Five best practices to avoid data breaches due to insider threat vulnerabilities
Insider leaks are among the most challenging threats to any organization’s data security. Such data breaches may be indirect—as in the case of Target and Home Depot breaches in 2014 that resulted from a compromise of third-party vendors—or malicious—as in the recent situations with Edward Snowden and Bradley Manning. Compromised credentials are the most common cause of data breaches, where the perpetrators may be “external” sources who have gained access to confidential internal information to carry out the breach.
To understand how serious the possibility of data breaches from insiders can be to an organization, the Snowden and Manning cases present compelling cautionary tales. Federal News Radio stated that these individuals “personify the concept of the insider threat.” Snowden became known around the globe in 2013 as the leaker of confidential documents from the National Security Agency. A former CIA contractor, Snowden gained access to this classified communications intelligence information and supplied it to international media.
Manning betrayed the U.S. Military by providing 700,000 confidential and classified documents to Wikileaks. In his role as Army Private First Class of the 2nd Brigade Combat Team, Manning had unrestricted access to closed databases of sensitive military intelligence, and also had security clearance to download classified files to CDs. The massive amount of secret data that Manning shared with the world resulted in the most extensive leak of classified material in U.S. history.
While the Snowden and Manning cases are among the largest and highest profile when it comes to insider threats, every organization that stores sensitive business content and data must make security a top concern to avoid becoming the next victim that makes the headlines. The problem is increasing, with the annual cost of data breaches in the U.S. now estimated at over $100 billion, according to a study by McAfee. Many companies have systems in place that attempt to deal with hacks from outside the organization, including encryption, preventing data from being downloaded onto mobile devices or moved via e-mail, and other common techniques. Most organizations, though, have a harder time assessing and combating vulnerabilities from threats that originate inside the organization.
According to Infosec Europe, 67 percent of IT professionals do have concerns about insider threats, but the majority of today’s security spending fails to address these insidious risks. That gap between expressed concern and actual funding indicates that too many companies are continuing to overlook the significant risk of a breach. They thus remain unprepared to prevent the damage that those within their own organization—sometimes unintentionally—can wreak by using sensitive content to undermine the organization.
According to AIIM.org, nearly 60 percent of organizations use SharePoint for content collaboration, but if unchecked SharePoint can be exposed to several serious security risks. Fortunately, there are steps that every organization can take to help mitigate security vulnerabilities from the inside and secure their SharePoint content to avoid data breaches.
The following Insider Threat Vulnerability Checklist offers five basic best practices to follow that are based on fundamentals but often overlooked:
- Avoid assigning direct permissions to users. In a rush to quickly grant access, site owners often grant users direct permissions. But as a security best practice, administrators should avoid applying direct permissions to users at all costs. Direct permissions can expose your critical business content to those who should not see it and leave the door open to leaks of sensitive data. Tools are available that can help site owners clean up direct permissions where a user has specific access to a SharePoint object. Such tools can be used to scan and match individual user permissions with corresponding SharePoint groups if the application of direct permissions fails to conform to best practice or governance policies. After matching direct permissions with groups, these tools can automate implementation of changes in access, assigning the appropriate users to the correct SharePoint groups and removing redundant permissions.
- Ensure correct usage of the “All Authenticated Users” group. Incorrect use of permissions for the “All Authenticated Users” group can inadvertently give access to sensitive content to everyone within your organization. To avoid misuse of permissions for this group, be sure to check regularly for correct usage and assignments of access. Administrators should always apply permissions using the “least privilege” principle, which requires that users be granted the minimum permissions required to complete their job.
- Separation of duties for farm administrators. Members of the farm administrators group in SharePoint have full-control permissions to all servers in the server farm. Members of this group are able to perform all administrative tasks in Central Administration for the server farm and can assign administrators to manage service applications. It is important, however, to separate duties in SharePoint and to use different accounts to perform different duties. This also helps to maintain an accurate audit trail of exactly what was going on with the system at any given time. Failure to separate these access points is a common cause of data breaches from insider threats.
- Isolation of managed service accounts. Allowing managed service accounts (MSAs), which are used for the setup and administration of SharePoint, access to sites is an exposure risk to insider threats through misuse of account credentials to access business data. MSAs should never be used for day-to-day access and should not be assigned to sites and other locations beyond the purpose for which they are designed.
- Use broken inheritance responsibly. Permissions inheritance allows administrators to assign permission levels all at once through a hierarchy of sites, saving time and effort. However, when a site contains sensitive information that needs protection, the site owner can break the inheritance (block inheriting permissions) at any level in the hierarchy. A SharePoint security model with many instances of broken inheritance is a management overhead that site owners should try to avoid, as it often leads to overlooked security settings. By using the correct tools to help you better report, act on, and enforce broken permissions inheritance policies, you can close security loopholes as a best practice.
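As an added example (not code from the original article), the following PowerShell audit walks a SharePoint Server farm and reports three of the conditions the checklist warns about: direct user permissions, grants to the All Authenticated Users group, and broken inheritance. It assumes the Microsoft.SharePoint PowerShell snap-in on a farm server and a farm-administrator account; the claims login `c:0(.s|true` is the identity SharePoint uses for All Authenticated Users in claims mode.

```powershell
# Added audit example, not from the original article. Walks every web and list
# in the farm and lists findings a site owner should review against the checklist.
# Assumes the SharePoint Server object model is available (farm server) and the
# script runs under a farm administrator account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Claims-encoded and classic login names SharePoint uses for "All Authenticated Users"
$allAuthLogins = @('c:0(.s|true', 'NT AUTHORITY\authenticated users')

function Test-SecurableObject($obj, $location, $findings) {
    # Only objects that broke inheritance carry their own role assignments
    if (-not $obj.HasUniqueRoleAssignments) { return }
    $findings.Add([pscustomobject]@{ Location = $location; Finding = 'Broken inheritance'; Principal = '' })
    foreach ($ra in $obj.RoleAssignments) {
        $member = $ra.Member
        $roles  = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ','
        # SPUser covers both individual accounts and domain/security groups;
        # SharePoint groups (SPGroup) are the intended way to grant access
        if ($member -is [Microsoft.SharePoint.SPUser]) {
            if ($allAuthLogins -contains $member.LoginName) {
                $findings.Add([pscustomobject]@{ Location = $location; Finding = "All Authenticated Users granted: $roles"; Principal = $member.LoginName })
            } elseif (-not $member.IsDomainGroup) {
                # Individual user assigned directly rather than through a SharePoint group
                $findings.Add([pscustomobject]@{ Location = $location; Finding = "Direct user permission: $roles"; Principal = $member.LoginName })
            }
        }
    }
}

$findings = New-Object System.Collections.Generic.List[object]
foreach ($site in Get-SPSite -Limit All) {
    foreach ($web in $site.AllWebs) {
        Test-SecurableObject $web $web.Url $findings
        foreach ($list in $web.Lists) {
            Test-SecurableObject $list "$($web.Url)/$($list.Title)" $findings
        }
        $web.Dispose()
    }
    $site.Dispose()
}
$findings | Sort-Object Location | Format-Table -AutoSize
```

Each "Direct user permission" row is a candidate for moving the user into the matching SharePoint group, and each "All Authenticated Users granted" row on a site holding sensitive content warrants a least-privilege review.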
Maintaining a secure yet collaborative enterprise SharePoint system is crucial to any business. Yet while maintaining a healthy environment for users takes dedicated resources and thoughtful planning, it need not consume every hour of administration work. By focusing on these five best practices that every site owner can use, it becomes much easier to improve the security of any SharePoint system.