In-Depth
Best Practices for Data Governance in SharePoint Environments
As awareness of SharePoint access control complexity grows, organizations are are focusing on security and compliance for their SharePoint deployments. We offer best practices to address these concerns.
by Johnnie Konstantas
With more than 100 million SharePoint licenses issued to date, chances are good that organizations are using or planning a SharePoint rollout by now. Perhaps equally pervasive are challenges with visibility and data access control of SharePoint environments. As awareness of SharePoint access control complexity grows, many organizations are turning their focus to security and compliance for their SharePoint deployments, seeking best practices and precautions that can be applied during implementation to avoid problems in the first place.
Discussions around design and migrations to Enterprise Content Management (ECM) systems such as SharePoint need to incorporate data use monitoring and least-privilege access enforcement as part of a SharePoint security policy. Ongoing efforts to manage SharePoint data security need to include user training and coordinating with security and compliance personnel to ensure all drivers are considered.
This article focuses on the access control management challenges with SharePoint and identify best practices to solve them.
Background
SharePoint is an ECM system from Microsoft that allows businesses, organizations, and individuals to easily connect and collaborate on document creation and projects through portals. SharePoint is part of a large and fast growing market for content management that Forrester put at USD4B for 2008.
According to Microsoft, sales of SharePoint surpassed the US$ 1 billion mark in 2008 and currently there are over 100 million licensed copies. In fact, Bill Gates has been quoted as saying that SharePoint is the “fastest growing server product [Microsoft has] ever had.”
The brisk adoption of SharePoint isn’t exactly surprising given that it addresses some serious challenges with document sharing and is integrated with the popular Microsoft Office platform. Unstructured data (i.e., documents, spreadsheets, presentations, and image and multi-media files) is the fastest growing among organizations and is imperative to business flow.
Given how groups work today across organizations and geographies, it is extremely inefficient to share this unstructured information via e-mail. It is also extremely challenging to keep track of file versions. SharePoint allows for the quick and easy creation of central document repositories that can be accessed from anywhere.
Security Challenges Emerge
The rapid adoption of SharePoint has outpaced the ability of organizations to control growth and enforce consistent policies for security and access control. The ease with which SharePoint sites can be created means that SharePoint use is decentralized and often outside the purview of IT departments, security personnel, and even dedicated SharePoint administrators. Some of the specific challenges are:
Organic and chaotic deployment of SharePoint sites: Pervasive departmental use of SharePoint means that all types of data is making its way to SharePoint repositories. This can range in sensitivity and importance and may easily include human resources or sensitive product information. Thus, the problem for organizations becomes not only identifying sensitive data but locating all SharePoint sites, existing and emerging.
Ad hoc permissions administration: Without a central authoritative source such as a file share administrator, IT operations director, or compliance office setting access to data, the job is left to the data owners or those responsible for implementing the SharePoint site. This means that the controls may be set in conflict with enterprise level access policies and may not include key business intelligence about why the access should be limited (i.e., content might be regulated or copyright protected).
The levels and types of permissions available with SharePoint are also quite complex (much more so than their NTFS counterparts) and the additional granularity and inheritance complexity creates more access levels and higher probability for erroneous or overly permissive access.
Limited, cryptic, non-scalable auditing: Key to maintaining good access control over data is continuous monitoring of how data is being used. This is one of the challenges with a SharePoint environment. SharePoint audit detail is geared toward helping site administrators manage content, not for refining access policy. Consequently, there is no way for SharePoint administrators to easily establish which users took what action on data. The native auditing capabilities are also limited in terms of scalability. “Normalizing” the data or creating a unified and accurate view of data use and access across sites and locations is challenging and time-intensive. Exacerbating the problem is the format of the native audit record which requires some backend database programming to decipher.
Best Practices for Governing Data in SharePoint Environments
With SharePoint use poised for meteoric growth, organizations need to take action to protect data and promote disciplined and monitored use so that risk to SharePoint data from loss of theft is mitigated. The following are key tips for SharePoint data protection:
Best Practice #1: Educate end users: Use established, company-wide communications vehicles to bring users up to speed on the benefits and security risks of SharePoint. Encourage your end users to contact you with needs for SharePoint deployment or to identify where use has been established. Let them know that registering their SharePoint site with a central administrator will give them access to reporting and business intelligence that will make their data safer.
Best Practice #2: Get ahead of new deployments: If an organization is planning SharePoint rollouts, build in time to your project schedule to clean up the existing unstructured data repositories (i.e., Windows file systems, NAS) and user directories. Inactive user accounts, overly permissive access controls, and stale data shouldn’t make their way into new SharePoint sites. This kind of cleanup will save an organization time during the migration and also in the ongoing management of the data.
Best Practice #3: Keep track of data use: Whether it is for help-desk call resolution or to help refine access policies, organizations need to have records to data access handy. Because SharePoint sites and access records can be distributed, the access log needs to aggregate all of the information and reconcile any conflicting records. Ultimately, a detailed record of data use can help cut the time that it takes to identify data owners, purge old data and isolate specific types of activity for forensics and access policy refinement.
Best Practice #4: Get the right tools: The rapid proliferation of SharePoint has created an enormous opportunity for tools that support its deployment and fill in functionality gaps. That means that when it comes to protecting and monitoring SharePoint data use, organizations don’t have to do it alone. What is most important is recognizing that in SharePoint, Microsoft has created a powerful collaboration tool, but they have either by design or inadvertently left security up to the vendor community and organizations themselves. The good news is that solutions do exist to provide the visibility and auditing organizations need to tame SharePoint access control and protect valuable business data.
Johnnie Konstantas has more than 16 years of experience in the network-security and telecommunications fields. As vice president of marketing for Varonis, Ms. Konstantas champions data governance for the company’s worldwide markets. Prior to Varonis, she held various senior roles in marketing, product management and engineering with start-up companies. You can reach the author at jkonstantas@varonis.com.