"Compliance officers come up to me at trade shows and say 'SharePoint is the bane of my existence because of the sharing,'" said Eric Darbe, product marketing director at HiSoftware. HiSoftware secures SharePoint data at the metadata level, ensuring the right people see the right information.
We caught Darbe on the road recently at--where else--a healthcare compliance trade show and talked SharePoint, social, and security.
Help Change SharePoint's Reputation
With security people, Darbe said, "SharePoint has a reputation for being insecure. As SharePoint people, we should try to broaden the conversation."
"There's a use case I use with compliance officers," he said, to help them see that SharePoint can be an asset for protecting data.
"In January, someone in the UK left a hard-copy dossier of the plans for policing the London Olympics on a train. It was brought immediately to the newspaper for safekeeping. The point that people should realize is that the reason that hard-copy dossier was on a train was that someone was bringing it home to review it or bringing it to a meeting. Collaboration was the purpose.
"If it had been digital, and in SharePoint with protections, it could have been secured, not printed out and left on a train. Even if someone wanted to review it on a train via a tablet, that could have been wiped."
"We commonly tell people that the SharePoint team needs to be talking to the compliance and security teams, because unless everyone is working together, they're working against each other," Darbe said. "You need to know what kind of internal policies you have, if you're the SharePoint admin, because you need to have some kind of infrastructure in place."
But, he added, a standard approach can get in the way. "The SharePoint admin could go and say 'Everyone on the marketing team should only see the marketing documents,' but then what about the marketing team that needs to see what development is doing with new products?"
"Policies aren't necessarily driven by regulations and they don't follow the typical org chart boundary lines. If you really want to have a collaborative environment, you need to break down the siloes. But that introduces the risk," Darbe said.
SharePoint End-User Security Challenges
Even if your compliance officer is open-minded about SharePoint, end users offer a whole new slew of challenges around SharePoint, security, and social computing. Darbe shared some situations that SharePoint admins see:
Users over-share, not realizing that a MySite is like Facebook. "Maybe I work for a business associate of a large hospital, and I'm analyzing payment history or codes, and the information doesn't have to be personally identifiable, but it might be. I say, 'I'm working on this analysis' and put a spreadsheet on a My Site. A SharePoint admin has to deal with the fact that so many users are used to sharing things online. But they don't fully understand who is going to see that information."
SharePoint shows documents associated with individual users. "If the user is working with a document of a sensitive nature, I can see that, if it's not secured in a social feed, and I can find it internally."
Users under-share, undermining SharePoint adoption. He also cited the opposite of the over-sharing users, people who hesitate to put anything up on SharePoint. "You can see where SharePoint adoption gets undermined from the top down; think about members of a board of directors getting ready to release financials--if they're not absolutely positive SharePoint can protect that info, then they're not going to put it there. You limit the collaboration aspects of SharePoint by not securing it."
Users unintentionally misuse the "bucket" style of security. Along the same line of nervous users comes another challenge, especially with the typical security implementation of "buckets": users who are afraid of putting things in the wrong SharePoint bucket. So they create new buckets, which leads to proliferation.
What HiSoftware offers, he said, is a way to secure an individual item, based on metadata. "What that means is, instead of having a marketing bucket where we put all marketing stuff, we can have more nuanced approaches to security by changing the metadata value."
"HiSoftware's history is with a scanning engine--it can find compliance in any content. It can scan for risk. Based on pattern matching and regular expressions, we can apply metadata automatically."
SharePoint Security Starts with Collaboration. Of Course.
Darbe says SharePoint admins can contribute to the successful securing and adoption of their SharePoint implementations by doing the following:
Stop playing defense. "The London Olympics story illustrates it: People need to say to compliance people that SharePoint can help allay fears and address problems. Have an informal conversation with your compliance officer, go to lunch; those are the places where you can have a conversation without everyone being defensive. Build that common alliance."
Form a governance board. "Make sure people from all across the organization are involved, not just IT and security, but also business users--find out what they're using SharePoint for now, and how you might map SharePoint to other technologies and address concerns."
And don't give up. "To me, the more you can make SharePoint the place everyone goes to in an organization, the better it helps security. And the more that people use SharePoint, the more they're confident in SharePoint and its security, and that they can access information as they like, the more successful we will be."