By Mike Fleck
SharePoint sites, including SharePoint Online and hosted SharePoint farms, are subject to several serious content security risks.
With organizations using on-premises SharePoint sites, hosted SharePoint farms, and SharePoint Online for sensitive and regulated data--including personally identifiable information (PII), healthcare data, customer financial information, and intellectual property--securing that data is a high priority.
In addition, organizations face real and expensive compliance risks associated with regulated data and SharePoint. Some of the most common security and compliance risks found in SharePoint environments can have serious consequences for organizations, if left unmanaged.
Security breaches involving regulated data, however they happen, can cause fines, loss of customer trust, brand damage and other negative effects.
Below are 10 of the most common SharePoint security risks, with tips on how to mitigate them:
1. Lack of SharePoint Content Awareness
Implement governance guidelines and provide content classification. This includes training end users and performing periodic content scans. In addition, teams should use SharePoint metadata and workflows to route sensitive information to secure locations.
2. Failure to Secure SharePoint Against Privileged Insider Accounts
Limit privilege levels for administrator accounts and deploy third-party security solutions that enable encryption and access control.
3. Inadequate or Non-Existent Audit Trails for SharePoint Usage and Administrative Access
Enable auditing for system and file access, and for all administrative changes to SharePoint.
4. Failure to Secure Content in SharePoint Servers, in Transit, and on Endpoints
Organizations should implement solutions that secure content on SharePoint servers and on backups through access control and encryption. In addition, teams should consider whole-disk encryption for endpoints, especially laptops. Security administrators can also enable SSL encryption for data in transit.
5. Misconfiguring Access Controls and Permissions
First, audit existing SharePoint permissions, then review or create corporate access control policies. Align SharePoint permissions with corporate directory services. By doing this, administrators can understand how permission inheritance is used and where unmanaged item-level permissions exist.
6. SharePoint Platform Security Risks
Harden platforms by disabling ports and services that aren't necessary for the platform to function; patch regularly, and consider application whitelisting.
7. SharePoint and Malware
Implement a server malware solution and regularly update the antivirus definitions.
8. Failure to Limit Administrator and Service Accounts
Limit privileges on service accounts, disable the install account, and don't use shared administrator accounts.
9. SharePoint System Architecture & Network Configuration Issues
Put a dedicated SharePoint web front end in a DMZ, use a single-function-per-server approach, and harden the SharePoint, OS, and database according to best practices.
10. Failure to Perform Backups, and Provide DR Capability
Perform backups, and test restoring them on a regular basis, at least annually. Then consider how to recover from disasters using SharePoint services.
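Item 5 above calls for auditing existing permissions and finding unmanaged item-level permissions. As an added example, not code from the article or from CipherPoint, the following SharePoint Server management-shell script inventories every web, list and item in a site collection that breaks permission inheritance and records who holds rights there; the site URL and output path are placeholders.

```powershell
# Added example (not from the article): inventory every scope in a site
# collection that breaks permission inheritance, so the unmanaged item-level
# permissions named in item 5 can be reviewed. Assumes the SharePoint Server
# management shell (Microsoft.SharePoint.PowerShell snap-in) and a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "https://sharepoint.example.com/sites/finance"   # placeholder URL
$report  = @()

function Add-ScopeReport($scopeUrl, $scopeType, $securable) {
    # One row per role assignment on the securable object (web, list or item).
    foreach ($ra in $securable.RoleAssignments) {
        $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ";"
        $script:report += [PSCustomObject]@{
            Scope       = $scopeUrl
            ScopeType   = $scopeType
            Principal   = $ra.Member.Name
            IsGroup     = ($ra.Member -is [Microsoft.SharePoint.SPGroup])
            Roles       = $roles
            FullControl = ($roles -match "Full Control")
        }
    }
}

$site = Get-SPSite $siteUrl
foreach ($web in $site.AllWebs) {
    if ($web.HasUniqueRoleAssignments) { Add-ScopeReport $web.Url "Web" $web }
    foreach ($list in $web.Lists) {
        if ($list.Hidden) { continue }
        if ($list.HasUniqueRoleAssignments) {
            Add-ScopeReport "$($web.Url)/$($list.RootFolder.Url)" "List" $list
        }
        # Item-level breaks are invisible in most UI views; walk items explicitly
        # (this is the slow part on large lists, so run it off-hours).
        foreach ($item in $list.Items) {
            if ($item.HasUniqueRoleAssignments) {
                Add-ScopeReport "$($web.Url)/$($item.Url)" "Item" $item
            }
        }
    }
    $web.Dispose()
}
$site.Dispose()

# Full report for the permissions audit, then the rows that deserve first review:
# direct user grants (not via a group) and anyone holding Full Control.
$report | Sort-Object ScopeType, Scope | Export-Csv -NoTypeInformation ".\SPPermissionScopes.csv"
$report | Where-Object { -not $_.IsGroup -or $_.FullControl } | Format-Table -AutoSize
```

Comparing the exported CSV against the corporate access control policy shows which broken-inheritance scopes were deliberate and which should be re-inherited or moved under directory-managed groups.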
Managing these security risks through implementation of appropriate security controls goes a long way toward reducing content security and compliance risks in SharePoint.
In addition, putting your SharePoint environment on a solid security footing frees you to broaden the use of SharePoint in your organization for more effective collaboration and communication.
Mike Fleck is the CEO of CipherPoint.