By Antonio Maio, Senior Manager & Senior SharePoint Architect, Protiviti
ECM or Enterprise Content Management – that’s how we refer to the systems in our enterprise which store and manage corporate content. We often think of these systems as applications like SharePoint, Documentum or FileNet, but they can also represent network file shares, NAS drives and custom internal web sites or applications. As well, these systems can now exist on premise within data centers that we manage, through a cloud provider like Microsoft Office 365 or Amazon Web Services (AWS) or through a hybrid combination of both. These systems have grown within most organizations to store sensitive corporate data and to represent critical infrastructure that employees rely on to accomplish day to day work.
We often rely on cyber security audits to evaluate the security of our corporate environments. They give us an indication of our security posture and identify areas of improvement. As part of an audit, we’ll often look at things like network security, firewall configuration, communication protocols, intrusion detection and systems which protect us from email phishing, malware and URLs leading to malicious websites. A security audit certainly must include these functions; however, our ECM systems are often overlooked in the security review process. Considering the criticality and often large quantity of data stored in such systems, it’s important to consider why that is and how we can leverage what we know to facilitate inclusion of ECM systems in a cyber security audit.
An ECM is typically made up of multiple enterprise applications working together to efficiently store and provide access to content, surfacing a robust set of capabilities to bring additional business value to the organization. These systems are often overlooked in audits due to the specific domain knowledge required to properly assess and evaluate all of the systems which make up a corporate ECM.
Microsoft SharePoint is a great example – it is a web application with a large set of built in document management features, sitting on top of SQL Server for content storage, surfaced through IIS for web access, with responsive pages for mobile access, deployed to a farm of servers with firewalls, proxies or a combination of both. It can be connected to other systems for authentication, retrieving business data and integration with reporting or business intelligence tools. It integrates with Active Directory for identity management, people search and user profiles, surfacing presence data and user attributes.
Custom solutions can also be developed and deployed to SharePoint to fulfill a specific business needs through a number of robust APIs it makes available. It provides a robust forms and workflow engine, allowing organizations to gain efficiencies through business process automation. It can be configured with an enterprise class search farm to efficiently index content and provide lightning fast search. Search can include content within SharePoint and outside of SharePoint, like file shares. These features may be used to provide the organization with an intranet for collaboration, an extranet to interact with partners, a public facing web site or any combination of these. Finally, enterprises typically don’t have just one such SharePoint environment – you often see development, staging and production environments, along with a separate environment for disaster recovery.
This is really just a small sampling of capabilities provided by SharePoint, but it is representative of general ECM systems and what we look to get out of them. With this in mind, considering all of the systems involved in providing such a robust set of services, a security audit can seem daunting.
An ECM security audit does in fact require some domain specific knowledge of many of these systems, however we find that the security review process often comes down too many of the same questions or areas of investigation that are used in reviewing other systems, such as:
- Can we identify all repositories that store enterprise content?
- Do we know what types of data are sensitive and do we know where it resides? Do we need to scan repositories for data that is sensitive data from a compliance or risk perspective? Essentially, this is data that puts the organization at risk should a data breach occur, either inadvertently or maliciously. This can be data such as PII, PCI, PHI, MNPI (material non-public information), CPNI (customer proprietary network information), etc.
- Are data owners for all repositories defined, in particular those storing sensitive data? Are data owner responsibilities clearly defined and are data owners aware of those responsibilities? Do those responsibilities include approving and denying requests for access?
- Does the organization have record retention policies and schedules? Does the organization have a classification policy? Are information handling and acceptable use policies clearly defined for each type of sensitive data, and are end users educated about these policies on a regular basis? Is it clear to end users when they are working with sensitive data and how to handle it? Are these policies enforced or automated?
- Is the process for requesting access to data clearly defined and are end users aware of the process they must use? Are all access requests logged? Are access reviews performed on a regular basis, in particular for privileged or administrative users?
- Does the organization have an information governance plan and a governance committee? Does the governance plan cover specific practices related to the ECM system?
- Do you have the right team in place to manage the ECM? Does the team have enough people and do they have the right skill sets or certifications? Your ECM administrative team needs the appropriate skills to manage it from strategic and tactical perspectives, from a security perspective and from the point of view of the business users.
- Is an activity monitoring and reporting system in place? Do those systems interact appropriately with the various components making up the ECM environment?
- Are the servers making up the corporate ECM environment security hardened?
These questions typically make up the core aspects of an ECM security audit. The only questions that require specific domain knowledge are the last question, and perhaps the second to last question. All others can apply to all ECM environments regardless of the systems involved or integrated. These questions apply to many different corporate systems providing us with insight into which data is sensitive to the business, where it resides, who is responsible, how access is controlled, how policies are enforced, and finally how the system is secured and monitored.
Due to the criticality of the data stored within ECMs and the fact that typically a majority of employees in the enterprise access and rely on the ECM to accomplish daily work, including the corporate ECM in a cyber security audit is not only recommended but a requirement. As well, we can often leverage what we already know to ask the right questions to determine the security posture of our environment and where improvements may be necessary.