By now you will probably have heard of the infamous Edward Snowden, who stole data that was held by the NSA and then decided to announce key parts of it publicly. Well, last week we actually found out that our best mate SharePoint may have been a guilty party too!
First the facts…
To discover the source of this announcement, watch this video from about 27 minutes in. The key phrase Alexander uses is “This leaker was a System Administrator and ran the SharePoint account at NSA Hawaii, so his responsibility was to move data..”
Interestingly, if you watch from 45:15, you will also hear “This leaker was a System Administrator who was trusted with moving information to actually make sure the right information was on the SharePoint Servers that NSA Hawaii needed.” This makes it sound as though he was loading it into SharePoint, rather than downloading it.
This is contrary to a few reports that came out last week, such as:
- ‘NSA chief leaks info on data sharing tech: It’s SharePoint’ by The Register.
Anyway, for the purposes of this discussion, let’s get some artistic license and assume it WAS in SharePoint 😉
My question is to both SharePoint Administrators and Developers alike! What can we do to make SharePoint more secure, and could this have been prevented? Although they don’t say, let’s make the assumption that the data was stored in standard document libraries.
To help frame the answer, think about:
- What technologies in SharePoint and available as an add-on can we use? (Some promo is fine 😉)
- How can we ensure that the currently logged-on user is that user? Are there different log-on mechanisms than simple user name and password?
- Can we encrypt the data in SharePoint?
- Can we audit who, what, when, where?
- Can we put some extra controls in when the documents are being downloaded?
- Can we lock down Sys Admin privileges?
- Can we require certain actions in SharePoint to need two users to approve?
- If he was a SysAdmin, could he just go straight to the database?
If you can’t answer all the questions, that’s expected! If you know about a particular area, e.g. auditing, then share your knowledge on that. Maybe there’s a nice reference document to be made out of all the answers! Share your experiences, especially if you have worked on a SP farm that requires security clearance!
Thank you for doing this discussion… too many assumptions, misinformation and fudging going on about this topic.
A rational dose of clarity goes a long way.
Now, let me reread this post.
BTW, this discussion wasn’t sponsored by Keith Alexander… was it?
How’s about “who released data publicly that was stolen by the NSA”?
Your article is incorrect where you say the following “By now you will probably have heard of the infamous Edward Snowden, who stole data from the NSA”.
The data was not stolen from the NSA. The NSA stole the data from every person that it illegally monitored both in the US and Internationally. The sooner people in the US understand that “fact” the better.
On the possibilities of taking data from SharePoint – it is enormously easy to take SharePoint data if you are an administrator of the system. It doesn’t specify how the data was being moved but if your job is to move data from one SharePoint farm to another then it is even easier because most likely you will be moving content databases i.e. backing up the database from one server and restoring it on another or using SQL Server Integration Services to move data from one database to another on a schedule.
In the above scenario it is simples to back up, take a copy, take a copy of the copy to a thumb drive, and restore the copy to the destination system and restore the thumb drive to a virtual machine.
I have done it many times for various legitimate testing purposes.
You can have any number of policies and throw any number of dumb auditors at the above situation. The policies won’t prevent a system admin from doing the job of moving the data. The data is only as secure as the person who has access to it. The auditors will tell you that your horse has bolted and charge you for doing so and then watch you as you run around the field looking for your horse. But you’ll be looking in the wrong place and blaming the wrong people.
I too agree with Francois. It’s really easy to blame a system rather than people or a bad process. It’s something that is seen with poor user adoption as well. If your users aren’t using it, surely it must be because the software sucks, and not because you failed to plan properly, or provide the proper training.
I’m not an expert on encryption, but that sounds like something that would be possible. Agree that auditing will only tell you after a breach has occurred, it won’t prevent it.
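The backup-and-copy route described in the comments above is recorded in SQL Server's backup history, so it can at least be reviewed after the fact. The query below is an added example, not code from the original post or its commenters; the content database name pattern, approved backup path and backup service account are assumptions to replace with your own.

```sql
-- Added example: list full backups of SharePoint content databases that
-- do not look like the scheduled job.
-- Assumptions (not from the page): content databases are named WSS_Content%,
-- scheduled backups are written under \\backupsrv\sp\ and run as
-- CONTOSO\svc_sqlbackup. All three values are placeholders.
DECLARE @ApprovedPath  nvarchar(260) = N'\\backupsrv\sp\%';
DECLARE @BackupAccount nvarchar(128) = N'CONTOSO\svc_sqlbackup';
DECLARE @Since         datetime      = DATEADD(DAY, -30, GETDATE());

SELECT
    bs.database_name,
    bs.backup_start_date,
    bs.user_name,                 -- login that issued BACKUP DATABASE
    bs.machine_name,              -- server that took the backup
    bs.is_copy_only,              -- 1 = ad-hoc copy outside the backup chain
    CAST(bs.backup_size / 1048576.0 AS decimal(18, 1)) AS size_mb,
    bmf.physical_device_name,     -- where the backup file was written
    CASE WHEN bmf.physical_device_name NOT LIKE @ApprovedPath
         THEN 1 ELSE 0 END AS off_path,
    CASE WHEN bs.user_name <> @BackupAccount
         THEN 1 ELSE 0 END AS unexpected_account
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf
    ON bmf.media_set_id = bs.media_set_id
WHERE bs.type = 'D'                               -- full database backups
  AND bs.database_name LIKE N'WSS[_]Content%'     -- [_] matches a literal underscore
  AND bs.backup_start_date >= @Since
  AND (   bmf.physical_device_name NOT LIKE @ApprovedPath
       OR bs.user_name <> @BackupAccount
       OR bs.is_copy_only = 1)
ORDER BY bs.backup_start_date DESC;
```

Anyone with sysadmin rights on the instance can purge msdb backup history, so these rows are only useful as evidence if they are collected to a system the SharePoint and SQL administrators do not control.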