Securing Sharepoint In The Cloud: Best Practices And Common Pitfalls

ByThe SharePoint FAQs Team

Understanding SharePoint Security Needs

As organizations continue adopting cloud-based SharePoint platforms, they must implement robust security measures to safeguard sensitive data and documents. SharePoint contains valuable information such as financial reports, product designs, customer data and other intellectual property that cybercriminals actively target.

Key security considerations when moving SharePoint to the cloud include:

  • Managing user identities and access controls to prevent unauthorized access
  • Encrypting sensitive SharePoint libraries and files stored in the cloud
  • Protecting SharePoint data in transit and at rest against data breaches
  • Implementing data loss prevention controls to avoid accidental leaks
  • Auditing site collections, documents, and user activities to maintain compliance

Identity and Access Management Challenges

Governing identity and access remains an ongoing challenge with cloud SharePoint. Organizations struggle to:

  • Provision and deprovision user access rights as personnel join, move, or leave the company
  • Enforce least privilege permissions across dynamic SharePoint sites
  • Prevent unauthorized external sharing of sensitive documents
  • Reduce risk of compromised credentials and identities

Protecting Sensitive Data and Documents

SharePoint supports collaborative document sharing across an organization. While convenient, this introduces risks of data leaks, data theft, and non-compliance such as:

  • Users accidentally sharing sensitive documents with unauthorized internal or external recipients
  • Hackers exploiting misconfigured libraries to access intellectual property
  • Departing employees downloading or deleting proprietary information
  • Failure to classify and protect regulated data stored in SharePoint

Maintaining Regulatory Compliance

Industry regulations such as SOX, HIPAA, GDPR impose strict controls around securing and monitoring sensitive data. Organizations must evaluate their SharePoint environment to:

  • Identify regulated data such as PII or PHI contained in SharePoint
  • Classify and protect information assets appropriately
  • Log user activities for forensic audits
  • Govern data retention policies
  • Produce reports demonstrating compliance

Implementing Robust Authentication

Enforcing strong user authentication is crucial for securing access to cloud SharePoint. Organizations should leverage modern protocols and implement prudent access policies.

Enforcing Multi-Factor Authentication

Multi-factor authentication (MFA) adds an extra layer of user validation beyond just passwords. Successful MFA adoption requires:

  • Enabling MFA at the tenant level to secure Office 365
  • Configuring conditional access policies triggering MFA under high-risk scenarios
  • Blocking legacy authentication protocols susceptible to password spray attacks
  • Training users on supported MFA methods like app verification codes or security keys

Leveraging Identity Providers

Organizations can integrate Azure AD or compatible identity providers (IdP) with SharePoint Online for improved identity lifecycle management through:

  • Automated user provisioning and deprovisioning
  • Centralized authentication using single sign-on
  • Rich user attributes for access policy decisions
  • Reduced burden on IT help desks

Setting Up Login Policies and Account Lockouts

Prudent login policies thwart unauthorized access attempts by:

  • Blocking common passwords
  • Requiring minimum password lengths and complexity
  • Limiting login attempts before lockout
  • Imposing password expiration periods

Controlling File Access

Managing permissions across SharePoint sites, libraries, folders and files minimizes data exposure while facilitating information sharing needs.

Configuring Permission Levels

Well-planned permission levels enable precise access by:

  • Matching user roles to appropriate privilege levels
  • Granting minimal required permissions
  • Leveraging groups for manageability
  • Imposing need-to-know restrictions using audience targeting

Managing External Sharing

External sharing presents data leakage risks but remains essential for collaboration. A secure configuration involves:

  • Permitting sharing only with specific business partners
  • Restricting accessible content for guest users
  • Expiring anonymous access links automatically
  • Disallowing guests to involuntarily share items externally

Auditing Site Collections and Libraries

Regular audits help ensure appropriate protections remain enforced by:

  • Reviewing site access and modification logs
  • Verifying classification labels on sensitive documents
  • Examining current permission levels
  • Rescinding stale guest accounts

Encrypting Sensitive Data

Powerful encryption safeguards confidential SharePoint data throughout its lifecycle and across transit channels.

Enabling SQL and Database Encryption

Microsoft automatically encrypts data at rest but further database and cell-level encryption improves confidentiality by:

  • Encrypting data prior to storage in SQL databases
  • Leveraging client-side and labelled row-level encryption features
  • Masking last displayed rows to curb shoulder surfing

Protecting Data In Transit and At Rest

Text and document encryption ensure only authorized parties view information by:

  • Encrypting sensitive columns in SharePoint lists
  • Classifying files containing restricted data as confidential
  • Blocking access from insecure protocols
  • Validating data security controls of connected services

Avoiding Misconfigurations

Deviating from Microsoft’s prescribed security guidance introduces vulnerabilities. Organizations must vigilantly avoid common pitfalls like:

Disabling Insecure Default Settings

Microsoft enables certain permissive settings by default for usability. Hardening SharePoint requires:

  • Removing guest access to OneDrive for Business
  • Blocking Office document links from anonymous users
  • Prohibiting group membership changes by email

Regularly Reviewing Permissions and Sharing Links

Preserving least privilege through ongoing reviews by:

  • Revoking stale external user access
  • Verifying appropriate group memberships
  • Examining sharing links and expirations

Testing Backup Routines

Validating operational recovery capabilities by:

  • Restoring content from backups
  • Scrutinizing administrator backup logs
  • Rotating passwords for service accounts

Monitoring Threats Proactively

Preventing security incidents requires continuous monitoring of the SharePoint environment.

Enabling Auditing and Alerts

Auditing user activities and configuring alerts improves threat visibility by:

  • Tracking file and folder access
  • Monitoring administrative actions
  • Logging custom queries
  • Emailing alerts on suspicious events

Conducting Vulnerability Scans

Proactively testing security defenses through:

  • Automated vulnerability scanning
  • Manual penetration testing
  • Remediating detected weaknesses

Developing an Incident Response Plan

Preparing a formal response plan for security events detailing:

  • Escalation procedures
  • Breach notification processes
  • Investigation and remediation workflows
  • Internal and external communications

Leave a Reply

Your email address will not be published. Required fields are marked *