Security Management and Risk Management in SharePoint

Security management, or security governance, is a practice that is tailored to protect a company's assets. The practice of security management is built upon the CIA triad, which is discussed more exhaustively in other sections. One of the largest practices that occurs when defining security governance within a SharePoint environment is performing risk management. Risk management identifies an organizational set of assets, defines and discovers the risks that may afflict those assets, and produces an estimate of the operational cost that may occur if damage or loss occurs. Once the risk policies are defined for the SharePoint environment, it is then possible to generate relevant security policies that will in turn protect the organizational SharePoint assets.

Three Controls That Build SharePoint Security Management

There are five major concepts that build up the practice of security management and help to protect an arbitrary company. Controls, in general, are simply meant to manage organizational security. There are 5 major control measures (also known as types) that build up the concept of a security environment: administrative controls (type 1), preventive controls (type 2), detective controls (type 3), corrective controls (type 4), and recovery controls (type 5). Preventive controls are further broken down into 3 sub-control measures: administrative controls, technical controls, and physical controls.

Administrative Controls Type 2 Preventive Sub-control

Administrative controls provide the basis for executive and managerial directives. Administrative controls define the publication of such things as security policies, procedures, standards, system activity monitoring, change control, and security awareness training. Administrative controls also cover the screening of employees and other parties that may be involved with the organization, as well as implementing the administrative systems that will proactively monitor the SharePoint environment.

There are several examples of SharePoint security policies that are provided throughout the site. However, a security policy is simply a control that is implemented in order to procure a plan for how SharePoint security should be implemented throughout an organization. The security policy provides a high-level overview of the actions that should be taken, what actions are considered acceptable, and what level of risk an organization is willing to take in its SharePoint environment.

In administrative controls, there also exists the concept of personnel controls that define how employees should interact with relevant security systems. The two largest concepts in personnel controls are the separation of duties and the rotation of duties within an arbitrary SharePoint environment. Separation of duties simply means that no one person is responsible for the critical tasks that may affect a SharePoint environment. Rotation of duties simply ensures that more than one organizational employee can execute critical tasks that may affect SharePoint.

In relation to the concept of personnel, there is also the notion of training. Security training is an administrative control that ensures that personnel are aware of threats to collaborative technology and the appropriate actions that should be taken in order to properly mitigate those threats. Ensuring that users are trained leads to the concept of supervisory structure, whereby supervisors should always take an interest in the security awareness of users, therefore instigating a vested interest in heightening security awareness. Supervisors should also be responsible for ensuring that all security mechanisms and users are security trained. Users, at all times, should be trained in order to support the organizational global security policy, security goals, and overall security objectives set in order to procure the most secure collaboration environment.

Technical Controls Type 2 Preventive Sub-control

Technical controls within a SharePoint environment include a variety of mechanisms:

  • Security Devices
  • Authentication Controls
  • Configuration of SharePoint and related Network Devices
  • Identification Controls
  • Password Management
  • Resources Management
  • Access Control Mechanisms

Security devices and network architecture are the backbone of protection within a networked computing environment. The network architecture can be something as simple as a wall promoting segregation between two segments and the location of network devices. It doesn't have to be physical either, and can involve separation through VLANs and different filtering devices. The network access mechanisms can in turn provide control over what network systems can be accessed, as well as what actions an individual can take on a particular network segment. Security devices can also provide encryption in order to protect the relevant information as it is sent across a pipe (an untrusted medium). For tracking such activity (as information is sent across the medium), there is the notion of audit controls that are meant to target and record traffic activity as it occurs through a segment.

Physical Controls Type 2 Preventive Sub-control

Physical controls are a relatively broad concept, and encompass such things as controlling:

  • Access to a building or facility
  • Locking systems on physical devices
  • Removing and wiping unused electronic mediums

Physical controls are mainly targeted at controlling the overall environment where you are housing SharePoint, but they also promote control of the perimeter and monitor for physical intrusion that might compromise a SharePoint environment.

The largest portion of physical security is the concept of perimeter security, meaning that it encompasses securing the actual outside of the building. This can be pretty much anything, like badges, surveillance through cameras, parking lot walking guards, motion detectors, alarms, etc.

Physical security also includes the concept of physically securing both the network and the personal computing architecture. Personal computer controls are simply devices that exist in order to protect the actual computer from improper access. This can be a lock on a laptop, or the removal of unused drives. Network physical security means that your SharePoint servers have the necessary security precautions such that only authorized personnel are allowed access to relevant devices. This can also involve securing the physical transmission medium, such as the cabling architecture, since it is feasible for one to implement a tap into the physical line to enable crosstalk, or to sniff various conversations that may occur.


The OSI Model and SharePoint

The OSI model is the standard when it comes to routing, switching, and broad-spectrum application services, along with supporting conventional networked services. It spans the entire network computing infrastructure to provide a standard by which network and application engineers, as well as SharePoint architects, can communicate pertinent information back and forth using a common vocabulary. Although selected layers may prove too abstract for a SharePoint architect to be particularly concerned about, they nonetheless provide a positive insight into the network and application architecture that make up the backbone of how SharePoint operates and functions at a multiplicity of levels.

Layer 1 The Physical Layer

The first layer of the OSI model is the physical layer. Relative to SharePoint, the physical layer deals with the actual data rates and physical connectors used while erecting the inclusive collaboration environment. The physical layer defines how the actual bits that SharePoint creates (at a very high level, translated to a very low level) are converted into voltage and transmitted across a physical medium. This is a very granular level that SharePoint architects rarely see, since it determines the transmission medium, including whether it is thinnet, thicknet, or Unshielded Twisted Pair (UTP) that SharePoint will employ. The overall concept, at a high level, is how SharePoint will function at the physical link in a networked environment.

There are several network devices that define the physical layer, such as:

  • Hubs
  • Repeaters
  • Multiplexers
  • Network Interface Cards

Along with these physical devices, there are several protocols that operate at this level, such as:

  • ATM
  • BRI
  • X.23
  • PRI
  • E1
  • E3
  • 10BaseT
  • 100BaseT
  • 10Base2
  • 10Base5
  • OC-3
  • OC-12
  • DS1
  • DS3

Layer 2 The DataLink Layer

The DataLink layer deals predominantly with topology and frame handling. It also defines certain other things, such as physical network addressing, line discipline, notification of network errors, delivery of frames in ordered pairs, and network data flow control. SharePoint architects will have relatively no interaction with the DataLink layer, since it is either handled by network engineers or through automation provided by network devices.

The DataLink layer supports certain resolution protocols, such as the Address Resolution Protocol (ARP) and Reverse Address Resolution Protocol (RARP), which interrelate with the two sub-layers that the DataLink layer supplies: the Media Access Control (MAC) layer and the Logical Link Control (LLC) layer. MAC interacts with the Physical layer in that it provides physical addresses for resolution to take place. A MAC address is 12 hexadecimal digits, the first six defined by the IEEE and the latter six defined by the vendor, all burned into the Read Only Memory (ROM) of the arbitrary machine. The LLC talks up the OSI model by instantiating a uniform interface that gives independent LAN media access and provides flow control and sequencing services.
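The address layout described above can be checked in code. The following Python sketch is an added example, not code from the original article; parse_mac and the sample addresses are constructed for illustration. It goes slightly beyond the text by also reading the two flag bits in the first octet, which tell a defender whether an address was set in software rather than burned in by the vendor.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class MacAddress:
    oui: str                    # first 6 hex digits, assigned by the IEEE
    device_id: str              # last 6 hex digits, assigned by the vendor
    locally_administered: bool  # True: set in software, not a burned-in address
    multicast: bool             # True: group address, not a single machine

_SEPARATORS = re.compile(r"[:\-.]")

def parse_mac(text: str) -> MacAddress:
    """Split a MAC address (colon, hyphen, dotted or bare form) into its halves."""
    digits = _SEPARATORS.sub("", text.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 12-hex-digit MAC address: {text!r}")
    first_octet = int(digits[:2], 16)
    return MacAddress(
        oui=digits[:6],
        device_id=digits[6:],
        # Bit 0x02 of the first octet is the universal/local bit,
        # bit 0x01 is the individual/group bit.
        locally_administered=bool(first_octet & 0x02),
        multicast=bool(first_octet & 0x01),
    )

if __name__ == "__main__":
    # Constructed sample addresses in three common notations
    for sample in ("00:1A:2B:3C:4D:5E", "02-00-5e-10-00-01", "0100.5e00.00fb"):
        print(sample, parse_mac(sample))
```

An address with the locally administered bit set on a server segment is worth a second look, since it did not come from the vendor's ROM.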

The network devices that exist at the DataLink Layer of the OSI model are:

  • Bridges
  • Switches

The protocols that exist at the DataLink layer are:

  • SLIP
  • PPP
  • RARP
  • IARP
  • SNAP
  • BAP
  • CHAP
  • LCP
  • LZS
  • MLP
  • Frame Relay
  • HDLC
  • BPDU
  • LAPD
  • ISL
  • MAC
  • Ethernet
  • Token Ring
  • L2F
  • L2TP
  • ISDN

Layer 3 Network Layer

The Network Layer of the OSI model defines the injected information of the sent packets and frames so that they can be properly routed throughout the network to the correct destination sets. For SharePoint architects this is typically where content routers can be inserted. As well, securing routers is imperative to collaboration environments, since compromising the router can eventually lead to compromise of the aggregate collaboration environment.

The Network Layer is fundamentally accountable for next-hop resolution and addressing, which build the principles of routing and switching. Broad network problems are also resolved at this level as they arise, such as network congestion (when multiple packet injections institute a traffic bottleneck) that is affecting normal operations. After the segments are received from the Transport Level of the OSI model, they are pieced into Maximum Transmission Units (MTUs), which in turn classify the size thresholds for the packets that are allowed to cross an arbitrary network medium. After the packet is sent, it is reassembled at this level.
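The splitting and reassembly described above, as an added Python example that is not part of the original article. It assumes IPv4 conventions the article does not spell out: a 20-byte header, fragment offsets counted in 8-byte units, and a "more fragments" flag. The Fragment type and function names are constructed for illustration. The reassembler rejects gaps, overlaps and a missing final fragment rather than guessing.

```python
from __future__ import annotations
from dataclasses import dataclass

IP_HEADER_LEN = 20  # assumption: IPv4 header without options

@dataclass(frozen=True)
class Fragment:
    offset: int   # position of the data in the original payload, in 8-byte units
    more: bool    # "more fragments" flag; False only on the final fragment
    data: bytes

def fragment(payload: bytes, mtu: int) -> list[Fragment]:
    """Split a payload so each fragment plus header fits within the MTU."""
    # Every fragment except the last must carry a multiple of 8 bytes.
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any data")
    frags = []
    for start in range(0, max(len(payload), 1), chunk):
        more = start + chunk < len(payload)
        frags.append(Fragment(start // 8, more, payload[start:start + chunk]))
    return frags

def reassemble(frags: list[Fragment]) -> bytes:
    """Rebuild the payload; fragments may arrive in any order."""
    if not frags:
        raise ValueError("no fragments to reassemble")
    ordered = sorted(frags, key=lambda f: f.offset)
    out = bytearray()
    for i, frag in enumerate(ordered):
        start = frag.offset * 8
        if start != len(out):
            raise ValueError(f"gap or overlap at byte {start}")
        if frag.more != (i < len(ordered) - 1):
            raise ValueError("'more fragments' flag inconsistent with position")
        out += frag.data
    return bytes(out)

if __name__ == "__main__":
    payload = bytes(range(256)) * 16          # constructed 4096-byte payload
    parts = fragment(payload[:4000], mtu=1500)
    print([(p.offset, p.more, len(p.data)) for p in parts])
    print(reassemble(list(reversed(parts))) == payload[:4000])
```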

As well, the Network Level also has several duties related to the subnet, including how information packets are routed from the source to the destination, using an arbitrary set of routing logic that is up to the network architect to decide on, and the related node metrics.

The devices that operate at the network layer are:

  • Routers

The protocols that can execute at the network layer are:

  • IP
  • DHCP
  • OSPF
  • IPX
  • ICMP
  • RIP
  • ISIS
  • ZIP
  • DDP
  • X.25

Layer 4 The Transport Layer

The transport layer provides the essential transport services for end-to-end data movement, along with establishing the connections that are needed for the data transport to occur by establishing a logical link between the two endpoints. In essence, the transport layer is responsible for all activities related to the massaging of data between two endpoints: it takes data from the Session Layer, breaks it into smaller units, passes it to the network layer, and then assures that the data is routed correctly. SharePoint architects tend to have very little interaction with this layer, since it is mostly automated by the appropriate network devices and adjustments require an understanding of the Cisco IOS. The transport layer provides another layer of abstraction in order to accommodate changes to the physical network.

The Transport layer is best known for its function related to TCP. The transport layer will subdivide user-buffer datagrams into network-buffer datagrams, and implement the necessary transport protocols for the data transmission to occur. As stated before, TCP exists at this level, as well as the User Datagram Protocol (UDP). Between these two protocols, the largest difference is the concept of speed and reliability. UDP simply makes a handshake with low overhead transmission services and is essentially stateless with no error checking. The TCP protocol, however, keeps a running tally of the packets being delivered and the order in which the packets are sent, with granular error checking, sent via sockets. This, in essence, means that TCP is a stateful protocol.

Protocols that are used at the transport level are:

  • TCP
  • UDP
  • SPX
  • ATP

Layer 5 The Session Layer

The session layer is mostly responsible for establishing and maintaining the inclusive connection between two network-enabled hosts, providing the facilities for preserving the connection during the transport of the data as well as controlling the drop of the connection if it is needed. For SharePoint architects, the session layer typically relates to how relevant SharePoint frames are dropped and managed at the network level. This is not implying anything regarding session state or viewstates, since these are application-specific settings.

The Session Layer does three main actions related to sessions:

  1. Establishes the Session
  2. Maintains the Session
  3. Drops the Session

Involved with the session process are the recognition and identification of the parties involved in the packet inter-exchange, so that participation of the session parties can be maintained. To promote the quality of the session (QoS), there is a synchronization check that occurs by injecting checkpoints into the transmitted data streams in order to detect whether a session fails, so that the last checkpoint can be reloaded into the session stream for transmission. This provides a rudimentary form of fault tolerance.

In a networked computing environment, the session layer enables two client machines to establish a germane session to implement conventional data transport as well as time-sharing and file transport between client machines. As opposed to the Transport Layer of the OSI model, which can still provide ordinary data transport, the session layer can also implement dialogue control in order to provide bi-directional traffic control and keep a tally of the clients that are involved in a traffic push.

The protocols that are used in the session layer are:

  • DNS
  • RPC
  • SQL
  • NFS
  • SSL
  • TLS
  • SSH
  • ASP

Layer 6 The Presentation Layer

Layer 6 of the OSI model, the Presentation Layer, is the primary means of representing data in a standard structure that can be translated into sensible data once it is received at the destination. The presentation layer is genuinely where the SharePoint architect will begin to interact with the OSI model, since it is where relevant SharePoint frames are converted into the services that build the presentation layer of the application.

During this frame resolution process, there is a translation procedure that occurs between the format that is provided by the network and the format that is parsed by the application. This provides a uniform method of conversion, whereby all data passed through the OSI model can be translated into a common format through the use of protocol conversion, character conversion, data encryption services, graphic commands, and data compression.

Layer 7 The Application Layer

The Application Layer provides the support that services need in order to generate the user interface from relevant application services. The application layer should not be confused with the tangible user interface; it is instead the application interface that in turn supports the user interface. This is where the ASP.NET framework resides, since it is the service that services the SharePoint framework but does not actually generate the user interface.

The Application Layer will provide the network access flow, overall flow control, and general error recovery after the transmitted data has reached this level.

The protocols that are used in the Application layer are:

  • HTTP
  • NNTP
  • DNS
  • SMTP
  • FTP
  • TFTP
  • SNMP
  • MIME
  • NFS
  • Finger
  • Telnet
  • NCP
  • SET
  • SMB