Securing sensitive and compliance-regulated data in SharePoint: an end-to-end approach

An IGC and CipherPoint Software White Paper

SharePoint continues to be the collaboration and content management platform of choice. With more than 130 million users and adoption by 70 percent of large enterprises, we can expect continued market penetration, as well as increased use of SharePoint for managing sensitive and regulated content.

However, numerous industry studies cite challenges with security, compliance, and information governance associated with SharePoint sites and the information stored in them. A recent Information Week study rated data security controls as the most important feature of collaboration software platforms—higher than all other capabilities. The study found that monitoring content in collaboration platforms for security and policy violations was a challenge for 38 percent of respondents.

This white paper describes common security and compliance challenges associated with SharePoint content and identifies an end-to-end solution approach to securing confidential and regulated data in SharePoint.

SharePoint customer security challenges

Organizations face a host of issues when access to sensitive or regulated content in SharePoint libraries is not tightly controlled:
    • Understanding what content is stored in SharePoint and whether the data is sensitive or governed by compliance regulations. It is important to not just write policy, but to inspect SharePoint file storage and determine what is actually being stored in SharePoint sites.
    • Classifying data in SharePoint and establishing access controls and required protection mechanisms for data in storage, in transit and when downloaded to or being used on client device.
    • Understanding the insider and administrator threat to data in SharePoint since native platform controls are trivially easy for a farm or site administrator to circumvent.
    • Preventing information leakage from SharePoint, including via download, copy and paste, or just by misconfiguring access controls.
    • Balancing ease of access and use with security.
    • Building security controls to comply with relevant regulations for your organization, in your industry.
    • Providing separation of duties for SharePoint administrators, particularly if your sites house trade secrets, IP, business plans, customer lists, and human resources data

A useful mechanism for thinking through content security and SharePoint is to consider threats to the data and content from end to end. The diagram below can be used to build a risk model that describes the threats facing your organization given how you use the SharePoint platform. Sensitive information is potentially vulnerable at any stage, from the point of SharePoint access all the way to your backups. This model can be used to help you evaluate how to best protect against different threats at different points.

Figure: CipherPointKM security management console.

Beyond evaluating specific threats to your SharePoint content, you may also wish to perform a full risk assessment for your SharePoint sites and information. CipherPoint has created a brief SharePoint risk assessment template, which may be downloaded for free at www.sharepointdefenseindepth.com.

End-to-end solution architecture

As a web-based platform with myriad configuration possibilities, SharePoint security can be a complex topic, and one that is highly dependent on the use case and the deployment model. The solution architecture described here provides the recommended end-to-end, “defense in depth” approach to securing information in SharePoint.

Server-side security

Threats to data while stored in SharePoint can come from insiders, administrators, external attackers, and from loss or theft of servers and media. To ensure SharePoint is secured against those threats all the way from the front end back into storage, a combination of user authentication, strong access control, encryption and audit logging are recommended.

Protecting information stored in SharePoint with CipherPoint

CipherPoint’s transparent web-tier encryption technology for SharePoint secures sensitive or regulated content through the use of encryption, access control and activity logging.

CipherPoint’s SharePoint products provide transparent data encryption for on-premise SharePoint installations, using technology that delivers distinct advantages over other approaches to securing SharePoint content:

    • Inserts at the web tier, providing a higher level of threat protection against insiders and other threats to sensitive data
    • Transparent to end users
    • Gives security control back to IT security management
    • Enables compliance to numerous regulations requiring encryption of regulated content
    • Makes content protection for SharePoint easy, secure and scalable

The CipherPoint product solution for SharePoint comprises CipherPointKM, the central key management console providing administration capabilities for multiple SharePoint servers, and CipherPoint agent software, with three versions suitable for use by small SharePoint farms, mid-sized enterprises, and large enterprises with multiple locations and very large SharePoint farms.

Figure: CipherPointKM security management console.

