This article is the fifth in a series where I introduce concepts and considerations for securing Microsoft SharePoint 2013. These articles serve as an introduction to those new to SharePoint or to those with SharePoint up and running who are looking at built-in features and third-party solutions to secure their sensitive information.
In this post, I look at a third party product that helps protect against malware and non-compliant content in SharePoint. Specifically we’ll look at Trend Micro™ PortalProtect™ for SharePoint.
SharePoint Content Sources and the Risks They Pose
Microsoft SharePoint has greatly increased our ability to collaborate and share content, both within our organization and outside of the business. As a result, we see content from many sources being stored in SharePoint and shared with wider and more diverse audiences, for example:
· Content coming from within our organization, from internal information workers who are creating content
· Content coming from the web, when internal employees download content and store it for future reference
· Content coming from partners, when SharePoint is used as an extranet to facilitate inter-organization collaboration
· Content coming from end customers, such as comments, blog feedback or news feed items when SharePoint is used as a public web site
SharePoint makes it extremely easy for individuals to create and collect information, which in turn drives people to spend more time searching, organizing and managing information. As well, it makes it very easy to create new web portals (public facing web sites, extranets, team sites, etc.) in which people can easily share that information with a wide audience. These great benefits also mean that we lose some control over where content is coming from. As a result, this creates risks for the organization that must be managed, especially when the organization stores sensitive information in SharePoint.
In particular, when content comes from varied sources there are risks that this content can contain information that does not comply with regulations that are important to the business. As well, there are risks that incoming content can contain malware – viruses, trojans or worms that can either steal sensitive information like credentials or intellectual property, or that can corrupt information.
Microsoft SharePoint 2013 out of the box does not provide features that are designed to protect against such risks. As well, Microsoft has stopped shipping “Forefront for SharePoint” which had provided some measure of protection in past versions. As a result, we must look to third party solutions to ensure that sensitive information in SharePoint both complies with regulatory standards and is free of malware. Earlier this year I had the opportunity to participate in the beta testing program for such a solution - Trend Micro™ PortalProtect™ for SharePoint. I spent some time testing the product and will provide some insight into its features and benefits in this article.
Trend Micro PortalProtect for SharePoint – Benefits
PortalProtect version 2.1 provides some great new benefits over previous versions including support for SharePoint 2013 (both standard and enterprise server, as well as Foundation) and 5 new data loss prevention policy templates for compliance with industry standard regulations. Other benefits include:
· According to the Trend Micro web site, PortalProtect delivers 206% better performance over Microsoft Forefront. These are some impressive numbers and there is a commissioned independent report which details the test results – it can be found here: http://www.trendmicro.com/cloud-content/us/pdfs/business/reports/rpt_portalprotect-performance-report_analyst-principled-tech.pdf. You should of course verify these results in your own SharePoint environment.
· PortalProtect keeps malicious URLs out of SharePoint
· PortalProtect content filtering protects web pages (blogs, wikis, discussions) as well as list items and documents
· PortalProtect integrates security policies with Active Directory (AD), SharePoint Users/Groups, and SharePoint sites
Deploying PortalProtect
Deploying PortalProtect to my SharePoint farm was extremely easy. It includes an easy-to-use setup wizard and installs as a full-trust farm solution. As such, you do need farm administrator access to install the solution. In total, the installation took about 15 minutes and I didn’t run into any issues in a simple farm configuration (1 WFE and a separate SQL Server database VM).
You will be asked for a license key during the install. If you do not have a valid key at the time of deployment it will install in trial mode and allow a trial to be run for 1 month.
How It Works
PortalProtect's main function is to scan and block content, and it can be configured to take various actions when a file is blocked or a virus is detected. As well, PortalProtect can send notifications of these events to administrators or other recipients when they occur. PortalProtect protects content within SharePoint in a number of ways including:
· Scanning files or web content to determine whether content violates pre-configured policies. When a policy violation is detected PortalProtect will apply an action to either quarantine or delete content depending on how the policy is configured.
· PortalProtect can scan files for malware and viruses, according to pre-configured policies. If a file is found to be infected with malware PortalProtect will apply an action to either clean, delete, quarantine or ignore content depending on how the policy is configured.
· PortalProtect can scan URLs in Web content to detect malicious URLs, and if found it will take actions such as blocking access to a URL.
· PortalProtect can block files based on their file extension, file name, or actual file type. When it detects a file type that violates a policy it will take an action such as quarantine or delete.
Note: SharePoint 2010 and 2013 do have a built-in feature to block files based on file extension, which can be configured in SharePoint Central Admin under Manage Web Applications. Although useful in that it stops specific file types from being uploaded or downloaded from SharePoint, it is limited to checking file extensions only.
Scanning SharePoint Content for Regulatory Compliance
When it comes to ensuring that SharePoint content complies with industry regulations, this product is quite impressive! It will scan documents, list items and web content on site pages for policy compliance. It will scan existing content in SharePoint as well as when new content is added to or retrieved from SharePoint. It allows administrators to create new policies, and it includes several important pre-configured policy templates for SharePoint administrators to choose from. As well, it allows policies to be configured with a robust set of conditions, exceptions, policy actions and notification options.
Adding a new policy allows administrators to select the keywords or patterns (regular expressions) that a policy will scan for. These patterns can include social security numbers, credit card numbers, identity card numbers, phone numbers, etc. You can configure the number of occurrences of a pattern in order to trigger a policy violation. PortalProtect provides a synonym checking feature that enables you to extend the reach of your policies. As well, administrators can configure policy exceptions. Policy exceptions work with real-time policy scanning only and they allow specific Active Directory users/groups or SharePoint users/groups to be excluded from policy enforcement.
Note: PortalProtect only provides real-time policy exceptions for SharePoint 2013 Server, SharePoint 2010 Server and Foundation 2013 and 2010. As well, exceptions do not support AD users and groups across a forest nor do they support global AD groups.
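The policy model described above (a pattern, an occurrence threshold, an action, and real-time exceptions for named groups) can be sketched in a few lines of Python. This is an added example, not PortalProtect code or its configuration format; the class and field names, the card-number regex and the Luhn checksum filter are assumptions chosen to show how a pattern-only match over-counts.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# 13-19 digits, optionally separated by single spaces or hyphens (assumed pattern).
CARD_PATTERN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: filters digit runs that cannot be payment card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Policy:
    name: str
    pattern: re.Pattern
    threshold: int                                  # occurrences needed to trigger
    action: str                                     # "quarantine" or "delete"
    validator: Optional[Callable[[str], bool]] = None
    exempt_groups: set = field(default_factory=set)

    def matches(self, text: str) -> list:
        hits = [m.group() for m in self.pattern.finditer(text)]
        return [h for h in hits if self.validator is None or self.validator(h)]

    def evaluate(self, text: str, user_groups, realtime: bool = True):
        """Return the configured action on a violation, otherwise None."""
        # Exceptions are honoured for real-time scans only, as the article notes.
        if realtime and self.exempt_groups & set(user_groups):
            return None
        return self.action if len(self.matches(text)) >= self.threshold else None

# Constructed sample: two well-known test card numbers and one order reference.
SAMPLE = ("Order ref 1234 5678 9012 3456. Cards on file: "
          "4111 1111 1111 1111 and 5500-0000-0000-0004.")

NAIVE = Policy("cards-regex-only", CARD_PATTERN, threshold=3, action="quarantine")
STRICT = Policy("cards-luhn", CARD_PATTERN, threshold=3, action="quarantine",
                validator=luhn_ok)
TUNED = Policy("cards-luhn-2", CARD_PATTERN, threshold=2, action="quarantine",
               validator=luhn_ok, exempt_groups={"Finance"})

if __name__ == "__main__":
    print(NAIVE.evaluate(SAMPLE, ["Staff"]))     # regex alone counts the order ref
    print(STRICT.evaluate(SAMPLE, ["Staff"]))    # Luhn drops it, below threshold
    print(TUNED.evaluate(SAMPLE, ["Finance"]))   # exempt during real-time scan
    print(TUNED.evaluate(SAMPLE, ["Finance"], realtime=False))
```

The same document trips the regex-only policy and passes the checksum-validated one, which is why thresholds and validators need tuning against real content before a policy is set to delete.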
PortalProtect 2.1 includes 5 new pre-configured policy templates for the following compliance regulations:
· GLBA (Gramm-Leach-Bliley financial services modernization act of 1999)
· HIPAA (Health Insurance Portability and Accountability Act)
· PCI-DSS (The Payment Card Industry Data and Security Standard)
· SB-1386 (California law regulating the privacy of personal information)
· US PII (Personally identifiable information)
These policy templates provide an easy way for organizations to validate content for compliance with regulations that may be critical to their business. That said, I would caution any business against relying 100% on any automated template-driven solution to ensure compliance. Automated solutions can produce false-positive results, and regulations do evolve over time. Compliance with such regulations often involves careful planning, legal counsel and multiple levels of protection.
Unfortunately, administrators cannot add additional keywords or patterns to these pre-configured templates. Allowing SharePoint administrators to make these types of modifications to policy templates would be a great enhancement in a future version of PortalProtect, especially since the nature of sensitive information is unique to each business.
Scanning SharePoint Content for Malware
This latest release of PortalProtect includes the most recent version of Trend Micro’s robust scanning engine. At the root of any antivirus program sit 2 components: a scanning engine and a database of virus signatures. Together, these two components work to identify and clean infected files. Whenever PortalProtect detects a file type that it has been configured to scan, it copies the file to a temporary location and opens the copy for virus scanning. If the file is clean, PortalProtect deletes the copy and releases the original for access through typical SharePoint methods. However, if a virus is detected, PortalProtect applies a pre-configured action: clean, delete, quarantine, or ignore. Deleted and quarantined files are not delivered to the intended recipient. Files set to be cleaned are opened, and any viruses are removed. Not all viruses, however, can be cleaned. For example, some viruses corrupt the host file, making it unusable; trojans, worms, and mass mailers do not infect a host file and therefore cannot be cleaned. Whatever the configured action, all detections are written to a virus log and administrators can receive automatic notifications of such incidents.
PortalProtect includes a great feature called IntelliScan™ which helps it to minimize usage of system resources and scan files more efficiently. This feature examines files to assess their true file type (relying not only on file extension) and ensures that it is only scanning file types that are actually susceptible to viruses.
PortalProtect will scan an extensive number of compressed file formats. However, it will not scan files that are encrypted or password protected. For these file types administrators can specify which action should be taken: block, quarantine, pass, delete, or rename.
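The gap between extension-only blocking and true-file-type detection, and the separate handling of archives that cannot be scanned, can be shown with a short Python sketch. This is an added example and not Trend Micro's IntelliScan logic; the signature table, blocklist entries, function names and the patched sample archive are assumptions for illustration.

```python
import io
import os
import zipfile

# SharePoint-style extension blocklist (entries assumed for illustration).
BLOCKED_EXTENSIONS = {"exe", "dll", "bat"}

# Leading "magic" bytes for a few formats; a real engine knows many more.
SIGNATURES = [
    (b"MZ", "pe-executable"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-office"),
]
BLOCKED_TYPES = {"pe-executable"}

def extension_blocked(filename: str) -> bool:
    return os.path.splitext(filename)[1].lstrip(".").lower() in BLOCKED_EXTENSIONS

def true_type(data: bytes) -> str:
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"

def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of a ZIP entry's general-purpose flags marks it as encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())

def decide(filename: str, data: bytes, encrypted_action: str = "quarantine") -> str:
    """Return 'block', the configured action for unscannable archives, or 'scan'."""
    kind = true_type(data)
    if extension_blocked(filename) or kind in BLOCKED_TYPES:
        return "block"
    if kind == "zip" and zip_is_encrypted(data):
        return encrypted_action
    return "scan"

def make_zip(encrypted: bool = False) -> bytes:
    """Constructed sample archive; the flag is patched, the content is not encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "constructed sample")
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[raw.rfind(b"PK\x01\x02") + 8] |= 0x01   # central directory flag field
    return bytes(raw)

# Constructed header bytes only, not a working program.
PE_SAMPLE = b"MZ" + bytes(62)

if __name__ == "__main__":
    print(extension_blocked("invoice.txt"), decide("invoice.txt", PE_SAMPLE))
    print(decide("docs.zip", make_zip()), decide("docs.zip", make_zip(True)))
```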
The Trend Micro scanning engine can be configured to perform the following types of scans:
· Real-time Scan – This feature will scan files when they are checked in, checked out, saved or opened/downloaded. All incoming or outgoing files are scanned for viruses or other malicious code.
· Manual Scan (Scan Now) – This feature provides an immediate way to scan existing content in SharePoint. It can be used to scan all or a portion of the content within a site immediately, depending on the configuration.
· Scheduled Scan – Scans can also be scheduled to occur at pre-configured times or frequencies. A scheduled scan can be used to automate routine security tasks, to improve antivirus management efficiency, and to give you more control over your antivirus policy.
PortalProtect can process multiple requests simultaneously and requests can be prioritized. However, it is recommended that manual scans and scheduled scans are not performed during peak SharePoint usage periods.
It is also recommended that organizations use a combination of these scanning types to better ensure the security and compliance of content within Microsoft SharePoint environments. A manual scan can help protect existing content already stored in SharePoint. Real-time scanning protects against new threats as new content comes into SharePoint. Finally, scheduled scans can ensure that security and compliance are automated, helping to continually maintain a strong security posture.
Putting It All Together
Overall, this product does exactly what it says it does and it does it well – it helps to protect information in SharePoint by scanning content for compliance issues and it protects SharePoint content from malware.
-Antonio
Disclaimer: In the spirit of full disclosure it's important to note that the author of this post was not paid for this article, nor was the article solicited by the third party solution provider. This is an independent product review based solely on my testing experience with the product deployed to my personal SharePoint lab environments. All SharePoint environments are configured and deployed differently and your experiences in using this product may vary.