Is Your SharePoint Environment Dynamically Secured Against These 3 Scenarios?

April 28, 2017

To protect SharePoint users and files, dynamic security is key. By “dynamic security”, I mean a balance between locking down sensitive files and giving users the flexibility to actually find and use them. To do this, SharePoint security needs to depend on file content and user context, accommodating all SharePoint files in motion.

There are a number of scenarios where dynamic file protection adds security beyond what’s native in SharePoint today. Is your SharePoint environment dynamically secured against these three scenarios?

First, here is an example set of dynamic security policies:

  1. External contractors must never see documents classified as internal
  2. Users must have a higher security clearance than the document’s classification to gain access
  3. Project documents should only ever be accessed by project team members
  4. Unclassified documents are hidden to all but the creator until they have been classified
  5. External contractors must never share documents outside of the company
  6. Top Secret documents may only reside in headquarters (use secure viewer when outside of HQ)
  7. Confidential documents must be encrypted and protected against copy, download, and print outside of HQ

Scenario 1: Employee on campus

The campus is using a hybrid SharePoint environment. An employee is working on campus as a member of Project team A.

Figure 1: Employee on campus scenario

This employee has full clearance, and because she is located at headquarters, she is granted access to all Project A documents. She is allowed to share and download content because she is working at the office where this activity is permitted according to policy.

When this same employee tries to work with a top-secret document, extra protection is applied: the document is encrypted when she removes it from the secured SharePoint environment.

Scenario 2: Employee working remotely

An employee who has full clearance on multiple projects is working remotely from a coffee shop. The level of protection applied to the documents within those projects can be changed dynamically and in real time.

Figure 2: Employee working remotely

If the employee attempts to view top-secret documents, she will only be able to view them in the most secure manner possible. This same employee is a member of the Project A and B teams, so documents within those projects are visible. Context is considered based on the employee’s location, so certain actions are denied: the ability to print or copy a document. If a document is extracted from the SharePoint environment, protection, including file-level encryption, is applied. This employee is able to access and use sensitive files, but because a file is appropriately encrypted when she removes it from SharePoint, it can be tracked and destroyed if her device is compromised.

Scenario 3: Contractor (non-employee)

An external contractor who uses an unsecured device from an unknown location needs to have limited clearance to Project A files and nothing more. This individual sits outside of the organization and is not on a trusted network or device, so any sensitive files that he uses must be protected. The organization cannot trust a non-employee with sensitive data, but it is important to grant him the flexibility he needs to contribute to the project.

Figure 3: Contractor

The contractor should be allowed to view files they are working on associated with Project A. For any of the files the contractor can view, the organization should control exactly how this contractor is able to work with them. Top-secret documents associated with Project A should be completely hidden from the external contractor. As with the remote employee, any documents removed from the SharePoint environment should be appropriately encrypted so that permissions can be revoked if necessary. Using dynamic security principles, this approach can enable an external contractor to contribute to a project without risk of that non-employee seeing any inappropriate files. Also, if this person abuses his access, the organization can still protect the data he removed from the secured SharePoint environment.

Dynamically Protecting Users and Files

On one side of the dynamic security equation are the users.

Each user has more than just a username. They have attributes such as:

  • Device type
  • Location
  • Department membership
  • Security clearance
  • Group permissions
  • Time

Figure 6: User properties

Dynamic security enables organizations to consume these different user attributes from many different locations and apply the appropriate policies in real-time.

On the other side of the dynamic security equation are the files and their attributes such as:

  • Location in the hybrid environment
  • Location in a specific library
  • Create date
  • Author
  • Unique tag to identify association with specific projects

Figure 7: File identity

The key to balancing file security and user flexibility is evaluating both user and file attributes to create sophisticated policies. If any of these attributes change, policies are updated in real‑time, whenever a user accesses a file. This is dynamic security.
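To make the evaluation concrete, here is an added sketch (not Cryptzone's or Security Sheriff's code) that applies the seven example policies listed earlier to the three scenarios, deciding each request from user and file attributes at access time. The numeric clearance scale, the "public" level, the user names and the obligation labels are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional
# Assumed classification ordering; "public" is a constructed lowest level.
RANK = {"public": 0, "internal": 1, "confidential": 2, "top_secret": 3}
ALL_ACTIONS = frozenset({"view", "print", "copy", "download", "share"})

@dataclass(frozen=True)
class User:
    name: str
    clearance: int        # numeric clearance, compared with RANK (policy 2)
    projects: frozenset   # project team memberships
    external: bool        # True for contractors
    at_hq: bool           # location resolved at request time

@dataclass(frozen=True)
class Doc:
    project: str
    classification: Optional[str]   # None = not yet classified
    creator: str

def decide(user, doc):
    """Return (allowed_actions, obligations); no actions means hidden."""
    hidden = (set(), set())
    if doc.classification is None:    # policy 4 (assumed: creator is view-only)
        return ({"view"}, set()) if user.name == doc.creator else hidden
    if doc.project not in user.projects:                    # policy 3
        return hidden
    if user.external and doc.classification == "internal":  # policy 1
        return hidden
    if user.clearance <= RANK[doc.classification]:          # policy 2
        return hidden
    actions, obligations = set(ALL_ACTIONS), set()
    if user.external:                                       # policy 5
        actions.discard("share")
    if not user.at_hq and doc.classification == "top_secret":      # policy 6
        actions = {"view"}
        obligations.add("secure_viewer")
    elif not user.at_hq and doc.classification == "confidential":  # policy 7
        actions -= {"print", "copy", "download"}
        obligations.add("encrypt")
    return actions, obligations

# Constructed sample subjects for the three scenarios.
EMPLOYEE_HQ = User("alice", 4, frozenset({"A", "B"}), False, True)
EMPLOYEE_REMOTE = replace(EMPLOYEE_HQ, at_hq=False)
CONTRACTOR = User("carl", 1, frozenset({"A"}), True, False)
```

Because `decide` is called on every request, moving the same employee from headquarters to a coffee shop changes the result for a top-secret Project A document from full access to view-only with a `secure_viewer` obligation, without any change to stored permissions.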

Applying Dynamic File Protection to SharePoint

To protect both users and files in these scenarios, dynamic security is key. Learn how Cryptzone Security Sheriff applies dynamic file protection to SharePoint: by combining user attributes with file attributes, organizations can create sophisticated and dynamic policies.

Watch the on-demand webinar on Dynamically Securing SharePoint Content – Easily and Quickly. This webinar discusses best practices to secure SharePoint content in today’s collaborative and mobile world, including:

  • Applying dynamic policy-based permissions based on metadata attributes and/or user properties
  • Eliminating headaches maintaining user-groups, inherited permissions and folder permissions
  • Automatically changing security based on users’ changing permissions, locations and devices
  • Enforcing security to 3rd-party collaborators
  • Securing search results and external connection points
  • Document-level control of ribbon features users can use, based on dynamic user-properties

Diana South

As Senior Product Marketing Manager, Diana South is responsible for Cryptzone’s data loss prevention and digital accessibility solutions. Diana brings over 20 years of experience with enterprise software to help organizations provide equal and secure access for their users, delivering products that become integral to the customers' business.
