How secure is your data in SharePoint On-Premise vs Online?

Over the past two decades, Microsoft has made SharePoint one of the most powerful enterprise content management and team collaboration platform available in the market loaded with massive functionality and state of the art security. Data protection and security plays a key role in deciding which variant of SharePoint to go with especially for organizations with critical compliance and governance regulations.

This brings up the question, how secure is your data in SharePoint On-Premises and Online? This article will help you in analyzing the security and data protection features available in SharePoint On-Premise and Online in terms of authentication types, disaster recovery etc.

AxioWorks SQList allows you to export SharePoint lists & libraries as normalised SQL Server tables, and build powerful reports on SharePoint data using SSRS, Crystal Reports, Power BI, on an other reporting tool.

Authentication Types

SharePoint On-Premise

SharePoint On-Premises provides support for all the major authentications types

Claim-Based Authentication

It is the default authentication mode which uses Claim based identity technologies and infrastructure for authenticating user identity. Instead of User credentials, a security token is used for authenticating which contains user information through a set of claims. It is built on Windows identity foundation (WIF) and works within windows environment and doesn’t integrate with third-party authentication providers.
In order to use this, SharePoint converts all the user accounts into claim identities which generates a claims token. The claims token includes all the information pertaining to user and can be augmented as well in order to add additional claims

Forms-based authentication

Forms-based authentication (FBA) allows the customer to implement their own authentication mechanism which enables them to authenticate non-Active directory (external users) and expose their intranet portal to outside world. It provides custom identity management in SharePoint by implementing a membership provider, which defines interfaces for identifying and authenticating individual users, and a role manager, which defines interfaces for grouping individual users into logical groups or roles. The provisioning of FBA requires a web application with a site collection in SharePoint farm and a membership database for storing user information.

SAML token-based authentication.

It is a type of claims based authentication called SAML claims mode in which SharePoint accepts SAML tokens from a trusted external Security Token Provider (STS). It is commonly used with Single Sign-On (SSO). A user who tries to access a secured webpage is redirected to the external login page of the STS provider, the STS is responsible for authenticating the user and producing the SAML token, SharePoint accepts and processes the SAML token and creates a claims based security token. If you use Active Directory Federation Services (AD FS) 2.0, you have a SAML token-based authentication environment.

Windows Classic Mode Authentication

This is an AD based authentication in which windows credentials are used. This authentication mode was deprecated in 2013 and is no longer supported in SharePoint 2013, 2016 and 2019.

SharePoint online

Single Sign-On with Active Directory

SharePoint Online enables organizations to use their existing authentication setup eg. Active Directory as a mode of authentication for Office 365. By default, SharePoint Online uses Azure AD for authentication and each tenant has their own Azure AD. There are two variants available.

Synchronized identities

This provides synchronizing the accounts in Azure AD and your on-premises AD. Users has given an option to sync passwords as well or use different passwords for both AD. This is an easy and no frills attached setup which doesn’t require any additional settings at Customer’s end.

Federated identities

This allows users to authenticate against the organization On Premises Active directory and requires hosted identity provider to setup. When user tries to login to SharePoint Online, then they are redirected to the login page of your identity provider eg. ADFS which takes care of authentication. Successful authentication then takes user to the SharePoint Online. This is usually a preferred option since it provides seamless integration of SharePoint Online and Internal Active directory however, it does require setting up identity provider in your internal AD.

Multi-factor Authentication

Considered as the most secured authentication mode, SharePoint Online allows setting up Azure Multifactor authentication which requires an additional security item for login along with user credentials. This security item is usually a code generated via text or phone call or some other security device. Login requires both user credentials along with the code generated by the security device.

Disaster Recovery Strategy

It is a way to recover your SharePoint farm from a disaster which makes your farm unusable and defining key parameters of how much time it takes to recover to minimize down time and to what point in time can it be recovered to minimize loss of data. Both SharePoint On-Premises and Online provides various data recovery options in order to the meet the clients Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

SharePoint On-Premises

Standby data center recovery options

This option requires a redundant secondary SharePoint farm at a separate data centers which is used in case of a disaster in the primary data center. There are three types of Standby based on time required for farm availability.