CipherPointCS is a SharePoint content scanner that enables SharePoint administrators and security staff to scan SharePoint sites and find sensitive or compliance-regulated data. CipherPoint is pleased to provide this content scanning utility for free as part of its philosophy that SharePoint site security starts with understanding exactly what content is being stored in SharePoint sites.

Client-side security

Threats to SharePoint data while in use on client devices or when checked out from SharePoint sites can come from a variety of sources, including device loss or theft and malicious users who copy data to unauthorized devices or storage.

Addressing information access and security with Brava!® for SharePoint

IGC’s Brava viewer allows SharePoint users access to their document content directly through the SharePoint portal without ever needing to download the document to their computer. Brava users are able to view and annotate virtually any document type and create redacted versions of documents with sensitive information removed. Brava’s capabilities provide end users easy access to the information they need while still securing sensitive document content. Brava protects sensitive content in multiple ways:

Untouched originals—When a document is viewed through the Brava viewer, the original document is never downloaded to the user’s computer. The Brava server converts documents from their native format to an IGC proprietary format, which is then streamed to the viewer. This process is completely transparent to the user, who only has to click a link to see the document content directly inside the SharePoint portal. This prevents sensitive information from being lost when hard drives are replaced or sent outside an organization without being securely wiped, or when laptops are stolen, thumb drives are misplaced, or hackers access unsecured drives. Brava eliminates these concerns by allowing users to access the document content they need without the original document ever being downloaded.

Protected libraries—Brava Protected Libraries offer administrators even more options for securing their repositories. When the Brava Protected Library feature is activated on a library, users with read-only permissions on a document can access a document only through the Brava viewer. Users with write permissions on a document continue to work normally with a document, including checking in a new version, opening it in the original application or viewing it through Brava. When a read-only user tries to access the document, that user is automatically redirected to the Brava viewer.

Brava Protected Libraries do more than block a user’s ability to download a document through the SharePoint web interface. In addition, Brava will trap all requests for a document so users are automatically redirected to the Brava viewer, regardless of whether the user navigates to the document through SharePoint, clicks a link to the document in an email, or enters the URL of the document directly in a browser’s URL bar.

Read-only users are not able to copy and paste text from Brava, print the document, or save a PDF rendition. Brava even blocks the print screen command. Brava Protected Libraries protects from insider threats by ensuring that sensitive information never leaves the controlled confines of your SharePoint environment, while giving users access to the information they need to do their jobs.

Figure: Viewing documents in Brava for SharePoint

Redaction—Sometimes you will need to share documents that include customers’ private information, trade secrets, sensitive human resources information or other privileged information. Corporate governance policies, compliance concerns or government regulations may restrict your ability to share that sensitive content. In these cases, Brava’s
redaction capabilities will assist you in securing sensitive information.

Figure: A redacted file in SharePoint.

Brava allows you to mark sensitive information for redaction and generate a new document with that content completely removed. You can manually mark areas for redaction, search for common privacy information such as social security numbers or enter your own text patterns to redact. All the content not marked for redaction is transferred to the new document unchanged, so you are still able to search for and use everything except the sensitive content. The redacted information will never appear in the new document, so you never have to worry about someone extracting that information from the redacted document. This allows you to share documents while still complying with the policies and laws governing management of sensitive information.

Brava architecture

Brava consists of a SharePoint solution, a web application and a client-side viewer control. When a user accesses a document through Brava, the document is sent from SharePoint to the Brava server and converted to IGC’s proprietary format, which is then streamed to the viewer. The original document is never sent to the user’s computer. The Brava web application can live behind a corporate firewall. This ensures that your documents never even have to leave your corporate network, even if users are outside the network. All communication between the Brava viewer and server can be configured to use https, adding another degree of security to the communication.

Protect sensitive information with comprehensive SharePoint security

Employing an end-to-end protection strategy for SharePoint can allow your organization to comply with relevant regulations, secure your sensitive information and avoid expensive data breaches and brand damage. When used in concert, the CipherPoint and IGC solutions can also enable your organization to confidently deploy SharePoint as a platform for senior management, team collaboration, boards of directors, human resources, and more.

