I am glad you asked that. In recent times, it is one of the widely asked questions from the folks who are thinking about using SharePoint. I’ll try to answer this question about the data security in SharePoint server in this article.
When we think about the data security, we mostly think about three phases of data, how data is accessed, how data travels over the network and how data is stored. As a standard practice, all these phases have their own security techniques and protocols already in place and when we talk about the security of a product (like SharePoint), we are essentially checking how well the product can integrate with the security settings we already have in place.
The above described all the phases that carry equal importance, but the “data access” part is the most crucial as most of the security leaks happen there. Like any other web portal, in SharePoint, the “data access” is secured by authentication followed by authorization.
SharePoint Server supports a variety of authentication methods and authentication providers for the authentication types like Windows Authentication, Form-Based Authenticationand SAML Token based authentication. It is also possible to use more than one authentication types in the same farm. Two or three different authentications types are also possible for a single web application. What it means? It means that SharePoint Server gives flexibility to use different methods of asserting user’s identity (as per your business and infrastructure requirements).
To be little more specific, SharePoint server supports all the windows authentication types like NTLM, Windows Claims, Digest, Kerberos and Basic (basic authentication is not supported in SharePoint server 2016). Forms-based authentication can be used against credentials that are stored in an authentication provider such as ADDS, SQL Database and LDAP data stores like Novell or Sun ONE. And, since we are talking about the data security, I’ll abstain myself from talking about the Anonymous authentication, which is absolutely supported by SharePoint.
Authorization (User Access)
This is the part where SharePoint really exceeds the expectation. There is a complete hierarchy of access levels and a site collection administrator has the privilege to organize the initial permission levels which then carry down the hierarchy. SharePoint groups can be created and users can be put under these groups. Groups can be assigned different access levels like read, write, edit and so on. It is further possible to create your own customized access level (consider the scenario where you don’t want users to delete anything but they should be able to add the content – possible!). As you go down the hierarchy, you can also fine tune the accesses, i.e you can choose whether a sub site inherits the access from parent site or you can choose to define altogether separate access levels and permissions for the sub site(s). You can even define the unique access on the item level.
User permissions in SharePoint is a huge topic but the point I am trying to put here is, SharePoint gives you all the flexibility and options to control “who can access what.”
If an external component of SharePoint store app must access a secured SharePoint resource, stringent app authentication and app authorization procedures are in place to facilitate this sort of scenarios.
Just to give a hint, app authentication is based on obtaining an access token signed by the certificate that SharePoint trusts.
Now, to another phase, how data travels over the network, as an IT guy I’d say this is not a burden that needs to be put on SharePoint. We all spend countless money in securing our network, establishing network access controls, antivirus, intrusion prevention system, firewalls and so on. SharePoint goes with all of them. Whether you use ISA or reverse proxy for internet facing sites, SharePoint is flexible enough to work with them. SharePoint 2013 support TLS 1.0, TLS 1.1, TLS 1.2 and SSL 3.0.
SQL Server Security
How is data stored? SharePoint stores its data in SQL database, all documents, images, videos, settings, configurations and everything is stored in SQL databases. It’s important to properly secure your SQL Server. Make sure to use a separate SQL, not to have same server for SharePoint and SQL and disable any unused services and components. A basic deployment uses SQL Server’s database engine, the SQL Server Agent, and the SQL Server browser components. Microsoft’s SQL Server Surface Area Configuration Tool can disable anything that’s not used. This utility can be run once the SharePoint is Up and Running. You see, we are talking about the SQL server’s security because SharePoint data resides on SQL. Perhaps you want to have a SQL Admin’s opinion in securing your SharePoint’s SQL instance but one thing I would emphasise is using Windows mode for SQL Authentication because it’s more secure than mixed mode as it uses the Kerberos security protocol during the authentication process.
SharePoint also provides some additional measures to level up the security of your SharePoint farm.
Least Privileged Administration
The concept of least-privileged administration is to provide the minimum privileges to the users/accounts which are absolutely required to accomplish the task. The Least-Privileged administration enhances the security of the entire farm but this security comes at the cost of maintenance overhead. The result is that if one account is compromised, by any chance, it only affects a small part of the farm and not the entire farm and this further minimizes the outage.
Automatic Password Change
You’ll need multiple managed accounts to implement Least Privileged administration, and to enhance the security you might want to change the passwords for these accounts frequently. To simplify password management, the automatic password change feature enables you to update and deploy passwords without having to perform manual password update tasks across multiple accounts, services, and web applications. The automatic password change features determine if the password is about to expire and change it with a strong password string.
Just in case, if you are still paranoid about the security of your data, Microsoft describes some additional steps for Security Hardening of SharePoint servers, which you can implement and be little bit more sure about the data security in your environment.
As mentioned, all of these settings are closely related to the SharePoint server only. But when it comes to using SharePoint Online as a part of Office 365 family, Microsoft ensures all the security of your data. They have published many articles and blogs and FAQs to address security concerns about O365 and it would answer most of your questions but the ultimate questions will be, do you trust Microsoft with your data? If not, then go with the SharePoint server and you can enhance your security settings to the level of your satisfaction.
I would conclude this article with restating the fact that most of security incidents and data leaks happen due to privilege abuse. We can stop the malware and adware attacks but a mischievous thought in a user’s mind is all it takes to breach the security and leak the data.
For additional resources please download our SharePoint white papers here.
The “ORA-12154: TNS:could not resolve the connect identifier specified” Oracle error is a commonly seen message for database administrators.
This blog reviews how you can generate scripts for SQL server logins, role assignments, and server permissions for a smooth migration.