SharePoint Defense in Depth

A community site for SharePoint security and compliance issues

About this community

SharePoint Defense in Depth is an open community site and resource for those interested in security, defense in depth, compliance, and SharePoint. This community site provides a place to pose questions to experts, and to learn how best to tackle your SharePoint security challenges.

For access to resources including a SharePoint Content Scanner, and SharePoint Risk Assessment, please create a login. Note that to limit spam and non-useful content on this site, we require either a valid corporate e-mail domain, or a legitimate LinkedIn profile for registrants before approving access.

Our simple goal is to provide the SharePoint community with tools and resources that enable you to more effectively secure your SharePoint environments. We encourage you to engage, and post your own tips, tricks, and resources to help make SharePoint sites more secure. If you have ideas as to how we can make the SharePoint Defense in Depth site a better community resource, please contact us at: info@sharepointdefenseindepth.com.

Blog Posts

Video demonstration of the content scanner

Posted by Mike Fleck on July 18, 2016 at 9:53am 0 Comments

If you came to SharePointDefenseInDepth looking for complimentary access to the data discovery tool (Content Scanner), you can request your copy by reaching out to info@cipherpoint.com. If you'd like to learn more about how to use the scanner and what it can locate, check out this video on Vimeo. The first minutes are background material, so don't worry if you heard the audio but the video doesn't seem to be moving. …


Understanding file encryption in Office 365

Posted by Mike Fleck on March 8, 2016 at 12:01pm 0 Comments

In early 2015 Microsoft started rolling out per file encryption for SharePoint Online and OneDrive for Business in Office 365. Prior to that, the file encryption capability in Office 365 was simple BitLocker storage encryption. The newer approach, often referred to as Fort Knox, involved breaking files into fragments and encrypting each file fragment with a unique encryption key. Microsoft sometimes refers to this fragmenting of files as “shredded storage.” The fragment encryption keys (FEK)…


Reimagining a New Security Model for SharePoint

Posted by Peter Bradley on January 6, 2016 at 5:00pm 0 Comments

SharePoint's old security model was conceived in a different era. Let's imagine what a new security model might look like.

In my last post, we looked at the humble beginnings of SharePoint as Microsoft Tahoe, and pointed out that the security…


The free SharePoint Content Scanner is back

Posted by Mike Fleck on December 18, 2015 at 12:57pm 0 Comments

CipherPoint is once again providing free access to the content scanner. Yes, Office 365 has Data Loss Prevention, but there are a few reasons why you would be interested in this tool vs. the one from Microsoft.

  1. The CipherPoint scanner lets you create custom patterns to find.
  2. The CipherPoint scanner can search for sensitive content in on-premises AND Office 365 at the same time.
  3. The CipherPoint scanner is a lot easier to use.

To get the scanner you…



Forum

Take CipherPoint's Annual State of Collaboration Security Survey

Started by Mike Fleck in General security topics Jul 14, 2014. 0 Replies

Each year, CipherPoint conducts a survey to understand businesses’ top security concerns relating to file…

Government Agencies Deploying SharePoint Despite the Lack of FIPS 140-2 Level Validation

Started by K Nahbrha in Industry compliance. Last reply by Mike Fleck Dec 6, 2013. 1 Reply

How are government agencies deploying SharePoint 2010 despite the fact that SharePoint does not support FIPS 140-2 level validation as required by NIST? The operating system that hosts SharePoint must…

Tags: DISA, Cryptography, NIST, 2010, SharePoint

Securing SharePoint

Started by Site Admin in General security topics Aug 16, 2013. 0 Replies

A reader posted this response to a blog we posted on the Snowden breach, and the SharePoint connection. What do you think... can SharePoint be securely deployed? Jim Our blog is here:…

Is anyone using RMS and SharePoint 2013?

Started by Mike Fleck in General security topics. Last reply by Kirk Hasty Jul 22, 2013. 1 Reply

One of our members just posted the above question in his status. Is anyone here using Windows Rights Management (or third party RMS provider) with *any* version of SharePoint? If so, please post your…

Tags: 2013, sharepoint, management, rights

The recent exposure of PRISM and the role that Cloud providers played in that program changes how businesses need to think about Cloud data encryption. These conclusions reduce to two bullet points:

- Implicitly trusting your Cloud provider is not a wise move when it comes to storing your sensitive and confidential data in the Cloud. Enterprises must maintain strict control of their information even while it resides and is consumed in the Cloud.

- Highly sophisticated organizations want your data. Enterprises need to adopt Cloud data encryption technologies that follow encryption and key management best practices.

Maintain Control

The Cloud provides great economies of scale for both the consumer of the Cloud service and the provider. For example, Microsoft, Google, and Amazon can buy more and better security technologies because they can split their cost-basis across a huge customer base. The security challenge, then, relates to maintaining control of your information. As someone in one of my recent presentations said, “once you put your data in the Cloud it becomes the property of your Cloud provider who allows you the right to access it for a monthly fee.” With non-commodity Cloud offerings, enterprises can put the Cloud provider through months of due diligence and contract negotiations. That approach doesn’t work with offerings like Office 365. The best way to maintain control of your data is to encrypt it before it hits the Cloud and then maintain physical ownership of both the data encryption keys and the encryption/decryption functions.

Leave Encryption to the Professionals

While the US Government is the focus of attention these days (for obvious reasons), don’t forget that there are other nations trying to peek at your Cloud data. Like any other group of competitive organizations, if one is doing it the others are, too. This means that your organization is likely to face determined attackers with plenty of resources.

Here are some top concerns when it comes to the landscape of Cloud data encryption vendors:

- Proprietary Encryption Algorithms are the one thing that you never, ever want to use. If an encryption algorithm hasn’t been created, vetted, and accepted on a global academic and government scale then don’t use it. Period.

- Usability at the cost of security is an approach that vendors take when they don’t have the expertise and experience to devise a Cloud data encryption system that is both secure and usable. There will, of course, always be an impact to usability for securing your data but remember the first bullet. Cutting corners is as good as doing nothing at all.

- Encryption and key management require a pedigree. Encryption and key management are highly specialized disciplines. Few organizations have the talent and experience necessary to make encryption and key management both secure and usable. There are a lot of moving pieces like Initialization Vectors, sources for random numbers, encryption key storage, key rotation, and key expiration just to name a few. We’ve touched on this topic in a previous blog.

By Mike Fleck

CEO, CipherPoint
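
The advice above to encrypt data before it hits the Cloud while keeping the keys and the encryption/decryption functions in your own hands, together with the listed moving pieces (initialization vectors, random number sources, key storage, rotation, expiration), looks like this in code. This is an added example, not code from the original post or from CipherPoint; the `KeyRing` class, the function names, and the in-memory key storage are assumptions for illustration, and the cipher is the standard AES-256-GCM built into Node.js.

```javascript
const nodeCrypto = require('crypto');

// Hypothetical local key ring (assumption): key material stays on premises.
// A real deployment would back this with an HSM or key manager, not memory.
class KeyRing {
  constructor() { this.keys = new Map(); this.activeId = null; }

  // Key rotation: draw a new 256-bit key from the OS CSPRNG and make it active.
  rotate(lifetimeMs, now = Date.now()) {
    const id = nodeCrypto.randomUUID();
    this.keys.set(id, { key: nodeCrypto.randomBytes(32), expires: now + lifetimeMs });
    this.activeId = id;
    return id;
  }

  // Key expiration: an expired key may decrypt old files but must not encrypt new ones.
  activeKey(now = Date.now()) {
    const entry = this.keys.get(this.activeId);
    if (!entry || now >= entry.expires) throw new Error('active key missing or expired');
    return { id: this.activeId, key: entry.key };
  }
}

// Encrypt before upload. The key id and nonce travel with the ciphertext; the key does not.
function encryptForCloud(ring, plaintext, fileName, now = Date.now()) {
  const { id, key } = ring.activeKey(now);
  const nonce = nodeCrypto.randomBytes(12); // fresh IV per file, never reused under one key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(`${id}|${fileName}`)); // bind ciphertext to key id and file name
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { keyId: id, fileName, nonce, ct, tag: cipher.getAuthTag() };
}

// Decrypt after download. Throws if the stored blob, file name or key id was altered.
function decryptFromCloud(ring, blob) {
  const entry = ring.keys.get(blob.keyId);
  if (!entry) throw new Error('unknown key id');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', entry.key, blob.nonce);
  decipher.setAAD(Buffer.from(`${blob.keyId}|${blob.fileName}`));
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ct), decipher.final()]);
}
```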

 
