SharePoint Security: Tips for Securing Office 365 and SharePoint
There’s a challenge to overcome with collaboration in SharePoint environments – security. And it’s a particular problem when you blend environments of various SharePoint instances and versions, including Office 365 and SharePoint Online. Two questions in particular cause trouble:
- How can you secure SharePoint data when users don’t fully understand the organization’s data security policies?
- How do you secure SharePoint data uniformly across different infrastructures?
I recently addressed these questions in a webinar on Securing Files for All Users, All Devices, All Locations.
Two Competing SharePoint Requirements: Security vs. Collaboration
You have people working from home, third party collaborators, employees that need tools to be productive and useful; and you need to secure the information that they’re working with. These users need access to data wherever they are, but for SharePoint administrators and security professionals, this is at odds with their goals – to secure data. Forrester Research said:
“Your role is to help foster safe behaviors, control information access, and verify ongoing compliance — all without hampering creativity, productivity, collaboration, or other daily activities.” Forrester Research, August 17, 2016
But as a security professional, those are two competing requirements. How do you lock down your sensitive data and make sure that people don’t inadvertently attach it to an email or grant access to somebody who ought not to have it? And at the same time, how do you ensure employees can be productive and flexible? You want to let them work from home, give them access to data when they’re at a customer’s site, or when they’re collaborating on a project remotely. You also have third-party contractors who have different levels of access into your company.
How do you balance security and flexibility? The answer is: it’s a fine line. Collaboration tools are widespread and easy, but securing that collaboration can seem difficult. What are people doing within these collaboration tools? We have a wide variety of users and these days they’re global. We have employees, third-parties, customers, and they’re working with different types of information with many levels of sensitivity. Furthermore, sometimes they’re subject to different regulations that overlap.
Why is SharePoint collaboration hard to secure?
SharePoint and Office 365 make collaboration easy. Users can move files through your global corporate network from SharePoint Online, from one tenant to another. And sometimes this data will be subject to different regulations. This combined with online apps that give users remote access from unmanaged devices and BYOD policies mean that your users will collaborate by sharing data in the fastest and easiest way possible.
If that means taking it out of your SharePoint system and sticking it in Dropbox so that the third-party contractor can see it, they’ll do it, because that’s easier than going to IT and getting fresh permissions for a contractor. It also means that your employee will access these files whenever it is convenient for them – if they’re away from the office, have a work problem to handle and the nearest device is their kid’s tablet, they’ll use it to access your files.
With Office 365 and SharePoint Online, it’s easier than ever to spin up new SharePoint sites when a manager needs them. And you won’t always be sure if those sites are subject to the same permissions and security you have everywhere.
Traditional SharePoint file security doesn’t accommodate today’s flexible environments. When we used to secure our file systems, it was by user permissions and library-based access. We also secured the perimeter, but the perimeter isn’t inside your company’s walls anymore, especially when you move to blended environments or move online. In addition, devices are not always controlled and administered by IT.
The regulations that your company can be subject to are often overlapping and contradictory. New regulations, particularly in the finance industry and around customer privacy data, are popping up all over the place. You also might be subject to new laws in New York State because you do business there. And if you have customers in the EU, you’ll also be subject to EU GDPR regulation.
Traditional policies are not fine-grained enough to secure both the changing user and files in all of their contexts. As people move around and use different devices, and as the files are moving, you need fine-grained access control. Yet managing the complex permissions can be very difficult and expensive.
We haven’t even talked about whether your users know what to do. Traditionally we’ve relied upon user education, but that doesn’t work. Collaborators will always prioritize getting their work done over operating securely. And even if they’re trying to follow the rules, users don’t always know the rules, or remember to follow them. How do you train your users? The answer is you can’t! User education isn’t enough because even trusted employees make mistakes. Half of internal data breaches are due to employee negligence, and these stories can be heartbreaking. For example, a school administrator who needed to send a redacted file in response to a public records request instead grabbed the non-redacted version of the file and sent it out. A simple mistake, and it happens every day. So, how do we protect against this?
Extending SharePoint security capabilities beyond Microsoft
SharePoint and Office 365 are doing a whole lot in the security space, covering some requirements. But sometimes businesses need to go beyond that. They need something more economical and more real-time: a tool that can determine whether this user, in this situation, should be handling this particular file in this way – a finer-grained tool that’s dynamic and real-time.
Let’s look beyond SharePoint’s native security capabilities. We need to extend the SharePoint and Azure user permissions by evaluating, in real time, the convergence of the file’s classification and content with the user’s situation:
- What is the user’s security clearance?
- What should they be allowed to do?
- What’s the context?
- Where are they located?
- What device are they on?
- Who are they?
But this needs to happen without altering the existing SharePoint permissions that have already been tried and tested: the work to secure the perimeter, meet regulations, and comply with government certifications, or the permissions that work with SharePoint on-premises. These shouldn’t be altered; instead, a layer needs to be added on top to supply dynamic security. We need to:
1. Extend SharePoint and Azure user permissions
- Evaluate in real-time: file classification / user security clearance / user context
- Do not alter existing SharePoint permissions that have been “qualified”
2. Automate RMS encryption for specific situations
- Restrict users, not the file, so that the file is searchable and indexable
- Encrypt at rest when regulations require it
- Tailor encryption for the file’s destination
3. Maintain a centralized audit trail for each document and user
- Regardless of mixed data storage environments
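As an added illustration (not code from Security Sheriff, Microsoft, or the webinar), the following Python models the three requirements above as a policy layer that sits on top of SharePoint’s own grant: it can only tighten the outcome, never loosen it; it chooses RMS protection by regulation and by the file’s destination; and it writes one audit record per decision. The classification levels, the context fields and the decision names are constructed for the example.

```python
from dataclasses import dataclass

# Ordered classification / clearance levels (constructed for the example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# Ordered permissions as SharePoint itself already grants them.
PERMS = {"none": 0, "read": 1, "edit": 2}

@dataclass
class File:
    name: str
    classification: str
    regulated: bool = False   # e.g. subject to GDPR; constructed flag

@dataclass
class Context:
    user: str
    clearance: str
    base_permission: str      # the existing, already "qualified" SharePoint grant
    location: str             # "office" or "remote"
    managed_device: bool
    destination: str          # "sharepoint", "email" or "external_share"

@dataclass
class Decision:
    action: str               # "deny", "allow" or "allow_encrypted"
    reason: str

AUDIT: list = []              # centralized audit trail, one record per decision

def evaluate(f: File, ctx: Context, requested: str) -> Decision:
    """Dynamic layer: never more permissive than the base SharePoint permission."""
    if PERMS[ctx.base_permission] < PERMS[requested]:
        d = Decision("deny", "SharePoint permission does not grant " + requested)
    elif LEVELS[ctx.clearance] < LEVELS[f.classification]:
        d = Decision("deny", "clearance below file classification")
    elif LEVELS[f.classification] >= LEVELS["confidential"] and not ctx.managed_device:
        d = Decision("deny", "sensitive file requested from an unmanaged device")
    elif ctx.destination != "sharepoint":
        # Tailor protection to where the file is going: RMS travels with the copy.
        d = Decision("allow_encrypted", "RMS protection applied for " + ctx.destination)
    elif f.regulated or ctx.location == "remote":
        d = Decision("allow_encrypted", "regulated data or remote access: RMS at rest")
    else:
        d = Decision("allow", "within clearance, managed device, in place")
    AUDIT.append({"user": ctx.user, "file": f.name, "requested": requested,
                  "location": ctx.location, "decision": d.action, "reason": d.reason})
    return d
```

The order of the checks is the point: the base SharePoint permission is consulted first and is never overridden, so the layer can only add restrictions or encryption on top of what administrators have already qualified.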
So how do you achieve all this? How do you extend security capabilities to improve SharePoint?
A Dynamic Collaboration & DLP for SharePoint
Security Sheriff dynamically adjusts file security based on real-time comparison of user context and file content to make sure that users view, use, and share files according to your industry and business’s regulations and policies. It offers:
Classification – Locate and classify all data on-premises and in the cloud, encrypt or quarantine when required, and report status to stakeholders.
Collaboration – Trusted users can collaborate on any device and in any location, knowing that all data is secure, even when it leaves the company.
Administration – Policies and permissions are managed by admins who know the policies, users and data, thereby reducing cost and frustration.
To learn more about Security Sheriff, watch my on-demand webinar.