SharePoint Defense in Depth

A community site for SharePoint security and compliance issues

About this community

SharePoint Defense in Depth is an open community site and resource for those interested in security, defense in depth, compliance, and SharePoint. This community site provides a place to pose questions to experts, and to learn how best to tackle your SharePoint security challenges.

For access to resources including a SharePoint Content Scanner, and SharePoint Risk Assessment, please create a login. Note that to limit spam and non-useful content on this site, we require either a valid corporate e-mail domain, or a legitimate LinkedIn profile for registrants before approving access.

Our simple goal is to provide the SharePoint community with tools and resources that enable you to more effectively secure your SharePoint environments. We encourage you to engage, and post your own tips, tricks, and resources to help make SharePoint sites more secure. If you have ideas as to how we can make the SharePoint Defense in Depth site a better community resource, please contact us on:

Blog Posts

Video demonstration of the content scanner

Posted by Mike Fleck on July 18, 2016 at 9:53am 0 Comments

If you came to SharePointDefenseInDepth looking for complimentary access to the data discovery tool (Content Scanner), you can request your copy by reaching out to If you'd like to learn more about how to use the scanner and what it can locate, check out this video on Vimeo. The first minutes are background material, so don't worry if you heard the audio but the video doesn't seem to be moving. …


Understanding file encryption in Office 365

Posted by Mike Fleck on March 8, 2016 at 12:01pm 0 Comments

In early 2015 Microsoft started rolling out per file encryption for SharePoint Online and OneDrive for Business in Office 365. Prior to that, the file encryption capability in Office 365 was simple BitLocker storage encryption. The newer approach, often referred to as Fort Knox, involved breaking files into fragments and encrypting each file fragment with a unique encryption key. Microsoft sometimes refers to this fragmenting of files as “shredded storage.” The fragment encryption keys (FEK)…


Reimagining a New Security Model for SharePoint

Posted by Peter Bradley on January 6, 2016 at 5:00pm 0 Comments

SharePoint's old security model was conceived in a different era. Let's imagine what a new security model might look like.

In my last post, we looked at the humble beginnings of SharePoint as Microsoft Tahoe, and pointed out that the security…


The free SharePoint Content Scanner is back

Posted by Mike Fleck on December 18, 2015 at 12:57pm 0 Comments

CipherPoint is once again providing free access to the content scanner. Yes, Office 365 has Data Loss Prevention, but there are a few reasons why you would be interested in this tool vs. the one from Microsoft.

  1. The CipherPoint scanner lets you create custom patterns to find.
  2. The CipherPoint scanner can search for sensitive content in on-premises AND Office 365 at the same time.
  3. The CipherPoint scanner is a lot easier to use.

To get the scanner you…





Take the CipherPoint's Annual State of Collaboration Security Survey

Started by Mike Fleck in General security topics Jul 14, 2014. 0 Replies

Each year, CipherPoint conducts a survey to understand businesses’ top security concerns relating to file…

Government Agencies Deploying SharePoint Despite the Lack of FIPS 140-2 Level Validation

Started by K Nahbrha in Industry compliance. Last reply by Mike Fleck Dec 6, 2013. 1 Reply

How are government agencies deploying SharePoint 2010 despite the fact that SharePoint does not support FIPS 140-2 level validation as required by NIST? The operating system that hosts SharePoint must…

Tags: DISA, Cryptography, NIST, 2010, SharePoint

Securing SharePoint

Started by Site Admin in General security topics Aug 16, 2013. 0 Replies

A reader posted this response to a blog we posted on the Snowden breach, and the SharePoint connection. What do you think... can SharePoint be securely deployed?

Jim

Our blog is here:…

Is anyone using RMS and SharePoint 2013?

Started by Mike Fleck in General security topics. Last reply by Kirk Hasty Jul 22, 2013. 1 Reply

One of our members just posted the above question in his status. Is anyone here using Windows Rights Management (or third party RMS provider) with *any* version of SharePoint? If so, please post your…

Tags: 2013, sharepoint, management, rights

Site Admin's Blog (94)

Collaboration security in the Office Web Apps environments.

Let’s face it. Collaboration is the backbone for most any process intended to move projects through stakeholder channels, final drafts and completions.

For collaboration security, it's not surprising that certain team members will often be assigned different levels of tasks requiring access throughout SharePoint’s document management modules. But, not everyone is expected to have the same privileges, for example, to add or edit content.

As such, Office Web Apps used in…


Added by Site Admin on February 14, 2014 at 3:35pm — No Comments

Cloud security and SharePoint 2013 big concern among SMBs; hybrid solutions becoming common choice.

