SharePoint security hardening and controls. How to protect against insider threats?

Enterprises using ECM and content services platforms such as SharePoint are increasingly concerned about unauthorised internal access (including by persons with IT administrator privileges) to confidential finance or HR documents. Enterprises often have inadequate intranet security, and the platforms do not natively provide encryption or privileged access controls for SharePoint security hardening.

The business and compliance risks and the financial costs and penalties arising from insider threats are real when you consider regimes such as GDPR.

In some markets, particularly Europe, enterprises are still grappling with issues such as securing data stored in and accessed from existing on-premises applications, let alone the issues that arise as they migrate to cloud-based versions of those applications.

There are straightforward solutions to augment the document security of content platforms like SharePoint using encryption (including in transit), strict access controls and comprehensive audit capabilities, enabling enterprises to fully meet their corporate compliance and risk requirements.

Data access permissions

The first thing that comes to mind for document security is permission controls. For SharePoint security hardening, there are two different levels of permissions – folder level and file level.

Folder permissions allow each file within a folder to be protected with a set of permissions or restrictions. The problem is that files actually have to be placed in that folder for this protection to work, and it does nothing against people accidentally or intentionally copying an important file somewhere else before it is moved to that specific folder. There’s also another possible scenario: when folder structures within SharePoint become too complicated, users are highly likely to copy important files to devices they have physical access to – smartphones, portable flash drives, even desktop storage. Once a specific file is copied from SharePoint to somewhere else, the organisation may immediately lose control and auditability of that information, meaning it’s now even more vulnerable.

File permissions are there to at least mitigate that type of security risk. These permissions are assigned to a specific file and apply to that file no matter where it is in the SharePoint file ecosystem. It is even possible to restrict any unauthorized copying or moving of this specific file. While this is a good first step, it’s not perfect. Due to SharePoint’s limited metadata editing functionality, some administrators might find it hard to set specific rules per file in the system. And there’s still not enough protection against random file metadata edits, both intentional and accidental.

Unfortunately, permissions alone can’t ensure that your files are protected against all possible threats – there are a lot of other solutions designed for SharePoint security hardening purposes, both within SharePoint and as third-party services.

Data encryption

Now we’re on the topic of SharePoint’s built-in data protection capabilities – i.e. data encryption at rest.

Data at rest can be protected using encryption at both the disk and the file level. Disk-level encryption uses BitLocker, and file-level encryption applies the industry-standard AES-256 (Advanced Encryption Standard) via a normal HTTPS tunnel (which is the norm for all website communication in this day and age).

However, data at rest isn’t the only data state that exists. There’s also data in transit, and the protection methods for it are somewhat different. A typical example is a client communicating with a SharePoint server – such a connection is typically protected via SSL/TLS (Secure Sockets Layer/Transport Layer Security), but it’s not perfect as a protection method and you can’t just forget about data encryption because of that. Having several different methods and approaches is highly recommended if you want to ensure good data protection hygiene in general.

Personnel permissions

File encryption isn’t the only thing that is used to protect SharePoint data. There are also permissions that are assigned to each and every participant in a SharePoint system, from low-level employees to the company’s executives.

SharePoint’s system administrator rights – or Full Control permissions – are assigned to each and every person in the “Owner” group when the system is created. SharePoint has quite a lot of different permission levels, and managing them will get complicated very quickly. For that exact reason it’s common advice to use the Groups functionality to make controlling multiple employees’ permissions easier.

Some of the most obvious permission types are as follows:

  • Full Control;
  • Read;
  • Edit;
  • Contribute;
  • Limited Access;
  • View Only;
  • Approve, and so on.

Most of those permissions are pretty basic and self-explanatory, like Read, Edit, View Only, etc. Some permissions, like Limited Access, can’t be given directly to a specific user, but they are created when a file is given limited permissions to view or edit. And some, like Full Control, Approve (and the somewhat similar Manage Hierarchy), give a person almost unlimited functionality and should be assigned only after a lot of consideration. Granting that level of access to too many people can result in disaster, including data breaches, compromised security, and more.
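A way to put the advice above into practice, as an added example that is not part of the original article or any vendor's tooling: a Python audit over a permissions export that expands groups, lists who ends up with Full Control, Approve or Manage Hierarchy on each scope, and flags grants made directly to users rather than through groups. The export format, the names in it and the `max_holders` threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

# Levels the article singles out as giving almost unlimited functionality.
HIGH_PRIVILEGE = {"Full Control", "Approve", "Manage Hierarchy"}

# Constructed sample data in a hypothetical export format (not a SharePoint API).
GROUPS = {
    "Finance Owners": ["alice", "bob", "svc-backup"],
    "Finance Members": ["carol", "dave"],
    "Finance Visitors": ["erin"],
}
# (scope with unique permissions, principal, principal type, permission level)
ASSIGNMENTS = [
    ("/sites/finance", "Finance Owners", "group", "Full Control"),
    ("/sites/finance", "Finance Members", "group", "Edit"),
    ("/sites/finance", "Finance Visitors", "group", "Read"),
    ("/sites/finance", "frank", "user", "Full Control"),
    ("/sites/finance/Payroll", "dave", "user", "Approve"),
    ("/sites/finance/Payroll", "carol", "user", "Manage Hierarchy"),
    ("/sites/finance/Payroll", "erin", "user", "Limited Access"),
]


def audit(assignments, groups, max_holders=3):
    """Return high-privilege holders per scope, direct grants, and crowded scopes."""
    holders = defaultdict(lambda: defaultdict(set))  # scope -> user -> levels
    direct = []
    for scope, principal, kind, level in assignments:
        if level not in HIGH_PRIVILEGE:
            continue  # also skips Limited Access, which SharePoint creates itself
        if kind == "group":
            members = groups.get(principal, [])  # expand group to its users
        else:
            members = [principal]
            direct.append((scope, principal, level))  # bypasses group management
        for user in members:
            holders[scope][user].add(level)
    return {
        "holders": {s: {u: sorted(l) for u, l in us.items()} for s, us in holders.items()},
        "direct": direct,
        "over_limit": {s: sorted(us) for s, us in holders.items() if len(us) > max_holders},
    }


if __name__ == "__main__":
    report = audit(ASSIGNMENTS, GROUPS)
    for scope, users in report["over_limit"].items():
        print(f"{scope}: {len(users)} high-privilege holders: {', '.join(users)}")
    for scope, user, level in report["direct"]:
        print(f"direct grant: {user} has {level} on {scope}")
```

Scopes that inherit their permissions are assumed to be absent from the export, so each row represents a place where someone deliberately broke inheritance and deserves review on that basis alone.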


The modern world is evolving at an enormous pace, and that brings new methods of compromising a company’s sensitive data. For that exact reason it’s important for data protection methods to evolve and improve as well. It is highly recommended not to restrict your data protection efforts to SharePoint’s basic capabilities but to also put effort into more complex safeguards, including using third-party protection service providers to expand your SharePoint security capabilities, segregating the permissions of privileged users/administrators, and so on.

Cipherpoint’s cp.Protect offers various controls for SharePoint security, including effective encryption and centralised security management.