SharePoint 3.3 Is Now Available

It’s an exciting week here at TITUS as we release TITUS Security Suite for SharePoint 3.3, which includes both TITUS Metadata Security and Document Policy Manager. While there are many improvements and new features with this release, such as enhanced audit reporting and the ability to use hidden columns to create more flexible policies, for me the standout feature is secure mobile access to documents and list items.

Because mobile devices are easily lost, stolen or hacked, many SharePoint administrators don’t want to let their workers download highly sensitive information to their mobile. For instance, while it might be perfectly acceptable to access a financial report from the desktop, it might be too much of a risk to let that same user download, view, and edit that document on their tablet.

TITUS Metadata Security for SharePoint (MDS) allows organizations to configure their policies so that permissions are automatically applied and controlled on individual documents and list items.  MDS is able to do this by inspecting the item’s classification (sensitivity) and the user’s claims to process access rules that determine which users with specific attributes can access high business impact information. The result is simplified security administration. With TITUS MDS, documents and items don’t need to be segregated and administrators don’t have to constantly create new intersecting groups to manage changing access rights; TITUS regulates what is available.

With this release of TITUS Metadata Security 3.3, we have extended the dynamic security capabilities to include another criteria – the device type. By adding the device type to the access authorization policy, TITUS can block (and filter from the folder view) any sensitive items being accessed from a mobile device that the user can otherwise access from their desktop.

It should be noted that MDS is not just blocking sensitive documents or items from the users’ view. Even if the user has a direct link to a document that has been restricted from mobile access, the link will not work and access will be denied.

So, if you need to make sure your workers have mobile access to documents in SharePoint – but not too much – be sure to give the latest version of TITUS Security Suite for SharePoint a try.

Can Classification Help Secure SharePoint Data on Your Mobile Device?

Mobile data access and sharing is a great idea but one that comes with a lot of risk. The chance of unauthorized access, data loss, and data exposure are all increased when information stored in SharePoint is accessed from a mobile device. In the recent Aberdeen Analyst Insight, SharePoint Collaboration: Secure and Mobile, Derek Brink sheds some light on how organizations can ensure their SharePoint data is made more secure for mobile users.

Workers are demanding access to their work files from mobile devices, yet mobile devices are more susceptible to data breaches. Beside the fact that the devices themselves (and the data they contain) can be easily lost, the apps themselves are more difficult to secure. While malware targeting mobile devices is not as frequent as desktop OS, we can safely assume mobile devices will become the target or means to significant data theft in the near future.

Aberdeen found that organizations using SharePoint were among the most likely to use complementary, third party security tools to enhance those native to SharePoint, but that they were also among the worst at defining accountability for authorizing data access. Since access is the first step toward data security, it is essential that the matter of authorization be brought under control. Aberdeen found that nearly all organizations (97%) using SharePoint had a “policy” of leaving individual users responsible for determining access privileges for the unstructured data they create. Aberdeen suggests that classification be used to help with this problem.

Why?

Users will find identifying the sensitivity of a document and its value to the organization easier than managing its access in SharePoint. When a user classifies a document or file, TITUS adds metadata which can be leveraged to automatically apply security and access controls in SharePoint, ensuring content access policy is accurately maintained. Classification can also help with another key Aberdeen recommendation: user security training. Asking users to classify the information they access or create will keep data security top of mind. With TITUS’ simple to use interface, violation warnings, remediation suggestions and quick access to help, security policy training is constant.

With mobile access complicating the security picture, it is more important than ever to make it easy for users to get the fundamentals of information security right. By classifying data in SharePoint, users will no longer have to concern themselves with managing access rights. Rather, TITUS Classification metadata will inform SharePoint if the data matches the user profile in order to allow or deny access.

For more information on securing your organizations information in SharePoint, download the report today.

SharePoint Security Starts at Deployment

As the repository of a great deal of an organization’s sensitive data, it is imperative to ensure that your SharePoint web applications are set up properly from the moment of deployment. All the precautions taken to ensure appropriate user access to libraries and lists can be completely undone if security best practices at the administration level are neglected.