In general, with all the concerns about cloud security, the full migration of critical files, folders and documents to the cloud is far from becoming an overwhelming choice by the C-level suite.

Instead of an all-or-nothing choice, a large number of SMBs using SharePoint continue to opt for a hybrid solution, or a combination of public and private hosting solutions.

A recent online survey conducted by …


Added by Site Admin on January 25, 2014 at 1:01am — No Comments

Cloud security and SharePoint 2013 big concern among SMBs; hybrid solutions becoming common choice.

In general, with all the concerns about cloud security, the full migration of critical files, folders and documents to the cloud is far from becoming an overwhelming choice by the C-level suite.

Instead of an all-or-nothing choice, a large number of SMBs using SharePoint continue to opt for a hybrid solution, or a combination of public and private hosting solutions.

A recent online survey conducted by Redmond Magazine indicated that of the 300 respondents 46.3 percent…


Added by Site Admin on December 18, 2013 at 7:00am — No Comments

Personally Identifiable Information should go carefully into Libraries, MySite or SkyDrive; taxonomy, classification, security needed.

It’s no surprise that with the blender approach to funneling data throughout the enterprise and organization the concern about Personally Identifiable Information (PII) is high in the minds of C-level folks and SharePoint administrators.

After all, when you consider the go-to sources available today, such as Libraries, lists, Dropbox folders, Amazon EC2 storage, SkyDrive and file shares, to name a few,…


Added by Site Admin on December 17, 2013 at 7:00am — No Comments

Cloud-based File Security: How MSPs Can Consolidate Client Fears

File security is one of the crucial features that a discerning managed service provider firm worries about when it comes to cloud computing. There are countless benefits that cloud-based file sharing offers to businesses. However, there are a number of factors that make companies overlook sharing on the cloud. As an MSP, there are several interventions that will be handy when helping clients overcome cloud computing fears.

When you run as an MSP, your clients see you…


Added by Site Admin on December 16, 2013 at 6:30am — No Comments

SharePoint Online: Microsoft doesn't recommend using branding on an Intranet home page.

No surprise, but it seems like every iteration of SharePoint since 2007 has been over-hyped relative to its ability to deliver an intuitive and manageable intranet platform, notes Toby Ward’s post on CMS Wired.

But all bets are riding high that SharePoint 2013 (SP13) will provide the enterprise with more credible Intranet features; this, as over 80% of…


Added by Site Admin on December 13, 2013 at 6:30am — No Comments

Encryption and SharePoint Files

If you run a business, it’s normally a good idea to ensure that you get the best encryption for your data, and one of the best ways of doing it is through the use of SharePoint encryption. As time goes by, information becomes more and more valuable, and this means that an increasing number of people want to get their hands on it. For instance, there are many people who may be interested in breaking…


Added by Site Admin on December 12, 2013 at 6:30am — No Comments

SharePoint's Document Library does offer file security, but not a reason to assign sole file server status.

The question about using SharePoint as a file server takes on new meaning when considering issues like file security, not to mention the per file costs, according to an article in Redmond Magazine.

For one thing, to think of it as an ‘either or’ decision is faulty, even though SharePoint’s Document Library makes it easy to collaborate and share; store and offer version…


Added by Site Admin on December 11, 2013 at 6:30am — No Comments

Cross-over technologies like Dropbox or Google Drive present cloud security issues for SharePoint users.

Given SharePoint’s abundance of features and extensive content management capabilities it’s no wonder that the term, “SharePoint sprawl,” is used in referring to the never-ending expansion of sites within the suite.

Today’s SharePoint is not unlike its 2010 iteration when it comes to implementing a quick start, thanks to its basic install…


Added by Site Admin on December 9, 2013 at 8:00am — No Comments

AIIM survey points to overriding concerns for cloud security in Office 365 SharePoint offering.

Maybe it’s the three iterations of SharePoint that the Redmond Giant has introduced over the past number of years that keep users from embracing Office 365’s cloud option.

Microsoft’s three-year of introducing a new upgrade has caused many companies to not only have many versions, but has handed IT a host of support issues as well:

* 38 percent are supporting two or more live versions.

* 21 percent of larger organizations are supporting three or more…


Added by Site Admin on December 6, 2013 at 8:00am — No Comments

Security threats from disabling 'authentication' calls for recent Microsoft critical patches

It happens often: SharePoint users are disabling the suite’s authentication mode to make it easier to access/share documents. Unwittingly, this opened a Pandora’s Box of security problems with outside attackers.

