Sensitive Data in SharePoint: New Standards for Security and Governance
What would happen if you asked your end users where they stored sensitive corporate data, like files containing personally identifiable information (PII) or intellectual property? In organizations that have deployed one or a combination of collaboration platforms, like SharePoint, Office 365, Box, Dropbox and G Suite, answering this question is no simple task.
Start with a Sensitive Data Definition
To start with, how are stakeholders defining the very concept of “sensitive data?” What does it include or exclude? Generally speaking, sensitive data encompasses personally identifiable information, company financial data and intellectual property that, if exposed, would cause harm to an organization’s competitive standing.
And, while an organization’s leadership may have a general (if unspoken) understanding of what constitutes as sensitive data, that definition can be fairly fluid among ordinary knowledge workers – i.e., the people who create, edit, share and delete that information on a daily basis. This is particularly problematic because if end users are confused about what information they need to protect, chances are that confidential data has been under-protected, and thus, already exposed. A solid definition of sensitive information will help your organization prioritize what needs to be protected, so efforts to monitor, audit and lock down sensitive data can be better executed both before and after an incident takes place.
Don't Start with the Breach
Understanding what sensitive data is – and is not – can help your security team plan and respond to a data breach. Incident response planning prioritizes the need to determine what data was compromised, where that data was compromised, and any evidentiary clues to suggest who did it. As a result, understanding what data is likely to be of high value to an attacker – financial account information and social security numbers, for example -- can help a security team focus on preventing theft or loss of an organization’s information.
Take an Inventory (and Do it Again)
Taking a comprehensive inventory of sensitive data is necessary for any security and governance planning. In short: if you don’t know where all your sensitive files are, there’s no way you can adequately protect them. Back in the days of SharePoint 2007, if an organization stored sensitive data within their SharePoint Farm and not solely on network drives, the default security model likely amounted to a mixture of permissions management and auditing. A SharePoint Admin would control access to a ‘sensitive’ site by managing user permissions, while potentially auditing site activity and access if real security concerns about site access emerged.
Historically, this type of perimeter security paradigm worked, in part because companies didn’t consider SharePoint as the principal repository for sensitive data. But times have changed! Ten years later, collaboration platforms and content management systems are the bedrock of a digital workplace, especially in companies with virtual workforces. End users are creating, storing and sharing sensitive content across a range of platforms (and not just SharePoint) and interacting with corporate data through a host of devices – tablets, smart phones and computers.
Organizations need to continually assess and reassess where data exists, where it should exist, and where it shouldn’t. Routinely inventorying content is absolutely vital because data is constantly in motion. Files are copied, duplicated, and shared on a daily basis, and without a tool to account for where it “lives” the data can’t be adequately protected.
Implement a Governance Strategy
At Metalogix, we talk a lot about information governance – and why governing SharePoint is critical for any organization, not just those in regulated industries with stringent data protection requirements. Governance planning can help an organization balance its business objectives and end user requirements of a platform like SharePoint against an organization’s information security and compliance requirements. In the process, good governance can lead to better ROI – a well-governed SharePoint will ultimately help users understand how to use the platform efficiently and safely and to meet their real-time collaboration needs.
Because data is constantly in motion, and because more sensitive information is pouring into SharePoint by the hour, administrators should think through what types of governance policies will work best to balance end user access with information security requirements.
So how secure is your sensitive data in SharePoint? If you don’t know, your organization is likely at risk. Learn how to detect, classify and secure content containing PII as well as enable on-demand scanning and real-time protection through a live demo of Metalogix Sensitive Content Manager.
Jai Dargan is a Senior Director of Product Management at Metalogix, where he directs the strategy Metalogix’s security and compliance solutions. In this capacity, Jai guides the direction of Metalogix products aimed at securing content collaboration, including ControlPoint, Sensitive Content Manager, and Insider Threat Index. Prior to Metalogix, Jai was a co-founder at Pim Labs, LLC, a startup company (acquired by Metalogix) that built solutions for securing social networks and sensitive content. He holds a Masters Degree from Georgetown University and an undergraduate degree from New York University.