By now you will probably have heard of the infamous Edward Snowden, who took data held by the NSA and then decided to publish key parts of it. Well, last week we found out that our best mate SharePoint may have been a guilty party too!
First the facts…
To find the source of this claim, watch this video from about 27 minutes in. The key phrase Alexander uses is "This leaker was a System Administrator and ran the SharePoint account at NSA Hawaii, so his responsibility was to move data.."
Interestingly, if you watch from 45:15, you will also hear "This leaker was a System Administrator who was trusted with moving information to actually make sure the right information was on the SharePoint Servers that NSA Hawaii needed." This makes it sound as though he was loading data into SharePoint rather than downloading it from it.
This is contrary to a few reports that came out last week, such as:
- ‘NSA chief leaks info on data sharing tech: It’s SharePoint‘ by the Register.
Anyway, for the purposes of this discussion, let's take some artistic licence and assume it WAS in SharePoint 😉
My question is to SharePoint Administrators and Developers alike: what can we do to make SharePoint more secure, and could this have been prevented? Although the reports don't say, let's assume the data was stored in standard document libraries.
To help frame the answer, think about:
- What technologies, built into SharePoint or available as an add-on, can we use? (Some promo is fine 😉)
- How can we ensure that the currently logged-on user really is that user? Are there log-on mechanisms other than a simple user name and password?
- Can we encrypt the data in SharePoint?
- Can we audit who, what, when and where?
- Can we put some extra controls in place when documents are being downloaded?
- Can we lock down Sys Admin privileges?
- Can we require certain actions in SharePoint to need two users to approve?
- If he was a SysAdmin, could he just go straight to the database?
If you can't answer all the questions, that's expected! If you know about a particular area, e.g. auditing, then share your knowledge on that. Maybe there's a nice reference document to be made out of all the answers. Share your experiences, especially if you have worked on an SP farm that requires security clearance!
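As a starting point on the auditing and download-control questions above, here is an added example (my own, not code from the original post or from any of the commenters) for on-premises SharePoint Server 2010/2013. It turns on audit logging for a site collection, which is off by default, then summarises document View/Copy/Move events per user over the last day and flags anyone above a threshold, which is the simplest "bulk download" check a farm administrator can run from the SharePoint Management Shell. The site URL and the threshold are placeholders.

```powershell
# Added example, not from the original post.
# Assumes: SharePoint Server 2010/2013 on-premises, run in the SharePoint
# Management Shell as a farm administrator. URL and threshold are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "https://intranet.example.local/sites/ops"   # placeholder
$threshold = 50    # more than this many document reads per user per day is flagged
$site      = Get-SPSite $siteUrl

# 1. Make sure the events we care about are actually being recorded.
#    A new site collection defaults to AuditFlags = None, so nothing is logged
#    until someone turns it on.
$wanted = [Microsoft.SharePoint.SPAuditMaskType]::View `
     -bor [Microsoft.SharePoint.SPAuditMaskType]::Update `
     -bor [Microsoft.SharePoint.SPAuditMaskType]::Delete `
     -bor [Microsoft.SharePoint.SPAuditMaskType]::Copy `
     -bor [Microsoft.SharePoint.SPAuditMaskType]::Move `
     -bor [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange
if (($site.Audit.AuditFlags -band $wanted) -ne $wanted) {
    $site.Audit.AuditFlags = $site.Audit.AuditFlags -bor $wanted
    $site.Audit.Update()
}

# 2. Pull the last 24 hours of audit entries and keep the "document left the
#    library" events. View is written when a document is opened or downloaded.
$query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
$query.SetRangeStart((Get-Date).AddDays(-1))
$query.SetRangeEnd((Get-Date))
$readEvents = 'View', 'Copy', 'Move'
$entries = $site.Audit.GetEntries($query) |
    Where-Object { $readEvents -contains $_.Event.ToString() }

# 3. Summarise by user and flag anyone over the threshold.
#    Audit entries carry the numeric site user id, so resolve it to a login.
$users = $site.RootWeb.SiteUsers
$entries | Group-Object UserId | ForEach-Object {
    $login = try { $users.GetByID([int]$_.Name).LoginName } catch { "userid:$($_.Name)" }
    $sample = ($_.Group | Select-Object -First 3 -ExpandProperty DocLocation) -join '; '
    New-Object PSObject -Property @{
        User      = $login
        Reads     = $_.Count
        Flagged   = ($_.Count -gt $threshold)
        Sample    = $sample
    }
} | Sort-Object Reads -Descending | Format-Table User, Reads, Flagged, Sample -AutoSize

$site.Dispose()
```

Two caveats a practitioner will want. First, this is detective, not preventive: it tells you after the fact who pulled a lot of documents. Second, the audit entries are stored in the content database alongside the documents, so anyone with database-level access (the "go straight to the database" question above) can read the documents without generating a View entry at all, and can also delete the entries that do exist. Audit data needs to be copied regularly to a store the farm and SQL administrators cannot write to if it is meant to hold up against an insider with those rights.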
There is a product on the market which makes it possible to encrypt the data in SharePoint. You're still able to move it as a System Administrator, but you're no longer able to view the content of the documents.
This product is called: Cryptzone – http://www.cryptzone.com/products/sep/secured-ecollaboration/
Raul – 10 / 10 for that answer! Great points.
It’s an interesting discussion.
In my opinion, there are deeper and broader misconceptions that I think we should consider in the first place.
The use of the word "system" in the context of this conversation and the issue under discussion is narrowed mainly to technology systems or platforms, and even just certain products. To establish common ground, using the Wikipedia definition, "A system is a set of interacting or interdependent components forming an integrated whole" (http://en.wikipedia.org/wiki/System).
That being said, I guess there are a couple of statements that seem innocuous but are missing the structure:
"any system is only as strong as the people that use it and the planning around its implementation" – That sounds nice, but actually the broader concept is that any system is as strong as its weakest link, be it people, processes, plan & design, policies, products, technologies...
"It's really easy to blame a system rather than people or a bad process" – the same as the previous one; it seems that "system" in this context is replacing "technology" or "platform", thus missing that "people or a bad process" should be part of the system itself.
The current state of the art for IT all over the world is largely focused on the "T" rather than the "I" (which is actually the complete reverse of the grammatical semantics of the acronym Information Technology, where the centre piece of meaning is information, and technology is a complement to that meaning).
Actually, even in the statements about the "Systems" Administrator role there is an underlying structural failure, since a system cannot be administered solely by focusing on the technology. A system is part of business and/or corporate goals and thus should have a corporate-wide responsibility (much broader than it currently has)... I know, you may argue that a sysadmin may also be responsible for roles, but that is mainly on the technical and product/platform implementation side, and not necessarily the definition & design themselves.
Sorry if the intro has taken longer than expected, but I felt it necessary. Now, moving toward the central question of this post, I guess there are lots of things that should have been improved. Given such a level of sensitivity for this information system, I'm not aware of any risk management considerations. Starting with what seems like a single point of failure: full trust in a single individual. I guess this task should have been divided among at least two (or more) sysadmins, where a single sysadmin cannot complete sensitive data management tasks without the assistance/collaboration of additional peers.
I see there is another big gap on this issue, and it is the fact of a sort of central control of the system. In my experience, SharePoint boasts of its distributed nature, since sensitive data may be spread around and accessible to users (usually in the form of document libraries or lists). I know a sysadmin can access massive amounts of data, but on the other side, if no proper controls and settings are in place, users can cause much the same damage. The latter is harder to detect and manage than the former. It's a matter of scale and dispersion.
In this whole discussion about system, and processes, and policies, there is something extremely important (at least for me), for SharePoint: Governance.
In my experience with the product SharePoint, some challenges I have faced are related to:
– the inability of the system to isolate access to metadata from access to data (actually, at the item permission level, access is granted to both data and metadata indistinctly)
– Encryption works quite well, and RMS aims for a decent data access policy. I still feel RMS is slightly weak or simplistic in that it runs into limitations on non-MS files and content.
I have found some ways to work around this, and if you've seen this too and have some ideas, it would be interesting to discuss (disclaimer: I am not a programmer/developer).
my two cents.
Agree that it was a data theft and a theft of data (playing with words :D); even after signing an NDA etc. people can still do it. I would say SharePoint security hardening is more about securing the hardware and following best practices with service accounts, so password-protecting sensitive files is all I can think of. Also, I believe security audits (not just compliance audits) can point out both existing open ends and the ones which are likely to appear. I would go as far as saying Microsoft will not bother to do anything about this situation; rather, it has to do with the processes of the organisation.
Great reply Steph