Securing Sharepoint In The Cloud: Best Practices And Common Pitfalls
Understanding SharePoint Security Needs
As organizations continue adopting cloud-based SharePoint platforms, they must implement robust security measures to safeguard sensitive data and documents. SharePoint contains valuable information such as financial reports, product designs, customer data and other intellectual property that cybercriminals actively target.
Key security considerations when moving SharePoint to the cloud include:
- Managing user identities and access controls to prevent unauthorized access
- Encrypting sensitive SharePoint libraries and files stored in the cloud
- Protecting SharePoint data in transit and at rest against data breaches
- Implementing data loss prevention controls to avoid accidental leaks
- Auditing site collections, documents, and user activities to maintain compliance
Identity and Access Management Challenges
Governing identity and access remains an ongoing challenge with cloud SharePoint. Organizations struggle to:
- Provision and deprovision user access rights as personnel join, move, or leave the company
- Enforce least privilege permissions across dynamic SharePoint sites
- Prevent unauthorized external sharing of sensitive documents
- Reduce risk of compromised credentials and identities
Protecting Sensitive Data and Documents
SharePoint supports collaborative document sharing across an organization. While convenient, this introduces risks of data leaks, data theft, and non-compliance such as:
- Users accidentally sharing sensitive documents with unauthorized internal or external recipients
- Hackers exploiting misconfigured libraries to access intellectual property
- Departing employees downloading or deleting proprietary information
- Failure to classify and protect regulated data stored in SharePoint
Maintaining Regulatory Compliance
Industry regulations such as SOX, HIPAA, GDPR impose strict controls around securing and monitoring sensitive data. Organizations must evaluate their SharePoint environment to:
- Identify regulated data such as PII or PHI contained in SharePoint
- Classify and protect information assets appropriately
- Log user activities for forensic audits
- Govern data retention policies
- Produce reports demonstrating compliance
Implementing Robust Authentication
Enforcing strong user authentication is crucial for securing access to cloud SharePoint. Organizations should leverage modern protocols and implement prudent access policies.
Enforcing Multi-Factor Authentication
Multi-factor authentication (MFA) adds an extra layer of user validation beyond just passwords. Successful MFA adoption requires:
- Enabling MFA at the tenant level to secure Office 365
- Configuring conditional access policies triggering MFA under high-risk scenarios
- Blocking legacy authentication protocols susceptible to password spray attacks
- Training users on supported MFA methods like app verification codes or security keys
Leveraging Identity Providers
Organizations can integrate Azure AD or compatible identity providers (IdP) with SharePoint Online for improved identity lifecycle management through:
- Automated user provisioning and deprovisioning
- Centralized authentication using single sign-on
- Rich user attributes for access policy decisions
- Reduced burden on IT help desks
Setting Up Login Policies and Account Lockouts
Prudent login policies thwart unauthorized access attempts by:
- Blocking common passwords
- Requiring minimum password lengths and complexity
- Limiting login attempts before lockout
- Imposing password expiration periods
Controlling File Access
Managing permissions across SharePoint sites, libraries, folders and files minimizes data exposure while facilitating information sharing needs.
Configuring Permission Levels
Well-planned permission levels enable precise access by:
- Matching user roles to appropriate privilege levels
- Granting minimal required permissions
- Leveraging groups for manageability
- Imposing need-to-know restrictions using audience targeting
Managing External Sharing
External sharing presents data leakage risks but remains essential for collaboration. A secure configuration involves:
- Permitting sharing only with specific business partners
- Restricting accessible content for guest users
- Expiring anonymous access links automatically
- Disallowing guests to involuntarily share items externally
Auditing Site Collections and Libraries
Regular audits help ensure appropriate protections remain enforced by:
- Reviewing site access and modification logs
- Verifying classification labels on sensitive documents
- Examining current permission levels
- Rescinding stale guest accounts
Encrypting Sensitive Data
Powerful encryption safeguards confidential SharePoint data throughout its lifecycle and across transit channels.
Enabling SQL and Database Encryption
Microsoft automatically encrypts data at rest but further database and cell-level encryption improves confidentiality by:
- Encrypting data prior to storage in SQL databases
- Leveraging client-side and labelled row-level encryption features
- Masking last displayed rows to curb shoulder surfing
Protecting Data In Transit and At Rest
Text and document encryption ensure only authorized parties view information by:
- Encrypting sensitive columns in SharePoint lists
- Classifying files containing restricted data as confidential
- Blocking access from insecure protocols
- Validating data security controls of connected services
Avoiding Misconfigurations
Deviating from Microsoft’s prescribed security guidance introduces vulnerabilities. Organizations must vigilantly avoid common pitfalls like:
Disabling Insecure Default Settings
Microsoft enables certain permissive settings by default for usability. Hardening SharePoint requires:
- Removing guest access to OneDrive for Business
- Blocking Office document links from anonymous users
- Prohibiting group membership changes by email
Regularly Reviewing Permissions and Sharing Links
Preserving least privilege through ongoing reviews by:
- Revoking stale external user access
- Verifying appropriate group memberships
- Examining sharing links and expirations
Testing Backup Routines
Validating operational recovery capabilities by:
- Restoring content from backups
- Scrutinizing administrator backup logs
- Rotating passwords for service accounts
Monitoring Threats Proactively
Preventing security incidents requires continuous monitoring of the SharePoint environment.
Enabling Auditing and Alerts
Auditing user activities and configuring alerts improves threat visibility by:
- Tracking file and folder access
- Monitoring administrative actions
- Logging custom queries
- Emailing alerts on suspicious events
Conducting Vulnerability Scans
Proactively testing security defenses through:
- Automated vulnerability scanning
- Manual penetration testing
- Remediating detected weaknesses
Developing an Incident Response Plan
Preparing a formal response plan for security events detailing:
- Escalation procedures
- Breach notification processes
- Investigation and remediation workflows
- Internal and external communications