About CipherPoint

CipherPoint secures sensitive and regulated content in web-based application environments including cloud, SaaS and premise-based collaboration platforms such as Microsoft SharePoint. Headquartered in Denver, Colorado, CipherPoint was founded by IT security experts with deep experience in building successful security technology companies. CipherPoint is committed to helping customers meet their security objectives, building value for our shareholders, fostering a stimulating work environment for employees and improving the community through volunteering. Customers in manufacturing, financial services, federal and state government, defense, healthcare, and business services use CipherPoint’s content security solutions to secure their sensitive and compliance-regulated data. Customers throughout North America, the UK and Europe, the Middle East, and Asia rely on CipherPoint to secure their sensitive information. Learn more at http://www.cipherpoint.com.

About IGC

IGC is a recognized leader in viewing, collaboration and redaction software, offering products that speed workflows, increase efficiency, and aid in regulation compliance. IGC solutions are deployed across almost every industry, with millions of installed seats worldwide.

Brava gives users access to needed information in documents quickly and allows them to make comments, remove sensitive information and create sanitized versions as PDFs, TIFFs or CSFs. Brava supports virtually any format, including office documents, images (e.g., TIFF, JPG, GIF) and CAD drawings. Redact-It® automatically creates public renditions of documents with sensitive content completely removed as part of a workflow. Blazon™, formerly known as Net-It®, automatically creates a TIFF or PDF version of the source document and enables users to add stamps, a watermark, or other information based on metadata from Microsoft SharePoint. Learn more at www.infograph.com/sharepoint.

For more information, please contact:

Informative Graphics Corp.
4835 E. Cactus Road, Suite 445
Scottsdale, AZ 85254
Phone: 800.398.7005 (intl +1.602.971.6061)
URL: www.infograph.com
Email: info@infograph.com

CipherPoint Software
4600 S. Syracuse, 9th Floor
Denver, CO 80237-2719
+1.888.657.5355
URL: www.cipherpoint.com
Email: info@cipherpoint.com

© Copyright 2012 Informative Graphics Corporation

Histor y of HAM Radio presentation slide
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Securing sensitive and compliance-regulated data in SharePoint: an end-to-end approach

An IGC and CipherPoint Software White Paper

SharePoint continues to be the collaboration and content management platform of choice. With more than 130 million users and adoption by 70 percent of large enterprises, we can expect continued market penetration, as well as increased use of SharePoint for managing sensitive and regulated content.

However, numerous industry studies cite challenges with security, compliance, and information governance associated with SharePoint sites and the information stored in them. A recent Information Week study rated data security controls as the most important feature of collaboration software platforms—higher than all other capabilities. The study found that monitoring content in collaboration platforms for security and policy violations was a challenge for 38 percent of respondents.

This white paper describes common security and compliance challenges associated with SharePoint content and identifies an end-to-end solution approach to securing confidential and regulated data in SharePoint.

SharePoint customer security challenges

Organizations face a host of issues when access to sensitive or regulated content in SharePoint libraries is not tightly controlled:

• Understanding what content is stored in SharePoint and whether the data is sensitive or governed by compliance regulations. It is important to not just write policy, but to inspect SharePoint file storage and determine what is actually being stored in SharePoint sites.
• Classifying data in SharePoint and establishing access controls and required protection mechanisms for data in storage, in transit and when downloaded to or being used on client device.
• Understanding the insider and administrator threat to data in SharePoint since native platform controls are trivially easy for a farm or site administrator to circumvent.
• Preventing information leakage from SharePoint, including via download, copy and paste, or just by misconfiguring access controls.
• Balancing ease of access and use with security.
• Building security controls to comply with relevant regulations for your organization, in your industry.
• Providing separation of duties for SharePoint administrators, particularly if your sites house trade secrets, IP, business plans, customer lists, and human resources data

A useful mechanism for thinking through content security and SharePoint is to consider threats to the data and content from end to end. The diagram below can be used to build a risk model that describes the threats facing your organization given how you use the SharePoint platform. Sensitive information is potentially vulnerable at any stage, from the point of SharePoint access all the way to your backups. This model can be used to help you evaluate how to best protect against different threats at different points.

