Confidential Documents, Administrators, and SharePoint Sites

Here at CipherPoint, we talk a lot about confidential documents and content, administrators, and SharePoint. We also talk a lot about the insider threat as it relates to sensitive and regulated content being stored in SharePoint sites. Our intent isn't to impugn the integrity of administrators. The overwhelming majority of IT administrators are honest, scrupulous, and hard-working.

Our intent in talking about confidential information, SharePoint, administrators, and the insider threat is simply to highlight one of the bigger threats in IT security generally. To be clear, this isn't just a SharePoint issue; it's a huge concern with structured data in databases as well.

In terms of SharePoint, the platform is often brought into organizations at a departmental level, without a whole lot of IT and IT Security oversight. Business leaders who want the benefits afforded by the SharePoint platform may not be aware of the threats to their data, nor are they usually aware of the relative ease with which the various tiers of SharePoint administrators can access information for which they have no valid "need to know".

At CipherPoint, we see many prospects and customers with various kinds of sensitive information being stored in SharePoint. Just in the last few weeks, various customers we're working with have had concerns regarding HR data, customer financial data, EPHI, confidential business plans, and credit card data being stored in SharePoint sites. The drivers in terms of why the customers are concerned vary from "we consider this information confidential", to "HIPAA and PCI DSS require higher levels of protection for this data". Regardless of what's driving the concern, the common denominator in each situation has been the real concern that it is far too easy for administrators to circumvent native security controls in the SharePoint platform.

Various industry studies over the years have looked at the insider threat, and if you look through some of our previous blog posts, you'll see references to lots of information on this.

CipherPoint's view is that the SharePoint platform is an excellent choice for sensitive data of all sorts, and for compliance-regulated data including credit card information, EPHI, customer financial information, and export-controlled information, as long as you consider the security risks and apply the appropriate security controls. In most cases, encryption of this information is the right solution to address multiple security threats, including those from insiders, and to meet compliance requirements.

In terms of how SharePoint administrators will view this sort of protection mechanism, in our experience most recognize that locking down the platform is in everyone's best interest: it protects the business, and it encourages the wider adoption of SharePoint by making the platform suitable for many more use cases.

JD
