SharePoint Security in 2011

Some might say that SharePoint security isn’t a concern. Others would counter that that’s because there hasn’t been a big security breach splashed across the news—yet.

But to ScriptLogic’s Carolyn McHale and Nick Buonpastore, security in SharePoint is a big issue. The sheer number of owners and admins managing SharePoint sites increases the likelihood of an eventual breach, they say. Add in the fact that many organizations don’t know the extent of the content they have stored in SharePoint, nor who has access to it.  “The concept of auditing and assessment is a little better in SharePoint 2010 but isn’t quite there yet,” says McHale, who is director of product development.

As for user reporting and logging—“ You can see what they do after fact but not what they have access to,” she says. Buonpastore, a product manager, agrees. “Being able to have visibility into permissions, being able to see where someone might have granted themselves too many rights” is important. The two discussed SharePoint security challenges recently and offered these simple (and not-so-simple) tips:

1. Know what you’ve got to know what to secure.

Do an initial assessment and inventory of SharePoint assets.

2. Don’t go overboard with assigning privileges.

Over-privileged users might end up with elevated Windows permissions. Sometimes too the permissions models are different—some controlled by Active Directory, others controlled by one’s access to SQL Server. Additionally, the provisioning model for permissions is different from NTFS—inheritance is turned either on or off. You might end up granting permissions to users on a document level but you might not see that.

3. Make sure you’re not creating a bunch of local groups.

Use AD groups, and make sure you have access controls in place. Also make sure your provisioning is correct, that former employees aren’t still given access to SharePoint.  

The two note that ScriptLogic has changed from selling a standalone SharePoint security solution to incorporating it across the Windows environment. “For our typical customer base admins are managing other platforms too,” says Buonpastore. “SharePoint is a piece of the overall picture—they see the value of having a consistent solution to manage security in general.”

Two facts about SharePoint make the SharePoint security arena worth watching in 2011: the increasing use of SharePoint as a mission-critical application and the way that SharePoint has woven itself into the very fabric of the Windows world, touching many areas it was previously isolated from.  Not to mention the challenge of managing security in a hybrid environment consisting of on-premises SharePoint and hosted SharePoint. So three things warrant watching SharePoint closely. Yes, 2011 should be an interesting year from the standpoint of SharePoint security.