Why do organizations adopt SharePoint? For a whole host of reasons - to build a powerful Intranet tool, a usable document management system or a comprehensive Records repository. While very different, these use cases all share a common theme: they rely on a robust security model in order to operate effectively.
SharePoint security has long been at the cutting edge, offering a range of user and data protection, audit, and governance features. But in order to avoid security issues, certain rules need to be obeyed and features need to be used in the appropriate manner.
In this post, we are going to look at five (potential) SharePoint security issues, and how to avoid them.
1. Too many permissions to handle!
The flexibility provided by the SharePoint security model is really quite impressive. It allows users to be assigned different permission levels and capabilities over a range of sites and content types. Yet this flexibility comes at a price. Admins often find a significant amount of unintended abuse of the permission assignments in SharePoint, where people have inadvertently been given too much power. As a result users accidentally delete, update, corrupt, move, or change content and sites.
As a rule of thumb, Admins should only give the minimum permission required to each user. However, things are not always so black and white, so try these steps when assigning permissions:
Identify the roles required to access SharePoint in the organization
Assign the minimum aggregated permission levels to fulfill these roles
Consolidate the users into groups
Test that users can adequately do their jobs
2. Incorrect configuration of features i.e Document Management
SharePoint is often seen as the kitchen sink of enterprise tools, it does so much so well. The flipside, however, is that it can often be overwhelming when it comes to configuring specific features. Take document management - so many organizations leverage SharePoint for document management as they have to handle thousands of documents every year. SharePoint is capable of handling these numbers securely, provided document management features are configured correctly.
Before you decide to manage your organization's documents in SharePoint, make sure you have configured proper features for Document Management.
Ensure permissions are up to date. Check that only the right people have access to the right files.
Ensure that versioning of documents is enabled. This lets admins and other team members work on the same document simultaneously, and helps prevent inadvertent overwriting of content
Enable indexing on document libraries. Document libraries usually have this feature turned off, and so search does not crawl them, thus making search results ineffective.
Collect enough metadata and create content types correctly. This helps manage your documents more effectively.
3. Compliance rules and governance
For many organizations, data and document compliance play a big role in overall SharePoint security. Failure to comply with these rules and regulations means a company's data can be put at risk. It's no good having roles and access rules set up correctly if users then take data from SharePoint and use it in ways and formats that the company forbids.
SharePoint offers a number of reporting and analytic features that can help to show just how data and documents are being used. Understanding what people are doing is the first step to ensuring what they're doing is OK. Our own tools add an extra layer of detail to this reporting functionality, allowing Admins to drill down into exactly what is going on with content and how compliant (or not) it is at any given time.
4. Check third party software and web parts
This is much less of an issue in the Cloud, where Microsoft tightly controls what addons can and can’t be added to its SharePoint Online and Office 365 platform. But ‘On-Premises’ customers need to be aware of what third party tools they are adding to their environments.
The risk of installing malicious software to a SharePoint farm is, realistically, small, yet poor quality or buggy software can have other security implications. Poor performance can make a system unstable, which in turn can lead it to becoming insecure. Third party tools can themselves rely on other components, services or APIs that are unsafe.
Microsoft introduced the SharePoint App store to, in part, give consumers peace of mind when it came to selecting add-ons for SharePoint. This is a good place to start when it comes to finding high quality applications. It might also be useful to focus on apps that make use of the new ‘SharePoint App Model’. This is Microsoft's preferred way of architecting solutions for SharePoint, and gives certain guarantees over quality and security. A quick Google search is also a good way to see if a company or tool comes with a good reputation or not.
5. Ensure you have the latest patches applied
All enterprise software is subject to patches and updates, and SharePoint (On-Premises) is no different. Microsoft is constantly testing and improving the security of the platform and as a result, they occasionally release patches.
Running a SharePoint platform that isn’t patched properly puts you at risk to issues that have already been identified and fixed. Why take the risk?
Microsoft makes updated information freely available on its website. Updates can easily be deployed automatically, and Knowledge Base articles helpfully explain what is contained in each fix or update.
Prevention is better than cure
SharePoint is a powerful platform for a range of uses, but ineffective security management can throw up all sorts of issues. Taking some of the steps mentioned in this post can help you avoid a whole lot of trouble down the line.
What security measures do you take for your SharePoint?