Share ContentLock – Microsoft SharePoint Encryption

SharePoint lets users manage their documents centrally, conveniently and without media breaks. The challenge is to protect critical information from access by unauthorized staff. Administrators, for example, have full access rights within the lists and libraries they manage, even though there are certain kinds of critical data and documents that this group of users should not be able to read: personnel files, blueprints, documentation – the list is long.

Key Features

  • easy to use
  • highly secure thanks to distributed secrets and verification logic
  • fully integrated into the Microsoft environment
  • access from administrator accounts is barred

The Challenge – SharePoint Encryption

Share ContentLock uses the lock-and-key principle: a cryptographically secure key is stored in Active Directory, and this key is needed later for verification and encryption. To prevent abuse, the key is managed separately from the programs that open the documents. Only selected employees can handle the keys, using an independent tool; the original key itself cannot be displayed with this management tool. The stored attribute entitles individual users only to encrypt and decrypt the documents.

Sharepoint Encryption and Decryption

When a file is uploaded to SharePoint, the so-called event receiver can be used to assign it the attribute "encrypted" or "unencrypted". If the file is encrypted, a lock is created that matches the key mentioned above.
Before deciding whether a user may open a particular file stored in SharePoint, the corresponding document is checked out of the library; Share ContentLock then inspects that user's Active Directory entry for the corresponding attribute (the key). If the lock set by the event receiver and the user's attribute match (lock-and-key principle), the user can open the document.
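The two sections above (key kept as an Active Directory attribute; event receiver marking a file encrypted and creating a lock; open-time check of the user's attribute against that lock) can be modelled in a few lines. The following is an added illustration, not Share ContentLock's own code: the directory, the library, the attribute name "contentLockKey", the HMAC-SHA256 lock and the HMAC-based keystream are all constructed assumptions, since the page does not name its algorithms. The point it demonstrates is that authorization is decided by possession of the directory attribute, not by SharePoint rights, so an administrator without the attribute only ever receives the encrypted body.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-ins for Active Directory and a SharePoint library.
# "contentLockKey" is a hypothetical attribute name; the real one is not on the page.
DIRECTORY = {
    "alice": {"memberOf": ["Staff"], "contentLockKey": None},
    "admin": {"memberOf": ["Domain Admins"], "contentLockKey": None},
}


@dataclass
class StoredDocument:
    doc_id: str
    encrypted: bool      # the attribute the event receiver assigns on upload
    nonce: bytes         # per-document randomness
    lock: bytes          # HMAC tag binding (doc_id, nonce) to the key
    body: bytes          # plaintext if unencrypted, otherwise ciphertext


def provision_key(directory, user, key):
    """Model of the independent management tool: place the key in a user's attribute."""
    directory[user]["contentLockKey"] = key


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF; assumption, no integrity on its own."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _make_lock(key, doc_id, nonce):
    """The 'lock' the text refers to: only the holder of the key can reproduce it."""
    return hmac.new(key, b"lock:" + doc_id.encode() + nonce, hashlib.sha256).digest()


def event_receiver_upload(library, key, doc_id, plaintext, encrypt=True):
    """Model of the upload event receiver: tag the file and, if requested, lock it."""
    if not encrypt:
        library[doc_id] = StoredDocument(doc_id, False, b"", b"", plaintext)
        return library[doc_id]
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    library[doc_id] = StoredDocument(doc_id, True, nonce, _make_lock(key, doc_id, nonce), body)
    return library[doc_id]


def open_document(directory, library, user, doc_id):
    """Open-time check: look up the user's attribute and test it against the lock.

    Mirrors the page's behaviour: without a matching key the user is only shown
    the encrypted file, regardless of group membership (including administrators).
    """
    doc = library[doc_id]
    if not doc.encrypted:
        return doc.body
    key = directory.get(user, {}).get("contentLockKey")
    if key is None or not hmac.compare_digest(_make_lock(key, doc_id, doc.nonce), doc.lock):
        return doc.body  # no permission: encrypted body only
    return bytes(a ^ b for a, b in zip(doc.body, _keystream(key, doc.nonce, len(doc.body))))


def demo():
    """Constructed scenario: alice holds the key, admin does not."""
    library = {}
    key = secrets.token_bytes(32)
    provision_key(DIRECTORY, "alice", key)
    event_receiver_upload(library, key, "payroll.xlsx", b"salary table", encrypt=True)
    event_receiver_upload(library, key, "lunch-menu.txt", b"soup of the day", encrypt=False)
    return {
        "alice": open_document(DIRECTORY, library, "alice", "payroll.xlsx"),
        "admin": open_document(DIRECTORY, library, "admin", "payroll.xlsx"),
        "admin_unencrypted": open_document(DIRECTORY, library, "admin", "lunch-menu.txt"),
        "stored_body": library["payroll.xlsx"].body,
    }


if __name__ == "__main__":
    for who, result in demo().items():
        print(who, result)
```

The keystream here provides confidentiality only; a deployment would use an authenticated cipher so that a tampered body is rejected rather than decrypted to garbage. The essential design point survives the simplification: the lock is verified with a constant-time comparison against a secret that lives in the directory attribute, so SharePoint-level privileges alone never yield plaintext.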

Your Advantages

  • encrypted documents are additionally protected by AD security measures
  • printing and saving encrypted documents is prohibited
  • emails and documents can be encrypted at file level – this benefits emails because the encryption algorithm does not have to be shared with eligible persons in advance
  • familiar "look & feel" for end users
  • if the required permission is missing, only the encrypted file is shown

Our Approach - Microsoft SharePoint Encryption

Thanks to its integration with Microsoft Active Directory, Share ContentLock can store a corresponding qualifier in the user-specific properties to specify whether a user is allowed to open a given document. In this way, information and critical documents can still be stored efficiently and centrally while remaining protected against unauthorized access.