welcome to XRM blog

Keep in touch with latest CRM/ERP articles

To remain competitive your organisation must be efficient across the business process spectrum. To do so you need to take sound decisions based on a balance between the cost and risk. To do so you will be heavily dependent on your content management in itself needs...


SharePoint Security - Part 2.

By Shreshth Gupta on 3/16/2021


In the Previous part of this Blog we took a look into the ways that SharePoint provides us for managing our security needs, so that  we can improve the security of our precious data which is under the constant threat of being misused by the malicious elements of this Digital era. In this second part of the blog we will take a look on the other Security features that SharePoint and Microsoft  offers us that helps us in keeping our data secure.

Other Security Features to Consider

Other than the options of fine tuning the Permissions in the Site and the Document libraries SharePoint also have some other advanced features to help us secure our data.


Multi-Factor Authentication (MFA)

Multi-Factor Authentication or MFA is one of the first non-SharePoint security option that springs to mind, MFA not only secure your identity but also gives you a power to keep a check on any misuse of your identity and credentials. There are various options for us to integrate the MFA with few other policies which allows us to limit the MFA for some IP addresses or range of them. MFA can help us keep malicious elements at bay from using our own identities to steel our data. 


Data Encryption

Data encryption can be split in two categories – mid-transit and at rest. Both are automatically protected using the most advanced technologies possible, like AES-256 encryption. There are some specific features: data mid-transit is protection using IPsec, TLS/SSL and more; data at rest is taking advantage of BitLocker and a variety of features tied to Microsoft’s Azure cloud storage – TDE (Transparent Data Encryption), Azure Disk Encryption and so on.


Encryption of data at rest

Encryption at rest includes two components: BitLocker disk-level encryption and per-file encryption of customer content. BitLocker is deployed for OneDrive for Business and SharePoint Online across the service. Per-file encryption is also in OneDrive for Business and SharePoint Online in Microsoft 365 multi-tenant and new dedicated environments that are built on multi-tenant technology.

While BitLocker encrypts all data on a disk, per-file encryption goes even further by including a unique encryption key for each file. Further, every update to every file is encrypted using its own encryption key. Before they are stored, the keys to the encrypted content are stored in a physically separate location from the content. Every step of this encryption uses Advanced Encryption Standard (AES) with 256-bit keys and is Federal Information Processing Standard (FIPS) 140-2 compliant. The encrypted content is distributed across several containers throughout the datacenter, and each container has unique credentials. These credentials are stored in a separate physical location from either the content or the content keys.

File-level encryption at rest takes advantage of blob storage to provide for virtually unlimited storage growth and to enable unprecedented protection. All customer content in OneDrive for Business and SharePoint Online will be migrated to blob storage.


Here is how that data is secured:

All content is encrypted, potentially with multiple keys, and distributed across the datacenter. Each file to be stored is broken into one or more chunks, depending on its size. Then, each chunk is encrypted using its own unique key. Updates are handled similarly, the set of changes, or deltas, submitted by a user is broken into chunks, and each is encrypted with its own key. All these chunks—files, pieces of files, and update deltas—are stored as blobs in our blob store. They also are randomly distributed across multiple blob containers. The "map" used to re-assemble the file from its components is stored in the Content Database. Each blob container has its own unique credentials per access type (read, write, enumerate, and delete). Each set of credentials is held in the secure Key Store and is regularly refreshed.

In other words, there are three different types of stores involved in per-file encryption at rest, each with a distinct function:

-        Content is stored as encrypted blobs in the blob store. The key to each chunk of content is encrypted and stored separately in the content database. The content itself holds no clue as to how it can be decrypted.

-        The Content Database is a SQL Server database. It holds the map required to locate and reassemble all the content blobs held in the blob store as well as the keys needed to decrypt those blobs.

Each of these three storage components—the blob store, the Content Database, and the Key Store—is physically separate. The information held in any one of the components is unusable on its own. This provides an unprecedented level of security. Without access to all three it is impossible to retrieve the keys to the chunks, decrypt the keys to make them usable, associate the keys with their corresponding chunks, decrypt any chunk, or reconstruct a document from its constituent chunks.


Virus Detection

Virus detection is an automated feature that checks every file that is saved within a document library or site. It uses a highly sophisticated anti-malware engine to scan files for viruses and other contaminants. If any user tries to download an infected file – they will get a warning message about a possible infection within the file and the download is blocked with a warning message. The user is given a choice to download that file and attempt to fix it with their own standalone antivirus software or discard the download all together. This ensures that any virous or malicious code cannot be inserted into our SharePoint environment to affect the data stored in it.


Here are some articles that will allow you to understand the security offerings that Microsoft promises such as encryption, security features, etc.

-        https://docs.microsoft.com/en-us/microsoft-365/compliance/data-encryption-in-odb-and-spo?view=o365-worldwide

-        https://docs.microsoft.com/en-us/sharepoint/safeguarding-your-data



 As we have now seen that there are several ways to ensure our data’s security, some of which we can implement and some of them are offered out-of-the-box by SharePoint itself to make it more secure than it already is.