Security in Microsoft SharePoint starts at the time of deployment. Setting up the proper user accounts ensures the proper separation of responsibilities and activity auditing. Therefore, it is important to set up multiple user accounts with limited privileges. These accounts exist for specific administrative functions and nothing more. At minimum, there should be three different user accounts created to manage setup, SQL management, and for SharePoint farm administration.

1. The Setup User Account

The setup user account is used only for running the SharePoint setup wizard, the product configuration wizard and for installing any patches, service packs, cumulative updates or hot fixes. Any time you plan to run the setup and configuration wizards or plan to install updates, this is the account that should be used.

The Setup User Account should not have any special administrative privileges on the SQL Server system as long as the SQL Server is on a separate system or VM from the SharePoint servers. When running the SharePoint setup and configuration wizards, these processes will use the Setup User Account credentials to create databases and SQL logins for other SharePoint accounts. However, despite the lack of administrative privileges to the SQL Server system (as recommended above), before starting to setup SharePoint, you must assign the Setup User Account to the securityadmin and dbcreator roles in SQL Server.

2. SQL Server Service Account

This account should be set up before you begin the installation process as the SharePoint setup wizard will request this account during setup. This account is used specifically by SharePoint when it tries to access data from SQL server. This account will be given all appropriate rights to SQL Server during the SQL Server setup process. Best practices dictate that this account needs to be a user account in the Active Directory domain and it should be secured according to your IT security policies.

3. SharePoint Farm Account

This is the farm administrator’s account and is all powerful within SharePoint. Providing access to the SharePoint central administration console, it is this account that is used to run and manage the entire farm. For example, during the setup and configuration process, several critical SharePoint services (including the timer service) will be configured to use the Farm Account as the identity under which they run.

One final note: do not use personal accounts when deploying SharePoint. The Setup User Account becomes owner of the SharePoint farm. The Farm Account becomes dbowner of the SharePoint Config database. There are many places where the account, and its email address, get integrated into the farm. Use of a personal account will make you the farm’s owner and could compromise security if you have privileges on other systems. In addition, personal accounts change if your role changes, so it is important that a personal user account is not left owning the SharePoint farm.

If you would like more information about managing security in SharePoint, download our new Introduction to Security in SharePoint 2013 white paper today.

AIIM Industry Watch Report Released – SharePoint 2013: Clouding the Issues

A new report released by AIIM outlines the significant impact that SharePoint has had in the both collaboration and the content management space. New features within SharePoint 2013 fuel the debate about SharePoint’s ability to be the enterprise’s primary collaboration tool, repository, and archive without requiring customizations or third-party add-on products. In SharePoint 2013 – Clouding the Issues, the new capabilities and potential pitfalls for cloud SharePoint deployments are examined against the backdrop of overall SharePoint adoption and project success.

Among the key findings in the report:

• The biggest on-going issues are user adoption, extending the business scope, and governance. Achieving uniformity of classification and metadata is also a big issue.
•  Despite improvements in the standard feature set, 67% still see third-party products as important. There is still strong interest in third-party add-in products, particularly system monitoring, BPM, storage management, metadata management, and records management.
•  23% still have big issues with governance and user-security in SharePoint (rising to 30% of large organizations). 35% feel that considerable improvements have now been made.

TITUS Security Suite for SharePoint enhances native SharePoint security and ensures that security policies are applied consistently and automatically across all sensitive content in SharePoint. The solutions ensure the right people access the right information, and promote end user awareness and accountability for sensitive information.

Why do Enterprises or Governments Secure Their Information?

Welcome to the first in a series of posts that will review fundamental security features in Microsoft SharePoint 2013. In this first post I will examine the reasons behind information protection as it impacts the security strategy, its adoption, and ultimately the success of your SharePoint security policies and practices.

When I speak about SharePoint security I often start off with a discussion about why organizations secure their information. What reasons drive people to implement security measures to control and govern information? I have found that, for a business owner or C-level executive it may be obvious, but for the average employee it may not be.