Hot Standby

This is the fastest recovery option available which requires seconds or at most minutes to make the farm available. A failover SharePoint farm is pre-setup in a secondary data center and both data centers continue to run simultaneously and stays up to date but only one serves requests at any time. All the customizations are deployed to both farms and asynchronous mirroring is used for synchronizing SharePoint content databases in both farms. This allows standby farm to be switched on as a production farm as soon as the primary farm goes down.

Warm standby

The strategy is slower than hot standby strategy since it requires minutes or hours to provide availability. This strategy requires setting up a duplicate farm in a separate datacenter and is kept up to date by restoring backups of primary farm frequently. This options allows customers to use virtualization by using Hyper-V to setup a cost effective disaster recovery solution or use Azure Site recovery for hosted disaster recovery and save on infrastructure.

Cold Standby

It is the slowest is recovery strategy which takes from hours to days to provide availability for usage. In this strategy, a new farm has to be setup from scratch in a separate datacenter and then restoring backups either manually or using an automated backup and restore solution like Data Protection Manager. The time depends on your rental contract and the complexity of your farm i.e. a single server farm will be restored a lot faster than a farm with multiple WFE’s and Application Servers.

Azure Site Recovery (ASR)

The standby data recovery options works well but it requires some manual intervention or standby farm setup however if your organization wants an automated disaster recovery strategy and eliminate the cost of additional standby infrastructure then azure site recovery provides is the best way to go. The way ASR works is it creates snapshots of your SharePoint farm environment which can either be a virtual setup or physical servers. Snapshots are created as virtual machines which are available via failure on demand so, when your production environment goes down then they spun up and instantly makes your farm available. In order for it work, all the components of your farm including Active directory and DNS must be protected by ASR as well. This will allow you to recover not just SharePoint but your entire Application stack just by one click.

SharePoint Online

The disaster recovery strategy lies with Microsoft as they perform regular backups of customer data. Microsoft promises 99.9% availability of SharePoint Online and all of its services. However this only tells us about the speed of services availability and usability but what about the data loss which might happen in case of a disaster.

Data Protection from Human Error

Ultimately, the most common cause of data loss lies with the handling of data by humans who are prone to making mistakes by deleting something unintentionally. Sure, restoring a backup can always get back your data but this is by far the most expensive option and there are easier options available in both On-Premises and online for data protection in case of human error.

SharePoint On-Premises

There are options available for safe guarding your data from human errors at several granular level. Document deletion can be protected by using SharePoint versioning and SharePoint recycle bin which allows you to restore your file/item. SharePoint permissions can also be setup to item level to avoid deletion as well. There is also a new feature available in SharePoint 2016 called data loss prevention (DLP) policy which allows you defined policies and identify, monitor, and automatically protect sensitive information across your site collections. This is a great tool to solidify your SharePoint governance and there are several templates with predefined policies available for you to setup.

SharePoint Online

SharePoint Online also provides primary ways of data protection like document versioning to keep older versions of document safe and recycle bins at different levels to safeguard against document or item deletion. First level is User recycle bin where deleted item lasts for 93 days and afterwards moved to site collection recycle bin. However, if someone deleted an entire site collections, then Microsoft will come to the rescue and will help you to restore the site with content. To further safeguard against data loss, there are several cloud to cloud 3rd party tools available which can help you to keep your data safe at an additional cost by synching your SharePoint Online content at a backup location allowing you restore from site collection all the way to item level granularity.

Final Verdict

So, which version provides better data protection SharePoint On-Premises or Online? Well Microsoft understands the ever growing demand of better data protection of their customers and therefore with each new version of SharePoint has improved the data protection architecture. SharePoint On-Premises gives customers a complete control over their farm to setup an authentication mode that integrates well in their existing infrastructure and serves their security needs and at the same time various disaster recovery options with the best being ASR. New features like DLP policies makes data loss protection effortless and automated. With SharePoint Online, Microsoft provides multi-factor authentication mode which is considered as the safest option for security, disaster recovery is the responsibility of Microsoft with a promise of 99.9% uptime and various options are available for data loss protection including 3rd party cloud migration tools.