Confidentiality in IT systems

[Novoiceleft]

I work with a small group of Consultants who want to try harder at sharing documents all in one place - rather than simply creating them as individuals and randomly emailing them to each other (and losing them etc).

I have suggested this can be achieved in Sharepoint, and I do have quite a lot of experience in configuring and building Sharepoint sites.

One of the members is fairly obsessed with confidentiality and wants to lock down some of the documents ("for GDPR reasons"). I have explained how they can self-manage access to folders and documents in Sharepoint. But what they can't do is remove access for ME - because I am system admin.

This does not seem to satisfy him. I have explained to him that in any enterprise system, someone (usually in IT) always has access to everything as system administrator. He says this is not true - system admin can manage the system without being able to open confidential documents. Is that right?

I have explained that Sharepoint is for sharing (the clue is in the name) and so it probably isn't the right place to store confidential documents.

Any advice?

Thanks

NoVoice

[martinc]

Is it possible to encrypt files on a per-user basis in Sharepoint? In such a way that the admin user (you) can backup or copy the file but not read it? There is a feature of Windows (and probably Linux) that works like this where you can do this (cipher command). NB this is not Bitlocker.

Maybe Sharepoint is a bit of overkill for this, what you really need is some sort of cloud storage where a group of you can read some encrypted files and optionally have personal areas with individual encryption. I don't like Sharepoint personally.

[Novoiceleft]

Thanks Martin.

They already have the Microsoft 365 suite, including Sharepoint - they are just not using it properly.

Their documents are Word, Excel and Powerpoint - I guess they could password protect those documents that need restricted access.

NoVoice

[UncleEbenezer]

This does not seem to satisfy him. I have explained to him that in any enterprise system, someone (usually in IT) always has access to everything as system administrator. He says this is not true - system admin can manage the system without being able to open confidential documents. Is that right?

What you explained is right. What he replied is also right. You were talking about different things.

Yes, in most systems a sysop can effectively access everything. But only what's there in the system, and if the confidential documents are encrypted then the sysop cannot read them: they remain confidential and all the snooping sysop can ever see is noise. Sharepoint is one of many systems that will do the job you're looking for provided you also use encryption. I don't know sharepoint, but I expect it includes options (maybe defaults) to encrypt automatically for its users. That would of course be for the sysop to manage.

[pje16]

This does not seem to satisfy him. I have explained to him that in any enterprise system, someone (usually in IT) always has access to everything as system administrator. He says this is not true - system admin can manage the system without being able to open confidential documents. Is that right?
NoVoice

he does sound a bit obssessed
Ask him what happens if the person who password protects a file gets hit by a bus, or as is more likely leaves the organisation
(don't tell him there are password cracker programs)

[Infrasonic]

How about setting up a dedicated Dropbox / a n other cloud service account with fussy bloke as the admin for editor/viewer status and file/folder access rights? If there's any cock ups you've got a relatively firewalled set up then.

It's possible to use cloud/cloud automation like MS power automate so you could archive periodically back onto the main 365 domain for backup purposes once you are reasonably sure of the document hygiene.

I used to use Dropbox like that when dealing with third party businesses and shared documents that needed multi access editing - there was no way I was letting them loose on my domain business accounts and risking ransomware issues.

[Aminatidi]

Might be simpler just to get them using OneDrive and mange their own sharing.

365 has pretty good auditing built in if they really think you want to rear their stuff.

[UncleEbenezer]

Ask him what happens if the person who password protects a file gets hit by a bus, or as is more likely leaves the organisation
(don't tell him there are password cracker programs)

The question was with reference to sharing documents. They would be encrypted to be unlockable by the private keys of any of the team members authorised to see a document.

That's all pretty standard.

And if a password cracker can break your system, you're doing it badly wrong. Passwords are a different thing, and should have been obsoleted thirty years ago.

[pje16]

I use Gsuite
(free with 1TB per user for a charitable company - less than 4 users)

[Infrasonic]

Other ideas.

