Stop Those Prying Eyes Getting to Your Data
Liam Cleary, Solution Architect | SharePoint MVP


Page 1: Stop Those Prying Eyes Getting To Your Data SPTechCon

Stop Those Prying Eyes Getting to Your Data
Liam Cleary
Solution Architect | SharePoint MVP

Page 2

About Me
• Solution Architect @ SusQtech (Winchester, VA)
• SharePoint MVP since 2007
• Working with SharePoint since 2002
• Worked on all kinds of projects
  • Internet
  • Intranet
  • Extranet
  • Anything SharePoint Really
• Involved in Architecture, Deployment, Customization and Development of SharePoint

Page 3

“The only real security that a man can have in this world is a reserve of knowledge, experience and ability.”
Henry Ford

“We spend our time searching for security and hate it when we get it.”
John Steinbeck

Page 4

Agenda
• SharePoint Security in General
• SharePoint Topologies
  • Secure Topologies
• Protecting SharePoint
  • Authentication and Authorization
  • Firewall
  • DRM
  • Data Encryption
• Guidelines for Protecting SharePoint

Page 5

SharePoint Security in General

Terminologies
• Permission: The unit of access; it represents an individual task that can be performed on a securable object.
• Permission Level: A predefined set of permissions that is granted to users.
• User: The smallest object to which access can be granted; a user could be an Active Directory account.
• User Groups: A set of users grouped together for common properties and ease of management.
• Securable Object: Web (Site), List, Library and Item.
• Inheritance: When a securable object is created, it inherits the user access of its parent object.
• Site Groups: When a new site is created, a set of site groups is created automatically for it.

Page 6

SharePoint Security in General
• Logical Approach
  • Item
  • List or Library
  • Site
  • Site Collection
  • Web Application
  • Farm
• Service Applications
  • Farm
  • Cross Farm
• SharePoint performs Authorization
  • Valid Authentication Token
  • Role
  • Security Group
  • Claim Attribute

Page 7

SharePoint Topologies – Edge Firewall

• Advantages
  • This is the simplest solution that requires the least amount of hardware and configuration.
  • The entire server farm is located within the corporate network.
  • There is a single point of data:
    • Data is located within the trusted network.
    • Data maintenance occurs in one place.
  • A single farm is used for both internal and external requests; this ensures that all authorized users view the same content.
  • Internal user requests are not passed through a proxy server.
  • UAG pre-authenticates users.
• Disadvantage
  • This configuration results in a single firewall that separates the corporate internal network from the Internet.

Page 8

SharePoint Topologies – Back-to-back Perimeter

• Advantages
  • Content is isolated to a single farm on the extranet, simplifying sharing and maintenance of content across the intranet and the extranet.
  • External user access is isolated to the perimeter network.
  • If the extranet is compromised, damage is potentially limited to the affected layer or to the perimeter network.
• Disadvantage
  • The back-to-back perimeter topology requires additional network infrastructure and configuration.

Page 9

SharePoint Topologies – Back-to-back Perimeter with Cross-Farm Services

• Advantages
  • Services are centrally managed inside the corporate network.
  • Service applications that involve many contributors, such as Managed Metadata, are located where the contributor accounts are located. Special access is not required for the perimeter network.
• Disadvantages
  • Some service applications require two-way trust between domains, for example, User Profile and Secure Store Service.

Page 10

SharePoint Topologies – Back-to-back Perimeter with Content Publishing

• Advantages
  • Customer-facing and partner-facing content is isolated in a separate perimeter network.
  • Content publishing can be automated.
  • If content in the perimeter network is compromised or corrupted as a result of Internet access, the integrity of the content in the corporate network is retained.
• Disadvantages
  • Additional hardware is required to maintain two separate farms.
  • Data overhead is greater. Content is maintained and coordinated in two different farms and networks.
  • Changes to content in the perimeter network are not reflected in the corporate network. Consequently, content publishing to the perimeter domain is not a workable choice for extranet sites that are collaborative.

Page 11

SharePoint Topologies – Split Back-to-back

• Advantages
  • Computers running SQL Server are not hosted inside the perimeter network.
  • Farm components within both the corporate network and the perimeter network can share the same databases.
  • Content can be isolated to a single farm inside the corporate network, which simplifies sharing and maintaining content across the corporate network and the perimeter network.
• Disadvantages
  • The complexity of the solution is greatly increased.
  • Intruders who compromise perimeter network resources might gain access to farm content stored in the corporate network by using the server farm accounts.
  • Inter-farm communication is split across two domains.

Page 12

SharePoint Topologies – Split Back-to-back optimized for Content Publishing

• Advantages
  • Computers running SQL Server are not hosted inside the perimeter network.
  • Farm components within both the corporate network and the perimeter network can share the same databases.
  • Content can be isolated to a single farm inside the corporate network, which simplifies sharing and maintaining content across the corporate network and the perimeter network.
• Disadvantages
  • The complexity of the solution is greatly increased.
  • Intruders who compromise perimeter network resources might gain access to farm content stored in the corporate network by using the server farm accounts.
  • Inter-farm communication is split across two domains.

Page 13

Protecting SharePoint - Authentication and Authorization

• Windows
  • NTLM
  • Kerberos
  • Basic
  • Anonymous
  • Digest
• Forms-based Authentication
  • Lightweight Directory Access Protocol (LDAP)
  • Microsoft SQL Server
  • ASP.NET Membership and Role Providers
• SAML Token-based Authentication
  • Active Directory Federated Services
  • 3rd Party Identity Provider
  • Lightweight Directory Access Protocol (LDAP)

Page 14

Protecting SharePoint - Authentication and Authorization

Claims Authentication?
• Wide Support
• Standards Based
  • WS-Federation 1.1
  • WS-Trust 1.4
  • SAML Token 1.1 AuthN
• Single Sign On
  • Federation
• Already many providers: Live, Google, Facebook etc.
• Microsoft standard approach
• Fed up with custom coding everything, every time
• Gets around (some) Office Integration problems
• Easy to configure with little effort
• Multiple Web Config changes, Web Application changes and then of course the actual configuration of your identity provider

Page 15

Protecting SharePoint – ADFS 2.0

• Standard Based Authentication
• Supports Multiple Authentication Mechanisms
• Enables Federation – federationmetadata.xml
• No “Code” claims augmentation
  • Claim Rules
    • Custom Mappings
    • Custom Connections
  • Unique Scripting Language
• Supports Custom Connections
  • Inherit from “IAttributeStore” class
• Central “off-loaded” security mechanism
• SSO Support
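The two halves of the ADFS 2.0 story above (claim rules that augment the token without code in SharePoint, and the trusted identity provider that SharePoint maps those claims from) as one worked configuration. This is an added example written for this page, not script from the deck or from Microsoft; the host names sp.contoso.com and adfs.contoso.com, the realm urn:sharepoint:extranet, the certificate path, the department claim type and the custom attribute store name "HRStore" are all assumptions.

```powershell
# Added example (not from the original deck): SharePoint trusting ADFS 2.0 as an
# identity provider, with claim augmentation done by ADFS claim rules so that no
# custom code runs inside SharePoint. All names, URLs and paths below are assumptions.

# ---------- On the ADFS 2.0 server (Microsoft.Adfs.PowerShell snap-in) ----------
Add-PSSnapin Microsoft.Adfs.PowerShell

# ADFS claim rules language. Rule 1 reads mail and tokenGroups from the built-in
# Active Directory store for the Windows account that authenticated. Rule 2 augments
# the token from a custom store (assumed name "HRStore", written against IAttributeStore);
# the query string format for a custom store is whatever that store defines.
$rules = @'
@RuleName = "AD: email and token groups"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";mail,tokenGroups;{0}", param = c.Value);

@RuleName = "Custom store: department"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(store = "HRStore",
          types = ("http://schemas.contoso.com/claims/department"),
          query = "{0}", param = c.Value);
'@

# Register SharePoint as a relying party (WS-Federation passive endpoint) and attach the rules.
Add-ADFSRelyingPartyTrust -Name "SharePoint Extranet" `
    -Identifier "urn:sharepoint:extranet" `
    -WSFedEndpoint "https://sp.contoso.com/_trust/"
Set-ADFSRelyingPartyTrust -TargetName "SharePoint Extranet" -IssuanceTransformRules $rules

# ---------- On a SharePoint server (SharePoint Management Shell) ----------
Add-PSSnapin Microsoft.SharePoint.PowerShell

# Token-signing certificate exported (public part only) from the ADFS server; path is assumed.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\adfs-signing.cer")
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert

# Map the incoming SAML claim types onto SharePoint claim types; e-mail is the identifier claim.
$email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$role = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/Group" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$dept = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.contoso.com/claims/department" `
    -IncomingClaimTypeDisplayName "Department" -SameAsIncoming

# The realm must match the relying party identifier registered in ADFS above.
New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "Contoso ADFS 2.0" `
    -Realm "urn:sharepoint:extranet" `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $email, $role, $dept `
    -SignInUrl "https://adfs.contoso.com/adfs/ls/" `
    -IdentifierClaim $email.InputClaimType
```

Once the token issuer exists it is selected as a provider on the web application's authentication settings, and the mapped claim types (Role, Department) become usable in SharePoint permissions exactly as the "Utilize Claim Attributes" guideline later in the deck describes. Adding or changing an attribute is then a claim-rule edit on ADFS plus a claim mapping, with no SharePoint code.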

Page 16

ADFS

Page 17

Protecting SharePoint – Digital Rights Management

• Protection over the Access Control
• Integration with Office
  • Office & SharePoint
  • .NET & Silverlight
• Internal & External
  • Requires Certificates for Encryption
• Protects more than just documents
  • Email too

Page 18

RIGHTS MANAGEMENT

Page 19

Protecting SharePoint – Data Encryption

• Various Options
  • Cell Level – Encrypts Cells in Databases
    • Not Usable with SharePoint
  • File Level (Bit Locker, EFS)
    • Could be used with SharePoint
  • RMS
    • Could be used with SharePoint
• Transparent Data Encryption
  • SQL Level
  • Content Database Level
    • Specifically set
  • Backups cannot be restored to other servers without the “Private Key”
  • Does not protect data in memory – potential security risk
  • Prescribed Approach: http://www.slideshare.net/michaeltnoel/transparent-data-encryption-for-sharepoint-content-databases
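The Transparent Data Encryption option above, carried through on a single content database. This is an added example written for this page, not from the deck or from the Michael Noel presentation it links to; the instance name SQL01, the database name WSS_Content_Extranet and the backup paths are assumptions. The T-SQL is run from PowerShell through Invoke-Sqlcmd, and the certificate backup step is the one that decides whether the "cannot be restored to other servers" caveat bites you or not.

```powershell
# Added example (not from the original deck): enabling TDE on one SharePoint content
# database and backing up the certificate (with its private key) that protects the
# database encryption key. Instance, database and file paths are assumptions.
# SQL Server 2012+: Import-Module SQLPS; SQL Server 2008 R2: Add-PSSnapin SqlServerCmdletSnapin100.
Import-Module SQLPS -DisableNameChecking

$sqlInstance = "SQL01"                      # assumed SQL Server instance
$contentDb   = "WSS_Content_Extranet"       # assumed content database
$certBackup  = "C:\TDE\TDE_SharePoint.cer"  # copy both files off this server afterwards
$keyBackup   = "C:\TDE\TDE_SharePoint.pvk"
# Prompted rather than hard-coded; record both in your key vault, not in the script.
$masterKeyPwd = Read-Host "Master key password"
$pvkPwd       = Read-Host "Private key backup password"

# Single-quoted here-string: $(NAME) tokens are sqlcmd variables, substituted by Invoke-Sqlcmd.
$tsql = @'
USE master;
-- 1. Database master key in master, protected by a password.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$(MKPWD)';

-- 2. Server certificate that will protect the database encryption key (DEK).
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'TDE_SharePoint')
    CREATE CERTIFICATE TDE_SharePoint WITH SUBJECT = 'SharePoint content DB TDE';

-- 3. Back up certificate AND private key now. A backup of the encrypted database
--    cannot be restored on another server until this certificate is restored there.
BACKUP CERTIFICATE TDE_SharePoint
    TO FILE = '$(CERTFILE)'
    WITH PRIVATE KEY (FILE = '$(KEYFILE)', ENCRYPTION BY PASSWORD = '$(PVKPWD)');

-- 4. Per-database encryption key, then switch encryption on for the content database.
USE [$(DB)];
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY
        WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE TDE_SharePoint;
ALTER DATABASE [$(DB)] SET ENCRYPTION ON;
'@

Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $tsql -Variable @(
    "MKPWD=$masterKeyPwd", "PVKPWD=$pvkPwd", "DB=$contentDb",
    "CERTFILE=$certBackup", "KEYFILE=$keyBackup")

# Check progress: encryption_state 2 = encryption in progress, 3 = encrypted.
# tempdb shows up here as well, because SQL Server encrypts it once any database uses TDE.
Invoke-Sqlcmd -ServerInstance $sqlInstance -Query "
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;"
```

What this does and does not buy you matches the slide: the .mdf/.ldf files and every backup of the content database are unreadable without the certificate, but pages in the buffer pool and data on the wire to the web front ends are not encrypted by TDE, so it is a data-at-rest control and nothing more. The .cer and .pvk files plus the two passwords are the recovery material; restoring the certificate on the target instance (CREATE CERTIFICATE ... FROM FILE ... WITH PRIVATE KEY) is the step that makes a restore on another server possible.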

Page 20

SHOW ME THE MONEY

Page 21

Protecting SharePoint – Server Guidelines

• Block the standard SQL Server ports
  • Configure SQL Server database instances to listen on a nonstandard port
  • Configure SQL client aliases
    • Bypass the actual server name
• Implement Windows Firewall / IPsec Policies
  • Custom Rules as needed
• Utilize Group Policies
• Utilize Claim Attributes
  • Implement ADFS when using Claims Authentication
  • Add Attribute Store
  • Add Custom Attribute Rules
• Secure Communication with SSL
• Follow server hardening plan
  • http://technet.microsoft.com/en-us/library/cc262849.aspx
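The first three server guidelines above (nonstandard SQL port, blocked standard ports, client alias so the farm never references the real server) as one procedure. This is an added example written for this page, not script from the deck or from Microsoft's hardening guide; the host name SQL01, port 40001, the SharePoint server addresses, the alias name SPSQL and the SQL instance id MSSQL10_50.MSSQLSERVER are assumptions.

```powershell
# Added example (not from the original deck): move SQL Server off TCP 1433, allow the
# new port only from the SharePoint servers, and point the farm at it via a client alias.
# Host, port, addresses, alias and instance id below are assumptions.

$sqlHost   = "SQL01"
$sqlPort   = 40001                            # assumed nonstandard listening port
$spServers = @("10.10.20.11", "10.10.20.12")  # assumed SharePoint web/app servers
$aliasName = "SPSQL"                          # name the farm uses instead of the real server

# ---------- On the SQL Server: change the listening port ----------
# Same change SQL Server Configuration Manager makes; the instance id is an assumption
# (MSSQL10_50 = SQL Server 2008 R2, default instance).
$instanceId = "MSSQL10_50.MSSQLSERVER"
$tcpKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
Set-ItemProperty -Path $tcpKey -Name TcpPort -Value "$sqlPort"
Set-ItemProperty -Path $tcpKey -Name TcpDynamicPorts -Value ""   # static port only
Restart-Service -Name MSSQLSERVER -Force

# ---------- On the SQL Server: Windows Firewall ----------
# Block the default TCP 1433 and the UDP 1434 SQL Browser port from everywhere.
netsh advfirewall firewall add rule name="Block SQL 1433" dir=in action=block protocol=TCP localport=1433
netsh advfirewall firewall add rule name="Block SQL Browser 1434" dir=in action=block protocol=UDP localport=1434
# Allow the custom port only from the SharePoint servers (IPsec policy can tighten this further).
netsh advfirewall firewall add rule name="Allow SQL $sqlPort from SharePoint" dir=in action=allow protocol=TCP `
    "localport=$sqlPort" "remoteip=$($spServers -join ',')"

# ---------- On every SharePoint server: SQL client alias ----------
# Both the 64-bit and the 32-bit (Wow6432Node) client configurations are written, because
# some SharePoint components are 32-bit. DBMSSOCN = TCP/IP network library, then host, port.
foreach ($key in "HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo",
                 "HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo") {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $aliasName -Value "DBMSSOCN,$sqlHost,$sqlPort"
}
# The farm is then built against the alias, never the real name, e.g.
#   New-SPConfigurationDatabase -DatabaseServer $aliasName -DatabaseName SharePoint_Config ...

# ---------- Verification from a SharePoint server ----------
function Test-TcpPort([string]$ComputerName, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try   { $client.Connect($ComputerName, $Port); return $client.Connected }
    catch { return $false }
    finally { $client.Close() }
}
# Expected: the custom port answers, 1433 does not.
"{0}:{1} -> {2}" -f $sqlHost, $sqlPort, (Test-TcpPort $sqlHost $sqlPort)
"{0}:1433 -> {1}" -f $sqlHost, (Test-TcpPort $sqlHost 1433)
```

The alias is what makes the port change maintainable: the farm configuration, connection strings and any later database moves only ever reference SPSQL, so the real host and port can change without touching SharePoint. The firewall rules are the actual control; the nonstandard port on its own only removes the default-port convenience and is no substitute for restricting the source addresses.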

Page 22

Protecting SharePoint – General Guidelines

• Make it Clear What Content Is Permissible
  • Security and Permission
  • Rights Management Services
• Educate Employees
• Use Classification to Guide Behavior
• Don't Forget to Enforce the Policies
• Utilize Claim Attributes
  • Augmentation using ADFS
• Use out of the box configuration
  • Users or Active Directory Groups
  • Provider Roles
  • SharePoint Site Groups
  • Permission Groups assigned to SharePoint Site Groups

Page 23

Thank You
• Personal Email: [email protected]
• Work: http://www.susqtech.com
• Twitter: @helloitsliam
• Blog: www.helloitsliam.com

www.cloudshare.com
www.susqtech.com