Protiviti / SharePoint Blog

October 15
SharePoint Security Methodology

I recently presented in Seattle at SharePoint Fest on something I have coined as the “3 Pillars of SharePoint Security.” This isn’t some fantastical application or technical solution to fix all of our Security problems; it is more of an approach we can take.

The reason for talking about this is experience over the past few years, in which I have seen many types of configurations for the Security problem in SharePoint. Although SharePoint does have its limitations in some areas of Security, as a whole it works as expected, and in reality we sometimes make it a little too complicated.

So before we break down the pillars, let’s step back and understand a core principle. An Attack Vector is a path or means by which a hacker (or cracker) can gain access to a computing system or network in order to deliver a malicious payload or orchestrate a desired outcome. These attack vectors can include both systems and people. Everything from the end user to the core infrastructure should be included.

Understanding these attack vectors clarifies who we should be protecting ourselves from, allowing us to make Threat Assumptions.

Now, of course, knowing this is helpful only if we are going to do something after we understand the attack vectors and the threatening actors we need to be protected from. Too often we spend our time being reactive to issues, whether they are platform specific or responding to a security/data breach. We live in a world where we need to be more proactive to enable us to mitigate these risks. This is where the “3 Pillars” framework comes into effect.

Protection can be more easily managed, configured, and monitored utilizing the tasks associated with the “3 Pillars” framework.

Infrastructure Audit (Pillar 1)

The first pillar is all about keeping track of the environment(s), checking patch levels, and ensuring that any errors or issues are monitored. Keeping documentation of your environment(s) and periodically updating it will help you know, at any point in time, how the infrastructure is configured. When a vulnerability that could potentially impact your environment(s) is announced, it can then be easily checked against the readily accessible and validated documentation.

Security Access Audit (Pillar 2)

Knowing user permissions, access control lists, and the user authentication flow is imperative for ensuring the security of any application or environment. Using out-of-the-box capabilities or third-party tools to review access frequently will make the documentation more beneficial and give you the ability to pinpoint potential issues up front.
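
One way to run such a review with out-of-the-box capabilities, as an added example that is not part of the original post. It assumes on-premises SharePoint Server 2013 or later and a SharePoint Management Shell session with read access to every site collection; the function name `Get-RoleAssignmentRows` and the CSV file name are hypothetical.

```powershell
# Added example: export every web and list that holds its own permissions to a dated CSV,
# so successive runs can be compared against the documented access model.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-RoleAssignmentRows {
    param($Securable, [string]$Scope, [string]$Url)
    foreach ($ra in $Securable.RoleAssignments) {
        [pscustomobject]@{
            Scope     = $Scope
            Url       = $Url
            Principal = $ra.Member.Name
            Login     = $ra.Member.LoginName
            # False means the permission was granted to a user directly, not through a group
            IsGroup   = $ra.Member -is [Microsoft.SharePoint.SPGroup]
            Levels    = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join '; '
        }
    }
}

$rows = foreach ($site in (Get-SPSite -Limit All)) {
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Root webs always own their permissions; subsites only when inheritance is broken
                if ($web.HasUniqueRoleAssignments) {
                    Get-RoleAssignmentRows $web 'Web' $web.Url
                }
                foreach ($list in $web.Lists) {
                    if ($list.HasUniqueRoleAssignments -and -not $list.Hidden) {
                        $listUrl = $web.Url + '/' + $list.RootFolder.Url
                        Get-RoleAssignmentRows $list 'List' $listUrl
                    }
                }
            } finally { $web.Dispose() }   # SPWeb objects from AllWebs must be disposed
        }
    } finally { $site.Dispose() }
}

$rows | Export-Csv -Path ".\access-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Review aid: count directly granted (non-group) permissions per URL
$rows | Where-Object { -not $_.IsGroup } | Group-Object Url |
    Sort-Object Count -Descending | Select-Object Count, Name
```

Item-level and folder-level unique permissions are not enumerated here, so the CSV covers webs and lists only.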

Penetration Test (Pillar 3)

A penetration test is the ultimate benchmark and validation of all the security controls that have been implemented. Performing a penetration test from both the inside and outside of the network will allow for a holistic understanding of the organization’s attack surface.

Performing the “3 Pillars” tasks won’t fix the problem completely, but it will allow you and your organization to be better prepared, more knowledgeable about the infrastructure, and better able to understand the solutions that you manage.

In summary, the “3 Pillars” are Infrastructure Audit, Security Access Audit, and Penetration Testing, which, when combined, will enable better security and protection.

© Protiviti 2019. All rights reserved.