SharePoint - the compliance nightmare???

Microsoft has a winner with it's collaboration tool SharePoint Server. It's ease of use and integration into a Windows based architecture have led people to adopt it in droves. As it's matured, it's become more effective and easier to use - meaning adoption is on an upswing. Did you realize that SharePoint is (and has been) Microsoft fastest growing server product? I would have thought Exchange or even SQL, but not SharePoint. But as you look around, you see it everywhere. It's pervasive and entrenched. I've seen it grow organically (and logarithmically).


One thing people tend to forget about SharePoint is that its key use case is a document store. For those under the thumb of regulatory compliance, it's usually an area that's easily forgotten. You might have what should be protected documents stored across multiple sites in SharePoint and not even know it. Even if your an organization with process in place, often times SharePoint makes it easy to subvert your best intentions. Set up a site and grant access to a few people - then the requests for access come rolling in. It's so easy to click that "Request Access" button - and just as easy for the owner to click "Grant Access".


It's also easy to create sites (for those with the correct right - which can be confusing. Something I will cover later). There's personal sites, sub sites, Document Stores, Lists and more... And that's just with in a single farm (you can have multiple farms too!). Add to this the fact that there are a multitude of SharePoint add-ins or widgets that might be involved in the convoluted structure and it's easy to be overwhelmed with ways to access content.


Now what's more, the account/rights structure is something that isn't using native permissions (Access Control Lists or ACLs, for the technically minded). The rights and tasks associated with accounts can get really confusing. If you want a taste of what you need to pay attention to, see this Microsoft TechNet article on Account Permission in SharePoint:


So let's climb back up to a 10,000 foot level. Easy to deploy and expand. Non-native rights and account structures. Varied places to store documents and information that may not be intuitive: If you're a compliance orient shop - this could be a recipe for disaster. Microsoft does provide some auditing capabilities - so as long as they are in place early, and you're reviewing the events, you're probably OK (if you have access - something SharePoint Administrators should have - but generally no one else). That's why we felt adding events from SharePoint into ChangeAuditor would be beneficial to anyone using Microsoft SharePoint and under regulatory compliance (or, indeed, internal process guidelines for document storage and sharing!). ChangeAuditor let you send alerts on actions that you wish to warned about (access changes, site creation or deletion, etc). You can even run reports to see all document access in a particular site or document store. It's no panacea, but it should help you feel a little more in control, and a lot less like you're living a nightmare!.



About the Author