Set up a 365 subdomain with its own cloud storage provision and make the awkward one an admin (if possible).

Depending on what level of licensing 365 has you might be able to use MS authenticator 2/MFA app. in a more granular way to offer tiered read /edit document access rights.

There's Microsoft documents out there wrt to Sharepoint and Authenticator.

[Novoiceleft]

This is all very interesting. Thank you.

I've already tried the run-over-by-bus argument.

BTW - I am not an IT person, I just have a lot of experience as a Sharepoint user and sysadmin

The users do all have the option of OneDrive - but that is not working culturally because the IT competence levels of the users are low and they get lost in each other's OneDrive structures. Because of their low competence levels, I'm inclined to stick with Microsoft because they have it and they know it.

The fact is that 98% of the groups' documents need to be shared. 2% need some sort of confidentiality.

The way I see it is that:
- the starting point for OneDrive is that all files are automatically not shared (they are personal) and the owner of each document has to do something to share it (which takes time and/or they forget to do it and/or they lose the links)
- the starting point for Sharepoint is that all files are automatically in one place and shared, but you have to do something to achieve restricted access

So I think I will investigate encryption. Failing that, I will just tell the Fussy One that Sharepoint is for sharing and he will have to manage his own access rules on his Confidential documents by emailing them as appropriate.

Thanks

NoVoice

[Infrasonic]

I know it will be like herding cats but I'd broach the subject with them that they should be doing all their messaging, email, document sharing via E2E encryption where possible.

That way they get used to using it daily rather than trying to remember what to do for occasional 'special' use.

The other advantage is that if they ever suffer a hacking breach/ransomware attack then there is much less chance of sensitive information being compromised.
One of the attack vectors for ransomware is for the protagonists to start posting information onto the internet to force a payment for the decryption key.
If the data is already encrypted at rest then that route to extort is closed - although you'd still have their secondary encryption locking the documents.

[pje16]

I know it will be like herding cats .

Not heard that one before ... love it

[servodude]

he will have to manage his own access rules on his Confidential documents by emailing them as appropriate.

Perhaps point out that email isn't really a secure channel, just to encourage them to think about where things ought to live

[UncleEbenezer]

I know it will be like herding cats .

Not heard that one before ... love it

Strewth! Different worlds. Herding cats is entirely normal and an essential skill in my line of business (I suspect Infrasonic's work is close enough to mine to apply there too). What you want in such situations is encryption by default, without troubling the lusers. OK, they then have to specify an access list, but that can have sensible defaults set up by a sysop.

The other advantage is that if they ever suffer a hacking breach/ransomware attack then there is much less chance of sensitive information being compromised. One of the attack vectors for ransomware is for the protagonists to start posting information onto the internet to force a payment for the decryption key. If the data is already encrypted at rest then that route to extort is closed - although you'd still have their secondary encryption locking the documents.

Yes but ... isn't the usual ransomware about getting locked out of your own data (where's that backup, and did it get hacked too)? What you're protecting against is the "we've recorded you watching porn" blackmail nonsense.

[Infrasonic]

...Yes but ... isn't the usual ransomware about getting locked out of your own data (where's that backup, and did it get hacked too)? What you're protecting against is the "we've recorded you watching porn" blackmail nonsense.

No - this is the type where they start posting names and addresses of office personnel or details of financial information / contracts with third party companies that they most certainly don't want in the public domain.

It happened recently with a fairly big company that tried to wait it out until they had a third party decryption solution, before caving in and paying for the decryption key after some sensitive original plain text database data was leaked - apparently there are still major companies out there that don't encrypt everything by default.

There are 'data brokers' on the dark web who trade corporate information day in day out - it's a multi billion dollar industry.
You can find all sorts of price lists if you look hard enough.

[didds]

perhaps the more pertinent question is not so much how to make any implemented system "secure" - but how Mr Security-Obsessed rationalises the current method of people emailing files to each other (based on the OP). How is THAT any more secure?

(encrypted files with the password shared via another medium is presumably the answer - but that then is equally true of any other file sharing system).

didds