
SharePoint security and compliance

Do you feel safe storing confidential information? Do you have control of where data is going? Can you mobilise data securely to staff and external parties? Are you compliant?


Johannesburg, 05 Jun 2014

SharePoint is rapidly becoming one of the market's most widely deployed enterprise content management (ECM) systems. But despite this rapid adoption, gaps in SharePoint remain, particularly when it comes to data compliance and the management of private or otherwise sensitive content.

"Organisations are hesitant to store confidential data in SharePoint due to the complexity of assigning content to people and lack of controls in place to prevent the leakage of information," says Sean Glansbeek, Managing Director of Seven Days Technologies:

"Many companies have a hard time choosing whether to use folders or metadata for security and classification in SharePoint. Folders make it easy to apply permissions; however, they are not secure and can make it difficult when trying to find documents. If documents need to be classified under multiple categories, users are forced to duplicate documents in other folders.

"SharePoint's basic configuration defaults do not necessarily apply the type of governance model that many organisations may have envisioned at the time of deployment. For example, access controls in SharePoint are typically enforced through folder and library hierarchies. In any number of scenarios, misplaced or mistakenly copied files can result in inappropriate access permissions being applied to a document. As a result, there is a constant need to review where documents are placed within SharePoint, to ensure they are stored in appropriate locations with respect to access permissions.

"A common observation of SharePoint users and administrators is that collaboration sites quickly grow to a point at which they are out of control. Decentralisation of team sites can result in wide variations in security policies and information handling practices. Without a comprehensive, high-level model for data governance, it can be difficult to put in place a coordinated set of automated or procedural controls," says Glansbeek.

Some commonly asked questions:

* Are folders the best way to secure documents?
* Are folders the best way to classify documents?
* When will folder navigation break down?
* Will using folders cause problems with document duplication?
* Can I use out of the box metadata to set permissions?
* How easy is it to access information on mobile devices?
* SharePoint mandatory metadata is not enforced, so how can we ensure users will classify their documents?

An effective data security model should address the following elements:

* Security policies and audit;
* Technical security controls;
* Administrator and user procedures and activities.

A lack of definition and enforcement in any of these areas can put the enterprise at risk of releasing information to unauthorised parties. Even worse, it may not be possible to prove accountability or that the organisation was employing responsible practices when an incident does occur.

"While SharePoint's out-of-the-box folder level security and permissions are a good start, they do not provide the document level control that third party solutions can offer," says Glansbeek.

Imagine if one could achieve the following security model:

* Ensure the right people access the right information using metadata and claims
* Safely store sensitive data alongside non-sensitive data
* Control mobile access to sensitive documents in a secure container on mobile smartphones and tablets with the ability to remote wipe the SharePoint information only
* Automate SharePoint security, including permissions management, access control, and document policies
* Change access without changing permissions
* Detect, document and prevent privacy breaches and exposure of confidential data in the SharePoint social environment
* Automatically scan content and sites to detect the presence of PoPi, PII, PCI, HIPAA and intellectual property
* Scan and analyse content for brand conformance issues such as logo consistency, legal name usage and copyrights
* Protect your organisation's reputation by monitoring social computing entities for inappropriate content and obscene language
* Leverage HR acceptable use policies to mitigate risk, protect the organization from potentially harmful exposure, educate employees and improve online behaviour
* Simplify SharePoint governance and reduce administration costs

Some features offered by third party security solutions include:

Document Policies - automatically adding visual labels to Microsoft Office and Adobe PDF documents, including headers, footers and watermarks to indicate document sensitivity. For greater security, also automatically convert Microsoft Office documents to Adobe PDF format, and promote user accountability by marking downloaded PDF files with the current username and timestamp.

Permissions - Based upon the business rules associated with classification, access to a document or content item within SharePoint can be restricted to a specific individual or group, even if a wider audience has access to the site or library where the item physically resides. With file level permissions, administrators can reduce the number of sites that get created (site proliferation) just to cope with another set of collaborative users.

Encrypt - Data loss prevention is a critical issue for many organizations. In addition to securing a document based on its classification (metadata) content can be encrypted immediately. This means only properly credentialed users will be able to read the content - whether inside or outside of SharePoint - even if they have SharePoint administrator privileges.

Track - Track the entire life cycle of office documents. This means that a policy manager or security officer can see if and when a document has been read, e-mailed, or printed and by whom. A document's entire "chain of custody" is recorded and easily available in the event of a breach or a regulatory audit.

Prevent - To further extend the tracking process, you can also define rules to warn users about, or prevent, the distribution of sensitive information or confidential documents. Users can also be prevented from printing and saving Microsoft Office documents outside of SharePoint.

Workflow - Can trigger workflows to quarantine, move, request approval from policy officers/managers or request explanations from users. Complete business rules can be developed so that you can remediate compliance issues and/or task the proper individual(s) in the organisation to review and potentially classify, re-classify or encrypt the content. Workflow can also be used to prevent the publication of confidential documents. With workflow, organisations can also block documents from being added, published or moved in SharePoint.

SharePoint compliance:

Audit - Organisations can scan information at rest within their SharePoint sites against hundreds of existing and easily configurable policy checkpoints to assess the level of sensitive information present and identify compliance issues. In addition, they can scan data in motion against these or custom corporate policies as documents are added, updated or moved in and out of the SharePoint environment.

Report - Executives and policy managers have visibility into SharePoint's compliance status. Via standard reports, compliance and privacy officers get real-time insight into the compliance status of the SharePoint environment, can identify teams or departments where issues are recurring, and measure progress against compliance objectives over time. The reporting function also provides a detailed analysis of red flag issues allowing users to quickly identify and remediate issues.

"Third-party SharePoint security and compliance solutions help organisations with a solid data governance and security model as well as the ability to securely distribute information out of SharePoint to mobile devices," concludes Glansbeek.


Seven Days Technologies

Seven Days Technologies (SevenDaysTech) is a data security provider offering solutions and strategies that cover mobile device and information security, secure data collaboration, SharePoint security and compliance, data classification, file share security and compliance, Web content compliance, data leakage prevention, endpoint encryption and network auditing and reporting. SevenDaysTech also offers data risk assessments so companies can see where their data is going, who is using it and what devices are connecting to the network. SevenDaysTech covers Africa and Indian Ocean Islands and also has a distributed partner channel.

Web site - www.sevendaystech.com
E-mail - sales@sevendaystech.com
Contact - +27 11 801-9480

Editorial contacts

Sean Glansbeek
Seven Days Technologies
(+27) 82 896 8637
seang@sevendaystech.com