If you play a part in managing or administering SharePoint at your company, the Sony hack might be more frightening to you than any movie released this year. The hackers looted Sony’s network and released sensitive employee information, confidential intellectual property, and even embarrassing emails. You don’t have any of these on your servers, do you?
Sure, your firm might not attract the ire of a rogue nation, but corporate cyberattacks are commonplace, and most malware isn’t directed at a specific target, but instead sweeps the internet for network vulnerabilities.
Oil is nearing $40 per barrel, companies are belt-tightening, and the last thing you need is a messy and expensive cleanup when your SharePoint environment is compromised. Here are the tools you should employ to help protect yourself.
If you control the network that contains your SharePoint farm, you first have to make sure that the network is secure through the proper use of firewalls and proxies. After that, look into:
- Dedicated Service Accounts: By creating the correct number of accounts and restricting their access as much as possible (called principle of least privilege), you can stop a rogue account from gaining access to parts of your farm it shouldn’t be able to access.
- SQL Transparent Data Encryption: Available with SQL Enterprise, SQL TDE encrypts SharePoint data while in storage, while backed up, and while in use in temporary databases.
- SSL and IPSec: If messages are being sent to and from SharePoint servers to computers outside of your firewall, such as when you have a corporate extranet, SSL will ensure safe arrival of packets to your SharePoint farm, and IPSec will grant safe communication between the servers in your farm.
SharePoint Online (O365)
If you are using Office365, Microsoft hosts your farm on their network. Microsoft has put a lot of thought and effort in security, since the success of their offerings hinges on your perception of how secure their network is, and they continue to improve. Microsoft states, as of the beginning of 2015:
“Our latest encryption feature with which content in OneDrive for Business and SharePoint Online will be encrypted at rest will start rolling out to customers soon. With this, the encryption technology in Office 365 moves beyond a single encryption key per disk to deliver a unique encryption key per file.“
Still, you may be uncomfortable with a third-party holding your data and your encryption keys on shared hardware. You might reasonably conclude that the O365 servers represent a ripe target for unscrupulous individual trawling the web. In the words of famed criminal Willie Sutton when asked why he robs banks, “That’s where the money is.”
If so, you should consider software that makes your data more secure in the cloud by encrypting it before it goes to Microsoft and keeping a copy of the key locally. Other options withhold portions of your data from ever making it to the cloud, while others make monitoring and enforcing your security and governance policies easier and more transparent.
Either On-Prem or Online
Whether you host your own farm or use Office365, you’re going to want to look at these strategies for more secure data:
- Role Based Access Control: You should have a thoughtful strategy for assigning roles to users and permissions to those roles. If your AD is a mess, the mail clerk who left the company six months ago might have access to your personnel file.
- AD/Azure RMS: Different names depending on whether you host your farm or whether Microsoft does, but RMS (Rights Management Services) is the tool you use to make sure that someone doesn’t download that sensitive document and email it to the Everyone@YourCompany.com distribution group.
If trying to implement some of these tools on top of your regular workload is less funny than The Interview, give us a call. We’ve helped countless upstream, midstream, downstream, and services companies buy, build, and integrate software.