To be clear, this article is not intended to deal with an individual’s personal information; it specifically talks to how enterprises or governments deal with sensitive internal business information.

What drives people to secure information?

We’ve all heard statistics about how the information we’re creating and storing is growing at an exponential rate. Many of us now regularly measure database sizes in Petabytes – and the growth is not slowing. In a 2013 eWEEK article, Gartner analysts predicted that enterprise data will grow by 800 percent over the next five years, and that 80 percent or more of that new data will be unstructured. Unstructured data consists of documents, videos, spreadsheets and other content workers create. It is also the most difficult to protect as it can take many forms and is difficult for security system to accurately protect.

We often hear how organizations are centralizing the storage of information in order to promote better collaboration—a business need SharePoint excels at solving—but for many this raises new security concerns. We also know that every organization has some meaningful amount of information that is considered sensitive and we are bombarded with messages from governments, NGOs, consumers, vendors and the media that this sensitive information must be secured, controlled, and properly governed. However, many individuals who own or have responsibility for this information usually treat its security as an afterthought.

Why is that?

With all the statistics and talk about the amount of information we’re generating, the increased security risk of pooling all this information in a central repository, and the serious damage a data leak can cause, why is its security not top of mind?

Based on my 15 years of experience in the security industry working with many large organizations around the world and with many individuals who own content (or are responsible for content), I have developed a theory.

People only feel compelled to secure information when they:

1) have a personal connection to it

2) when they truly understand the risk which exposure of that information poses, and

3) when the impact of such an exposure affects them directly.

In my experience working with data users, when they do secure information it is rarely because it’s the right thing to do. While there are exceptions, in general people choose to treat data securely because it protects them rather than doing it for the good of the organization. This isn’t a pessimistic view. I believe it’s just natural human behavior… at least it is today. Culture may be slowly changing on this front due to the high level of media exposure about data leaks lately, so who knows how people will feel or think of securing information in the next few years. But right now, I firmly believe that users are not thinking about the good of the organization if they treat data securely.

Yet, successful security requires that the end user is motivated (preferably for non-selfish reasons). To that end, we need to examine why organizations are securing data and how to make sure the people of that organization understand why it is to their benefit to ensure security measures are followed.

Let me summarize the cases in which I have seen people (outside the security industry) really driven to secure their information. I’ve categorized each as a set of risks and summed up the specific motivations in a high-level driver.

1. Reducing Your Liability
For many industries, the exposure of sensitive corporate information can have very negative impacts to business. The risks include:

• Compliance violations that result in extremely heavy fines (depending on the industry)
• Sanctions and legally imposed restrictions on business
• Loss of business reputation (bad PR can lead to lost stock value, lost customers, lost market share, etc.)

A business owner or a C-level executive will likely be very concerned about such risks and be driven to secure sensitive information in order to protect the business. Since they look at the business as a whole and are tasked with ensuring its success, senior managers are better positioned to understand the risks. They are also more invested in the consequences of a breach as it will be them that must face the fines, lawsuits, and earnings reports. Senior managers may also be worried about their personal reputation as well as that of the business should a serious data breach occur.

The same risks and motivations exist for government department managers. Senior public service managers can easily face the same consequences, including: facing a board of inquiry, budget cuts, loss of reputation, and loss of employment.

Security measures often fail because the average employee may not be concerned about these risks to the business or department. Depending on the employee, they very likely don’t even know what information is sensitive or understand how a breach can affect the organization.

2. Protecting Your Investments
This particular category of risks typically applies to enterprises, much more so than governments. The risks include:

• Loss or theft of intellectual property (know how, designs, plans, budgets, vision documents, etc.)
• Exposure of customer lists
• Exposure of acquisition/merger information or budgetary/accounting data
• Compromising of internal (or external) business systems – which could have a trickle-down effect of loss of customers

Once again, a business owner or C-level executive will likely be very concerned about such risks and be driven to secure sensitive information in order to protect the business. This type of data loss can greatly affect the business’ performance. Since business performance is often tied to compensation or bonus packages, senior managers are highly motivated to protect data. In particular, a CIO or CISO will typically be measured critically (or terminated) when these types of exposures occur.

