Townsend Security Data Privacy Blog

Secure SharePoint with Remote Blob Storage (RBS) Encryption

Posted by Liz Townsend on Apr 10, 2013 2:42:00 PM

Since its release in 2001, Microsoft SharePoint has quickly become one of the most widely used applications for document storage and collaboration.

SharePoint originally stored and organized documents and other critical information about those documents in rows and columns. However, as the use of SharePoint grew, administrators began to notice that the huge number and size of the documents being stored impacted the performance of SharePoint, slowing down the application until it was fairly unusable. To rectify this issue, Remote Blob Storage (RBS) was introduced to store the documents themselves outside of the SharePoint database so that the size of the documents wouldn't impact SharePoint performance. Now, when a SharePoint administrator starts to see performance impact from documents stored in SharePoint, they can store the files themselves separately, and SharePoint talks to the remote server in order to retrieve the files.

Now that SharePoint is so widely used, protecting data stored in SharePoint has become a big issue. Many companies use SharePoint to track customers, retail orders, personal health information, and other personally identifiable information (PII) that most industry regulations (PCI-DSS, HIPAA/HITECH, GLBA/FFIEC, etc.) and many state laws require to be protected. Typically these regulations mandate the protection of this data using encryption and encryption key management.

The good news is that encrypting data in SharePoint is pretty easy, and it's often only a two-step process. SharePoint administrators must:

  1. Encrypt the SQL Server database SharePoint runs on
  2. Encrypt the Remote Blob Storage (RBS) used to store documents.

Encrypting SharePoint on SQL Server is easy with transparent data encryption (TDE) for SQL Server 2008/2008 R2/2012. Extensible key management (EKM) also allows admins to manage encryption keys and meet compliance regulations using an external third-party encryption key management hardware security module (HSM).

Townsend Security offers a FIPS 140-2 compliant encryption key management system for Microsoft SharePoint to help you protect SharePoint and meet compliance. To learn more about securing data in SharePoint, check out our podcast, “Securing SharePoint with Encryption & Key Management.”

Topics: Data Privacy, SQL Server, SharePoint

Encrypting SharePoint is Easy with Microsoft SQL Server

Posted by Liz Townsend on Sep 19, 2012 2:56:00 PM

How easy is securing and protecting sensitive data on SharePoint?

Over time Microsoft has been moving SQL Server underneath almost all of their core enterprise products (SharePoint, CRM, Dynamics, etc.), which is great news for IT administrators because SQL Server supports automatic encryption. This means that protecting your SharePoint database and meeting compliance regulations (PCI-DSS, FFIEC, HIPAA, etc.) is easier than ever.

SQL Server Enterprise and higher editions (starting with 2008 through 2012) fully implement extensible key management (EKM) and encryption to protect data. Installing encryption on that platform is the first step: administrators can then leverage the automatic encryption capabilities of SQL Server with only a few commands and no application changes. The second step is to understand the importance of protecting your encryption keys using separation of duties and dual control on an external Hardware Security Module (HSM).
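The "few commands" for TDE with an EKM-held key look roughly like the following T-SQL. This is an added example, not code from Townsend Security or from the original post; the provider name, DLL path, credential identities, secrets, login, key names and the `WSS_Content` database name are all placeholders chosen for illustration.

```sql
-- Added example: TDE for a SharePoint content database, key held in an external HSM via EKM.
-- Every name, path and secret below is a placeholder (assumption), not a vendor value.

-- 1. Allow SQL Server to load EKM providers.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- 2. Register the key manager vendor's EKM provider DLL (hypothetical path).
CREATE CRYPTOGRAPHIC PROVIDER ExampleEkmProvider
    FROM FILE = 'C:\ExampleVendor\example_ekm.dll';
GO

-- 3. Credential the administrator uses to reach the key manager during setup.
CREATE CREDENTIAL ExampleEkmAdminCred
    WITH IDENTITY = 'example_ekm_admin', SECRET = '<admin-secret-placeholder>'
    FOR CRYPTOGRAPHIC PROVIDER ExampleEkmProvider;
ALTER LOGIN [EXAMPLE\sqladmin] ADD CREDENTIAL ExampleEkmAdminCred;
GO

-- 4. Reference an asymmetric key that already exists on the HSM;
--    the private key stays on the HSM and is never stored in SQL Server.
USE master;
CREATE ASYMMETRIC KEY ExampleTdeKey
    FROM PROVIDER ExampleEkmProvider
    WITH PROVIDER_KEY_NAME = 'example_sharepoint_tde_key',
         CREATION_DISPOSITION = OPEN_EXISTING;
GO

-- 5. Login and credential the database engine uses to open that key at startup.
CREATE CREDENTIAL ExampleEkmTdeCred
    WITH IDENTITY = 'example_ekm_tde', SECRET = '<tde-secret-placeholder>'
    FOR CRYPTOGRAPHIC PROVIDER ExampleEkmProvider;
CREATE LOGIN ExampleTdeLogin FROM ASYMMETRIC KEY ExampleTdeKey;
ALTER LOGIN ExampleTdeLogin ADD CREDENTIAL ExampleEkmTdeCred;
GO

-- 6. Create the database encryption key, protected by the HSM key, and turn TDE on.
USE WSS_Content;  -- assumed content database name
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY ExampleTdeKey;
ALTER DATABASE WSS_Content SET ENCRYPTION ON;
GO

-- 7. Verify: encryption_state 3 = encrypted, 2 = encryption scan still in progress.
SELECT DB_NAME(database_id) AS database_name, encryption_state, percent_complete
FROM sys.dm_database_encryption_keys;
```

TDE covers the database's data files, log files and backups. Documents moved out of the database with RBS sit outside those files and need their own encryption.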

The path to implementing encryption and key management for SharePoint is one of the most straightforward and easy paths. Townsend Security’s Alliance Encryption Key Management solution fully supports automatic SQL Server encryption and integrates with ease.

What impact does encryption have on SharePoint performance? Should users and administrators be concerned?

Encryption will always be a CPU intensive task and there will be some performance impact due to extra processing power needed for encryption and decryption. However, the Microsoft encryption libraries as well as the .NET environment are highly optimized for performance. I have always seen very good performance on SQL Server and the native encryption capabilities that it provides. Microsoft reports that Transparent Data Encryption (TDE) on SQL Server may cost you a 2-4% penalty in performance, and our own tests show similar results that fall on the 2% end of things. There are also several encryption and encryption key management solutions on the market, and each one performs a little differently.

Ultimately, performance depends on the amount of data you’re storing, and I always recommend that a customer take into account all factors that affect performance including encryption, number of users, size of documents, number of documents, and the underlying platform they’re using.

Lastly, it’s important to note that using an external HSM for key management (a critical piece of compliance), like our Alliance Key Manager, does not affect the performance profile of the database that is under protection.

In the end, if you are storing sensitive information on SharePoint, then you likely fall under industry regulations and state privacy laws. Regardless of your industry segment, whether it's medical, financial, retail, education, or government bodies, you have a lot of choices to get your sensitive data properly protected. At the end of the day, if data gets out and it’s unencrypted, you have a data breach on your hands.

To learn more about securing SharePoint with Encryption and Key Management, listen to our latest podcast here.


Topics: Encryption, Encryption Key Management, SharePoint

What are the First Steps for Encrypting a SharePoint Database?

Posted by Liz Townsend on Sep 4, 2012 9:12:00 AM


Microsoft’s SharePoint is a great application that many organizations in the healthcare, retail, financial, and educational industries use to store data. Documents and files can be uploaded and managed within SharePoint to easily share, collaborate, and socialize. What many organizations fail to realize, however, is that a lot of the information that gets stored on SharePoint is often Personally Identifiable Information (PII) and Protected Health Information (PHI)--information that is protected under industry regulations and many state laws (PCI-DSS, HIPAA-HITECH, FFIEC, GLBA, etc.). If this data is not protected with AES encryption and proper key management, any data losses or breaches will result in data breach notification and hefty fines. I recently sat down with Patrick Townsend, CEO & Founder of Townsend Security, to discuss what first steps should be taken to protect your SharePoint database and how easy data protection is today:

Core steps to securing SharePoint:

1. Use Microsoft recommendations on how to secure SharePoint
Resources for IT professionals, administrators, and end users can be found on their website here. About half of SharePoint users don’t take basic security measures to protect data in SharePoint.

2. Encrypt your data in SharePoint
Implement NIST certified AES standard encryption. Disks and back-up drives also need to be protected.

3. Properly protect encryption keys using dual control and separation of duties
Compliance regulations and best practices state that proper key management includes FIPS 140-2 certification and the use of an external HSM to store encryption keys. These protocols eliminate points of failure and prevent unauthorized access.

To learn more about how easy encrypting Microsoft SharePoint can now be, listen to our podcast Securing SharePoint with Encryption and Key Management now!


Topics: Encryption, SharePoint

Securing Data in Microsoft SharePoint 2010

Posted by Patrick Townsend on Mar 6, 2012 1:05:00 PM

“I’m scared to death about what my users are putting into SharePoint!”

This is what a Database Administrator said to me recently when I attended a SQL Saturday event on the Microsoft campus in Redmond, Washington. And I’m hearing that a lot from IT directors and CIOs in the financial and medical sectors. Microsoft SharePoint is a wonderful collaboration tool, and it supports a number of versions and deployment options. These options run the gamut from free versions that ship with Windows Server, to versions tailored to the Microsoft Office suite of applications, to web portals. And an industry has grown up around installing, customizing, and hosting SharePoint.

But IT managers are sweating about the risk of data loss. And they have reason to be afraid.

We know that users are creative about circumventing written policies about data security. Ever look at an audit of user passwords? It’s a good bet that “Password1” is the most common password on your network. It has upper and lower case letters, and at least one number. And even good employees can accidentally violate security policy. We ask a lot of our colleagues and security is often not on the top of their consciousness. So how likely is it that users are following your security policy requirement of NOT storing sensitive data in SharePoint?

Somewhere close to zero.

And that’s why IT managers have good reason to be concerned. And that’s one reason why the uptake of SharePoint collaboration runs into resistance in the financial and medical segments.

Fortunately, Microsoft added some important security features to SharePoint 2010. One of those is support for Transparent Data Encryption (TDE) when you use SQL Server 2008 as the storage mechanism for SharePoint. The great thing about TDE is that it is easy to implement. You get good encryption performance, separated key management, and a high level of automation. Your IT staff can deliver it with a minimum of fuss and delay.

Will encryption with TDE solve all of the SharePoint security concerns? No. But it will protect you from data loss in the event of a lost backup or hard drive, and a server breach that just steals a copy of the database or log files won’t compromise your data. That’s one big step in the right direction.

Take a look at our encryption key management solution built for Microsoft SQL Server. You can start to build the confidence you and your management team need to move forward with SharePoint collaboration, and at a reasonable cost and in a reasonable time frame.

For even more information, view our webinar “Encryption Key Management with Microsoft SQL Server.”  See how easy it can be to implement strong key management and hear what hundreds of attendees learned at PASS last week.

Patrick


Topics: Alliance Key Manager, SQL, SharePoint

Securing SharePoint 2010 Content with Encryption and Key Management

Posted by Patrick Townsend on Sep 20, 2011 12:00:00 AM

Microsoft has a great hit in the SharePoint suite of products. I am guessing that this might have taken them a bit by surprise, but SharePoint turns out to be very popular with organizations large and small. In the early days it was a free component that tagged along with Windows Server. Now there are many varieties of SharePoint that include flavors for Office, web portals, collaboration, Customer Relationship Management, and on and on. And a whole ecology of Microsoft partners and ISVs are building solutions on top of SharePoint, or incorporating support for SharePoint in their business applications.

What a great success story!

Securing SharePoint is now a big focus for those same Microsoft customers. Once you have a user friendly collaboration tool in place, it’s hard to know what those pesky users are going to put in there. Are they storing credit card numbers or social security numbers? Perhaps bank account numbers? Could our users be uploading spreadsheets with thousands or even millions of records with sensitive data?

You bet they are!

And this is keeping security administrators and compliance auditors awake at night.

What you might not know is that SharePoint is built on top of Microsoft SQL Server as its data store. And in SharePoint 2010 you can now deploy SQL Server 2008 R2 with Extensible Key Management (EKM) and Transparent Data Encryption (TDE) to get data-at-rest protection for your SharePoint content. This is a great step forward in content protection, and many security administrators are now using this facility.

Of course, our Alliance Key Manager for SQL Server solution works naturally with SharePoint 2010 built on SQL Server EKM. You get full support for a compliant and best practice approach for separating encryption keys from sensitive data as required by PCI DSS and other regulations. If you are already running our key manager to protect SQL Server database applications, you have what you need to protect SharePoint.

Many SharePoint customers are rightfully concerned about the performance impacts of encryption. I think Microsoft has done a good job in this area, too. Microsoft will tell you that the likely performance impact with SQL Server Transparent Data Encryption (TDE) is from 2 to 4 percent. Our own performance tests have similar results, and in some cases are below 2 percent. This is really astounding performance when you consider that the entire table space is being protected by strong encryption. Of course, customer environments vary a great deal, and you should always model your environment to determine the likely impacts. But I think that the large majority of SharePoint 2010 installations will benefit from SQL Server TDE encryption.

For further information, download our white paper "Encryption Key Management for Microsoft SQL Server 2008" and learn about meeting encryption and key management challenges on your Microsoft SQL Server.  Additionally, I’ve added some resource links below if you want to explore SharePoint 2010 and SQL Server encryption in more detail.

Patrick


Resources

Here is a blog by Margo Crandell of Microsoft on SharePoint and SQL Server.  It’s a good entry point for a discussion of SharePoint with SQL Server.

This TechNet article talks about planning and deploying SharePoint with SQL Server, including how to migrate to newer versions of SQL Server.

I’ve found this Microsoft Whitepaper very informative on security and SharePoint. You will find a good, basic discussion about SQL Server TDE in this document.

Topics: Alliance Key Manager, Microsoft, Encryption Key Management, SQL Server, SharePoint