Posted: 24-Dec-2015
Microsoft SharePoint A Risk Worth Taking Rob Davis, CISSP Area Vice President RSA, the Security Division of EMC
Page 1

Microsoft SharePoint: A Risk Worth Taking

Rob Davis, CISSP

Area Vice President

RSA, the Security Division of EMC

Page 2

SharePoint Maturity in Enterprises

[Stacked bar chart: for each use case (personal pages, file dump site, intranet/extranet, ERP integration, threaded discussions, records management, business intelligence), the share of requirements (0–100%) met by each source in the legend: capabilities of SP, partner extensions, community, custom development, other software]

These bars represent examples – requirements differ by instance

Source: Burton Group

Page 3

Google Trends – SharePoint vs. WebSphere

Page 4

SharePoint versus Xbox

Page 5

SharePoint... it's so easy!

Sites are easy to configure

MOSS 2007 is becoming more strategic:

• Leveraged to collaborate with partners and contractors

• Leveraged for content management

• Leveraged for application development

SharePoint deployments contain sensitive or regulated data – even if you don't think so.

Source: Forrester, 7/08

Bottom line: SharePoint is quickly becoming an enterprise application for many organizations.

Page 6

Securing an Information Infrastructure

Key Challenges

SharePoint Security

Recommendations

Page 7

Challenge #1: Information Sprawl

[Diagram: sensitive information spread across every tier of the infrastructure (apps/DB, storage, FS/CMS, network, endpoint): enterprise applications, business analytics, production database and its replica, backup disk, backup tape, disk arrays, file server, SharePoint, eRoom, etc., all reached by internal employees]

Page 8

Challenge #2: Identity Sprawl

[Diagram: the same tiers (apps/DB, storage, FS/CMS, network, endpoint) now reached by many identity types: internal employees, privileged users at each tier, contractors, partners and customers through partner entry points and channels, and remote employees over VPN]

Page 9

Challenge #3: Infrastructure Sprawl

[Diagram: the same information, identities and tiers, with cloud, virtualization and mobility extending the infrastructure beyond the data center]

Page 10

Challenge #4: Increasing Threats

[Diagram: the same infrastructure map with a threat placed at each tier and identity:]

• IP sent to non-trusted user

• Stolen IP

• App, DB or encryption key hack

• Fraud

• Stolen credentials

• Endpoint theft/loss

• Network leak via email, IM, HTTP, FTP, etc.

• Privileged user breach

• Inappropriate access

• Tapes lost or stolen

• Data leak via USB/print

• Public infrastructure access hack

• Unintentional distribution

• (Semi-)trusted user misuse

• Discarded disk exploited

Page 11

Challenge #5: Increasing Regulation

[Diagram: the same infrastructure map, now also reached by the public, drawn over a background listing the regulations below]

Sarbanes-Oxley Act (SOX) ~ PCAOB ~ SAS 94 ~ AICPA/CICA Privacy Framework ~ AICPA Suitable Trust Services Criteria ~ SEC Retention of Records, 17 CFR 210.2-06 ~ SEC Controls and Procedures, 17 CFR 240.15d-15 ~ SEC Reporting Transactions and Holdings, 17 CFR 240.16a-3 ~ Basel II ~ BIS Sound Practices for the Management and Supervision of Operational Risk ~ Gramm-Leach-Bliley Act (GLB) ~ Standards for Safeguarding Customer Information, FTC 16 CFR 314 ~ Privacy of Consumer Financial Information Rule ~ Safety and Soundness Standards, Appendix of 12 CFR 30 ~ FFIEC Information Security ~ FFIEC Development Acquisition ~ FFIEC Business Continuity Planning ~ FFIEC Audit ~ FFIEC Management ~ FFIEC Operations ~ NASD ~ NYSE ~ Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1 ~ Records to be made by exchange members, SEC 17 CFR 240.17a-3 ~ Records to be preserved by exchange members, SEC 17 CFR 240.17a-4 ~ Recordkeeping, SEC 17 CFR 240.17Ad-6 ~ Record retention, SEC 17 CFR 240.17Ad-7 ~ HIPAA (Health Insurance Portability and Accountability Act) ~ HIPAA HCFA Internet Security Policy ~ NIST Introductory Resource Guide for [HIPAA] (800-66) ~ CMS Core Security Requirements (CSR) ~ CMS Information Security Acceptable Risk Safeguards (ARS) ~ CMS Information Security Certification & Accreditation (C&A) ~ FDA Electronic Records; Electronic Signatures 21 CFR Part 11+D1 ~ Federal Energy Regulatory Commission (FERC) ~ North American Electric Reliability Council (NERC) ~ VISA CISP (Cardholder Information Security Program) ~ Mastercard SDP (Site Data Protection) Program ~ American Express DSS (Data Security Standard) ~ PCI DSS (Payment Card Industry Data Security Standard) ~ FTC ESIGN (Electronic Signatures in Global and National Commerce Act) ~ Uniform Electronic Transactions Act (UETA) ~ FISMA (Federal Information Security Management Act) ~ FISCAM (Federal Information System Controls Audit Manual) ~ FIPS Security Requirements for Cryptographic Modules 140-2 ~ FIPS Guideline 
for the Analysis of LAN Security 191 ~ FIPS Application Profile for GILS 192 ~ Clinger-Cohen Act (Information Technology Management Reform Act) ~ National Strategy to Secure Cyberspace ~ GAO Financial Audit Manual ~ DOD ...Standard for Electronic Records Management Software...5015-2 ~ CISWG Report on the Best Practices Subgroup ~ CISWG Information Security Program Elements ~ NCUA Guidelines for Safeguarding Member Information 12 CFR 748 ~ IRS Revenue Procedure: Retention of books and records 97-22 ~ IRS Revenue Procedure: Record retention: automatic data processing… 98-25 ~ IRS Internal Revenue Code Section 501(c)(3) ~ Federal Rules of Civil Procedure ~ Uniform Rules of Civil Procedure ~ ISO 15489-1 Information and Documentation: Records management: General ~ ISO 15489-2 Information and Documentation: Records management: Guidelines ~ DIRKS: A Strategic Approach to Managing Business Information ~ Sedona Principles Addressing Electronic Document Production ~ NIST ...Principles and Practices for Securing IT Systems 800-14 ~ NIST ...Developing Security Plans for Federal Information Systems 800-18 ~ NIST Security Self-Assessment Guide... 800-26 ~ NIST Risk Management Guide... 800-30 ~ NIST Contingency Planning Guide... 800-34 ~ NIST ...Patch and Vulnerability Management Program 800-40 ~ NIST Guidelines on Firewalls and Firewall Policy 800-41 ~ NIST Security Controls for Federal Information Systems 800-53 ~ NIST ... 
Mapping...Information and...Systems to Security Categories 800-60 ~ NIST Computer Security Incident Handling Guide 800-61 ~ NIST Security Considerations in...Information System Development 800-64 ~ ISO 73:2002 Risk management -- Vocabulary ~ ISO 1335 Information technology – Guidelines for management of IT Security ~ ISO 17799:2000 Code of Practice for Information Security Management ~ ISO 27001:2005 ...Information Security Management Systems -- Requirements ~ IT Information Library (ITIL) Planning to Implement Service Management ~ IT Information Library (ITIL) ICT Infrastructure Management ~ IT Information Library (ITIL) Service Delivery ~ IT Information Library (ITIL) Service Support ~ IT Information Library (ITIL) Application Management ~ IT Information Library (ITIL) Security Management ~ COSO Enterprise Risk Management (ERM) Framework ~ CobiT 3rd Edition ~ CobiT 4th Edition ~ ISACA IS Standards, Guidelines, and Procedures for Auditing and Control... ~ NFPA 1600 ...Disaster/Emergency Management and Business Continuity... 
~ Information Security Forum (ISF) Standard of Good Practice ~ Information Security Forum (ISF) Security Audit of Networks ~ A Risk Management Standard, jointly issued by AIRMIC, ALARM, and IRM ~ Business Continuity Institute (BCI) Good Practice Guidelines ~ IIA Global Technology Audit Guide - Information Technology Controls ~ ISSA Generally Accepted Information Security Principles (GAISP) ~ CERT Operationally Critical Threat, Asset & Vulnerability Evaluation (OCTAVE) ~ Cable Communications Privacy Act Title 47 § 551 ~ Telemarketing Sales Rule (TSR) amendment 16 CFR 310.4(b)(3)(iv) ~ CAN SPAM Act ~ Children's Online Privacy Protection Act (COPPA) 16 CFR 312 ~ Children's Online Privacy Protection Act (COPPA) 16 CFR 312 ~ Driver's Privacy Protection Act (DPPA) 18 USC 2721 ~ Family Education Rights Privacy Act (FERPA) 20 USC 1232 ~ Privacy Act of 1974 5 USC 552a ~ Telemarketing Sales Rule (TSR) 16 CFR 310 ~ Video Privacy Protection Act (VPPA) 18 USC 2710 ~ Specter-Leahy Personal Data Privacy and Security Act ~ AR Personal Information Protection Act SB 1167 ~ AZ Amendment to Arizona Revised Statutes 13-2001 HB 2116 ~ CA Information Practice Act SB 1386 ~ CA General Security Standard for Businesses AB 1950 ~ CA Public Records Military Veteran Discharge Documents AB 1798 ~ CA OPP Recommended Practices on Notification of Security Breach ~ CO Prohibition against Using Identity Information for Unlawful Purpose HB 1134 ~ CO Consumer Credit Solicitation Protection HB 1274 ~ CO Prohibiting Inclusion of Social Security Number HB 1311 ~ CT Requiring Consumer Credit Bureaus to Offer Security Freezes SB 650 ~ CT Concerning Nondisclosure of Private Tenant Information HB 5184 ~ DE Computer Security Breaches HB 116 ~ FL Personal Identification Information/Unlawful Use HB 481 ~ GA Consumer Reporting Agencies SB 230 ~ GA Public employees; Fraud, Waste, and Abuse HB 656 ~ HI Exempting disclosure of Social Security numbers HB 2674 ~ IL Personal Information Protection Act HB 1633 ~ IN 
Release of Social Security Number, Notice of Security Breach SB 503 ~ LA Database Security Breach Notification Law SB 205 Act 499 ~ ME To Protect Maine Publics from Identity Theft LD 1671 ~ MN Data Warehouses; Notice Required for Certain Disclosures HF 2121 ~ MO HB 957 ~ MT To Implement Individual Privacy and to Prevent Identity Theft HB 732 ~ NJ Identity Theft Prevention Act A4001/S1914 ~ NY A4254, A3492 [no title] ~ NV SB 347 [no title] ~ NC Security Breach Notification Law (Identity Theft Protection Act) SB 1048 ~ ND Personal information protection act SB 2251 ~ OH Personal information -- contact if unauthorized access HB 104 ~ RI Security Breach Notification Law H 6191 ~ TN Security Breach Notification SB 2220 ~ TX Identity Theft Enforcement and Protection Act SB 122 ~ VT Relating to Identity Theft HB 327 ~ VA Identity theft; penalty; restitution; victim assistance HB 872 ~ WA Notice of a breach of the security SB 6043 ~ EU Directive on Privacy and Electronic Communications 2002/58/EC ~ EU Directive on Data Protection 95/46/EC ~ US Department of Commerce EU Safe Harbor Privacy Principles ~ ...Consumer Interests in the Telecommunications Market Act No. 
661 ~ Directive On Privacy And Electronic Communications 2002.58.EC ~ OECD Technology Risk Checklist ~ OECD Guidelines on...Privacy and Transborder Flows of Personal Data ~ UN Guidelines for the Regulation of Computerized Personal Data Files (1990) ~ ISACA Cross-border Privacy Impact Assessment ~ The Combined Code on Corporate Governance ~ Turnbull Guidance on Internal Control, UK FRC ~ Smith Guidance on Audit Committees Combined Code, UK FRC ~ UK Data Protection Act of 1998 ~ BS 15000-1 IT Service Management Standard ~ BS 15000-2 IT Service Management Standard - Code of Practice ~ Canada Keeping the Promise for a Strong Economy Act Bill 198 ~ Canada Personal Information Protection and Electronic Documents Act ~ Canada Privacy Policy and Principles ~ Argentina Personal Data Protection Act ~ Mexico Federal Personal Data Protection Law ~ Austria Data Protection Act ~ Austria Telecommunications Act ~ Bosnia Law on Protection of Personal Data ~ Czech Republic Personal Data Protection Act ~ Denmark Act on Competitive Conditions and Consumer Interests ~ Finland Personal Data Protection Act ~ Finland Amendment of the Personal Data Act ~ France Data Protection Act ~ German Federal Data Protection Act ~ Greece Law on Personal Data Protection ~ Hungary Protection of Personal Data and Disclosure of Data of Public Interest ~ Iceland Protection of Privacy as regards the Processing of Personal Data ~ Ireland

20% of IT staff time

Page 12

SharePoint Security Survey

68% of respondents reported that their organization did not have adequate tools for governing the data held on SharePoint

47% admitted that many employees, temporary staff or contractors often have access to documents on SharePoint that are not pertinent to their role or responsibilities

Survey conducted by the Ponemon Institute, December 2008

Page 13

Most important security capability for SharePoint?

Source: RSA SharePoint Customer Survey, Jan. 2009

[Bar chart, axis "Ranked most important (#1)"; bar values as extracted, in order: 28, 123, 36, 31, 17, 32]

• Grant/modify/revoke user access privileges to SharePoint sites

• Grant/modify/revoke user access privileges to specific resources within SharePoint sites (e.g., files)

• Identify sensitive information within SharePoint sites

• Identify users and user groups with access to sensitive information available via SharePoint sites

• Monitor access to sensitive information available via SharePoint sites in order to identify unusual user activity

• Monitor when and where sensitive information is created in your SharePoint environment

Page 14

The SharePoint Security Problem

[Diagram: three overlapping areas: information, identities, infrastructure]

• Unfettered growth of SharePoint

• No visibility to sensitive data

• Excessive privileges

• Need for reporting on actual access to sensitive data

Page 15

Securing an Information Infrastructure

Key Challenges

SharePoint Security

Recommendations

Page 16

SharePoint or Active Directory Groups?

Page 17

SharePoint Technology Challenges

Platform Services

Fragmented architecture makes administration difficult:

• Microsoft shows its departmental server heritage: a large system is a collection of many, rather than a unified whole with subcomponents

• SharePoint is viewed as a 'no cost' solution and is easy to install, creating chaos!

• SharePoint uses other services (e.g., IIS, .NET, SQL Server), creating dependencies

[Diagram: the Microsoft products SharePoint depends on: SQL Server, .NET, IIS]

Page 18

Example Multi-Farm Topology

Page 19

SharePoint Governance Model by Microsoft

[Diagram: tiers of the governance model, each labelled with a lifetime and its services]

Permanent: Enterprise Search; Business Process Management

Semi-permanent: Private & Shared Contextual Collaboration

As needed: Document & Records Management

Short-lived: Collaboration

Other labels on the diagram: News; KPIs – Business Intelligence; Corporate Business Taxonomy; with divisional stakeholders; exists with AD user; ad hoc self-service; w/ retention policies; Dashboards; Division-scoped Search; Group Reporting & Scorecards; Site Directories & Site Maps; Aggregation; Project Reports

Page 20

Office SharePoint Server Security

277 pages

Table of contents is 6 pages

Lots of great tidbits, such as the one below:

"Be aware, however, that there is no way to view all of the permissions specific to lists, libraries, folders, items, or documents within a site. This means that it is difficult to quickly ascertain who has permissions on which securable objects and also difficult to reset any fine-grained permissions in bulk."
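The quote describes a gap in the product's administration pages; the server object model does expose the data. The PowerShell script below is an added example, not from the presentation or from the Microsoft document it quotes: it walks a site collection with the WSS 3.0 / MOSS 2007 object model (Microsoft.SharePoint.dll, PowerShell 2.0 on a farm server) and reports every web, list, folder and item that has stopped inheriting permissions, together with who holds which role on it. The site URL and output path are assumptions.

```powershell
# Added example, not from the presentation or from the Microsoft document it quotes:
# inventory of securable objects with unique (non-inherited) permissions in one
# site collection, using the WSS 3.0 / MOSS 2007 server object model. Run on a farm
# server under an account that can read the whole site collection.
# The site URL and output path in the usage lines are assumptions.

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

function Get-RoleAssignmentRows {
    param($Securable, [string]$Kind, [string]$Location)
    # One row per (principal, role definition) pair on an object with unique permissions.
    foreach ($ra in $Securable.RoleAssignments) {
        foreach ($role in $ra.RoleDefinitionBindings) {
            New-Object PSObject -Property @{
                Kind      = $Kind
                Location  = $Location
                Principal = $ra.Member.Name
                Role      = $role.Name
            }
        }
    }
}

function Get-UniquePermissionReport {
    param([string]$SiteUrl, [switch]$IncludeItems)
    $site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # The root web always has its own permissions; only report subwebs that broke inheritance.
                if ($web.HasUniqueRoleAssignments -and -not $web.IsRootWeb) {
                    Get-RoleAssignmentRows $web 'Web' $web.Url
                }
                foreach ($list in $web.Lists) {
                    if ($list.HasUniqueRoleAssignments) {
                        Get-RoleAssignmentRows $list 'List' "$($web.Url)/$($list.RootFolder.Url)"
                    }
                    foreach ($folder in $list.Folders) {
                        if ($folder.HasUniqueRoleAssignments) {
                            Get-RoleAssignmentRows $folder 'Folder' "$($web.Url)/$($folder.Url)"
                        }
                    }
                    # Item-level checks touch every item in every library; opt in explicitly.
                    if ($IncludeItems) {
                        foreach ($item in $list.Items) {
                            if ($item.HasUniqueRoleAssignments) {
                                Get-RoleAssignmentRows $item 'Item' "$($web.Url)/$($item.Url)"
                            }
                        }
                    }
                }
            } finally {
                $web.Dispose()   # SPWeb holds unmanaged resources; release each one
            }
        }
    } finally {
        $site.Dispose()
    }
}

# Usage: write the inventory to CSV for review. An empty file means everything
# below the site collection root inherits its permissions.
# Get-UniquePermissionReport -SiteUrl 'http://portal.example.local' -IncludeItems |
#     Sort-Object Location, Principal |
#     Export-Csv -Path 'C:\Reports\sharepoint-unique-permissions.csv' -NoTypeInformation
```

Run without -IncludeItems first: web, list and folder breaks are cheap to enumerate and are where most fine-grained permissions accumulate, while item-level enumeration reads every item in every library and should be scheduled off-hours on a large farm.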

Page 21

10 Ways to Harden your SharePoint Environment

1. Configure firewall rules: lock down to the most restrictive set that keeps an acceptable level of usability (consider blocking outbound HTTP)

2. Secure client communication with trusted SSL certificates (128-bit HTTPS)

3. IPsec (secure communication between servers)

4. Enable Kerberos authentication (intranet)

5. SQL: SSL-encrypted traffic + non-standard port

6. Configure Central Admin on App DMZ servers

7. Restrict IP traffic on Central Admin and SSP Admin (IIS)

8. Configure deny web application policies for content & admin

9. Configure ISA secure publishing

10. Configure Forefront antivirus and content scanning
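As an added example that is not part of the presentation, the PowerShell script below applies the firewall-rule, Central Admin restriction and non-standard SQL port items of the list above with the built-in netsh advfirewall tool (Windows Server 2008 or later, run as Administrator). Every address, port and rule name is an assumption for illustration.

```powershell
# Added example, not from the presentation or any RSA/Microsoft tool: restrictive
# host firewall rules for a SharePoint web front-end (WFE) and its SQL Server host
# using netsh advfirewall (Windows Server 2008 or later, elevated prompt).
# All addresses, ports and rule names below are assumptions; replace them for your farm.

$WebFrontEnds     = '10.0.1.10,10.0.1.11'   # assumed WFE/app server addresses (comma list for netsh)
$AdminSubnet      = '10.0.9.0/24'           # assumed admin workstation subnet
$CentralAdminPort = 40000                   # assumed Central Administration port
$SqlPort          = 14330                   # assumed non-standard SQL Server port
$RulePrefix       = 'SharePoint hardening:'

function Set-FirewallRule {
    param([string]$Name, [string]$Dir, [string]$Action, [string]$Protocol,
          [string]$PortArg, [string]$RemoteIp = 'any')
    $full = "$RulePrefix $Name"
    # Delete any previous copy so the script can be re-run without duplicating rules.
    netsh advfirewall firewall delete rule name="$full" | Out-Null
    netsh advfirewall firewall add rule name="$full" "dir=$Dir" "action=$Action" `
        "protocol=$Protocol" $PortArg "remoteip=$RemoteIp" enable=yes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed adding rule '$full'" }
}

function Set-SharePointFirewall {
    param([ValidateSet('WFE', 'SQL')][string]$Role)
    # Default-deny inbound on every profile: only explicit rules below let traffic in.
    netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound" | Out-Null
    switch ($Role) {
        'WFE' {
            # Users reach content only over HTTPS with a trusted certificate.
            Set-FirewallRule 'HTTPS from clients' in allow TCP "localport=443"
            # Central Administration answers only to the admin subnet.
            Set-FirewallRule 'Central Admin from admin subnet' in allow TCP "localport=$CentralAdminPort" $AdminSubnet
            # "Consider blocking HTTP out": a block rule wins over the allow-outbound default,
            # so exempt update or proxy hosts that legitimately need port 80 before enabling this.
            Set-FirewallRule 'Block outbound HTTP' out block TCP "remoteport=80"
        }
        'SQL' {
            # Only the SharePoint servers may reach the non-standard SQL port.
            Set-FirewallRule 'SQL from SharePoint servers' in allow TCP "localport=$SqlPort" $WebFrontEnds
            # The default instance port stays closed, and so does SQL Browser (UDP 1434):
            # left reachable, Browser would simply tell a scanner which port SQL moved to.
            Set-FirewallRule 'Block default SQL port' in block TCP "localport=1433"
            Set-FirewallRule 'Block SQL Browser' in block UDP "localport=1434"
        }
    }
}

function Get-SharePointFirewallRules {
    # Lists the rules this script owns so the resulting policy can be reviewed or audited.
    netsh advfirewall firewall show rule name=all | Select-String -Pattern $RulePrefix -SimpleMatch
}

# Usage: run on each host with its role, then review the result.
# Set-SharePointFirewall -Role WFE
# Set-SharePointFirewall -Role SQL
# Get-SharePointFirewallRules
```

Moving SQL to a non-standard port only hides it from casual scans if the SQL Browser service is also unreachable, which is why the SQL role blocks UDP 1434 as well; the SSL part of that item is configured on the SQL Server side and is not covered here.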

Page 22

Forefront Security for SharePoint

[Diagram: users upload and download documents through the SharePoint server, whose document libraries are stored in SQL; Forefront scans documents at the server]

Virus protection for document libraries:

• Integrates scan engines from eight industry-leading vendors

• Real-time scanning of documents uploaded to and downloaded from the document library

• Manual and scheduled scanning of the document library

Content policy enforcement:

• File filtering to block documents from being posted based on name match, file type or file extension

• Content filtering by keywords within documents for inappropriate words and phrases
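A file-filtering rule is only as good as its notion of "file type": a rule that checks the extension alone is satisfied by renaming the file. As an added example that is not from the presentation or from Forefront itself, the PowerShell function below evaluates an upload against the three criteria the slide lists (name match, file type, extension), taking the file type from the file's leading bytes rather than its name. The block lists and signature table are constructed for illustration.

```powershell
# Added example, not from the presentation or from Forefront: an upload policy check
# that applies name-match, extension and content-type rules. The block lists and
# the signature table are constructed assumptions for illustration.

$BlockedExtensions   = @('.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js')
$BlockedNamePatterns = @('*password*', '*credential*')          # assumed name-match rules
# Leading-byte signatures used to identify the real type whatever the extension says.
$Signatures = @(
    @{ Bytes = [byte[]](0x4D, 0x5A);             Extensions = @('.exe', '.dll', '.scr') }            # "MZ": Windows PE
    @{ Bytes = [byte[]](0x50, 0x4B, 0x03, 0x04); Extensions = @('.docx', '.xlsx', '.pptx', '.zip') } # "PK": zip container
    @{ Bytes = [byte[]](0x25, 0x50, 0x44, 0x46); Extensions = @('.pdf') }                            # "%PDF"
    @{ Bytes = [byte[]](0xD0, 0xCF, 0x11, 0xE0); Extensions = @('.doc', '.xls', '.ppt') }            # OLE2 compound file
)

function Test-BytePrefix([byte[]]$Data, [byte[]]$Prefix) {
    if ($Data.Length -lt $Prefix.Length) { return $false }
    for ($i = 0; $i -lt $Prefix.Length; $i++) {
        if ($Data[$i] -ne $Prefix[$i]) { return $false }
    }
    return $true
}

function Get-FileHeader([string]$Path, [int]$Count = 8) {
    # Only the first few bytes are needed to identify the type; never read the whole file.
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buffer = New-Object byte[] $Count
        $read = $stream.Read($buffer, 0, $Count)
        if ($read -le 0) { return [byte[]]@() }
        return [byte[]]$buffer[0..($read - 1)]
    } finally {
        $stream.Close()
    }
}

function Test-UploadPolicy {
    param([string]$FileName, [byte[]]$Header)
    $ext = [System.IO.Path]::GetExtension($FileName).ToLowerInvariant()
    $reasons = @()

    # Name match: wildcard patterns against the full file name.
    foreach ($pattern in $BlockedNamePatterns) {
        if ($FileName -like $pattern) { $reasons += "name matches '$pattern'" }
    }
    # Extension: the cheap check, and the one a rename defeats.
    if ($BlockedExtensions -contains $ext) { $reasons += "extension '$ext' is blocked" }

    # File type: identify the content from its leading bytes and compare with the claimed extension.
    $detected = $null
    foreach ($sig in $Signatures) {
        if (Test-BytePrefix $Header $sig.Bytes) { $detected = $sig; break }
    }
    if ($detected -ne $null) {
        $typeNames = $detected.Extensions -join '/'
        if ($detected.Extensions -notcontains $ext) {
            $reasons += "content looks like $typeNames but the name says '$ext'"
        }
        foreach ($x in $detected.Extensions) {
            if ($BlockedExtensions -contains $x) { $reasons += "content type $typeNames is blocked"; break }
        }
    }

    New-Object PSObject -Property @{
        FileName = $FileName
        Allowed  = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Usage with constructed headers (a real check would call Get-FileHeader on the staged upload):
Test-UploadPolicy 'quarterly-report.pdf' ([byte[]](0x25, 0x50, 0x44, 0x46, 0x2D, 0x31))   # PDF bytes under a .pdf name
Test-UploadPolicy 'installer.pdf'        ([byte[]](0x4D, 0x5A, 0x90, 0x00))                # PE bytes under a .pdf name
Test-UploadPolicy 'passwords.xlsx'       ([byte[]](0x50, 0x4B, 0x03, 0x04))                # zip container, name hits a pattern
```

The content-type rule is the one that survives renaming, so a policy that lists only extensions should be read as a convenience filter, not a control; the keyword filtering on the slide needs the document body, which this check deliberately does not read.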

Page 23

Statistics as of March 2009

Active Users: ~9000

Total Database Size: 103 GB

Type of Users: staff, students, faculty and affiliates of the University

Site collections: 85

Branded Sites: 10

Page 24

It is important to emphasize that the medical environment has strict regulations for privacy and security of data. The major set of rules comes from HIPAA (Health Insurance Portability and Accountability Act). At MD Anderson each site administrator is required to categorize the data on their site. This is then shown to every visitor of that site with an icon so there will be no confusion.

It is expected that the users of each site have enough understanding of HIPAA and other regulations that they will treat the information appropriately.

In order to be able to monitor the use of documents within all sites, the administrators do rigorous logging of SharePoint activities.

Page 25

Securing an Information Infrastructure

Key Challenges

SharePoint Security

Recommendations

Page 26

Organizations Using SharePoint

Page 27

Information Risk Management

Discover and Classify: Discover all sources of sensitive information across the infrastructure

Define Policy: Describe how sensitive information is protected – data, people, infrastructure

Enforce Controls: Establish a control framework and implement appropriate controls (data controls, access controls) to enforce the policy

Report and Audit: Audit the environment to ensure and document compliance with policy

Page 28

Page 29

Microsoft SharePoint: What problems do we hope to solve?

Discover:

• SharePoint resource hierarchy

• Sensitive data within SharePoint and users who have access

Enforce:

• IRM for documents within SharePoint, or remediate (alert/delete)

• Strong authentication for highly-sensitive sites

Monitor & Report:

• SharePoint environment to identify risk

Supporting products and activities named on the slide: SP Discovery; 2FA and/or Audit; SIEM; DLP and/or MS RMS; DLP or Sample Audits

Page 30

Discover: View the scope of the SharePoint deployment

1. Understand how far and wide the SharePoint deployment spans

• Gain a hierarchical view of the SharePoint environment from servers to files

• View which users and user groups have access to those resources

• Prioritize which areas to focus on for remediation

Page 31

Discover: Identify where the sensitive data resides on SharePoint

2. Data at Rest: Discover and classify sensitive data based on content and context

• Identify the specific sensitive objects within SharePoint sites

• Classify data sensitivity according to high, medium and low impact

Page 32

Enforce: Data in Use and Data in Motion

3. DLP and MSFT RMS: Enforce remediation policy on sensitive data

• Quarantine, delete or move sensitive data to a secure location

• Block, audit or notify user actions on sensitive data

• Implement user rights permissions on documents no matter where they go using Microsoft Rights Management Services (RMS)

• Control flow of sensitive data out of the enterprise

Page 33

Enforce: Increase authentication for sensitive data

4. Additional Authentication

• Invoke two-factor authentication for highly-sensitive sites

• Choose between tokens or risk-based authentication

[Diagram: example sites of differing sensitivity: Product Development, Employee Benefits, Access Management]

Page 34

Monitor & Report: SIEM should integrate with DLP

5. SIEM: Determine anomalous activity associated with sensitive data on SharePoint servers

• Monitor activity on SharePoint servers

• Ease compliance burdens with reporting on SharePoint server events
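As an added example that is not from the presentation or any RSA product, the PowerShell function below shows what "SIEM integrates with DLP" means in practice: it applies three simple rules to SharePoint audit events for locations that DLP discovery has classified as sensitive (off-hours access, access by an account not expected for that location, and bulk reads inside a short window). The CSV, its column names, the accounts, URLs and thresholds are constructed assumptions; a real deployment would feed an exported audit log or a SIEM query result instead.

```powershell
# Added example, not from the presentation or any RSA product: SIEM-style detection
# over SharePoint audit events, restricted to locations that DLP classified as sensitive.
# The CSV below is constructed; its columns, users, paths and thresholds are assumptions.

$SampleAuditCsv = @'
Occurred,UserName,DocLocation,EventName
2009-03-02 09:12:44,CORP\alice,sites/hr/Benefits/plan-2009.xlsx,View
2009-03-02 09:14:03,CORP\alice,sites/hr/Benefits/enrollment.docx,View
2009-03-02 22:41:10,CORP\bob,sites/hr/Benefits/payroll-export.csv,View
2009-03-03 10:05:00,CORP\carol,sites/rnd/Product-Development/roadmap.pptx,View
2009-03-03 10:05:12,CORP\carol,sites/rnd/Product-Development/design-1.vsd,View
2009-03-03 10:05:20,CORP\carol,sites/rnd/Product-Development/design-2.vsd,View
2009-03-03 10:05:31,CORP\carol,sites/rnd/Product-Development/design-3.vsd,View
2009-03-03 10:05:40,CORP\carol,sites/rnd/Product-Development/design-4.vsd,View
2009-03-03 10:05:55,CORP\carol,sites/rnd/Product-Development/design-5.vsd,View
2009-03-03 11:30:00,CORP\dave,sites/marketing/Shared Documents/brochure.pdf,View
2009-03-03 11:31:00,CORP\contractor1,sites/hr/Benefits/plan-2009.xlsx,View
'@

function Find-SensitiveAccessAnomalies {
    param(
        [string[]]$AuditLines,
        [string[]]$SensitivePathPrefixes,   # locations flagged by DLP discovery (assumed)
        [hashtable]$AllowedPrincipals,      # prefix -> accounts expected to read it (assumed)
        [int]$BulkThreshold = 5,            # events by one user within $WindowMinutes
        [int]$WindowMinutes = 5,
        [int]$BusinessStartHour = 7,
        [int]$BusinessEndHour = 19
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $alerts = @()

    # Keep only events that touch a classified location, remembering which prefix matched.
    $sensitive = @($AuditLines | ConvertFrom-Csv | ForEach-Object {
        $e = $_
        $prefix = $SensitivePathPrefixes |
            Where-Object { $e.DocLocation.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) } |
            Select-Object -First 1
        if ($prefix) {
            $e | Add-Member -MemberType NoteProperty -Name Prefix -Value $prefix -PassThru
        }
    })

    foreach ($e in $sensitive) {
        $when = [datetime]::ParseExact($e.Occurred, 'yyyy-MM-dd HH:mm:ss', $culture)
        # Rule 1: sensitive data read outside business hours.
        if ($when.Hour -lt $BusinessStartHour -or $when.Hour -ge $BusinessEndHour) {
            $alerts += New-Object PSObject -Property @{ Rule = 'OffHoursAccess'; User = $e.UserName; Detail = $e.DocLocation }
        }
        # Rule 2: the account is not one expected for this location (excessive privilege, exercised).
        if ($AllowedPrincipals.ContainsKey($e.Prefix) -and ($AllowedPrincipals[$e.Prefix] -notcontains $e.UserName)) {
            $alerts += New-Object PSObject -Property @{ Rule = 'UnexpectedPrincipal'; User = $e.UserName; Detail = $e.DocLocation }
        }
    }

    # Rule 3: bulk reads, i.e. $BulkThreshold sensitive events by one user inside the window.
    foreach ($group in ($sensitive | Group-Object UserName)) {
        $times = @($group.Group | ForEach-Object { [datetime]::ParseExact($_.Occurred, 'yyyy-MM-dd HH:mm:ss', $culture) } | Sort-Object)
        for ($i = 0; $i + $BulkThreshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $BulkThreshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) {
                $alerts += New-Object PSObject -Property @{ Rule = 'BulkAccess'; User = $group.Name; Detail = "$($group.Count) sensitive events" }
                break
            }
        }
    }
    $alerts
}

# Usage with the constructed data: the classification and expected readers come from DLP discovery.
$sensitivePaths = @('sites/hr/Benefits', 'sites/rnd/Product-Development')
$allowed = @{
    'sites/hr/Benefits'             = @('CORP\alice', 'CORP\bob')
    'sites/rnd/Product-Development' = @('CORP\carol')
}
Find-SensitiveAccessAnomalies -AuditLines ($SampleAuditCsv -split "`r?`n") -SensitivePathPrefixes $sensitivePaths -AllowedPrincipals $allowed |
    Format-Table Rule, User, Detail -AutoSize
```

The DLP output is what makes the rules selective: without the classified prefixes, every rule would fire on ordinary marketing files too, and the reporting burden the slide mentions would grow rather than shrink.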

Page 35

Where to Start?

Do you have a problem?

• Determine priority for scan focus

• DLP identifies sensitive information on SharePoint

Recommendations Report:

• Summary of requirements

• Remediation recommendations

• Scan results, interpretation and analysis

• Report scope of SharePoint environment scanned

• Highlights of number of sites and files with sensitive data

Page 36

Thank you!

Rob Davis | [email protected]