As such, Microsoft’s released a recent patch to address 10 critical areas within the SharePoint software.

At issue, was the capability of hackers to use “remote code…


Added by Site Admin on December 5, 2013 at 8:06pm — No Comments

Data Encryption in a Post-PRISM Cloud

The recent exposure of PRISM and the role that Cloud providers played in that program changes how businesses need to think about Cloud data encryption. These conclusions reduce to two bullet points:

- Implicitly trusting your Cloud provider is not a wise move when it comes to storing your sensitive and confidential data in the Cloud. Enterprises must maintain strict control of their information even while it resides and is consumed in the Cloud.

- Highly…


Added by Site Admin on September 19, 2013 at 5:30pm — No Comments

Challenges Securing SharePoint Against Privileged Insiders

It is well documented at this point that some leaked Wikileaks data came from SharePoint sites. Details have emerged regarding how the data relating to the PRISM breach was obtained, and this breach, like Wikileaks, also involved SharePoint.

To provide some structure for this discussion, we’ll break the discussion into three types of collaboration platforms: legacy file servers, on-premises SharePoint sites, and cloud collaboration platforms such as Office 365 and SharePoint…


Added by Site Admin on September 17, 2013 at 4:00pm — No Comments

SharePoint compliance strengthened through use of Libraries and Lists.

The monetary effects of identity theft approach upwards of fifty billion dollars, as some fifteen million people annually are in some way touched by fraudulent claims.

When it comes to SharePoint compliance, IT organizations are at risk of regulatory mismanagement of data with the potential for staggering financial loss as well as…


Added by Site Admin on September 13, 2013 at 9:30am — No Comments

SharePoint data security at issue with 'wide-open platform' rollout of 2013.

Count on it: if the rollout of SharePoint 2013 is left to IT without polling the key stakeholders, then the result will be a very “tightly-controlled” implementation with questionable benefit to the organization.

The other ‘extreme’ is to offer SharePoint as a “wide-open platform” without the usual regard for governance, or SharePoint data security. In fact, this strategy with the underlying “sprawl” of…


Added by Site Admin on September 11, 2013 at 9:30am — No Comments

Insider Threats, SharePoint, and the Snowden and Wikileaks Security Breaches

Cross post from

At a high level, the Snowden and Wikileaks security breaches both highlight the insider threat to sensitive information. The “insider threat” has been well understood (for a very long time) to be very serious (significant impacts are likely from insider security breaches). Also well known is the difficulty in implementing controls that fully mitigate the threat.

If you’re wondering how insiders can access sensitive information in SharePoint,…


Added by Site Admin on August 20, 2013 at 10:00am — No Comments

CIOs concerned over SharePoint's mobile security threats; Android apps lacking.

CIOs get it: mobile and SharePoint go together, but still it can be the “red headed stepchild” in many organizations, notes Rich Wood on CMS Wired, “The SharePoint Mobility Forecast Outlook: Cloudy.”

In short, using our mobile devices to collaborate and share documents via SharePoint continues to be a big headache in managing…


Added by Site Admin on August 19, 2013 at 10:00am — No Comments

SharePoint Security Impacts From Snowden and Wikileaks Breaches

Cross post from

The biggest security story that we’ll see this year is the Snowden – NSA – PRISM leak. The biggest security story in the past couple of years prior to PRISM has clearly been Wikileaks. Common threads obviously run through these breaches, starting with the use of SharePoint by both organizations and the attackers in both cases compromising the confidentiality of information therein. The…


Added by Site Admin on August 16, 2013 at 10:11am — No Comments

Defense in Depth: A Community to Support SharePoint Security Issues

Security is an important function within any business. Customers want to make sure that their information is safeguarded and protected. SharePoint provides a great set of tools to keep business running as normal, and to enhance business efficiencies. As with any software, SharePoint has some security concerns that users would like to address. SharePoint Defense in Depth is a community designed around providing…


Added by Site Admin on August 16, 2013 at 10:05am — No Comments

SharePoint content security & Organization 2.0; concerns re. ‘security and confidentiality’ exist.

SharePoint’s been around now for over a decade, and its community of users may still scratch their heads at what it really is, what it does and how to access its multitude of features.

For sure, it’s a content management system that harbors SharePoint content security concerns; others may accept SharePoint in the context of a development framework. And, yes, its collaborative nature is the backbone of the platform, notes Brien Posey in his article, “Working Together:…


Added by Site Admin on June 6, 2013 at 8:00am — No Comments

© 2020   Created by Jim.   Powered by