Lack of information prompted me to write this blog. SharePoint at an enterprise level is being deployed to serve various needs. There are times when you want to utilize SharePoint to store confidential information , this is when you think of security.
There are few things that we can control and few things which we can't . For example I can give user a read permission and disable copy/paste but I can't stop user from memorizing the content, writing content on a piece of a paper or from taking a picture of his Monitor.
In this blog, I am going to talk about the things we can control.
Infrastructure - A solid infrastructure gets half the job done. Take a look at couple of Extranet designs
Secure Login - The very first thing you want to implement is Secure Login. By default SharePoint is going to prompt for credentials if you are logging in to the portal from a computer which is not connected to corpnet. For environments which are going to use information which is going to be conferential in nature, I recommend implementing Two factor Authentication.
Two Factor Authentication ?
This is where user need to provide two pieces of ID to get authenticated. In a normal scenario User will provide user name and password and that is good enough for user to get access in to the portal. Adding another factor will make this a Two factor authentication. For Example, You can implement RSA in your environment. RSA does make login mechanism quite secure
Protection against download copies - All a user needs is a read access to download data and use it offline. Data downloaded then can't be monitored and can be send to anyone. You can implement IRM in order to protect data in such scenario.
IRM can be applied at the document level and also at a library level, best approach will be to apply IRM policy on the document before uploading it.
Once you have applied IRM to the document, only the user who have access to the document will be able to open the online/offline copy of the document.
OOB SharePoint protects Office documents, you will need to install protectors for other file types
Scan the data - It is very important to know where the confidential/sensitive/PPI information is stored. Imagine a situation where some sensitive information is stored in a library which is not monitored aggressively or is not supposed to contain sensitive data .
Unfortunately there is no OOB way of scanning and reporting such content unless you create bunch of scripts to find it.
There are plenty of third party tools which do a good job in scanning the environment for patterns and then generating reports. I would recommend you to look for something which scans in a background and sends you a report as there will be lots of false positive.
This approach will help you in taking necessary actions and make sure data is stored in right places.
Abuse of Rights - This is where things gets interesting, how to protect data from the users who have access to it?
Honestly I have not found a way which protects you from this fully, main reason being they have access to edit the file.
Few things that you can do is to disable features such as copy/paste. IRM by default disables copy/paste for users with read access but not for users who have write access. There are third party tools available for doing this job along with scanning the data.
Please note, if you are storing content in excel then disabling copy/paste will be bit hard as that needs to be done through macros.
Another approach could be do develop a custom web part to show information and restrict the actions a user can take.
Auditing - You really need a detailed auditing, OOB SharePoint does a good job in auditing but you can always buy a third party product to get more detailed Auditing. Do not ignore Auditing.
I hope you find this information useful when planning a secure environment.