4 Security Guidelines for SharePoint Governance

© 2013 Imperva, Inc. All rights reserved. SharePoint Governance: 4 Security Guidelines 1 Carrie McDaniel, File Security Team

Upload: imperva

Post on 19-Jan-2015


Page 1: 4 Security Guidelines for SharePoint Governance

SharePoint Governance: 4 Security Guidelines

Carrie McDaniel, File Security Team

Page 2: 4 Security Guidelines for SharePoint Governance

Agenda

§ Introduction to SharePoint governance

§ Common business drivers

§ 4 guidelines for SharePoint governance and security

§ SecureSphere for SharePoint

§ Q&A

Page 3: 4 Security Guidelines for SharePoint Governance

Carrie McDaniel – File Security Team

§ Product Marketing Manager for File Security; focus on SharePoint security

§ Previously held product marketing position at Moody’s Analytics in San Francisco

§ Past experience in finance and tech industries at Wells Fargo and NetApp

§ Holds degrees in Marketing and French from Santa Clara University

Page 4: 4 Security Guidelines for SharePoint Governance

Efficient & Effective Use of Business Data

BUILD: Build sites, Build apps, Publish apps

MANAGE: Manage costs, Manage risk, Manage time

DISCOVER: Connect across the organization, Draw insights from reports, Customizable search

ORGANIZE: Keep projects on track, Connect with your team, Store and sync documents

SHARE: Share ideas with social features, Share content internally and externally

microsoft.com

Page 5: 4 Security Guidelines for SharePoint Governance

Challenges

•  Migration

•  Customization

•  Security

•  Rollout

•  Adoption

Page 6: 4 Security Guidelines for SharePoint Governance

Microsoft’s View of SharePoint Governance

§  Streamlining the deployment of products and technologies

§  Helping protect your enterprise from security threats or noncompliance liability

§  Helping ensure the best return on your investment in technologies

Governance is the set of policies, roles, responsibilities, and processes that guide, direct, and control how an organization's business divisions and IT teams cooperate to achieve business goals.

Page 7: 4 Security Guidelines for SharePoint Governance

Governance From The Start, Or…

Page 8: 4 Security Guidelines for SharePoint Governance

Business Drivers for Effective SharePoint Governance

ADOPTION

COMPLIANCE

RISK

41%

72%

82%

Page 9: 4 Security Guidelines for SharePoint Governance

4 Steps to Streamline SharePoint Security Governance Efforts

Page 10: 4 Security Guidelines for SharePoint Governance

Step 1: Identify and Secure Critical Business Assets

§ Address valuable data targets

Financial Information

Personal Health Information (PHI)

Legal Documents

Intellectual Property

Personally Identifiable Information (PII)

Page 11: 4 Security Guidelines for SharePoint Governance

Step 1: Identify and Secure Critical Business Assets

§  Identify valuable data targets

You need to identify the data assets that generate value for the business that are high-risk targets for cybercriminals, or that are subject to regulatory compliance, and then focus your efforts there.

Forrester Research, Inc.

Page 12: 4 Security Guidelines for SharePoint Governance

Step 1: Identify and Secure Critical Business Assets

§ Address valuable data targets

§ Secure business critical assets with automation

Page 13: 4 Security Guidelines for SharePoint Governance

Step 2: Establish a User Rights Management Framework

Common Access Rights Risks

§ Sensitive content accessible to everyone

§ Access rights granted but not used

§ Data where individual users have rights, not groups

§ Dormant user accounts and stale files

Page 14: 4 Security Guidelines for SharePoint Governance

Step 2: Establish a User Rights Management Framework

The top four internal and external audit findings relate to access management, with excessive access rights being the top audit finding.

Deloitte

Page 15: 4 Security Guidelines for SharePoint Governance

Step 2: Establish a User Rights Management Framework

Benefits of Automating User Rights Management

§ Streamline access processes

§ Formalize the approval cycle

§ Report on effective permissions, usage, and permissions changes

§ Send permissions and usage reports on a scheduled basis for review

§ Identify data owners

§ Track approval tasks

Page 16: 4 Security Guidelines for SharePoint Governance

Step 2: Establish a User Rights Management Framework

Understanding How Access is Granted

§ Gain insight into how access was granted

§ Align access with business need-to-know

§ Minimize business interruptions

Page 17: 4 Security Guidelines for SharePoint Governance

Step 2: Establish a User Rights Management Framework

Unauthorized Access Scenarios

A high volume of activity within a short period of time

Operations outside of normal business hours or maintenance windows

Activity from suspicious or external IPs

Access of sensitive data from different departments or by administrators

Creation of new sites or administrative accounts

Page 18: 4 Security Guidelines for SharePoint Governance

Step 3: Defend Applications from Web Attacks and Code Exploits

§  Test SharePoint applications

§ Scan for vulnerabilities

§ Perform virtual patching

Page 19: 4 Security Guidelines for SharePoint Governance

Step 3: Defend Applications from Web Attacks and Code Exploits

Web Application Firewalls genuinely raise the bar on application security…they ‘virtually’ patch the application faster than code fixes can be implemented.

Adrian Lane, CTO, Securosis

Page 20: 4 Security Guidelines for SharePoint Governance

Step 4: Trust, But Verify, User Behavior

§ Establish a complete audit trail

§  Leverage sophisticated analytics and reporting capabilities

Address compliance requirements

Monitor activity in real-time

Store data in a secured, centralized repository

Enrich native audit information

Page 23: 4 Security Guidelines for SharePoint Governance

Where Native SharePoint Security and Controls Fall Short

Defending against Web-based attacks

Maintaining a comprehensive audit trail

Real-time responses to unwanted activity

Managing permissions and rights

Performing rights reviews

Monitoring MS SQL database activity

Page 24: 4 Security Guidelines for SharePoint Governance

Imperva Data Security

External Customers

Staff, Partners Hackers

Internal Employees

Malicious Insiders Compromised Insiders

Data Center Systems and Admins

Tech. Attack Protection

Logic Attack Protection

Fraud Prevention

Usage Audit

User Rights Management

Access Control

Page 25: 4 Security Guidelines for SharePoint Governance

Security for SharePoint’s File, Web and Database Resources

Web Application Firewall

File Activity Monitoring

Database Firewall

§  Protection against Web-based attacks

§  Tuned for Microsoft SharePoint traffic

§  Fraud prevention and reputation controls available

§  Protect against changes to SQL server that would render it unsupportable by Microsoft

§  Enforce separation of duties

§  Prevent unauthorized access and fraudulent activity

§  Monitor and audit file activity

§  Comprehensive user rights management

§  Enforce file access control policies

SecureSphere for SharePoint

Page 26: 4 Security Guidelines for SharePoint Governance


Audit

Enterprise Users

The Internet

SQL Injection

XSS

IIS Web Servers

Application Servers

MS SQL Databases

Web-Application Firewall

Activity Monitoring & User Rights Management

Excessive Rights

Administrators

DB Activity Monitoring & Access Control

Unauthorized Changes

Audit

Unauthorized Access

Layers of SharePoint Protection


Page 28: 4 Security Guidelines for SharePoint Governance

Additional Resources

DOWNLOAD SHAREPOINT GOVERNANCE & SECURITY WHITE PAPER

VIEW SHAREPOINT SECURITY CUSTOMER STORY

Page 29: 4 Security Guidelines for SharePoint Governance

www.imperva.com