Wikileaks and SharePoint: Yes, There’s a Connection

I ran across an article recently that described how improperly controlled SharePoint access was apparently involved in the Wikileaks security breach. The court proceedings were covered by Wired magazine, and their report from 12/18/11 describes how the forensic analyst found a simple program to allow bulk downloading of SharePoint files on Private Manning's computer. When run, the output of the scripts exactly matched the information that was leaked to Wikileaks and disclosed in April 2011. The information in question contained classified threat assessment reports on more than 700 detainees being held at Guantanamo Bay. To be clear, this is only a portion of the information that was allegedly gathered by Private Manning and leaked to Wikileaks.

There are many unanswered but interesting questions about how the organization secured the information in SharePoint:

  1. Did Manning have authorized access to the SharePoint server, or did he circumvent access controls?
  2. Was there adequate governance around the kinds of data that could be stored in this SharePoint server?
  3. What sorts of access controls were actually in place?
  4. Why wasn't appropriate encryption technology in use?
  5. Did the organization have a chance to detect that a single individual had downloaded 700 classified documents from a single repository?
  6. Were audit controls enabled for the SharePoint server in question?

Without digging through DoD policies, I'm pretty sure that strong access controls and encryption are specified for Sensitive but Unclassified (SBU) information, and they are almost certainly required for classified data. The implementation of these controls, however, needs to match the threats to the information. For example, disk-level encryption in a tiered solution like SharePoint does absolutely nothing to stop the access that occurs through the web portal, database, or other points. Likewise, strong authentication of an individual doesn’t stop him from abusing access once his identity has been verified. Even without knowing all the details of Manning’s activities, it’s clear there were insufficient layers of defense on the SharePoint implementation.

The Wired article also describes the security challenges associated with shared-use computers and shared network drives. Bringing this back to SharePoint, we know that many organizations use SharePoint as a file server replacement. SharePoint can provide better security than a file server; however, SharePoint's out-of-the-box security functionality is not adequate for sensitive or regulated information. To secure SharePoint sites to the level required to store sensitive or regulated information, or classified or SBU information, third-party controls including encryption are necessary.

When we started CipherPoint, it was with the intent to address this exact threat: Insiders accessing information for which they had no valid "need to know." Simple encryption coupled with strong access control capabilities would have absolutely prevented this information from being removed in usable form from the SharePoint site in question.

For commercial organizations, it may seem like this doesn't apply to you. From the standpoint of having government secret information, that's true for most businesses. However, almost every commercial organization does have highly sensitive information in the form of intellectual property, customer lists, financial information, business plans, Human Resources data, and more. This exact threat, insiders abusing their privileges or abusing their knowledge of the inner workings of your IT systems and networks, exists in every commercial organization. If you are using SharePoint to process and store sensitive or regulated information, using content encryption is highly recommended. Not all encryption solutions are created equal. Encryption solutions that were built for storage subsystems are inadequate to the challenge of securing web-based platforms like SharePoint. Look for products that are built for securing collaboration platforms, and that insert at the web tier to provide complete threat protection, including against insiders and administrators: new encryption for a new way of working. You can learn more about CipherPoint's solutions to this problem at www.cipherpoint.com.

The Wired magazine article which describes the investigative details may be found here:

http://www.wired.com/threatlevel/2011/12/cables-scripts-manning/

 

Mike Fleck, CEO

 

