardize the method by which permissions are assigned & managed.
PERMISSION REMEDIATION PROCESS
Establish a standard process requiring data owners to review and certify that permissions are correct
• Establish regular cadence
  • Perform every 6 months or 12 months
  • More frequently in areas with sensitive data
• Automate reminders & reports
  • Scripts, reports or third party tools
• Provide data owners with reports of current permissions
• Allow data owners to remediate, with IT providing support
• Require data owners to provide written certification
Goal: On a periodic basis validate that content is correctly shared and users are only permitted to access content necessary to perform their role. Facilitate data owners resolving permission issues.
PRIVILEGED ACCESS REVIEWS
Establish a standard process for access reviews of privileged accounts
• Include IT administrators, Site Collection Admins, Vendors/Contractors with privileged access
• Establish regular cadence - Recommend Quarterly
• Document and Include Executive Oversight
• Automate where possible (notifications, data gathering, reports)
  • Scripts, BI reports or third party tools
Goal: On a periodic basis ensure that privileged users are permitted to access only necessary systems. Facilitate resolution of permission issues.
REQUESTING ACCESS TO INFORMATION
Establish a standard process for end users to request access to information
• Create a standard form with fields that must be provided for all access requests:
  • name, purpose, whether access must expire
• Include approvals by IT, data owners and/or requestor's manager
• Make use of workflows for notifications & approval requests
• Log all access - don't rely on SharePoint logs
Goal: Provide an approval process for all access requests. Maintain a historical record. Avoid oversharing data internally.
REQUESTING & CREATING SITES
Establish a standard process for end users to request new sites
• Create a standard form with fields that must be provided for all site requests:
  • name, purpose, primary & secondary data owners, site owners (if different), whether it will contain sensitive data
• Consider centralizing the site creation process with IT
• Include an approval process by IT, data owners, and/or requestor's manager
• Make use of workflows for notifications & approval requests
• Log all requests - don't rely on SharePoint logs
Goal: Prevent site sprawl. Help users to use existing sites instead of always creating new ones. Maintain a historical record. Provide oversight and centralized review.
SITE LIFECYCLE & DECOMMISSIONING
Establish standard processes for site review, archiving & deletion
• Consider:
  • Scenario 1: site is requested - site is created - site never gets used
  • Scenario 2: site is requested & created - site is used - all employees having access leave company - site is forgotten
  • Scenario 3: over time number of sites grows to point of making other governance processes unmanageable
• Process can occur at site collection or subsite level
• Make use of built in attributes: ContentLastModified, SecurityLastModified
Goal: Prevent site sprawl. Prevent forgotten or unused sites.
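As an added example (not from the deck or Protiviti), the following script uses the two built-in attributes mentioned above, exposed on SPSite as LastContentModifiedDate and LastSecurityModifiedDate in SharePoint 2013/2016, to list site collections with no content or permission change in a configurable window, tags each with the lifecycle scenario it most likely matches, and optionally applies a reversible read-only lock as the first archiving step. It assumes a Shell Admin session, a placeholder web application URL, and a 180-day threshold; the "never used" test is a heuristic.

```powershell
# Added example: stale site collection review for the lifecycle scenarios above.
# Assumes SharePoint 2013/2016, a Shell Admin session, and a placeholder URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = 'http://sharepoint.example.local'   # placeholder
$staleDays = 180                                  # cadence agreed with data owners
$cutoff    = (Get-Date).AddDays(-$staleDays)
$lockStale = $false   # set $true only after data-owner sign-off

$review = foreach ($site in Get-SPSite -WebApplication $webAppUrl -Limit All) {
    try {
        $created  = $site.RootWeb.Created
        $content  = $site.LastContentModifiedDate    # "ContentLastModified" on the slide
        $security = $site.LastSecurityModifiedDate   # "SecurityLastModified" on the slide
        if ($content -lt $cutoff -and $security -lt $cutoff) {
            # Heuristic for scenario 1: nothing changed since the site was provisioned.
            $neverUsed = ($content - $created).TotalDays -lt 1
            $scenario  = if ($neverUsed) { '1: never used' } else { '2/3: abandoned or sprawl' }
            $secondary = ''
            if ($site.SecondaryContact) { $secondary = $site.SecondaryContact.LoginName }
            [PSCustomObject]@{
                Url                  = $site.Url
                Owner                = $site.Owner.LoginName
                SecondaryOwner       = $secondary
                Created              = $created
                LastContentModified  = $content
                LastSecurityModified = $security
                StorageMB            = [math]::Round($site.Usage.Storage / 1MB, 1)
                Scenario             = $scenario
            }
        }
    } finally {
        $site.Dispose()
    }
}

# Report for the data owners named in the site request (see "Requesting & Creating Sites").
$review | Sort-Object LastContentModified | Format-Table -AutoSize
$review | Export-Csv -Path "$env:TEMP\stale-sites.csv" -NoTypeInformation

if ($lockStale) {
    foreach ($s in $review) {
        # A read-only lock is reversible (-LockState Unlock), stops further permission
        # drift, and gives owners a safe interval before archive or deletion.
        Set-SPSite -Identity $s.Url -LockState ReadOnly
    }
}
```

Site owners whose accounts have left the company (scenario 2) show up here as owners that no longer resolve in the directory; pair the CSV with an AD check of the Owner column.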
TAXONOMY & CLASSIFICATION
Establish a standard global & departmental taxonomy with sensitivity metadata
• Keep global taxonomy small - applies to all content
• Include metadata fields for sensitivity classification - ex. Sensitive, Restricted, Internal Only, Public
• Make use of managed metadata for centralized management
• Provide end user training (videos, online)
  • End user responsibilities, how to classify, what the classifications mean, distribution & info. handling policies
Goal: Enable and/or enforce end users to easily identify sensitive documents & items. Centrally control the classification schema.
SECURITY & GOVERNANCE TRAINING
Establish standard periodic training for employees (annual) & new hires which educates on security & information governance policies, practices, responsibilities
• Use videos, online training, other low impact tools
• Make it very fast for employees to find out how to do something
  • Ex. declare a record, request a site, request access, manage permissions
Goal: Ensure that all employees understand their responsibilities and are contributing proactively to the organization's security strategy.
ACTIVITY AUDITING & MONITORING
Make use of Activity Monitoring capabilities for data breach/leak investigation & automatic alerts
• Build up administrative expertise on using built in Activity Monitoring capabilities (Office 365)
• Implement automatic alerts for specific key activities:
  • Administrative modification of external sharing, granting access to sites containing sensitive content, etc.
• Make use of scripts or third party tools
Goal: Build expertise to investigate data breaches. Ensure all administrators are aware of key administration setting changes.
Question & Answer
DEMONSTRATION: ACTIVITY MONITORING IN OFFICE 365
CONDUCT A SHAREPOINT SECURITY ASSESSMENT
• In-depth Security Analysis
• Independent Review
• Impartial Observations & Recommendations
• Detailed
• Reproducible
• Actionable
• Realistic
• Prioritized
• Documented Analysis & Report
FINAL THOUGHTS & RECOMMENDATIONS
• Overcoming threats and vulnerabilities requires both good security & strong information governance
• Understand the security capabilities available
• Know what data is sensitive & where it lives
• Know who is responsible for sensitive data
• Establish information governance policies/procedures
• Conduct regular independent security assessments
THANK YOU!
ANTONIO MAIO
PROTIVITI SENIOR MANAGER
MICROSOFT SHAREPOINT MVP
Email: [email protected]
@AntonioMaio2
Blog: www.TrustSharePoint.com