TITUS Senior Product Manager and SharePoint Server MVP Antonio Maio recently shared some of his insights on SharePoint security. He provided tips, pointed to current challenges and explained how SharePoint will be affected as computing becomes more mobile and social.
Question: What are some aspects of SharePoint security that you think are critical but may be overlooked?
Maio: People often come to talk to us about enforcing security at a fine-grained level or detailed level. This relates to the level of security on each individual document or each individual data item within SharePoint, as opposed to broadly applying security to large sites or libraries. We see many customers take a very broad approach to security where a particular site is considered the ‘secret site’ where sensitive information sits, while less sensitive information goes elsewhere. But more and more we are seeing a trend where people want to have sensitive information sitting beside non-sensitive, and have the security evaluated on each individual item.
Another aspect of security that is often overlooked is the idea of automating security, or having security policies automatically applied to content. This becomes especially important with large amounts of content. We have some customers that have millions of documents sitting in SharePoint – it’s impossible to manage security on a fine-grained level with that much content and without some kind of security policy automation.
Q: What’s the benefit of fine-grained security? Is it helpful for compliance?
Maio: The goal for our customers is mainly compliance, to ensure that people are only accessing information that they have permission to access; to make sure there are no information leaks, whether they’re inadvertent or malicious. The value in automating security policies is that you can then be sure that it applies to all of your SharePoint content no matter where it resides. For many organizations, a SharePoint deployment often starts off small and then grows quite rapidly. You end up with many libraries and many sites. People may not remember they have a library sitting off somewhere that may have sensitive information sitting within it.
Q: Are there any common anxieties customers have about SharePoint security? How do you address these concerns?
Maio: People and organizations often have established information sharing policies. They already have some sort of corporate information sharing policy: information must be classified by users in some specific ways, and as a result it is only to be shared with specific groups, and so on. How they map that into SharePoint is often a challenge for them because the policies are frequently written in plain English and then translated into SharePoint controls. Having those controls automatically applied can be a big challenge for them.
When we look at how customers have deployed SharePoint and how their users interact with it, we offer a very flexible model for them to translate those information sharing policies into security controls within SharePoint. TITUS products allow organizations to create policies or rules with very simple or complex conditions within the management interface of our products. Customers are guided through configuring their information sharing policies whether it has to do with classification or metadata or the user or some combination of those properties – we allow them to easily model their corporate information sharing policies into security controls in SharePoint within the TITUS SharePoint Security Suite.
Q: As computing evolves, with mobility and social networks becoming more important, how do you see the security of SharePoint impacted?
Maio: In a world where people are not necessarily always accessing information from their office computers, where people are accessing work information or trying to get work done from their own PC or tablets or smartphones, security takes on a new challenge. You can’t just secure the perimeter anymore; you can’t just have firewalls centrally managed. You need to apply policies to every single piece of information you are sharing. The information object becomes the new perimeter.
Q: How can a security solution make sure people are logging into SharePoint securely?
Maio: SharePoint provides a few great options for enforcing a secure login, what we often call authentication. These options include the traditional Windows integrated login, forms-based login (so logging in through a custom web page) and a new concept called claims-based authentication, which securely retrieves detailed and trusted attributes about the user that’s logging in. When we look at identity and authentication, you also talk about the concept of federation. Federation has to do with not just letting internal people in an organization access SharePoint, but also letting external partners or customers log into your SharePoint site using their own identity – through their Facebook or Google account, for example.
Q: Is this safe to do through a website like Facebook? It doesn’t seem very secure at times.
Maio: Absolutely, due to the open and secure protocols used to enable federation. However, as we talked about earlier, you still need to ensure that you are only making the appropriate information available (in an automated way) to users that log in to SharePoint using their Facebook account. As an example, if you have a website where people have to create an account to download a white paper, most people are going to put in invalid information, or garbage data, just to get the white paper. But if you allow them to log in with a Facebook account, it’s more likely you’re going to have a real email address to communicate with them afterward. This is why federation becomes appealing for large organizations that have large consumer clients. Then, if you know they came in using their Facebook account, you can prevent them from accessing sensitive data, and only allow them to access information that is open to the public.
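The three ideas that run through the interview (evaluating security on each individual item rather than on a whole site, expressing the corporate information-sharing policy as rules over classification, metadata and user attributes, and confining identities that arrived through an external provider such as Facebook to public content) can be shown as one small policy evaluator. The code below is an added illustration written for this page; it is not TITUS or SharePoint code, and the claim names, classification labels, issuer names and the sample library are all constructed. A claims-based login is modelled as a `Claims` record carrying the issuer and group claims, and each document is an `Item` with its own classification, so the decision is made per item and fails closed on anything that is not labelled.

```python
from __future__ import annotations
from dataclasses import dataclass

# Ordered from least to most sensitive; the position is the rank. Labels are assumed.
CLASSIFICATIONS = ("public", "internal", "confidential", "secret")

# Issuers treated as inside the organization (Windows integrated or forms login).
# Any other issuer (a social or partner identity provider) is federated/external.
INTERNAL_ISSUERS = frozenset({"windows", "forms"})


@dataclass(frozen=True)
class Claims:
    """What the login asserts about the user (constructed, simplified claim set)."""
    identity: str
    issuer: str                        # who vouched for this identity
    groups: frozenset = frozenset()    # group claims asserted at login
    clearance: str = "public"          # highest classification the user may read


@dataclass(frozen=True)
class Item:
    """One document or list item with its own metadata (constructed)."""
    path: str
    classification: str
    restricted_to: frozenset = frozenset()  # if non-empty, only these groups may read


def rank(label: str) -> int:
    """Rank of a classification label; unknown labels get -1 so they fail closed."""
    try:
        return CLASSIFICATIONS.index(label)
    except ValueError:
        return -1


def evaluate(item: Item, claims: Claims) -> tuple[bool, str]:
    """Decide one user's access to one item; returns (allowed, reason)."""
    item_rank = rank(item.classification)
    if item_rank < 0:
        # Mislabelled or unlabelled content is denied until it is classified.
        return False, "unclassified item: denied until labelled"
    if claims.issuer not in INTERNAL_ISSUERS and item_rank > rank("public"):
        # A federated identity is limited to public content regardless of any
        # clearance claim its external provider may assert.
        return False, f"federated identity ({claims.issuer}) limited to public content"
    if rank(claims.clearance) < item_rank:
        return False, f"clearance {claims.clearance} below {item.classification}"
    if item.restricted_to and not (item.restricted_to & claims.groups):
        return False, "not a member of the item's restricted groups"
    return True, "ok"


def visible_items(library, claims: Claims) -> list[str]:
    """Paths this user may read, evaluated item by item rather than site by site."""
    return [item.path for item in library if evaluate(item, claims)[0]]


# Constructed sample library: sensitive and non-sensitive items side by side.
LIBRARY = (
    Item("/sites/marketing/whitepaper.pdf", "public"),
    Item("/sites/marketing/pricing.xlsx", "internal"),
    Item("/sites/finance/q3-forecast.xlsx", "confidential", frozenset({"finance"})),
    Item("/sites/finance/merger-memo.docx", "secret", frozenset({"exec"})),
    Item("/sites/legacy/old-notes.txt", "draft"),  # mislabelled: fails closed
)

# Constructed users: two internal logins and one federated (Facebook) login.
EMPLOYEE = Claims("alice", "windows", frozenset({"finance"}), "confidential")
EXEC = Claims("bob", "windows", frozenset({"exec", "finance"}), "secret")
PARTNER = Claims("carol@example.com", "facebook", clearance="confidential")

if __name__ == "__main__":
    for user in (EMPLOYEE, EXEC, PARTNER):
        print(f"{user.identity} via {user.issuer}:")
        for item in LIBRARY:
            allowed, reason = evaluate(item, user)
            print(f"  {'ALLOW' if allowed else 'DENY '} {item.path}  ({reason})")
```

The order of the rules is the point: the issuer check runs before the clearance check, so a clearance claim asserted by an external provider never unlocks internal content, and an item whose label is missing or unrecognised is denied rather than treated as public. Running the script prints the per-item decision and reason for each sample user, which is the kind of trace an administrator would want when checking that a written sharing policy has been translated into controls correctly.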