[Figure: CipherPointKM security management console.]

End-to-end solution architecture

Beyond evaluating specific threats to your SharePoint content, you may also wish to perform a full risk assessment for your SharePoint sites and information. CipherPoint has created a brief SharePoint risk assessment template, which may be downloaded for free at www.sharepointdefenseindepth.com.

Server-side security

As a web-based platform with myriad configuration possibilities, SharePoint security can be a complex topic, and one that is highly dependent on the use case and the deployment model. The solution architecture described here provides the recommended end-to-end, “defense in depth” approach to securing information in SharePoint.

Protecting information stored in SharePoint with CipherPoint

Threats to data while stored in SharePoint can come from insiders, administrators, external attackers, and from loss or theft of servers and media. To ensure SharePoint is secured against those threats all the way from the front end back into storage, a combination of user authentication, strong access control, encryption and audit logging are recommended.

CipherPoint’s transparent web-tier encryption technology for SharePoint secures sensitive or regulated content through the use of encryption, access control and activity logging.

CipherPoint’s SharePoint products provide transparent data encryption for on-premise SharePoint installations, using technology that delivers distinct advantages over other approaches to securing SharePoint content:

• Inserts at the web tier, providing a higher level of threat protection against insiders and other threats to sensitive data
• Transparent to end users
• Gives security control back to IT security management
• Enables compliance to numerous regulations requiring encryption of regulated content
• Makes content protection for SharePoint easy, secure and scalable

The CipherPoint product solution for SharePoint comprises CipherPointKM, the central key management console providing administration capabilities for multiple SharePoint servers, and CipherPoint agent software, with three versions suitable for use by small SharePoint farms, mid-sized enterprises, and large enterprises with multiple locations and very large SharePoint farms.

[Figure: CipherPointKM security management console.]

CipherPointCS is a SharePoint content scanner that enables SharePoint administrators and security staff to scan SharePoint sites and find sensitive or compliance-regulated data. CipherPoint is pleased to provide this content scanning utility for free as part of its philosophy that SharePoint site security starts with understanding exactly what content is being stored in SharePoint sites.

Client-side security

Threats to SharePoint data while in use on client devices or when checked out from SharePoint sites can come from a variety of sources, including device loss or theft and malicious users who copy data to unauthorized devices or storage.

Addressing information access and security with Brava!® for SharePoint

IGC’s Brava viewer allows SharePoint users access to their document content directly through the SharePoint portal without ever needing to download the document to their computer. Brava users are able to view and annotate virtually any document type and create redacted versions of documents with sensitive information removed. Brava’s capabilities provide end users easy access to the information they need while still securing sensitive document content.

Brava protects sensitive content in multiple ways:

Untouched originals—When a document is viewed through the Brava viewer, the original document is never downloaded to the user’s computer. The Brava server converts documents from their native format to an IGC proprietary format, which is then streamed to the viewer. This process is completely transparent to the user, who only has to click a link to see the document content directly inside the SharePoint portal. This prevents sensitive information from being lost when hard drives are replaced or sent outside an organization without being securely wiped, or when laptops are stolen, thumb drives are misplaced, or hackers access unsecured drives. Brava eliminates these concerns by allowing users to access the document content they need without the original document ever being downloaded.

Protected libraries—Brava Protected Libraries offer administrators even more options for securing their repositories. When the Brava Protected Library feature is activated on a library, users with read-only permissions on a document can access a document only through the Brava viewer. Users with write permissions on a document continue to work normally with a document, including checking in a new version, opening it in the original application or viewing it through Brava. When a read-only user tries to access the document, that user is automatically redirected to the Brava viewer.

Brava Protected Libraries do more than block a user’s ability to download a document through the SharePoint web interface. In addition, Brava will trap all requests for a document so users are automatically redirected to the Brava viewer, regardless of whether the user navigates to the document through SharePoint, clicks a link to the document in an email, or enters the URL of the document directly in a browser’s URL bar.

