SharePoint continues to be the collaboration and content
management platform of choice. With more than 130 million
users and adoption by 70 percent of large enterprises, we can
expect continued market penetration, as well as increased use
of SharePoint for managing sensitive and regulated content.
However, numerous industry studies cite challenges with
security, compliance, and information governance associated
with SharePoint sites and the information stored in them. A
recent Information Week study rated data security controls
as the most important feature of collaboration software
platforms—higher than all other capabilities. The study
found that monitoring content in collaboration platforms for
security and policy violations was a challenge for 38 percent of
respondents.
This white paper describes common security and compliance
challenges associated with SharePoint content and identifies
an end-to-end solution approach to securing confidential and
regulated data in SharePoint.
Securing sensitive and compliance-regulated data in SharePoint: an end-to-end approach

An IGC and CipherPoint Software White Paper
SharePoint customer security challenges

Organizations face a host of issues when access to sensitive or regulated content in SharePoint libraries is not tightly controlled:
• Understanding what content is stored in SharePoint and whether the data is sensitive or governed by compliance regulations. It is important to not just write policy, but to inspect SharePoint file storage and determine what is actually being stored in SharePoint sites.
• Classifying data in SharePoint and establishing access controls and required protection mechanisms for data in storage, in transit and when downloaded to or being used on client devices.
• Understanding the insider and administrator threat to data in SharePoint, since native platform controls are trivially easy for a farm or site administrator to circumvent.
• Preventing information leakage from SharePoint, including via download, copy and paste, or just by misconfiguring access controls.
• Balancing ease of access and use with security.
• Building security controls to comply with relevant regulations for your organization, in your industry.
• Providing separation of duties for SharePoint administrators, particularly if your sites house trade secrets, IP, business plans, customer lists, and human resources data.

A useful mechanism for thinking through content security and SharePoint is to consider threats to the data and content from end to end. The diagram below can be used to build a risk model that describes the threats facing your organization given how you use the SharePoint platform. Sensitive information is potentially vulnerable at any stage, from the point of SharePoint access all the way to your backups. This model can be used to help you evaluate how to best protect against different threats at different points.

End-to-end solution architecture

Beyond evaluating specific threats to your SharePoint content, you may also wish to perform a full risk assessment for your SharePoint sites and information. CipherPoint has created a brief SharePoint risk assessment template, which may be downloaded for free at www.sharepointdefenseindepth.com.

Server-side security

As a web-based platform with myriad configuration possibilities, SharePoint security can be a complex topic, and one that is highly dependent on the use case and the deployment model. The solution architecture described here provides the recommended end-to-end, “defense in depth” approach to securing information in SharePoint.

Protecting information stored in SharePoint with CipherPoint

Threats to data while stored in SharePoint can come from insiders, administrators, external attackers, and from loss or theft of servers and media. To ensure SharePoint is secured against those threats all the way from the front end back into storage, a combination of user authentication, strong access control, encryption and audit logging is recommended.

CipherPoint’s transparent web-tier encryption technology for SharePoint secures sensitive or regulated content through the use of encryption, access control and activity logging.

CipherPoint’s SharePoint products provide transparent data encryption for on-premise SharePoint installations, using technology that delivers distinct advantages over other approaches to securing SharePoint content:
• Inserts at the web tier, providing a higher level of threat protection against insiders and other threats to sensitive data.
• Transparent to end users.
• Gives security control back to IT security management.
• Enables compliance with numerous regulations requiring encryption of regulated content.
• Makes content protection for SharePoint easy, secure and scalable.

Page 2 - Securing sensitive and compliance-regulated data in SharePoint: an end-to-end approach
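The first of the customer security challenges above, checking what is actually stored rather than relying on written policy, is the job a content scan automates. The following is an added example written for this page, not CipherPoint or IGC code: a Python scanner that walks a folder of files exported from a document library (a constructed sample built in a temp directory), flags files holding likely regulated data, and uses a Luhn check so that ticket numbers that merely look like card numbers are not reported.

```python
"""Content-discovery scan of an exported SharePoint document library (added
illustration for this page, not CipherPoint's CipherPointCS)."""
import re
import tempfile
from pathlib import Path

# 14-19 digits, optionally separated by spaces or dashes (card-number candidates).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
# NNN-NN-NNNN, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops ticket or order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify_text(text: str) -> dict:
    """Count regulated-data hits (SSNs, Luhn-valid card numbers) in one document."""
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group()))]
    return {"card_numbers": len(cards), "ssns": len(SSN_RE.findall(text))}

def scan_library(root: Path, suffixes=(".txt", ".csv", ".md")) -> dict:
    """Map each flagged file (path relative to root) to its hit counts."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = classify_text(path.read_text(errors="replace"))
            if any(hits.values()):
                findings[path.relative_to(root).as_posix()] = hits
    return findings

def scan_sample_library() -> dict:
    """Build a constructed sample export in a temp folder and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "HR").mkdir()
    (root / "HR" / "payroll.csv").write_text("name,ssn\nA. Example,123-45-6789\n")
    (root / "expenses.txt").write_text("Card on file: 4111 1111 1111 1111\n")
    # 16 digits that fail Luhn: a regex-only scanner would report this as a card.
    (root / "notes.txt").write_text("Ticket 1234 5678 9012 3456 was closed.\n")
    return scan_library(root)

if __name__ == "__main__":
    for name, hits in scan_sample_library().items():
        print(f"{name}: {hits}")
```

Only the payroll file and the expenses note are reported; the ticket number in notes.txt matches the card regex but fails the checksum and is left out.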
The CipherPoint product solution for SharePoint comprises CipherPointKM, the central key management console providing administration capabilities for multiple SharePoint servers, and CipherPoint agent software, with three versions suitable for use by small SharePoint farms, mid-sized enterprises, and large enterprises with multiple locations and very large SharePoint farms.

Figure: CipherPointKM security management console.

CipherPointCS is a SharePoint content scanner that enables SharePoint administrators and security staff to scan SharePoint sites and find sensitive or compliance-regulated data. CipherPoint is pleased to provide this content scanning utility for free as part of its philosophy that SharePoint site security starts with understanding exactly what content is being stored in SharePoint sites.

Client-side security

Threats to SharePoint data while in use on client devices or when checked out from SharePoint sites can come from a variety of sources, including device loss or theft and malicious users who copy data to unauthorized devices or storage.

Addressing information access and security with Brava!® for SharePoint

IGC’s Brava viewer allows SharePoint users access to their document content directly through the SharePoint portal without ever needing to download the document to their computer. Brava users are able to view and annotate virtually any document type and create redacted versions of documents with sensitive information removed. Brava’s capabilities provide end users easy access to the information they need while still securing sensitive document content.

Brava protects sensitive content in multiple ways:

Untouched originals—When a document is viewed through the Brava viewer, the original document is never downloaded to the user’s computer. The Brava server converts documents from their native format to an IGC proprietary format, which is then streamed to the viewer. This process is completely transparent to the user, who only has to click a link to see the document content directly inside the SharePoint portal. This prevents sensitive information from being lost when hard drives are replaced or sent outside an organization without being securely wiped, or when laptops are stolen, thumb drives are misplaced, or hackers access unsecured drives. Brava eliminates these concerns by allowing users to access the document content they need without the original document ever being downloaded.

Protected libraries—Brava Protected Libraries offer administrators even more options for securing their repositories. When the Brava Protected Library feature is activated on a library, users with read-only permissions on a document can access it only through the Brava viewer. Users with write permissions on a document continue to work normally with it, including checking in a new version, opening it in the original application or viewing it through Brava. When a read-only user tries to access the document, that user is automatically redirected to the Brava viewer.

Brava Protected Libraries do more than block a user’s ability to download a document through the SharePoint web interface. In addition, Brava will trap all requests for a document so users are automatically redirected to the Brava viewer, regardless of whether the user navigates to the document through SharePoint, clicks a link to the document in an email, or enters the URL of the document directly in a browser’s URL bar.

Read-only users are not able to copy and paste text from Brava, print the document, or save a PDF rendition. Brava even blocks the print screen command. Brava Protected Libraries protect against insider threats by ensuring that sensitive information never leaves the controlled confines of your SharePoint environment, while giving users access to the information they need to do their jobs.

Figure: Viewing documents in Brava for SharePoint

Redaction—Sometimes you will need to share documents that include customers’ private information, trade secrets, sensitive human resources information or other privileged information. Corporate governance policies, compliance concerns or government regulations may restrict your ability to share that sensitive content. In these cases, Brava’s