At a high level, the Snowden and Wikileaks security breaches both highlight the insider threat to sensitive information. The insider threat has been understood for a very long time to be a serious one: the impact of an insider breach is typically large, because the insider already has legitimate access. Equally well known is how hard it is to implement controls that fully mitigate it.
Without proper security controls in place, it is fairly easy for insiders to access sensitive information in SharePoint. This problem is not specific to SharePoint: most IT technologies can be compromised by a malicious individual holding administrator privilege, because the platform's own access controls were never designed to constrain that role.
While both the Snowden (PRISM) and Wikileaks cases involved government entities (a national intelligence agency and the DoD), the threat from insiders and system administrators is universal. Every year we see numerous stories about insiders at companies across a wide range of industries walking off with sensitive or valuable data.
A few key takeaways regarding the insider threat and SharePoint:
- SharePoint security should start with understanding the information assets that exist on your SharePoint sites. It is fundamentally not possible to assess risk without this understanding. I talk with many SharePoint users, and it's frankly alarming how many have no real idea whether sensitive or regulated content is stored on the platform, or where. If you're in this boat, you should scan your SharePoint content periodically for sensitive and regulated data (personal identifiers, payment card numbers, health records, and the like), and treat the results as the inventory that the rest of your controls are built on.
- Any organization with sensitive or valuable information in SharePoint is at risk. Certainly this includes defense and intelligence organizations, but it also includes commercial organizations with high-value IP, trade secrets, financial information, M&A information, Human Resources information, and many other categories of valuable information.
- In any given organization, controls aimed at fully mitigating the insider threat will need to include both technical controls and administrative controls. Most IT platforms do not provide native security controls capable of preventing administrators from accessing information for which they have no "need to know". This is true for SharePoint deployed on-premises with out-of-the-box security controls, and it is equally true for cloud collaboration platforms such as SharePoint Online, Office 365, Box, and others, where the provider's administrators are added to the set of privileged insiders. The technical controls will need to be a mix of preventive controls (access controls and encryption, so that an administrator cannot read content in the clear) and detective controls (audit and reporting, so that privileged access to sensitive content is recorded and reviewed).
- Platforms like SharePoint can be used in high-security applications. Third-party security tools can enable businesses to expand their use of SharePoint and bring the benefits of collaboration to new use cases involving sensitive and regulated data, while maintaining security even against malicious insiders.
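The two technical points above, scanning content for regulated data and then applying a detective control to privileged access, fit together naturally: the scan produces the list of sensitive items, and the audit rule uses that list to decide which administrator reads are worth alerting on. The following is an added example written for this post, not code from the original article or from any SharePoint product. The documents, the site membership table and the audit records are all constructed inline to stand in for a content crawl and an audit-log export; the field names (`ts`, `user`, `role`, `path`, `op`) and the `farm_admin` role label are assumptions, not a real SharePoint schema.

```python
import re
from dataclasses import dataclass

# Constructed sample content standing in for a SharePoint crawl (not real data).
DOCUMENTS = {
    "/sites/hr/Shared Documents/payroll-2013.csv":
        "name,ssn,card\nAda,123-45-6789,4111 1111 1111 1111\n",
    "/sites/eng/Shared Documents/roadmap.docx":
        "Q3 roadmap: ship v2; order id 1234 5678 9012 3456 (not a card)",
    "/sites/finance/M&A/project-falcon.xlsx":
        "Offer price 4.2bn, target account 4000 0000 0000 0002",
}

# US SSN: reject impossible area/group/serial values to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card number: 13-19 digits, optional space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


@dataclass(frozen=True)
class Finding:
    path: str    # item the match was found in
    kind: str    # "ssn" or "pan"
    sample: str  # masked value, never the raw identifier


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters random digit runs out of card matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so reports do not leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_document(path: str, text: str) -> list:
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding(path, "ssn", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):      # regex hit alone is not enough
            findings.append(Finding(path, "pan", mask(digits)))
    return findings


def scan_site(documents: dict) -> list:
    findings = []
    for path, text in documents.items():
        findings.extend(scan_document(path, text))
    return findings


def sensitive_paths(findings: list) -> set:
    """The inventory the detective control below keys on."""
    return {f.path for f in findings}


# Constructed audit records standing in for an audit-log export (not real logs).
AUDIT_LOG = [
    {"ts": "2013-06-10T02:14:00Z", "user": "CORP\\svc_spadmin", "role": "farm_admin",
     "path": "/sites/hr/Shared Documents/payroll-2013.csv", "op": "View"},
    {"ts": "2013-06-10T09:02:00Z", "user": "CORP\\jdoe", "role": "member",
     "path": "/sites/hr/Shared Documents/payroll-2013.csv", "op": "View"},
    {"ts": "2013-06-10T10:30:00Z", "user": "CORP\\svc_spadmin", "role": "farm_admin",
     "path": "/sites/eng/Shared Documents/roadmap.docx", "op": "View"},
    {"ts": "2013-06-11T03:40:00Z", "user": "CORP\\svc_spadmin", "role": "farm_admin",
     "path": "/sites/finance/M&A/project-falcon.xlsx", "op": "Download"},
]

# Constructed site membership: who has a business reason to be in each site.
SITE_MEMBERS = {
    "/sites/hr": {"CORP\\jdoe"},
    "/sites/eng": {"CORP\\svc_spadmin"},
    "/sites/finance": set(),
}


def site_of(path: str) -> str:
    """'/sites/hr/Shared Documents/x.csv' -> '/sites/hr'."""
    return "/".join(path.split("/")[:3])


def flag_admin_access(audit_log: list, sensitive: set, members: dict) -> list:
    """Detective control: a platform administrator touching a sensitive item
    in a site they are not a member of has no need to know; alert on it."""
    alerts = []
    for rec in audit_log:
        if rec["role"] != "farm_admin" or rec["path"] not in sensitive:
            continue
        if rec["user"] in members.get(site_of(rec["path"]), set()):
            continue
        alerts.append(rec)
    return alerts


if __name__ == "__main__":
    found = scan_site(DOCUMENTS)
    for f in found:
        print(f"{f.kind:4} {f.sample:20} {f.path}")
    for a in flag_admin_access(AUDIT_LOG, sensitive_paths(found), SITE_MEMBERS):
        print("ALERT", a["ts"], a["user"], a["op"], a["path"])
```

Two design points worth noting. The Luhn check is what keeps a card-number scan usable: the roadmap document's 16-digit order ID matches the regex but fails the checksum, so it does not land in the inventory. And the audit rule deliberately does not try to block anything; it is the detective half of the control, and it only becomes effective once the scan has told you which items are sensitive and the site membership tells you who legitimately works with them. Preventing the access in the first place is the job of the preventive controls (encryption with keys the administrator does not hold) that the platform alone does not provide.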
Here are a few external articles on security breaches where malicious insiders were the source of the attack:
- Interview with Robert Bigman, ex-CIA CISO, on preventing insider security breaches.
- Slashdot article on preventing insider breaches
- Information Week article on preventing insider security breaches
The folks at Carnegie Mellon's CERT have done good work characterizing insider threats and attacks. They have also published an insider threat security architecture that describes the sorts of controls an IT architecture needs in order to thwart malicious insiders. See their resources here.