Read-only users are not able to copy and paste text from Brava, print the document, or save a PDF rendition. Brava even blocks the print screen command. Brava Protected Libraries protects from insider threats by ensuring that sensitive information never leaves the controlled confines of your SharePoint environment, while giving users access to the information they need to do their jobs.

[Figure: Viewing documents in Brava for SharePoint]

Redaction—Sometimes you will need to share documents that include customers’ private information, trade secrets, sensitive human resources information or other privileged information. Corporate governance policies, compliance concerns or government regulations may restrict your ability to share that sensitive content. In these cases, Brava’s redaction capabilities will assist you in securing sensitive information.

[Figure: A redacted file in SharePoint.]

Brava allows you to mark sensitive information for redaction and generate a new document with that content completely removed. You can manually mark areas for redaction, search for common privacy information such as social security numbers or enter your own text patterns to redact. All the content not marked for redaction is transferred to the new document unchanged, so you are still able to search for and use everything except the sensitive content. The redacted information will never appear in the new document, so you never have to worry about someone extracting that information from the redacted document. This allows you to share documents while still complying with the policies and laws governing management of sensitive information.

Brava architecture

Brava consists of a SharePoint solution, a web application and a client-side viewer control. When a user accesses a document through Brava, the document is sent from SharePoint to IGC’s proprietary format, which is then streamed to the viewer. The original document is never sent to the user’s computer.

The Brava web application can live behind a corporate firewall. This ensures that your documents never even have to leave your corporate network, even if users are outside the network. All communication between the Brava viewer and server can be configured to use https, adding another degree of security to the communication.

Protect sensitive information with comprehensive SharePoint security

Employing an end-to-end protection strategy for SharePoint can allow your organization to comply with relevant regulations, secure your sensitive information and avoid expensive data breaches and brand damage. When used in concert, the CipherPoint and IGC solutions can also enable your organization to confidently deploy SharePoint as a platform for senior management, team collaboration, boards of directors, human resources, and more.

About CipherPoint

CipherPoint secures sensitive and regulated content in web-based application environments including cloud, SaaS and premise-based collaboration platforms such as Microsoft SharePoint. Headquartered in Denver, Colorado, CipherPoint was founded by IT security experts with deep experience in building successful security technology companies. CipherPoint is committed to helping customers meet their security objectives, building value for our shareholders, fostering a stimulating work environment for employees and improving the community through volunteering.

Customers in manufacturing, financial services, federal and state government, defense, healthcare, and business services use CipherPoint’s content security solutions to secure their sensitive and compliance-regulated data. Customers throughout North America, the UK and Europe, the Middle East, and Asia rely on CipherPoint to secure their sensitive information. Learn more at http://www.cipherpoint.com.

About IGC

IGC is a recognized leader in viewing, collaboration and redaction software, offering products that speed workflows, increase efficiency, and aid in regulation compliance. IGC solutions are deployed across almost every industry, with millions of installed seats worldwide.

Brava gives users access to needed information in documents quickly and allows them to make comments, remove sensitive information and create sanitized versions as PDFs, TIFFs or CSFs. Brava supports virtually any format, including office documents, images (e.g., TIFF, JPG, GIF) and CAD drawings. Redact-It® automatically creates public renditions of documents with sensitive content completely removed as part of a workflow. Blazon™, formerly known as Net-It®, automatically creates a TIFF or PDF version of the source document and enables users to add stamps, a watermark, or other information based on metadata from Microsoft SharePoint. Learn more at www.infograph.com/sharepoint.

For more information, please contact:

Informative Graphics Corp.
4835 E. Cactus Road, Suite 445
Scottsdale, AZ 85254
Phone: 800.398.7005 (intl +1.602.971.6061)
URL: www.infograph.com
Email: info@infograph.com

CipherPoint Software
4600 S. Syracuse, 9th Floor
Denver, CO 80237-2719
+1.888.657.5355
URL: www.cipherpoint.com
Email: info@cipherpoint.com

© Copyright 2012 Informative Graphics Corporation