But if you still are afraid of losing your data here is something that can bring you at ease:


Your data is secure with Microsoft!!!


Microsoft continuously monitor their datacenters to keep them healthy and secure. This starts with inventory. An inventory agent scans each subnet looking for neighbors. For each machine, they perform a state capture.

After they have an inventory, they then monitor and remediate the health of machines. The security patch train applies patches, updates anti-virus signatures, and makes sure that they have a known good configuration saved. They have role-specific logic that ensures Microsoft only patch or rotate out a certain percentage of machines at a time.

Microsoft also have an automated workflow to identify machines that don't meet policies and queue them for replacement.

The Microsoft 365 "Red Team" within Microsoft is made up of intrusion specialists. They look for any opportunity to gain unauthorized access. 

The "Blue Team" is made up of defence engineers who focus on prevention, detection, and recovery. They build intrusion detection and response technologies.


Data with Microsoft is Highly available and always recoverable

Microsoft’s datacenters are geo-distributed within the region and fault tolerant. Data is mirrored in at least two datacenters to mitigate the impact of a natural disaster or service-impacting outage.

Metadata backups are kept for 14 days and can be restored to any point in time within a five-minute window.

In the case of a ransomware attack, you can use Version history to roll back, and the recycle bin or site collection recycle bin to restore. If an item is removed from the site collection recycle bin, you can call support within 14 days to access a backup. The Version History not just let us restore the data back but also allows us to keep a track of all the activities and interactions users had with the data present in our SharePoint environment, apart from that the version history also help us to maintain and review various levels of our work as we go forward.


So, now you can understand how much secure your data is with Microsoft and SharePoint regardless of the various threats out there to get hold of your valuable data and you can trust SharePoint to fulfil all your security needs for making your data much more secured in each way possible. 

Blog Calendar
Blog Calendar List
2024 Apr  1  4
2024 Mar  19  4
2024 Feb  19  3
2024 Jan  6  7
2023 Dec  9  6
2023 Nov  25  5
2023 Oct  76  12
2023 Sep  183  9
2023 Aug  55  7
2023 Jul  31  5
2023 Jun  20  4
2023 May  43  5
2023 Apr  30  5
2023 Mar  88  6
2023 Feb  99  5
2023 Jan  37  4
2022 Dec  94  7
2022 Nov  247  2
2022 Sep  13  1
2022 Aug  27  2
2022 Jun  7  2
2022 May  3  2
2022 Apr  6  2
2022 Mar  1  1
2022 Feb  2  1
2022 Jan  1  1
2021 Dec  3  1
2021 Nov  2  1
2021 Oct  1  1
2021 Sep  11  1
2021 Aug  37  5
2021 Jul  36  4
2021 Jun  1200  5
2021 May  31  3
2021 Apr  1986  3
2021 Mar  188  5
2021 Feb  2061  7
2021 Jan  2939  9
2020 Dec  431  7
2020 Sep  73  3
2020 Aug  669  3
2020 Jul  124  1
2020 Jun  74  3
2020 Apr  68  3
2020 Mar  12  2
2020 Feb  27  5
2020 Jan  34  7
2019 Dec  17  4
2019 Nov  29  1
2019 Jan  23  2
2018 Dec  58  4
2018 Nov  68  3
2018 Oct  18  3
2018 Sep  1128  11
2018 Aug  7  2
2018 Jun  13  1
2018 Jan  68  2
2017 Sep  585  5
2017 Aug  17  1
2017 Jul  17  2
2017 Jun  62  2
2017 May  21  1
2017 Apr  35  2
2017 Mar  135  4
2017 Feb  773  4
2016 Dec  203  3
2016 Nov  820  8
2016 Oct  304  10
2016 Sep  695  6
2016 Aug  39  1
2016 Jun  1868  6
2016 May  110  3
2016 Jan  71  2
2015 Dec  460  6
2015 Nov  4  1
2015 Oct  13  1
2015 Sep  1464  6
2015 Aug  14  1
2015 Jul  128  2
2015 Jun  10  1
2015 May  20  1
2015 Apr  30  3
2015 Mar  80  3
2015 Jan  5334  4
2014 Dec  17  1
2014 Nov  2257  4
2014 Oct  68  1
2014 Sep  107  2
2014 Aug  5272  1
2014 Jul  48  2
2014 Apr  2578  12
2014 Mar  300  17
2014 Feb  220  6
2014 Jan  1510  16
2013 Dec  21  2
2013 Nov  688  2
2013 Oct  256  3
2013 Sep  11  1
2013 Aug  40  3
2013 Jul  214  1
2013 Apr  57  6
2013 Mar  2272  10
2013 Feb  127  3
2013 Jan  340  2
2012 Nov  57  2
2012 Oct  498  10
Tag Cloud
Interested in our services? Still not sure about project details? get a quote