SharePoint Search Security – A Game of Hide and Seek


by Chris McNulty on 12/22/2014

Applies to:
Encrypted SharePoint search, encryption, Information Rights Management, IRM, McNulty, Search, security, SharePoint

“No matter where you go... there you are!” – The Adventures of Buckaroo Banzai Across the 8th Dimension, 1984

For years, SharePoint was a great refuge for organizations that still believed in “security by obscurity.” Remember that? The idea that making something hard to locate was just as good as actual content security? Given the ungoverned sprawl of many companies’ information architectures, combined with SharePoint’s burgeoning capacity to replace legacy big data repositories for unstructured content, it could sometimes become a great wasteland in which to hide sensitive files. There’s one little thing to mention – it doesn’t work.

With SharePoint 2013 and Office 365, search has become ubiquitous. Search is directly incorporated into navigation, social communication and knowledge management. With tools like the Content Search Web Part (CSWP), the system runs searches automatically for users – invisibly. Search always respects item-level permissions, but if privileges are too widely distributed, lots of obscure content will rise to the top of search-enhanced pages. The page shown in the figure below is assembled via SharePoint Search…

Figure: SharePoint search-enhanced pages will reveal obscure content

Search is much more attractive in SharePoint 2013 and Office 365, with automatic previews, refinements and faceted searches leading many users to “navigate” by search alone. It's easy to understate how important it is to be able to search for files, folders and websites in a work environment. You might take it for granted, but there's probably a long list of resources you use on a daily basis that you access through search.

Imagine if that functionality was taken away – can you remember where those files are stored, or even what they're called? Instead of being productive, you're suddenly playing a game of hide and seek. Search is one of the reasons SharePoint remains at the pinnacle of enterprise content management rollouts, with double-digit platform growth and billions of dollars in annual licensing. However, if you're using SharePoint to store sensitive data – say, financial information or your business's intellectual property – then chances are you've needed to bolt on a third-party solution to plug the gaps in Microsoft's out-of-the-box security features. This is because, for the most part, they're inadequate – SharePoint was developed so employees could share documents and work together, not to act as a vault for confidential resources.

So you’ve invested in getting the right content into SharePoint. But keeping it there is harder. An off-the-shelf installation doesn't have any encryption or rights limitations. There's nothing to stop insiders from spreading data because it's a piece of cake for employees to drag and drop files and folders from SharePoint to their desktops or email. So let's say you're using a third-party encryption package to patch those vulnerabilities. In normal circumstances, unfortunately, you're likely to hit a snag. Encryption helps hide data from prying eyes, but it can do the job too well and obscure information from intended readers too.

Most third-party solutions encrypt files while they're at rest in SharePoint, so they effectively put your site's search function out of commission – you're back playing hide and seek. Full text search can’t decrypt those scrambled documents, so they stay outside the scope of most queries. Since users can’t find those documents simply, when they do finally locate them they’re more likely to stash copies on their desktops, in email, or in the cloud. At least content management on SharePoint happens in one platform. When content moves to a profusion of disparate systems, there’s no effective management at all. It looks like all the content remains on SharePoint, but it’s “zombie” content. The real and latest version of a file is often kept in Outlook or elsewhere.

On the other hand, approaches like Microsoft's Information Rights Management (IRM) solution apply encryption when files are downloaded from SharePoint, which has the opposite effect. Searching becomes a free-for-all, giving employees carte blanche access to your site's encrypted files and folders. Plus IRM typically runs on a library-by-library basis – which can mean open files are often encrypted while sensitive content may remain “open” because it can be copied to an unencrypted library. How can we avoid a game of hide and seek by securing sensitive data without taking search away from users?

The Answer – Encrypted SharePoint Search

Organizations should look to encrypted SharePoint search to overcome the issues mentioned.

There are three main areas to look for in a solution. First, a solution should allow SharePoint to read and index encrypted documents as easily as unsecured ones, facilitated by Microsoft's iFilter technology, and decrypt files exclusively for SharePoint to index. Next, organizations need to make sure that information doesn't turn up in search results unless the end user is authenticated to see it. If a user has the key, she sees the files and gains access to all the enhanced search functions of the 2013-era platform. If another user doesn’t have the key, his search results are stripped of the data he wouldn't normally be able to access.

The third capability for an ideal solution would be to ensure the process is totally transparent to the user. Encryption is easy – but letting users DECRYPT a file on the fly can be hard. It’s also essential that your enterprise maintains full control of its encryption keys instead of sharing them with third parties. Together these capabilities beat using IRM as a gateway because resources are encrypted while at rest in SharePoint. These resources are hidden to all but those with clearance. Simultaneously, though, authenticated users don't have to play a game of hide and seek to find files – they have search at their disposal.
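The three capabilities above (index-time decryption, security-trimmed results, transparency to the user) can be modelled end to end. The following is an added example, not code from the article or from any vendor product: it simulates a library whose documents are encrypted at rest, a crawler that alone holds the keys and stores only a token index, and a search that returns a hit only to users holding the document's key. The key names, the sample documents and the HMAC-based keystream cipher are assumptions made for the demonstration.

```python
import hashlib, hmac, os, re

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for the AES at-rest
    # encryption a real product would use (assumption, not the article's).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def tokenize(text: str) -> set:
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def build_index(library: dict, indexer_keys: dict) -> dict:
    """Index-time decryption. library maps doc_id -> (key_id, ciphertext). Only the
    crawler holds keys and only the token index is kept, never the plaintext.
    A document whose key the crawler lacks is skipped: encrypted and invisible."""
    index = {}
    for doc_id, (key_id, blob) in library.items():
        if key_id not in indexer_keys:
            continue
        for tok in tokenize(decrypt(indexer_keys[key_id], blob).decode()):
            index.setdefault(tok, set()).add(doc_id)
    return index

def search(index: dict, library: dict, term: str, user_key_ids: set) -> list:
    """Security trimming: return a hit only when the user holds that document's key."""
    return sorted(d for d in index.get(term.lower(), set()) if library[d][0] in user_key_ids)

def scenario() -> tuple:
    # Constructed sample library: two documents, each encrypted under its own key.
    keys = {"finance-key": os.urandom(32), "hr-key": os.urandom(32)}
    library = {
        "Q4-forecast.xlsx": ("finance-key", encrypt(keys["finance-key"], b"Q4 payroll forecast")),
        "handbook.docx": ("hr-key", encrypt(keys["hr-key"], b"Employee handbook: leave policy")),
    }
    blind = search(build_index(library, {}), library, "payroll", {"finance-key"})  # keyless crawler: []
    index = build_index(library, keys)
    cfo = search(index, library, "payroll", {"finance-key"})  # ['Q4-forecast.xlsx']
    intern = search(index, library, "payroll", {"hr-key"})    # [] trimmed away
    return blind, cfo, intern
```

The first query shows the "hide and seek" failure (a crawler without keys indexes nothing), the second shows the keyed crawler surfacing the file for a user who holds the finance key, and the third shows the same hit trimmed from a user who does not.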

Topic: Search
