WHITEPAPER. Compliance with ITAR and Export Controls in Collaboration Systems

Transcription

1 WHITEPAPER Compliance with ITAR and Export

2 Executive Summary IT executives for organizations that are subject to export controls and regulations, including ITAR, EAR, as well as German BAFA regulations, and the UK Export Control Act, are under pressure to meet the restrictions on access that are required of them, while also gaining the efficiencies afforded by collaboration platforms. The obvious challenge, however, is to properly secure SharePoint, file servers, OneDrive, SharePoint Online, and Office365 environments for use cases that involve export controlled data. CipherPoint Software offers products to find, encrypt, control access, and log access to export controlled information in file sharing and collaboration platforms, both on Premises and in Cloud environments. The purpose of this document is to demonstrate how an organization can use CipherPoint products to identify locations that contain export controlled information, secure those locations exactly according to the NIST guidance, and then be able to quickly respond to an incident and report any permitted or denied access to this restricted data. The CipherPoint approach not only reduces the Total Cost of Ownership associated with security solutions but also reduces the costs and time it takes to respond to security incidents. Finding Export Controlled Information An obvious first step in addressing compliance obligations and security requirements is to understand the scope of the issue. For export controlled information in collaboration systems, this means scanning the information repositories to determine exactly where export controlled data exists. Finding export-controlled information in any repository can be a daunting challenge

3 in file repositories such as SharePoint, file servers, and cloud collaboration systems. With systems such as these, even if you have good governance policies, it is easy for employees to place sensitive, export controlled information in locations that are not adequately secured, and where access controls and permissions are not correctly configured. CipherPoint offers a content scanning module in as part of the Eclipse Data Security Suite that can easily scan your collaboration sites and document libraries and lists for export controlled information. Once you have confirmed whether or not information that should be restricted per export restrictions resides in your collaboration systems, you can decide if there is a business need for that information to be in the platform, and then go about the effort of securing the information, and controlling access to it. Securing Export-Controlled Information Collaboration systems such as SharePoint provide native access controls to ensure that only certain users or groups have access to a particular collaboration site or document library. A common approach is to align the SharePoint permissions model with Active Directory group membership which is, in turn, aligned with corporate Role-Based Access Control (RBAC) policies. Once configured, organizations need to carefully audit and manage access to export-controlled data. Permissions management is a common point of failure as permissions can be changed by multiple users and at different levels of granularity (e.g. Site, Library, or Item). Native platform permissions management capabilities in collaboration platforms are generally insufficient to the task of ensuring that this sensitive information cannot be accessed by those with no valid need to know.

4 What s needed is an approach that not only secures the confidentiality of exportcontrolled information but also provides evidence that the necessary security controls are in place. Further, meeting those security objectives while simultaneously enabling operational efficiencies through the adoption of collaboration platforms such as SharePoint is a significant benefit for any organization trying to deploy scarce budget dollars as effectively as possible. The key security controls for exportcontrolled information include: A RBAC policy that clearly defines those who have a business need to access export-controlled data Access controls that are managed and enforceable per the organization s RBAC policy Activity logging to track permitted and denied access requests to export controlled information and to provide non-repudiation Data at rest encryption and encryption key management in accordance with the guidelines in NIST Separation of duties among IT operations and the Information Security or Risk and Compliance departments CipherPoint Solution The CipherPoint solution is specifically architected to maintain the confidentiality of information stored in SharePoint environments and other multi-tenant file sharing and collaboration platforms. Customers can use CipherPoint technology to: Find export-controlled data in SharePoint, file servers, OneDrive, SharePoint Online, and Office365 Transparently encrypt it according to the NIST guidelines Control and audit access to export-controlled data per need to know policies

5 Report and respond to accesses to export-controlled information The approach above allows an organization to not only demonstrate the due diligence required to avoid fines which may be associated with export security breaches or improper disclosures of export-controlled information but also to quickly and cost effectively respond to a potential breach of this information. The CipherPoint Eclipse solution includes a centralized management console, which allows organizations to locate and manage the security and transparent encryption of export restricted data. This architecture provides true separation of duties and enforces need to know policies allowing the SharePoint administrators or third party Cloud providers to manage the platform and the Compliance team to manage security of this information. The Compliance team administers the security controls without requiring elevated access to SharePoint, only the authorized end users are able to access export restricted information, and the CipherPoint system tracks permitted and denied requests to documents and changes made to security controls. CipherPoint technology is transparent to end-users in order to remove any obstacles to adoption of SharePoint, file servers, OneDrive, SharePoint Online, or Office365. Conclusion Government regulators have strict requirements on controlling access to export controlled data. Translating their requirements into policies and controls for you collaboration environment is left up to your organization. The CipherPoint Eclipse family of data security solutions give you the tools you need to identify export controlled information in existing information repositories, secure the data through encryption and access controls, and then audit and report on access to satisfy auditors. The combination of collaboration platforms such as SharePoint, file servers, OneDrive, SharePoint Online, and Office365 and

6 CipherPoint Eclipse allows organizations not only to achieve the business efficiencies associated with collaboration, but also meet ITAR and other export compliance requirements, and avoid security breaches and fines. About CipherPoint Software, Inc. CipherPoint centrally identifies, secures, and audits access to sensitive and regulated unstructured data on-premises and in the cloud. The CipherPoint solution is unique in keeping privileged IT administrators and outside attackers that target IT level access from being able to view sensitive information. CipherPoint products are easy to deploy and manage, and scalable to meet the needs of large organizations. Copyright , all rights reserved. CipherPoint is a registered trademark of CipherPoint Software, Inc. CipherPoint Eclipse,CipherPoint Eclipse for SharePoint, CipherPoint Eclipse for SharePoint Online/Office 365, CipherPoint Eclipse for Healthcare, CipherPoint Eclipse for File Servers, CipherPoint Eclipse Data Security Console and the stylized CipherPoint logo are trademarks of CipherPoint Software, Inc.. SharePoint, SharePoint Online, and Office 365 are trademarks of Microsoft. Doc. ID: CPWP008