SharePoint Security Audit

Collaboration tools like SharePoint are excellent for facilitating exchange of information and enabling remote teams to work more effectively.  Over the years they have evolved to become much more than a file repository and enable linking of information across all aspects of a user’s desktop.  There are a couple of things to bear in mind when managing and using SharePoint, such as the relevant SharePoint security risks and how to perform the correct SharePoint security audits to highlight these risks.

SharePoint quickly becomes a treasure trove of information, but that information is often difficult to find and buried amongst large volumes of data, meaning that in many cases nobody realises what information is stored in SharePoint and how much of it is sensitive. Here we use the term “sensitive” broadly to refer to any information that could have a negative impact from an uncontrolled disclosure.  It could be personally identifiable information (PII), HR records (e.g. a spreadsheet with staff performance reviews) or valuable intellectual property.  Sensitive data buried in files and documents (referred to as unstructured data) can be much harder to manage than that in databases or applications (structured data).

This is where the risk comes in.  How can the data owner (as distinct from the IT administrator) be sure that sensitive information is only disclosed (with an appropriate level of access) to those who are authorised to see or use it?  The purpose of a SharePoint security audit is to provide a relatively objective assessment of the risk of an unauthorised disclosure.

The risk is very tightly linked to the information stored in SharePoint, so the first step in auditing the risk is understanding what data is where. Historically, organisations have relied on users to classify and label files based on their contents.  Anyone with a background in data loss prevention tools will confirm that the inconsistency and subjectivity of this approach can lead to poor quality outcomes, and that it is easily bypassed by users looking for a way to get things done or (more worryingly) looking to circumvent the system.

There are a range of automated discovery and classification tools on the market.  Those that are effective combine a range of techniques to enable effective classification in a timely fashion.  These techniques include basic metadata analysis and content scanning (keywords, pattern matching etc), but are also extending to more intelligent tools based around machine learning technology.  The trick is to be able to combine these techniques to achieve fast and accurate outcomes.  Both of these are harder than you think!

Once an organisation has a foundational understanding of what data is where (i.e. has done the appropriate audit) then risk management becomes both easier and more effective.  Data can be managed and protected according to the information contained in the file.  Exposures can be prioritised and addressed by focussing on the biggest sources of risk for the most important data.  Sensitive data can be moved to somewhere safe or encrypted in place (or deleted if it is no longer required).  GDPR compliance is much easier if you can find (and delete if required) PII for an individual asserting their right to be forgotten.
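As an added illustration of the discovery and prioritisation steps described above (not code from any product or from this article), the following Python example combines metadata hints with content pattern matching, allows several labels per file, and ranks labelled files by how broadly they are shared. The rules, label names, group names, scoring weights and sample inventory are all constructed assumptions.

```python
import re

# Constructed rules: each label pairs metadata hints (file name) with content patterns.
RULES = {
    "PII": {"name": ("passport", "customer"),
            "content": re.compile(r"\b[\w.+-]+@[\w-]+\.\w{2,}\b")},
    "HR": {"name": ("appraisal", "performance", "payroll"),
           "content": re.compile(r"performance review|disciplinary|salary", re.I)},
}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate card numbers
BROAD_GROUPS = {"Everyone", "All Staff"}  # constructed group names

def luhn_ok(digits):
    """Card checksum; rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(name, text):
    """Return every label that applies; one file can carry several."""
    labels = set()
    for label, rule in RULES.items():
        if any(k in name.lower() for k in rule["name"]) or rule["content"].search(text):
            labels.add(label)
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("PAYMENT_CARD")
    return labels

def prioritise(inventory):
    """Rank labelled files; more labels and broad access sort first."""
    rows = []
    for name, text, groups in inventory:
        labels = classify(name, text)
        if labels:
            score = len(labels) + 2 * bool(BROAD_GROUPS & set(groups))
            rows.append((score, name, sorted(labels)))
    return sorted(rows, reverse=True)

# Constructed sample inventory: (file name, extracted text, groups with access)
SAMPLE = [
    ("Q3-appraisals.xlsx", "Performance review for jane.doe@example.com", ["Everyone"]),
    ("invoice-1042.txt", "Ref 1234 5678 9012 3456, paid by 4111 1111 1111 1111", ["Finance"]),
    ("lunch-menu.docx", "Soup of the day", ["Everyone"]),
]

if __name__ == "__main__":
    print(*prioritise(SAMPLE), sep="\n")
```

The checksum step shows why pattern matching alone is inaccurate: the first 16-digit run in the invoice matches the pattern but is rejected, while the second is labelled.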

Like most things in life, risk levels and appropriate mitigation steps are on a spectrum, and the cost and effort involved in the mitigation need to be tied to the level of risk.  The best approach is to have a clear understanding of what data you have and where, who needs to access it, and then to implement appropriate access control, protection and auditing steps.

SharePoint security audits need some form of structured checklist to help ensure that nothing is missed and everything is given an appropriate priority.  Here is a SharePoint security checklist that we have put together.  This list is based on a data centric approach which aims to make the infrastructure level components less critical (but still as relevant as ever in a layered defence model).

  1. Use a risk based approach to help focus the organisation on achieving an optimum level of protection for important data.
  2. Ensure all content is classified according to its contents (ideally a single file can have multiple classifications so that it can cater for real life complexity – e.g. an HR file that also contains PII).
  3. Have a SharePoint security policy that ensures all information has an owner and that this owner is accountable for determining who should have access to what data with what level of permission.
  4. Make sure IT is accountable for implementing systems that allow these policies to be implemented and enforced including:
    1. Access rights set by the data owner
    2. Limit access only to authorised users – this can be achieved by using separate repositories, the use of layered access control and/or encryption. Encryption has the advantage that it can easily be extended to cover backups and system level breaches (e.g. blinding your IT Admin).
    3. Logging and an audit trail to ensure traceability and accountability
    4. Authentication and authorisation – ensuring a user is who they say they are before they access something they are authorised to see is critical.
    5. Ensure infrastructure is reliable and secure – network security, patching, backup, scalability etc all need to be factored into this.  From a breach perspective this becomes less critical if encryption is well implemented as compromising the data store is not enough to access the content itself.