As SharePoint grows in complexity and breadth of business critical data, the need to maintain and monitor proper user security becomes ever more critical. As we’ve heard this week, those concerns are universal, and not strictly confined to the United States.
UK media outlet The Register reported the results of a November 2011 survey of local SharePoint administrators and professionals. Almost a third of all respondents reported having looked at privileged contents, such as other employee’s personal information and salary details. Among these admins, 45% have copied files out of SharePoint to USB drives or similar devices for home use, and 55% - 55%! – have copied files for people who weren’t authorized to see it.
For more details on the survey, please see http://www.theregister.co.uk/2012/01/23/sharepoint_leaky_security/
In statistics, we speak of Type I (false positives) and Type II (missed negatives) errors. In Type I errors, our system doesn’t work properly. For Type II errors, everything works properly, and mistakes still happen. The same concepts apply to SharePoint security. Is SharePoint inherently securable? Absolutely. But the survey shows the same two classes of security failures. On one hand, we have admins who have been properly permissioned doing things with their rights that are outside the intent of those authorizations. That’s a failure of oversight.
On the other hand, base system security IS working – that’s how users discovered they didn’t have access to data they wanted to see. This is a behavior that can be regulated through a combination of techniques – auditing, processes, and/or security restrictions on copying files to removable media.
Remember that “the system” includes not just technology but also individual people. A combination of system controls and process enhancements can close off many of these holes. Since we’re discussing roles and processes, that’s really a governance issue. Earlier this month, I published a white paper on SharePoint governance . At Quest, we see five core aspects, or pillars, as critical to SharePoint governance. Our five pillars of SharePoint governance:
Next month, I’ll be publishing more material on the first pillar – Security. Please join me on February 15, 2012 for our next webinar on security governance for SharePoint, also featuring our partners at Summit 7 Systems. Hope to see you there!
Five Pillars of SharePoint Governance – Security Webcast
North America – https://www.quest.com/events/ | 15th February, 2012 @ 11:30 a.m. ET| 8:30 a.m. PT
UK, Ireland, Germany, Switzerland, Austria, Norway, Sweden, Denmark - https://www.quest.com/events/ | 16th February, 2012 @ 12.30 p.m. BST |1.30 p.m. CEST| 7.30a.m. ET |