For a typical employee, however, most do not receive bonuses based on company performance and those that do would receive a much lower percentage than an executive. As well, they often do not understand which information is sensitive and how the loss of that information will affect the business. Unless you provide both a clear way to identify which information is sensitive and can effectively motivate employees to secure the data they manage, their ability (and desire) to help protect against data loss will be limited.

3. Public Safety or Mission Success
This category typically applies to government agencies like national defense departments, internal security agencies (such as U.S. Homeland Security), as well as other government departments. The risks include:

• Exposure or theft of classified mission data (which can compromise military missions and endanger personnel)
• Exposure of homeland security information (which can endanger the general public)
• Compromising of critical government services and security systems

In these cases, the personnel that deal with the data involved are typically well trained in how to handle this type of sensitive information. As well, often people go into these areas of work because they have a desire to be part of the public service, or they wish to work in the military or a service that protects the public safety. As such, this particular category may be an exception to the theory I put forward earlier.

While there have been some high profile leaks of classified government information in the last few years, in general the people that work and deal with this type of information do tend to protect it. People dedicated to public safety understand the very negative and dangerous impacts that can happen with the exposure of data and believe that protecting this information is the right thing to do.

4. Health Information
In recent years, a new importance is being put on the secure management of personal health information and it is an area of interest I have been researching. While this does involve an individual’s information, I am concerned about how hospitals, insurers and government agencies store and manage this information. And, unlike companies that have to protect only personal or financial information, the motivation to protect data exceeds just bad press, fines or lawsuits when there is a leak.
For example, in the state of Florida a personal health identity can be illegally purchased for approximately $56,000. For a non-insured individual, purchasing such an identity will allow them to illegally get access to the victim’s health care, causing the original owner of that insurance plan to have their premiums used without their knowledge. While this can be categorized as a kind of financial theft, more seriously the person illegally using the health identity can cause data within the health record to be modified. For example, if the impostor is blood type is type A, then that data could be applied to the original health record. If the genuine insured needs an emergency blood transfusion but is type B-negative, their health has been put at risk.

In this case, government agencies and health care organizations that manage personal health information must ensure that proper security measures are put in place in order to prevent these types of risks or exposures from happening. In these cases, typically both the administrators and the employees working in the health care industry do care about these types of risks, and are starting to get a sense for the very dangerous impacts that can occur. Traditionally, however, the health care industry has been slow to adopt technology solutions that can help secure data. Thanks to new legislation, the slow adoption of technology that has been accelerating somewhat in recent years.

Overall
To summarize, in many businesses and organizations the average person tends to feel a true need to secure information when they have a personal connection to it, or when they truly understand the consequences of exposure, or when the impact of such an exposure can affect them directly. The ideal situation in any organization would be if each and every individual does in fact care about securely handling sensitive information. This is really what we should be striving for, and many of organizations are starting to tackle this head on.

To date, I have found that the best way to create a security mindset is to overtly involve all employees in the organization’s security strategy. This is started with education so that they understand which information is sensitive and how they should handle it. They also need to be aware of the very real and very negative impacts of information exposure, both to the business and to them personally as employees or individuals. In addition, openly discussing security policy and asking for best practice feedback from employees will help foster feelings of ownership and responsibility. Once employees have been educated and have been provided some involvement in the security process, organizations need to overtly foster accountability. This can be in the form of check-out procedures for highly sensitive documents, or by stamping the employee’s name on all documents they access so that if it is handled carelessly it can easily be tracked back to them.
Despite all the tremendous effort and work that has gone into developing some very excellent security technologies, alone they are unable to manage the task of keeping data completely secure. Employees’ willingness and ability to enforce secure governance procedures is vital to defend against both inadvertent and malicious exposure of sensitive information.

