In the Previous part of this Blog we took a look into the ways that SharePoint provides us for managing our security needs, so that we can improve the security of our precious data which is under the constant threat of being misused by the malicious elements of this Digital era. In this second part of the blog we will take a look on the other Security features that SharePoint and Microsoft offers us that helps us in keeping our data secure.
Other Security Features to Consider
Other than the options of fine tuning the Permissions in the Site and the Document libraries SharePoint also have some other advanced features to help us secure our data.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication or MFA is one of the first non-SharePoint security option that springs to mind, MFA not only secure your identity but also gives you a power to keep a check on any misuse of your identity and credentials. There are various options for us to integrate the MFA with few other policies which allows us to limit the MFA for some IP addresses or range of them. MFA can help us keep malicious elements at bay from using our own identities to steel our data.
Data encryption can be split in two categories – mid-transit and at rest. Both are automatically protected using the most advanced technologies possible, like AES-256 encryption. There are some specific features: data mid-transit is protection using IPsec, TLS/SSL and more; data at rest is taking advantage of BitLocker and a variety of features tied to Microsoft’s Azure cloud storage – TDE (Transparent Data Encryption), Azure Disk Encryption and so on.
Encryption of data at rest
Encryption at rest includes two components: BitLocker disk-level encryption and per-file encryption of customer content. BitLocker is deployed for OneDrive for Business and SharePoint Online across the service. Per-file encryption is also in OneDrive for Business and SharePoint Online in Microsoft 365 multi-tenant and new dedicated environments that are built on multi-tenant technology.
While BitLocker encrypts all data on a disk, per-file encryption goes even further by including a unique encryption key for each file. Further, every update to every file is encrypted using its own encryption key. Before they are stored, the keys to the encrypted content are stored in a physically separate location from the content. Every step of this encryption uses Advanced Encryption Standard (AES) with 256-bit keys and is Federal Information Processing Standard (FIPS) 140-2 compliant. The encrypted content is distributed across several containers throughout the datacenter, and each container has unique credentials. These credentials are stored in a separate physical location from either the content or the content keys.
File-level encryption at rest takes advantage of blob storage to provide for virtually unlimited storage growth and to enable unprecedented protection. All customer content in OneDrive for Business and SharePoint Online will be migrated to blob storage.
Here is how that data is secured:
All content is encrypted, potentially with multiple keys, and distributed across the datacenter. Each file to be stored is broken into one or more chunks, depending on its size. Then, each chunk is encrypted using its own unique key. Updates are handled similarly, the set of changes, or deltas, submitted by a user is broken into chunks, and each is encrypted with its own key. All these chunks—files, pieces of files, and update deltas—are stored as blobs in our blob store. They also are randomly distributed across multiple blob containers. The "map" used to re-assemble the file from its components is stored in the Content Database. Each blob container has its own unique credentials per access type (read, write, enumerate, and delete). Each set of credentials is held in the secure Key Store and is regularly refreshed.
In other words, there are three different types of stores involved in per-file encryption at rest, each with a distinct function:
- Content is stored as encrypted blobs in the blob store. The key to each chunk of content is encrypted and stored separately in the content database. The content itself holds no clue as to how it can be decrypted.
- The Content Database is a SQL Server database. It holds the map required to locate and reassemble all the content blobs held in the blob store as well as the keys needed to decrypt those blobs.
Each of these three storage components—the blob store, the Content Database, and the Key Store—is physically separate. The information held in any one of the components is unusable on its own. This provides an unprecedented level of security. Without access to all three it is impossible to retrieve the keys to the chunks, decrypt the keys to make them usable, associate the keys with their corresponding chunks, decrypt any chunk, or reconstruct a document from its constituent chunks.
Virus detection is an automated feature that checks every file that is saved within a document library or site. It uses a highly sophisticated anti-malware engine to scan files for viruses and other contaminants. If any user tries to download an infected file – they will get a warning message about a possible infection within the file and the download is blocked with a warning message. The user is given a choice to download that file and attempt to fix it with their own standalone antivirus software or discard the download all together. This ensures that any virous or malicious code cannot be inserted into our SharePoint environment to affect the data stored in it.
Here are some articles that will allow you to understand the security offerings that Microsoft promises such as encryption, security features, etc.
As we have now seen that there are several ways to ensure our data’s security, some of which we can implement and some of them are offered out-of-the-box by SharePoint itself to make it more secure than it already is.
But if you still are afraid of losing your data here is something that can bring you at ease:
Your data is secure with Microsoft!!!
Microsoft continuously monitor their datacenters to keep them healthy and secure. This starts with inventory. An inventory agent scans each subnet looking for neighbors. For each machine, they perform a state capture.
After they have an inventory, they then monitor and remediate the health of machines. The security patch train applies patches, updates anti-virus signatures, and makes sure that they have a known good configuration saved. They have role-specific logic that ensures Microsoft only patch or rotate out a certain percentage of machines at a time.
Microsoft also have an automated workflow to identify machines that don't meet policies and queue them for replacement.
The Microsoft 365 "Red Team" within Microsoft is made up of intrusion specialists. They look for any opportunity to gain unauthorized access.
The "Blue Team" is made up of defence engineers who focus on prevention, detection, and recovery. They build intrusion detection and response technologies.
Data with Microsoft is Highly available and always recoverable
Microsoft’s datacenters are geo-distributed within the region and fault tolerant. Data is mirrored in at least two datacenters to mitigate the impact of a natural disaster or service-impacting outage.
Metadata backups are kept for 14 days and can be restored to any point in time within a five-minute window.
In the case of a ransomware attack, you can use Version history to roll back, and the recycle bin or site collection recycle bin to restore. If an item is removed from the site collection recycle bin, you can call support within 14 days to access a backup. The Version History not just let us restore the data back but also allows us to keep a track of all the activities and interactions users had with the data present in our SharePoint environment, apart from that the version history also help us to maintain and review various levels of our work as we go forward.
So, now you can understand how much secure your data is with Microsoft and SharePoint regardless of the various threats out there to get hold of your valuable data and you can trust SharePoint to fulfil all your security needs for making your data much more secured in each way possible.