welcome to XRM blog



SharePoint Security - Part 2.

By Shreshth Gupta on 3/16/2021


In the previous part of this blog we looked at the ways SharePoint provides for managing our security needs, so that we can improve the security of our data, which is under constant threat of misuse by the malicious actors of this digital era. In this second part we will look at the other security features that SharePoint and Microsoft offer to help keep our data secure.

Other Security Features to Consider

Other than fine-tuning permissions on sites and document libraries, SharePoint also has some other advanced features to help us secure our data.


Multi-Factor Authentication (MFA)

Multi-Factor Authentication, or MFA, is one of the first non-SharePoint security options that springs to mind. MFA not only secures your identity but also gives you a way to keep a check on any misuse of your identity and credentials. There are various options for integrating MFA with other policies, which allow us to limit MFA to certain IP addresses or address ranges. MFA can help keep malicious actors from using our own identities to steal our data.


Data Encryption

Data encryption can be split into two categories: in transit and at rest. Both are protected automatically using the most advanced technologies available, such as AES-256 encryption. There are some specific features: data in transit is protected using IPsec, TLS/SSL and more; data at rest takes advantage of BitLocker and a variety of features tied to Microsoft's Azure cloud storage, such as TDE (Transparent Data Encryption), Azure Disk Encryption and so on.


Encryption of data at rest

Encryption at rest includes two components: BitLocker disk-level encryption and per-file encryption of customer content. BitLocker is deployed for OneDrive for Business and SharePoint Online across the service. Per-file encryption is also in OneDrive for Business and SharePoint Online in Microsoft 365 multi-tenant and new dedicated environments that are built on multi-tenant technology.

While BitLocker encrypts all data on a disk, per-file encryption goes even further by using a unique encryption key for each file. Further, every update to every file is encrypted using its own encryption key. The keys to the encrypted content are stored in a physically separate location from the content. Every step of this encryption uses the Advanced Encryption Standard (AES) with 256-bit keys and is Federal Information Processing Standard (FIPS) 140-2 compliant. The encrypted content is distributed across several containers throughout the datacenter, and each container has unique credentials. These credentials are stored in a separate physical location from both the content and the content keys.

File-level encryption at rest takes advantage of blob storage to provide for virtually unlimited storage growth and to enable unprecedented protection. All customer content in OneDrive for Business and SharePoint Online will be migrated to blob storage.


Here is how that data is secured:

All content is encrypted, potentially with multiple keys, and distributed across the datacenter. Each file to be stored is broken into one or more chunks, depending on its size. Then, each chunk is encrypted using its own unique key. Updates are handled similarly: the set of changes, or deltas, submitted by a user is broken into chunks, and each is encrypted with its own key. All these chunks, that is files, pieces of files and update deltas, are stored as blobs in the blob store. They are also randomly distributed across multiple blob containers. The "map" used to reassemble the file from its components is stored in the Content Database. Each blob container has its own unique credentials per access type (read, write, enumerate and delete). Each set of credentials is held in the secure Key Store and is regularly refreshed.

In other words, there are three different types of stores involved in per-file encryption at rest, each with a distinct function:

- Content is stored as encrypted blobs in the blob store. The key to each chunk of content is encrypted and stored separately in the Content Database. The content itself holds no clue as to how it can be decrypted.

- The Content Database is a SQL Server database. It holds the map required to locate and reassemble all the content blobs held in the blob store, as well as the keys needed to decrypt those blobs.

- The Key Store is physically separate from the Content Database and the blob store. It holds the credentials for each blob container and the key needed to decrypt the per-chunk keys held in the Content Database.

Each of these three storage components—the blob store, the Content Database, and the Key Store—is physically separate. The information held in any one of the components is unusable on its own. This provides an unprecedented level of security. Without access to all three it is impossible to retrieve the keys to the chunks, decrypt the keys to make them usable, associate the keys with their corresponding chunks, decrypt any chunk, or reconstruct a document from its constituent chunks.


Virus Detection

Virus detection is an automated feature that checks every file that is saved within a document library or site. It uses a highly sophisticated anti-malware engine to scan files for viruses and other contaminants. If any user tries to download an infected file, they get a warning message about a possible infection within the file and the download is blocked. The user is given a choice to download that file anyway and attempt to fix it with their own standalone antivirus software, or to discard the download altogether. This ensures that a virus or malicious code cannot be inserted into our SharePoint environment to affect the data stored in it.


Here are some articles that will allow you to understand the security offerings that Microsoft promises such as encryption, security features, etc.

- https://docs.microsoft.com/en-us/microsoft-365/compliance/data-encryption-in-odb-and-spo?view=o365-worldwide

- https://docs.microsoft.com/en-us/sharepoint/safeguarding-your-data



As we have now seen, there are several ways to ensure our data's security, some of which we implement ourselves and some of which SharePoint offers out of the box to make it more secure than it already is.

But if you are still afraid of losing your data, here is something that should put you at ease:


Your data is secure with Microsoft!!!


Microsoft continuously monitors its datacenters to keep them healthy and secure. This starts with inventory. An inventory agent scans each subnet looking for neighbors, and for each machine a state capture is performed.

Once the inventory exists, the health of the machines is monitored and remediated. The security patch train applies patches, updates anti-virus signatures, and makes sure that a known good configuration is saved. Role-specific logic ensures that Microsoft only patches or rotates out a certain percentage of machines at a time.

Microsoft also has an automated workflow to identify machines that don't meet policies and queue them for replacement.

The Microsoft 365 "Red Team" within Microsoft is made up of intrusion specialists. They look for any opportunity to gain unauthorized access.

The "Blue Team" is made up of defence engineers who focus on prevention, detection, and recovery. They build intrusion detection and response technologies.


Data with Microsoft is highly available and always recoverable

Microsoft’s datacenters are geo-distributed within the region and fault tolerant. Data is mirrored in at least two datacenters to mitigate the impact of a natural disaster or service-impacting outage.

Metadata backups are kept for 14 days and can be restored to any point in time within a five-minute window.

In the case of a ransomware attack, you can use version history to roll back, and the recycle bin or site collection recycle bin to restore. If an item has been removed from the site collection recycle bin, you can call support within 14 days to access a backup. Version history not only lets us restore the data but also lets us keep track of all the activities and interactions users have had with the data in our SharePoint environment; beyond that, it helps us maintain and review successive versions of our work as we go forward.


So, now you can see how secure your data is with Microsoft and SharePoint, regardless of the various threats out there seeking to get hold of your valuable data, and you can trust SharePoint to fulfil your security needs and make your data more secure in every way possible.