Automating Security in SharePoint

In case you missed it, Alan Pelz-Sharpe (Research Director, Content Management and Collaboration at 451 Research) and our own Antonio Maio (Senior Product Manager, TITUS) hosted a great webcast titled: Key Strategies to Effectively Govern and Secure Sensitive Data in SharePoint 2013. There were a lot of great tips in the webcast, but there is one item that captured most of the participant’s attention: automating security and policies. Since managing security in SharePoint is a manual process, it is very difficult to consistently enforce the ever-changing security and policy requirements across all content. Our participants had a lot of great questions about how TITUS can help to enable automation.

 

Before we get into the participants’ specific questions, let me quickly review what Titus SharePoint Security can do to help automate SharePoint Security enforcement. Fully integrated with SharePoint, administrators can set fine-grained policies that use metadata to authorize or deny a user’s access privileges to specific information. In addition, TITUS’s solutions can help to raise user awareness and accountability when handling the information by applying classification headers, footers and watermarks. These markings also promote accountability by applying the user’s name and a time stamp to downloaded and exported materials.

Our main website contains a great deal more information about the TITUS SharePoint Security solutions, but a review of the webinar questions can provide a different perspective than what is typically found in our marketing materials.

Q: Can TITUS apply policies to existing content?
A: Yes, TITUS applies the policies to all existing or imported content.

Q: How does TITUS administer policies across my SharePoint system?
A: TITUS can set up policies at the site collection level and all information contained within that site collection will follow these default policy and security settings. However, where needed, administrators can also set rules for specific sub-sites, libraries and lists. These specific rules will trump the site rules, ensuring the necessary security is always enforced.

Q: Aren’t there native document mark-up options within SharePoint?
A: Partially, but only in SharePoint 2010. SharePoint 2010 did provide some limited ability to add labels to the top of Word, Excel and PowerPoint documents when the document was opened into the native application. So, a user could choose or be prompted to add a label, such as “Confidential” to the top of a document they were editing. However, there are several limitations, including the lack of support for watermarks, it is limited to just MS Office files and there is no bulk labeling.

In SharePoint 2013, all native SharePoint labelling options have been removed.

In contrast, with TITUS Document Policy Manager for SharePoint, headers, footers and watermarks are applied to Microsoft Office documents and PDF documents automatically according to the polices established by the administrator.

Q: Can TITUS apply security on specific content types?
A: Yes. SharePoint itself does not support setting permissions on content types. More specifically, with native SharePoint capabilities you cannot configure permissions to be set on all instances of a particular content type like an “Expense Report”.  Permissions can only be assigned to securable objects like items and documents (or any content type derivation of those) and to containers like folders, documents sets, libraries, lists, sites and site collections.

TITUS Metadata Security for SharePoint can set permissions on items and documents (and any derivation of those) automatically based on the content type of each item.  For example, when configuring policies in TITUS Metadata Security, you can include conditions like “if ContentType = Expense Report” and have unique permissions assigned only to items of those specific content types.

Q: How long is your trial version and do you provide support during the trial?
A: TITUS’ standard trial is 15-days during which you will receive assistance from a TITUS sales engineer.

March 28 Webinar – SharePoint Governance: The Impacts of Moving to the Cloud

Is your enterprise considering a move to the Cloud? Are you aware of the benefits and risks of moving SharePoint and key workloads to a Cloud environment?

Webinar: Thursday, March 28, 2013 11:00 AM – 12:00 PM EDT

Register today for this webcast to learn the pros and cons of moving to the Cloud: https://www2.gotomeeting.com/register/714036874.

Join Microsoft SharePoint MVPs Christian Buckley, Director of Evangelism, Axceler and myself for a discussion on functional trade-offs of the platform, potential impacts and risks that need to be considered when moving SharePoint to the Cloud. This webinar will cover topics such as:

• SharePoint capabilities in Office365
• Existing investments that organizations have made in customizing SharePoint
• Data sovereignty
• Regulatory compliance

Is SharePoint Online the right decision for you?

Understand the impacts to your business of moving to the cloud in order to determine if your enterprise is ready?

