An IGC and CipherPoint Software White Paper

Securing sensitive and compliance-regulated data in SharePoint: an end-to-end approach


SharePoint continues to be the collaboration and content management platform of choice. With more than 130 million users and adoption by 70 percent of large enterprises, we can expect continued market penetration, as well as increased use of SharePoint for managing sensitive and regulated content.

However, numerous industry studies cite challenges with security, compliance, and information governance associated with SharePoint sites and the information stored in them. A recent Information Week study rated data security controls as the most important feature of collaboration software platforms—higher than all other capabilities. The study found that monitoring content in collaboration platforms for security and policy violations was a challenge for 38 percent of respondents.

This white paper describes common security and compliance challenges associated with SharePoint content and identifies an end-to-end solution approach to securing confidential and regulated data in SharePoint.

SharePoint customer security challenges

Organizations face a host of issues when access to sensitive or regulated content in SharePoint libraries is not tightly controlled:

• Understanding what content is stored in SharePoint and whether the data is sensitive or governed by compliance regulations. It is not enough to write policy; inspect SharePoint file storage and determine what is actually being stored in SharePoint sites.

• Classifying data in SharePoint and establishing access controls and the required protection mechanisms for data at rest, in transit, and when downloaded to or used on a client device.

• Understanding the insider and administrator threat to data in SharePoint, since native platform controls are trivially easy for a farm or site administrator to circumvent.

• Preventing information leakage from SharePoint, whether via download, copy and paste, or simply by misconfiguring access controls.

• Balancing ease of access and use with security.

• Building security controls that comply with the regulations relevant to your organization and industry.

• Providing separation of duties for SharePoint administrators, particularly if your sites house trade secrets, IP, business plans, customer lists, or human resources data.

End-to-end solution architecture

A useful way to think through content security in SharePoint is to consider threats to the data and content from end to end. The diagram below can be used to build a risk model that describes the threats facing your organization, given how you use the SharePoint platform. Sensitive information is potentially vulnerable at any stage, from the point of SharePoint access all the way to your backups. This model can help you evaluate how best to protect against different threats at different points.

Beyond evaluating specific threats to your SharePoint content, you may also wish to perform a full risk assessment for your SharePoint sites and information. CipherPoint has created a brief SharePoint risk assessment template, which may be downloaded for free at www.sharepointdefenseindepth.com.

As a web-based platform with myriad configuration possibilities, SharePoint security can be a complex topic, and one that is highly dependent on the use case and the deployment model. The solution architecture described here provides the recommended end-to-end, "defense in depth" approach to securing information in SharePoint.

Server-side security

Threats to data while stored in SharePoint can come from insiders, administrators, external attackers, and from loss or theft of servers and media. To secure SharePoint against those threats all the way from the front end back into storage, a combination of user authentication, strong access control, encryption and audit logging is recommended.

Protecting information stored in SharePoint with CipherPoint

CipherPoint's transparent web-tier encryption technology for SharePoint secures sensitive or regulated content through encryption, access control and activity logging.

CipherPoint's SharePoint products provide transparent data encryption for on-premises SharePoint installations, using technology that delivers distinct advantages over other approaches to securing SharePoint content:

• Inserts at the web tier, providing a higher level of protection against insiders and other threats to sensitive data
• Transparent to end users
• Gives security control back to IT security management
• Enables compliance with numerous regulations that require encryption of regulated content
• Makes content protection for SharePoint easy, secure and scalable


CipherPointKM security management console.


The CipherPoint product solution for SharePoint comprises CipherPointKM, the central key management console providing administration capabilities for multiple SharePoint servers, and CipherPoint agent software, with three versions suitable for use by small SharePoint farms, mid-sized enterprises, and large enterprises with multiple locations and very large SharePoint farms.

CipherPointCS is a SharePoint content scanner that enables SharePoint administrators and security staff to scan SharePoint sites and find sensitive or compliance-regulated data. CipherPoint is pleased to provide this content scanning utility for free as part of its philosophy that SharePoint site security starts with understanding exactly what content is being stored in SharePoint sites.

Client-side security

Threats to SharePoint data while in use on client devices, or when checked out from SharePoint sites, can come from a variety of sources, including device loss or theft and malicious users who copy data to unauthorized devices or storage.

Addressing information access and security with Brava!® for SharePoint

IGC's Brava viewer gives SharePoint users access to their document content directly through the SharePoint portal without ever needing to download the document to their computer. Brava users are able to view and annotate virtually any document type and create redacted versions of documents with sensitive information removed. Brava's capabilities give end users easy access to the information they need while still securing sensitive document content. Brava protects sensitive content in multiple ways:

Untouched originals—When a document is viewed through the Brava viewer, the original document is never downloaded to the user's computer. The Brava server converts documents from their native format to an IGC proprietary format, which is then streamed to the viewer.

This process is completely transparent to the user, who only has to click a link to see the document content directly inside the SharePoint portal. It prevents sensitive information from being lost when hard drives are replaced or sent outside an organization without being securely wiped, when laptops are stolen, when thumb drives are misplaced, or when attackers access unsecured drives. Brava removes these exposures by allowing users to access the document content they need without the original document ever being downloaded.

Viewing documents in Brava for SharePoint

Protected libraries—Brava Protected Libraries offer administrators even more options for securing their repositories. When the Brava Protected Library feature is activated on a library, users with read-only permissions on a document can access it only through the Brava viewer. Users with write permissions on a document continue to work normally with it, including checking in a new version, opening it in the original application or viewing it through Brava. When a read-only user tries to access the document, that user is automatically redirected to the Brava viewer.

Brava Protected Libraries do more than block a user's ability to download a document through the SharePoint web interface. Brava traps all requests for a document, so users are automatically redirected to the Brava viewer regardless of whether they navigate to the document through SharePoint, click a link to the document in an email, or enter the URL of the document directly in the browser's address bar.

Read-only users are not able to copy and paste text from Brava, print the document, or save a PDF rendition. Brava even blocks the print screen command. Brava Protected Libraries protect against insider threats by ensuring that sensitive information never leaves the controlled confines of your SharePoint environment, while giving users access to the information they need to do their jobs.
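The security-relevant point in the Protected Libraries description is that the permission decision is made once, at the request layer, for every route to the document, rather than by hiding a download button in the UI. The following is an added illustration of that pattern written for this page; it is not IGC's Brava code. The library contents, user names, permission model and the viewer route are constructed assumptions; the `/_layouts/15/download.aspx?SourceUrl=` shape is SharePoint's own alternate download endpoint, used here only as an example of a second path to the same file.

```python
"""Request-layer enforcement for a 'protected library' (illustrative).

Added example, not IGC's implementation. LIBRARY, the user names and
VIEWER_PATH are constructed for the demonstration.
"""
from __future__ import annotations

from urllib.parse import parse_qs, quote, unquote, urlsplit

VIEWER_PATH = "/_layouts/15/brava/view.aspx"      # assumed viewer route
DOWNLOAD_ENDPOINT = "/_layouts/15/download.aspx"  # SharePoint's alternate download path

# Constructed library: canonical (lower-cased, decoded) document path ->
# per-user permission. Two levels are enough for the demonstration.
LIBRARY: dict[str, dict[str, str]] = {
    "/sites/hr/shared documents/salaries.xlsx": {"alice": "write", "bob": "read"},
    "/sites/hr/shared documents/handbook.pdf": {"alice": "write", "bob": "write"},
}


def canonical_document(raw_url: str) -> str | None:
    """Reduce any URL a client might use (portal navigation, an emailed
    link, a hand-typed address, the download endpoint) to the library's
    canonical key, so that encoding, case or route differences cannot
    route around the permission check. Each component is decoded once;
    decoding twice would itself reopen a bypass via %25-encoding."""
    parts = urlsplit(raw_url)
    path = unquote(parts.path)
    if path.lower() == DOWNLOAD_ENDPOINT:
        # parse_qs already percent-decodes values, so no second unquote.
        query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
        src = query.get("sourceurl")
        if not src:
            return None
        path = src[0]
    while "//" in path:                 # SharePoint treats these as equal
        path = path.replace("//", "/")
    return path.lower()


def handle_request(user: str, raw_url: str) -> tuple[str, str | None]:
    """Return (action, target): 'serve' the original file to a writer,
    'redirect' a reader to the viewer, or 'deny'. Every route to a
    document passes through this single decision."""
    doc = canonical_document(raw_url)
    if doc is None or doc not in LIBRARY:
        return ("deny", None)
    perm = LIBRARY[doc].get(user)
    if perm == "write":
        return ("serve", doc)
    if perm == "read":
        # Readers get a rendition through the viewer; no original bytes leave.
        return ("redirect", f"{VIEWER_PATH}?doc={quote(doc)}")
    return ("deny", None)


if __name__ == "__main__":
    for url in (
        "/sites/hr/Shared%20Documents/Salaries.xlsx",
        "/_layouts/15/download.aspx?SourceUrl=%2Fsites%2Fhr%2FShared%20Documents%2Fsalaries.xlsx",
        "https://portal.example.com/sites//hr/Shared%20Documents/salaries.xlsx",
    ):
        print(handle_request("bob", url))
```

The three URLs in the `__main__` block are the three entry paths the text names (portal navigation, a link in an email, a typed address) plus the alternate download endpoint; all collapse to the same key and the same decision for the read-only user.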

Redaction—Sometimes you will need to share documents that include customers' private information, trade secrets, sensitive human resources information or other privileged information. Corporate governance policies, compliance concerns or government regulations may restrict your ability to share that sensitive content. In these cases, Brava's redaction capabilities will assist you in securing sensitive information.

Brava allows you to mark sensitive information for redaction and generate a new document with that content completely removed. You can manually mark areas for redaction, search for common privacy information such as social security numbers, or enter your own text patterns to redact. All content not marked for redaction is transferred to the new document unchanged, so you are still able to search for and use everything except the sensitive content. The redacted information is removed from the new document rather than merely obscured, so it cannot be extracted from the redacted copy. This allows you to share documents while still complying with the policies and laws governing management of sensitive information.

A redacted file in SharePoint.
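Both the content scanner described earlier (finding sensitive or regulated data in stored files) and the redaction step described here rest on the same mechanism: locate values by pattern, then produce a new rendition from which they are absent, never overlaid. The following is an added example written for this page; it is not CipherPointCS or Brava code. The detectors (a U.S. SSN shape with the never-issued ranges excluded, Luhn-validated card numbers, and caller-supplied patterns), the `[REDACTED]` marker and the sample document are constructed assumptions.

```python
"""Pattern-based sensitive-content scanning and redaction (illustrative).

Added example, not CipherPoint's or IGC's code. SAMPLE_DOCUMENT is
constructed and contains no real personal data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# SSN shape, rejecting area 000/666/9xx, group 00 and serial 0000,
# which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional space/dash separators; confirmed by Luhn below
# so that arbitrary long numbers (budgets, IDs) are not flagged.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(number: str) -> bool:
    """True when the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int
    text: str


def scan(text: str, custom_patterns: dict[str, str] | None = None) -> list[Finding]:
    """Locate sensitive values: SSNs, Luhn-valid card numbers and any
    caller-supplied regular expressions (the 'your own text patterns'
    case). Returned in document order, longest match first on ties."""
    findings = [Finding("ssn", m.start(), m.end(), m.group()) for m in SSN_RE.finditer(text)]
    findings += [Finding("card", m.start(), m.end(), m.group())
                 for m in CARD_RE.finditer(text) if luhn_ok(m.group())]
    for name, pattern in (custom_patterns or {}).items():
        findings += [Finding(name, m.start(), m.end(), m.group())
                     for m in re.finditer(pattern, text)]
    return sorted(findings, key=lambda f: (f.start, -f.end))


def redact(text: str, custom_patterns: dict[str, str] | None = None,
           marker: str = "[REDACTED]") -> tuple[str, list[Finding]]:
    """Build a new rendition with every finding removed. Overlapping
    findings are merged so no fragment of a value survives, and the
    result is checked so that no redacted value remains in the output."""
    findings = scan(text, custom_patterns)
    out, cursor = [], 0
    for f in findings:
        if f.start < cursor:            # overlaps a span already removed
            cursor = max(cursor, f.end)  # extend the removed span instead
            continue
        out.append(text[cursor:f.start])
        out.append(marker)
        cursor = f.end
    out.append(text[cursor:])
    redacted = "".join(out)
    for f in findings:
        if f.text in redacted:
            raise RuntimeError(f"{f.kind} value survived redaction")
    return redacted, findings


SAMPLE_DOCUMENT = (  # constructed sample input
    "Employee: Jane Doe  SSN: 123-45-6789\n"
    "Corporate card: 4539 1488 0343 6467 (exp 12/27)\n"
    "Project codename: BLUE-HARBOR, budget 4500000\n"
    "Not an SSN: 000-12-3456; not a card: 1234 5678 9012 3456\n"
)


def demo() -> tuple[str, list[str]]:
    """Redact the sample with one custom pattern; return the new text and
    the kinds of findings that drove it."""
    redacted, findings = redact(SAMPLE_DOCUMENT, {"codename": r"BLUE-HARBOR"})
    return redacted, [f.kind for f in findings]


if __name__ == "__main__":
    print(demo()[0])
```

The last line of the sample shows why detection needs more than a digit count: the 000-prefixed SSN and the Luhn-invalid card number are left in place, while the real-shaped values and the custom codename are removed and the output is verified before it is returned.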

Brava architecture

Brava consists of a SharePoint solution, a web application and a client-side viewer control. When a user accesses a document through Brava, the document is retrieved from SharePoint and converted to IGC's proprietary format, which is then streamed to the viewer. The original document is never sent to the user's computer. The Brava web application can live behind the corporate firewall, so documents never have to leave the corporate network even when users are outside it. All communication between the Brava viewer and server can be configured to use HTTPS, adding another layer of protection to the communication.

Protect sensitive information with comprehensive SharePoint security

Employing an end-to-end protection strategy for SharePoint can allow your organization to comply with relevant regulations, secure your sensitive information and avoid expensive data breaches and brand damage. When used in concert, the CipherPoint and IGC solutions can also enable your organization to confidently deploy SharePoint as a platform for senior management, team collaboration, boards of directors, human resources, and more.

About CipherPoint

CipherPoint secures sensitive and regulated content in web-based application environments including cloud, SaaS and on-premises collaboration platforms such as Microsoft SharePoint. Headquartered in Denver, Colorado, CipherPoint was founded by IT security experts with deep experience in building successful security technology companies. CipherPoint is committed to helping customers meet their security objectives, building value for our shareholders, fostering a stimulating work environment for employees and improving the community through volunteering. Customers in manufacturing, financial services, federal and state government, defense, healthcare, and business services use CipherPoint's content security solutions to secure their sensitive and compliance-regulated data. Customers throughout North America, the UK and Europe, the Middle East, and Asia rely on CipherPoint to secure their sensitive information. Learn more at http://www.cipherpoint.com.

About IGC

IGC is a recognized leader in viewing, collaboration and redaction software, offering products that speed workflows, increase efficiency, and aid in regulatory compliance. IGC solutions are deployed across almost every industry, with millions of installed seats worldwide.

Brava gives users quick access to the information they need in documents and allows them to make comments, remove sensitive information and create sanitized versions as PDFs, TIFFs or CSFs. Brava supports virtually any format, including office documents, images (e.g., TIFF, JPG, GIF) and CAD drawings. Redact-It® automatically creates public renditions of documents with sensitive content completely removed as part of a workflow. Blazon™, formerly known as Net-It®, automatically creates a TIFF or PDF version of the source document and enables users to add stamps, a watermark, or other information based on metadata from Microsoft SharePoint. Learn more at www.infograph.com/sharepoint.

© Copyright 2012 Informative Graphics Corporation

For more information, please contact:

Informative Graphics Corp.
4835 E. Cactus Road, Suite 445
Scottsdale, AZ 85254
Phone: 800.398.7005 (intl +1.602.971.6061)
URL: www.infograph.com
Email: [email protected]

CipherPoint Software
4600 S. Syracuse, 9th Floor
Denver, CO 80237-2719
+1.888.657.5355
URL: www.cipherpoint.com
Email: [email protected]