SharePoint Security: Tips for Securing Office 365 and SharePoint

December 16, 2016

There’s a challenge to overcome with collaboration in SharePoint environments – security. And it’s a particular problem when you blend environments of various SharePoint instances and versions, including Office 365 and SharePoint Online. Questions that present problems include:

  • How can you secure SharePoint data when users don’t fully understand the organization’s data security policies?
  • How do you secure SharePoint data uniformly across different infrastructures?

I recently addressed these questions in a webinar on Securing Files for All Users, All Devices, All Locations.

Two Competing SharePoint Requirements: Security vs. Collaboration

You have people working from home, third-party collaborators, and employees who need tools to be productive and useful; and you need to secure the information that they’re working with. These users need access to data wherever they are, but for SharePoint administrators and security professionals, this is at odds with their goal – to secure data. Forrester Research said:

“Your role is to help foster safe behaviors, control information access, and verify ongoing compliance — all without hampering creativity, productivity, collaboration, or other daily activities.” Forrester Research, August 17, 2016

But as a security professional, those are two competing requirements. How do you lock down your sensitive data and make sure that people don’t inadvertently attach it to an email or grant access to somebody who ought not to have it? And at the same time, how do you ensure employees can be productive and flexible? You want to let them work from home, give them access to data when they’re at a customer’s site, or when they’re collaborating on a project remotely. You also have third-party contractors who have different levels of access into your company.

How do you balance security and flexibility? The answer is: it’s a fine line. Collaboration tools are widespread and easy, but securing that collaboration can seem difficult. What are people doing within these collaboration tools? We have a wide variety of users and these days they’re global. We have employees, third-parties, customers, and they’re working with different types of information with many levels of sensitivity. Furthermore, sometimes they’re subject to different regulations that overlap.

Why is SharePoint collaboration hard to secure?

SharePoint and Office 365 make collaboration easy. Users can move files through your global corporate network and across SharePoint Online, from one tenant to another. And sometimes this data will be subject to different regulations. This, combined with online apps that give users remote access from unmanaged devices and with BYOD policies, means that your users will collaborate by sharing data in the fastest and easiest way possible.

If that means taking it out of your SharePoint system and sticking it in Dropbox so that the third-party contractor can see it, they’ll do it. Because that’s easier than going to IT and getting fresh permissions for a contractor. It also means that your employee will have access to these files whenever it is convenient for them – if they’re away from the office, have a work problem to handle and the only device near to them is their kid’s tablet – they’ll use it to access your files.

With Office 365 and SharePoint Online, it’s easier than ever to spin up new SharePoint sites when a manager needs them. And you won’t always be sure if those sites are subject to the same permissions and security you have everywhere.

[Slide: Why is SharePoint collaboration hard to secure? Panels: “Traditional file security doesn’t accommodate a flexible environment” and “File security often relies upon user education”]

Traditional SharePoint file security doesn’t accommodate today’s flexible environments. When we used to secure our file systems, it was by user permissions and library-based access. We also secured the perimeter, but the perimeter isn’t inside your company’s walls anymore, especially when you move to blended environments or move online. In addition, devices are not always controlled and administered by IT.

The regulations that your company can be subject to are often overlapping and contradictory. There are new regulations, particularly in finance industries and with customer privacy data popping up all over the place. You also might be subject to new laws in New York State because you do business there. And if you have customers in the EU, you’ll also be subject to EU GDPR regulation.

Traditional policies are not fine-grained enough to secure both the changing user and files in all of their contexts. As people move around and use different devices, and as the files are moving, you need fine-grained access control. Yet managing the complex permissions can be very difficult and expensive.

We haven’t even talked about whether your users know what to do. Traditionally we’ve relied upon user education, but that doesn’t work. Collaborators will always prioritize getting their work done over operating securely. And even when they’re trying to follow the rules, users don’t always know the rules or remember to follow them. How do you train your users? The answer is you can’t! User education isn’t enough because even trusted employees make mistakes. Half of internal data breaches are due to employee negligence, and these stories can be heartbreaking. For example, a school administrator who needed to send a redacted file in response to a public records request instead grabbed the non-redacted version of the file and sent it out. A simple mistake, and it happens every day. So, how do we protect against this?

Extending SharePoint security capabilities beyond Microsoft

SharePoint and Office 365 are doing a whole lot in the security space and cover some requirements. But sometimes businesses need to go beyond that. They need something more economical and more real-time: a tool that can determine whether this user, in this situation, should be handling this particular file in this way – a finer-grained tool that’s dynamic and real-time.

[Slide: Mixed file storage & mobile users. Enable employee and non-employee collaboration inside and outside the business perimeter; deliver information to corporate and BYOD clients; enforce proper behavior without excess training or impeding work; consistent user policies across mixed SharePoint environments; dynamically adapt to changing user and file contexts.]

Let’s look beyond SharePoint’s native security capabilities. We need to extend the SharePoint and Azure user permissions by evaluating, in real time, the combination of the file’s classification and content with the user’s situation:

  • What is the user’s security clearance?
  • What should they be allowed to do?
  • What’s the context?
  • Where are they located?
  • What device are they on?
  • Who are they?

But this needs to happen without altering the existing SharePoint permissions that have already been tried and tested: the work to secure the perimeter, meet regulations, and comply with government certifications, or permissions that work with SharePoint on-premises. These shouldn’t be altered; instead, a layer needs to be added on top of them to provide dynamic security. We need to:

1. Extend SharePoint and Azure user permissions

  • Evaluate in real-time: file classification / user security clearance / user context
  • Do not alter existing SharePoint permissions that have been “qualified”

2. Automate RMS encryption for specific situations

  • Restrict users, not the file, so that the file is searchable and indexable
  • Encrypt at rest when regulations require it
  • Tailor encryption for the file’s destination

3. Maintain a centralized audit trail for each document and user

  • Regardless of mixed data storage environments
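The three requirements above can be combined in one small decision layer. The Python below is an added illustration, not Cryptzone’s, Security Sheriff’s or Microsoft’s code: it runs after SharePoint’s own permission check (passed in here as the boolean sharepoint_allows, a stand-in for the real lookup and never overridden), compares an assumed four-level classification scheme against the user’s clearance, location and device state, decides whether the request is allowed and whether the delivered copy must be RMS-protected, and appends every decision to a single audit list regardless of where the file is stored. All names, paths, levels and scenarios are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Assumed sensitivity scheme for this example (not a SharePoint built-in):
# a higher index means more sensitive.
LEVELS = ["public", "internal", "confidential", "restricted"]


@dataclass
class FileInfo:
    path: str
    classification: str      # one of LEVELS
    regulated: bool = False  # subject to a rule that requires encryption at rest


@dataclass
class UserContext:
    user: str
    clearance: str           # one of LEVELS; highest classification the user may handle
    location: str            # "office", "home", "customer_site" or "unknown"
    managed_device: bool     # True when IT administers the device
    external: bool = False   # third-party collaborator rather than an employee


@dataclass
class Decision:
    allow: bool
    reason: str
    require_rms: bool = False  # deliver the copy only under rights-management protection


@dataclass
class AuditEntry:
    when: str
    user: str
    path: str
    action: str
    decision: Decision


class DynamicPolicy:
    """Second-stage check layered over SharePoint's own permission result."""

    def __init__(self) -> None:
        self.audit: List[AuditEntry] = []  # one trail for every storage location

    def evaluate(self, user: UserContext, file: FileInfo, action: str,
                 sharepoint_allows: bool) -> Decision:
        decision = self._decide(user, file, action, sharepoint_allows)
        # Central audit trail keyed by document and user.
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                     user.user, file.path, action, decision))
        return decision

    @staticmethod
    def _decide(user: UserContext, file: FileInfo, action: str,
                sharepoint_allows: bool) -> Decision:
        # 1. Existing SharePoint permissions stay authoritative: a deny is never overridden.
        if not sharepoint_allows:
            return Decision(False, "sharepoint_denied")
        # 2. The user's clearance must be at least the file's classification.
        if LEVELS.index(user.clearance) < LEVELS.index(file.classification):
            return Decision(False, "clearance_below_classification")
        # 3. Context rules tighten as sensitivity rises.
        if file.classification == "restricted":
            if user.external or action == "share_external":
                return Decision(False, "restricted_never_leaves_organization")
            if not (user.managed_device and user.location == "office"):
                return Decision(False, "restricted_requires_managed_device_in_office")
        if file.classification == "confidential":
            if action == "share_external":
                # Leaves the tenant only as an RMS-protected copy; the stored file stays
                # unencrypted so it remains searchable and indexable.
                return Decision(True, "external_share_rms_protected", require_rms=True)
            if not user.managed_device:
                if action != "view":
                    return Decision(False, "unmanaged_device_view_only")
                return Decision(True, "unmanaged_device_view_rms", require_rms=True)
        # 4. Encrypt at rest when a regulation requires it, whatever the context.
        if file.regulated:
            return Decision(True, "allowed_regulated_rms", require_rms=True)
        return Decision(True, "allowed")


if __name__ == "__main__":
    policy = DynamicPolicy()
    board_pack = FileInfo("/sites/finance/board-pack.docx", "restricted")  # constructed
    alice_home = UserContext("alice", "restricted", "home", managed_device=False)
    print(policy.evaluate(alice_home, board_pack, "view", sharepoint_allows=True))
    for entry in policy.audit:
        print(entry.when, entry.user, entry.path, entry.action, entry.decision.reason)
```

The order of the rules is the point: the SharePoint result is consulted first and only ever narrowed, so the tried-and-tested permissions are never loosened by the dynamic layer, and the audit list grows by exactly one entry per evaluation whether the answer was allow or deny.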

So how do you achieve all this? How do you extend security capabilities to improve SharePoint?

A Dynamic Collaboration & DLP for SharePoint

Security Sheriff dynamically adjusts file security based on real-time comparison of user context and file content to make sure that users view, use, and share files according to your industry and business’s regulations and policies. It offers:

  • Classification – Locate and classify all data on-premises and in the cloud, encrypt or quarantine when required, and report status to stakeholders.

  • Collaboration – Trusted users can collaborate on any device and in any location, knowing that all data is secure, even when it leaves the company.

  • Administration – Policies and permissions are managed by admins who know the policies, users and data, thereby reducing cost and frustration.

To learn more about Security Sheriff, watch my on-demand webinar.


Diana South

As Senior Product Marketing Manager, Diana South is responsible for Cryptzone’s data loss prevention and digital accessibility solutions. Diana brings over 20 years of experience with enterprise software to help organizations provide equal and secure access for their users, delivering products that become integral to the customers' business.
