This month we're going to cover how ClearPeople provide preemptive patching and security best practices to your environments so you never find yourself in a compromising position, and we also have one of our SharePoint experts, Vishan Sondhi, talk about specific measures you can take to keep your instance of SharePoint protected from security violations.
ClearPeople Managed Services, outsource your security stresses
'WannaCry', the now infamous ransomware that held NHS IT networks hostage last month, is a glimpse into the future of cyber terrorism and the kind of critical situations your organisation could find itself in. When it comes to 'how' it happened, we learnt that it wasn't some elaborate phishing scam or some sort of user naivety, but rather that the systems in place were easily exploited because they had not been updated with the necessary security fixes.
This itself is a result of a larger issue in the political environment and tight purses allocating funds to the NHS, but the lesson we should take away from this is the importance of ensuring and safeguarding IT security budgets in even the most austere of times. Microsoft were providing security updates exclusively to the NHS for their outdated Windows XP operating systems (which are still plentiful in the organisation and unfortunately, quite necessary for compatibility with a lot of medical equipment), but under the current government this lifeline provided by Microsoft was severed, most likely for being seen as a superfluous luxury.
ClearPeople Managed Services recognise the importance of acting reactively, acting proactively and providing your organisation with ongoing assurance that your online presence and critical cloud-based systems remain intact and functioning, secure from external threats. As part of our critical patching reports we provide a breakdown of your environments (whether they are hosting your intranet or your website) and of the security measures/updates we have installed or undertaken since our last report.
Furthermore, we take pride in providing these reports in a timely and concise manner. We know you don't want to be stressing about super technical updates fixing 'XYZ', so we take the liberty of conducting all the due diligence around the update and explaining everything that's relevant to you clearly. This takes away the stress of carrying out system/server updates (often out of business hours) and also frees up your time to do your job.
Measures to keep your SharePoint Intranet safe, with Vishan Sondhi
In light of the NHS attack, I wanted to write a blog about security and re-emphasise what we should be doing to protect our data, especially in regard to SharePoint.
This blog will focus on SharePoint within Office 365 and on-premises, and give 3 (of many) pointers of defence to help protect SharePoint.
1) A common security issue I see with many clients is permission governance.
A SharePoint governance plan can help keep your data secure and compliant. It gives you a structure: creating policies and procedures, and implementing controls such as security controls, permission levels and the roles responsible for assigning permissions. For example, ask who controls the security of SharePoint; many of my clients would say the IT department.
SharePoint is used to store data, and on most occasions, sensitive data. It is important to ensure that this sensitive data is not accessible to the people who do not need to see it, especially when data is shared with external parties such as contractors, partners etc. It is therefore vital to ensure that access rights remain aligned with the business needs. There have been many known cases of data getting into the wrong hands; a more recent example is the Bradley Manning incident.
This also includes using least-privileged accounts and using specific accounts for specific purposes. I have seen many SharePoint systems where IT use the farm account as their admin account, which is not best practice. Plan for administrative service accounts.
You should also use groups to manage users as much as you can. Using groups gives you a more maintainable security model: to change a permission, you apply the change to a group rather than to individual people.
Different sites require different governance policies. Sites such as the homepage require less governance as it would typically be available to everyone in the organisation, whereas the HR department for example, must be more tightly governed due to the confidential nature of the data it contains.
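One way to check a site against the governance points above (least privilege, groups rather than individuals, and tightly governed sites such as HR), as an added example that is not from the original post: a PnP PowerShell audit that lists every principal granted permissions on a site, flags users who were granted permissions individually instead of through a group, and lists the libraries that break permission inheritance. It assumes the PnP.PowerShell module is installed and the site URL is a placeholder you replace.

```powershell
# Added example (not from the original post). Assumes the PnP.PowerShell module.
# Placeholder URL: replace with the site you are auditing (e.g. the HR site).
$siteUrl = "https://<tenant>.sharepoint.com/sites/<site>"
Connect-PnPOnline -Url $siteUrl -Interactive

# Load the site's role assignments: who has been granted what on the site itself.
$web = Get-PnPWeb -Includes RoleAssignments, HasUniqueRoleAssignments

$findings = foreach ($ra in $web.RoleAssignments) {
    # Member is the principal (user, SharePoint group or security group);
    # RoleDefinitionBindings are the permission levels it holds.
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
    $isUser = ($ra.Member.PrincipalType -eq "User")
    [pscustomobject]@{
        Principal       = $ra.Member.Title
        Login           = $ra.Member.LoginName
        Type            = $ra.Member.PrincipalType
        Permissions     = $levels
        # Direct grants to individuals are what the governance point warns against.
        DirectUser      = $isUser
        # An individual with Full Control (rather than a group) deserves a second look.
        FullControlUser = ($isUser -and $levels -match "Full Control")
    }
}

"Site: $siteUrl  (unique permissions: $($web.HasUniqueRoleAssignments))"
$findings | Sort-Object FullControlUser, DirectUser -Descending | Format-Table -AutoSize

# Lists and libraries that stop inheriting from the site need their own review.
"Lists/libraries with unique permissions:"
Get-PnPList -Includes HasUniqueRoleAssignments |
    Where-Object { $_.HasUniqueRoleAssignments } |
    Select-Object Title, Id
```

Any row with DirectUser set is a candidate for moving into a SharePoint or security group; rows with FullControlUser set should be compared against the list of planned administrative accounts.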
2) Multi-Factor Authentication
Within Office 365, Multi-Factor Authentication (MFA) increases the security of user login. With MFA, users are required to complete a second stage of authentication after entering their password. In the second stage the user receives an email, app notification, phone call or text message and enters the number it provides. Only after the second stage is complete will the user be authenticated and signed in.
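A check for the MFA point above, as an added example that is not from the original post: it reports which Office 365 accounts have no per-user MFA state (neither Enabled nor Enforced) and which registered verification methods the others have. It assumes the MSOnline module (Connect-MsolService) and an account allowed to read user objects.

```powershell
# Added example (not from the original post). Assumes the MSOnline module.
Connect-MsolService

$report = Get-MsolUser -All |
    Where-Object { -not $_.BlockCredential } |          # skip sign-in-blocked accounts
    ForEach-Object {
        # StrongAuthenticationRequirements is empty until MFA is enabled for the user.
        $state = $_.StrongAuthenticationRequirements.State
        [pscustomobject]@{
            User     = $_.UserPrincipalName
            MfaState = if ($state) { $state } else { "Disabled" }   # Enabled / Enforced / Disabled
            # Registered second factors, e.g. PhoneAppNotification, OneWaySMS, TwoWayVoiceMobile
            Methods  = ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ", "
            Licensed = $_.IsLicensed
        }
    }

"Accounts without per-user MFA:"
$report | Where-Object { $_.MfaState -eq "Disabled" } | Format-Table -AutoSize

"Summary by state:"
$report | Group-Object MfaState | Select-Object Name, Count
```

This reports per-user MFA only; MFA required through Conditional Access policies does not show in these properties, so an account listed as Disabled here may still be prompted by policy.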
3) Virus Protector
- Bit Defender
- Trend Micro
Within Office 365, files are scanned as they are uploaded. If a file is found to be infected, a property is set so that users can’t download that file from the browser or sync the file in the OneDrive for Business client.
Installing a Virus Scan API (VSAPI) scanner is an additional security measure and does not replace the need for a standard virus protector on your local machine.
I said I would only give 3 pointers, but I thought I would add one more.
Now this next step is not strictly a SharePoint security setting. With SharePoint Online and on-premises alike, it's important to have some sort of lock or password on your device, especially as users now bring their own devices into work. SharePoint is available on mobile, and apps like Yammer and OneDrive for Business can be exposed on an unlocked device, potentially leaking sensitive data.
In addition to this, I wrote a blog on Data Loss Prevention, which is another great way of ensuring that sensitive data does not leave the corporate domain.