Edward Snowden, SharePoint, and Security

In June of 2013, Edward Snowden used his system administrator privileges to access, download, and distribute thousands of highly classified NSA documents to several media outlets all over the world, making him the most infamous rogue system administrator in recent history. What a lot of people don’t know is that these documents were living in SharePoint!

This example is a classic case of privilege abuse. Organizations are constantly struggling with how to give administrative access to those managing and maintaining your SharePoint farm while also limiting their ability to leverage or see the content they have access to. My colleague, Joshua Grear, and I recently presented at SharePoint TechFest demonstrating how you can address this concern. You can view our presentation here.

The Department of Homeland Security determined that our country’s security agencies were working in siloes, and that collaboration and information sharing were critical to staying ahead of both foreign and domestic threats. Many organizations realize they must collaborate in order to stay ahead of their competition. In fact according to Gartner, organizations that are successful collaborators by 2015 will outperform their industry peers financially by over 20%.

The challenge is that security remains a top concern among organizations and is the reason why many restrict or do not allow online collaboration (Terri McClure – Enterprise Strategy Group). Not surprising, as we live in a world were:

• There are over 1.5 million monitored cyber-attacks each year in the US

• 71% of cyber-attacks go undetected, thus we never find out about them

• The economic impact of cyber-attacks and data breaches are over $400 billion a year

Those who believe the benefits outweigh the risks operate in an information ecosystem where – 80% of enterprise data is unstructured and 70% of organizations have little to no visibility into what regulated content they own and who has access to it. A study performed by CipherPoint in 2014 (“The State of Collaboration Security”) surveyed 100 IT professionals about their top security concerns for online collaboration. The top security concerns were:

• Unauthorized sharing

• Permissions Management

• Privilege Abuse

Top Collaboration Security Concerns

(Ref: CipherPoint 2014 State of Collaboration Security)

Unauthorized Sharing is the use of unapproved tools or technology to share content with your peers. There are so many sharing options for employees (e.g.,Google Docs, Dropbox, OneDrive, Filedropper, etc.), and an email is all that is typically required to get started. The ease of use is why over 72% of employees use unauthorized tools to share and access information on unauthorized platforms.

Many companies try to limit unauthorized tools by setting restrictive policies; however, the above statistic proves that workarounds are just too easy. Consequently, you are actually making your organization less secure by not providing a robust solution that is just as easy for your employees to utilize. In our recorded demo, we show you how to drive toward a simple solution.

Permissions Management is always a challenge. SharePoint’s security model and most other tools’ security models are decentralized by design. In the case of SharePoint, it is common for organizations to create site collections for teams that need to collaborate. This gives them the flexibility to make customizations, scale their content databases better, and tailor many settings specific to their needs. The downside to this is that the security management burden typically falls on the end user.

The security management burden can be alleviated by encrypting sensitive content and utilizing tools that better help you to enforce security policies. The result is a much simpler, manageable, and straightforward security model. In our demo, you will see how separating security administration from your system administration accomplishes this and allows you to better enforce security policies.

Edward Snowden was the classic Privilege Abuse example. I doubt the highest ranks of the NSA had any idea who Edward Snowden was until it was too late. One of the biggest reasons for this is what I like to call the “System Administrator’s Paradox”. Take a look at the following illustration:

System Administrator’s Paradox

Those with System Authority are typically not at the same level as the upper ranks of any organizational structure. However, this doesn’t mean that the damage they can do is limited. In fact, the primary result is that management typically doesn’t have visibility into their true exposure. So if you can’t have this visibility, what do you do? You must protect the data!!!!

For more information on dealing with security concerns and to view a demonstration of how to address the system administrator’s paradox, check out our recorded presentation.

Thank you!

• Edward Snowden
• Sharepoint Security