Problem Overview

Threats to sensitive data from insiders are not new. The 2010 CSI/FBI study found that 43.2% of respondents attributed some loss to malicious insiders. The 2010 Verizon Data Breach Investigations Report found that 48% of data breaches were caused by insiders. A recent Ponemon study on cyber crime cost found that the median cost to respondent companies for cyber crime was $3.8M/year. 

Clearly, the insider threat is real, and for collaboration environments such as SharePoint, the threat is rapidly escalating as more sensitive information is stored in them.  In regards to SharePoint and the insider threat, the reality is SharePoint makes it so easy to setup collaboration sites, and then to store and share information, that use of the platform to store confidential information (whether planned or unplanned) is happening at an alarming rate.

A recent study reported by Network World found that 67% of IT professionals have accessed information not relevant to their role, and 41% of IT staff have abused administrative passwords to snoop on sensitive or confidential information. IT staff, including database and SharePoint administrators, are the ultimate insiders in respect to the information they can access. These are dedicated and highly trained staff but they do not have a business need to know for the vast majority of information they manage. As a result, administrative access to sensitive information presents a significant risk to the confidentiality of sensitive information and the compliance posture of any organization.

CERT Guidance

A publication from Carnegie Mellon/CERT identifies a number of best practices to address insider threats. These include:

PRACTICE 1: CONSIDER THREATS FROM INSIDERS AND BUSINESS PARTNERS IN ENTERPRISE-WIDE RISK ASSESSMENTS.

PRACTICE 2: CLEARLY DOCUMENT AND CONSISTENTLY ENFORCE POLICIES AND CONTROLS.

PRACTICE 3: INSTITUTE PERIODIC SECURITY AWARENESS TRAINING FOR ALL EMPLOYEES.

PRACTICE 4: MONITOR AND RESPOND TO SUSPICIOUS OR DISRUPTIVE BEHAVIOR, BEGINNING WITH THE HIRING PROCESS. 

PRACTICE 5: ANTICIPATE AND MANAGE NEGATIVE WORKPLACE ISSUES

PRACTICE 6: TRACK AND SECURE THE PHYSICAL ENVIRONMENT

PRACTICE 7: IMPLEMENT STRICT PASSWORD AND ACCOUNT MANAGEMENT POLICIES AND PRACTICES.

PRACTICE 8: ENFORCE SEPARATION OF DUTIES AND LEAST PRIVILEGE.

PRACTICE 9: CONSIDER INSIDER THREATS IN THE SOFTWARE DEVELOPMENT LIFE CYCLE

PRACTICE 10: USE EXTRA CAUTION WITH SYSTEM ADMINISTRATORS AND TECHNICAL OR PRIVILEGED USERS.

PRACTICE 11: IMPLEMENT SYSTEM CHANGE CONTROLS.

PRACTICE 12: LOG, MONITOR, AND AUDIT EMPLOYEE ONLINE ACTIONS. 

PRACTICE 13: USE LAYERED DEFENSE AGAINST REMOTE ATTACKS.

PRACTICE 14: DEACTIVATE COMPUTER ACCESS FOLLOWING TERMINATION.

PRACTICE 15: IMPLEMENT SECURE BACKUP AND RECOVERY PROCESSES.

PRACTICE 16: DEVELOP AN INSIDER INCIDENT RESPONSE PLAN.

Specific to content security for sensitive information stored in SharePoint, the native security controls provided in the SharePoint platform are insufficient (by themselves) to address best practices 6, 8, 10, and 13. In fact, even with well designed access controls and permissions in place, it is trivial for multiple tiers of SharePoint administrators to circumvent controls and view sensitive information stored in SharePoint by users.

CipherPoint Insider Threat Solution

The CipherPoint solution protects sensitive content stored in SharePoint sites, and ensures that only authorized users are allowed access to this information. CipherPoint’s solution isolates the security management interface from SharePoint administrators, and adds separation of duties to SharePoint implementations. CipherPoint also enforces the principle of least privilege for SharePoint stored content. CipherPointSP Enterprise delivers true defense in depth security for SharePoint. CipherPoint’s technology effectively blinds administrators to data stored in SharePoint, regardless of the type of storage utilized.

CipherPoint provides threat protection against these threats:

- Server theft or loss

- Media theft or loss, including backup media

- Misuse and data theft by insiders, including SQL/storage administrators, and all levels of SharePoint administrators

CipherPoint's comprehensive solution for the insider threat includes simple, cost-effective content encryption with CipherPointSP, and can be extended to address the sophisticated security and key management needs of large organizations using our CipherPointSP Enterprise software and CipherPointKM, our central security console and key management platform. CipherPointSP Enterprise and CipherPointKM deliver true defense-in-depth, with separation of duties, and least privilege enforcement for content stored in SharePoint.

Benefits

The CipherPoint solution provides significant benefits to organizations concerned about the insider threat:

- Eliminate the insider threat for content stored in SharePoint

- Avoid significant fines associated with non-compliance, and data breaches

- Avoid disclosing breaches for data which is lost (and which is encrypted)

- Secure sensitive information of all kinds, including IP, financial information, business plans, and regulated content

- Delivers true insider threat protection, which cannot be obtained by using lower level encryption approaches such as EFS, or SQL TDE

- Enables all organizations to broaden their usage of SharePoint and be assured their private and confidential content within SharePoint is strongly protected

The CipherPoint Insider Threat solution brief may be downloaded here.