By now you will probably have heard of the infamous Edward Snowden, who stole data that was held by the NSA then decided to announce key parts of it publicly. Well last week we actually found out that our best mate SharePoint, may have been a guilty party to!
First the facts…
To discover the source of this announcement watch this video and watch from about 27 minutes. The key phrase Alexander uses is “This leaker was a System Administrator and ran the SharePoint account at NSA Hawaii, so his responsibility was to move data..”
Interestingly, if you watch from 45:15, you will also hear “This leaker was a System Administrator who was trusted with moving information to actually make sure the right information was on the SharePoint Servers that NSA Hawaii needed.” This makes it sound as though he was loading it into SharePoint ,rather than downloading it.
This is contrary to a few reports that came out last week such as :
- ‘NSA chief leaks info on data sharing tech: It’s SharePoint‘ by the Register.
Anyway, for the purposes of this discussion, let’s get some artistic license and assume it WAS in SharePoint 😉
My question is to both SharePoint Administrators and Developers alike! What can we do to make SharePoint more secure and could this have been prevented ? All though they don’t say, let’s make the assumption that the data was stored in standard document libraries.
To help frame the answer, think about :
- What technologies in SharePoint and available as an add-on can we use ? (Some promo is fine 😉
- How can we ensure that the currently logged on user is that user ? Are there different log-on mechanisms that simple user name and password ?
- Can we encrypt the data in SharePoint ?
- Can we audit who, what, when where ?
- Can we put some extra controls in when the documents are being downloaded ?
- Can we lock down Sys Admin privileges ?
- Can we require certain actions in SharePoint to need two users to approve ?
- If he was a SysAdmin could he just go straight to the database ?
If you can’t answer all the questions that’s expected! If you know about a particular area, e.g. auditing then share your knowledge on that. Maybe there’s a nice reference document to be made out of all the answers! Share your experiences, especially if you have worked on a SP farm that requires security clearance!
Hi Mark,
Thanks for sharing. You really bring up some great points. Here is an article discussing similar questions about how the NSA scandal could have been prevented.
I have tidied it up and made it more accurate based on what Alexander says. It appears that SharePoint got a rough deal last week!
Agree. To that point. Actually I read another article that assumes SharePoint has a leak. Which I think is obvious to discuss. 😉
I think the whole leak discussion should be seen in a broader context. How can a company in general prevent leaking of information.
Assume someone is a system administrator then he/she have the ability to bypass SharePoint by simply connect to the computer of the CEO for example and look for files in the browser cache. IRM might help in some ways to encrypt all the documents.
Have you seen many companies that have a data security policy? That describes how files or data will be handled on the various devices starting from an encrypted file system and stuff like that?
Stefan – it’s not 100% clear how the data was used, but he does say later that his job was to move it to SharePoint. So, for the purposes of this, let’s assume we need to “harden” SharePoint, what extra processes, tools, techniques can we use ?
Alexander mentions the need to get 2 people to approve a download of data, how could we do that for example ?
What Alexander said was that Edward Snowden was a system administrator at NSA Hawaii and was responsible to move data to the SharePoint that NSA use in Hawaii.
There is no leak, backdoor or whatever in SharePoint as far as currently known. What we need to protect the data we need to remove the Edward Snowden account from our SharePoint Servers. 😉 Haven’t found one on my servers.
The more things we should be worried about being cloud services like Yammer, Skype and even office 365 where we don’t have control to lock down the data. In fact the 9/11 terror attacks was planned using Hotmail. http://www.nbcnews.com/id/30530283/ns/world_news-terrorism/t/document-alleged-planner-used-hotmail/#.UfDP8xbJ5gM
Even worry more about network devices where we have control about the firmware.