Hoping you can join us. We’re looking forward to the discussion and taking people’s questions.
– Antonio

Enhanced Managed Metadata Support in TITUS Metadata Security 3.2

In its latest release, TITUS Metadata Security for SharePoint Version 3.2 has greatly increased the support for SharePoint Managed Metadata.  In particular, TITUS Metadata Security can work with managed metadata terms in a more meaningful way as part of the conditions that it evaluates when determining if a specific policy needs to be enforced on a document or item.  These conditions which can be part of any policy are referred to as “Conditional Expressions”.

For many versions, TITUS Metadata Security has been able to use any metadata column and any metadata field type as part of its conditional expressions.  When authoring a policy and specifying a conditional expression, an administrator could choose any column that was currently configured for the list or library.  For example, a conditional expression of [Classification] = “Secret” meant that for a particular item in the list or library if the Classification column was set to a value of “Secret” then TITUS Metadata Security would enforce that policy on that item.  And in this case, the “Classification” column could be a managed metadata column type.  However, in previous versions, the comparison between the value of this column and the conditional expression in the policy was simply a text comparison.

In version 3.2, this comparison can still be a simple text comparison, however TITUS Metadata Security has now provided the additional option of performing this comparison between the actual managed metadata “term” specified for an item and the “term” specified in the policy, regardless of the text value specified for that term.  This has several advantages:

• If the text value of a managed metadata term changes, then TITUS Policies do not need to be updated to take into account the new value (for example, if the term “confidential” within a classification term set is renamed to “classified”)
• If multiple language variants are specified for a particular term, for example “confidential” for English and “vertraulich” for German, then TITUS Policies will evaluate correctly regardless of which language the end user has used to specify the metadata term for an item
• If managed metadata terms are reused within a complex metadata hierarchy, TITUS Policies will evaluate correctly for a particular term regardless of where in the metadata hierarchy the term is defined

So, let’s see how we configure this:

• In order to create policies, you must first navigate to the TITUS Metadata Security Administration screen, which can be accessed from the Site Settings page on a subsite or site collection, or from the Library/List Settings page.  This depends on the rights you have of course.  Click the “TITUS Metadata Security Administration” link on the page.
• The Administration page shows you 2 different tables: Permission Policies and Dynamic Policies
  • In either case, this view displays the currently “Published” policies.  These are the policies that are currently being enforced.  You may not have any policies yet.  Click the “Edit Rules” link under either table.
  • Clicking Edit Rules takes you to a page where you can add, modify or remove policies.  These are the current “Draft” policies – those which are being edited, have been saved, but are not yet published (so not yet enforced).  Click the “Add New Rule” link.
  • Now to specify a new rule, you must first give the rule a name, decide if it will be enabled or not, and then add a security action.  Depending on if you have selected Permission Policies or Dynamic Policies different security actions will be available.
  • When configuring TITUS Metadata Security Policies,  you can select for policies to always apply (this is the default) or to apply only under certain conditions.  These conditions are the conditional expressions mentioned above.  In order to specify a conditional expression, you must click the “Only if the following conditional expression is true” radio button.

• Then a conditional expression is made up of a Resource, an Operator and a Value.

Conditional Expression in TITUS Metadata Security

 

 

• First you must select a Resource to evaluate in your expression.  The options available here are “Metadata” or “Claim”.  The “Claim” option only appears if you have configured your web application for claims based authentication.  Since we’re exploring how to use Managed Metadata Terms, select the “Metadata” option in the Resource dropdown.
• The second dropdown in the Resource column will now populate with the metadata fields that are currently available.  If you are administering from the list or library level, this will display the metadata columns available on this list or library.  If you are administering from the site level, then a limited set of columns are displayed out of the box.  For policies at the site or site collection level, a site collection administrator must first navigate to the “Configure Metadata Columns” page that is available with TITUS Metadata Security (available from the Site Settings page to site collection administrators only) and select which metadata columns can be used as part of TITUS Policies. To work with managed metadata terms, you must select a metadata column from this second dropdown which is a managed metadata column.
• Once selected, you may select any operator available from the Operator dropdown.  The default is equals.
• Once a managed metadata column is selected for the Resource, the Value dropdown provides a number of options, including “Type in Value”, “Claim” and “Managed Metadata”.  The administrator can select “Type in Value” if they wish a simple text comparison to occur when evaluating the condition, or they can select “Managed Metadata” if they want the actual term selected for the policy to be compared to the term selected as part of an item’s metadata.  Select Managed Metadata from the Value dropdown.
• The user interface for specifying a value now changes to allow the administrator to click a Get Term button to select a term from the metadata column’s predefined term set using the SharePoint’s common Managed Metadata Term selection window. You would have specified the term set for a managed metadata column when the column was defined.

Conditional Expression with Managed Metadata in TITUS Metadata Security

 

• Click the Get Term button and the following windows will appear allowing the administrator to select the appropriate term to compare within the policy.

SharePoint Managed Metadata Selection

 

SharePoint Managed Metadata Selection

 

• Once the managed metadata term is selected, click the Add Condition button, and the conditional expression will be updated with this condition. You’ll notice that the ID of the term is saved within the policy, so that comparisons between the metadata term on an item or document against the term specified in a policy can be much more meaningful than a simple text comparison.
• You may then add additional conditions to the policy’s conditional expression, and when done you can click the Update Rule button to add the policy to the current set of saved (Draft) policies.

This enhanced support for managed metadata terms allows TITUS Metadata Security to be used very effectively in environments where managed metadata plays a critical role in organizing and protecting an organization’s sensitive information.

-Antonio

What Are Your Organization’s Top SharePoint Security Challenges?

What Are Your Organization’s Top SharePoint Security Challenges?

Recently, TITUS had the opportunity to ask over 200 SharePoint users about their top SharePoint security concerns. The survey confirmed for us what we had been hearing from our customers over the past number of years – organizations are storing a wide variety of sensitive information in SharePoint, from financial and HR information, to intellectual property, to personally identifiable information (PII).

This raises a number of security challenges for organizations. From our survey, we found that 79% of organizations see permissions management and site ownership as the top SharePoint security challenge. Not surprising considering that while new SharePoint deployments very often attempt to segregate sensitive content, most organizations find that users prefer to store information based on topic, function or project.

You can see more results from our survey, and learn more about how the TITUS approach to SharePoint security helps to address the issues raised, by having a look at our infographic on the topic.

What are the most pressing SharePoint security challenges in your organization?

Nicole Baker

TITUS Public Relations manager

SharePoint Security Minute with TITUS Product Manager Antonio Maio

TITUS Senior Product Manager and SharePoint Server MVP Antonio Maio recently shared some of his insights on SharePoint security. He provided tips, pointed to current challenges and explained how SharePoint will be affected as computing becomes more mobile and social.

Question: What are some aspects of SharePoint security that you think are critical but may be overlooked?

Maio: People often come to talk to us about enforcing security at a fine-grained level or detailed level. This relates to the level of security on each individual document or each individual data item within SharePoint, as opposed to broadly applying security to large sites or libraries. We see many customers take a very broad approach to security where a particular site is considered the ‘secret site’ where sensitive information sits, while less sensitive information goes elsewhere. But more and more we are seeing a trend where people want to have sensitive information sitting beside non-sensitive, and have the security evaluated on each individual item.

Another aspect of security that is often overlooked is the idea of automating security, or having security policies automatically applied to content. This becomes especially important with large amounts of content. We have some customers that have millions of documents sitting in SharePoint – it’s impossible to manage security on a fine-grained level with that much content and without some kind of security policy automation.

Q: What’s the benefit of fine-grained security? Is it helpful for compliance?

Maio: The goal for our customers is mainly compliance, to ensure that people are only accessing information that they have permission to access; to make sure there are no information leaks, whether they’re inadvertent or malicious. The value in automating security policies is that you can then be sure that it applies to all of your SharePoint content no matter where it resides. For many organizations, a SharePoint deployment often starts off small and then grows quite rapidly. You end up with many libraries and many sites. People may not remember they have a library sitting off somewhere that may have sensitive information sitting within it.

Q: Are there any common anxieties customers have about SharePoint security? How do you address these concerns?

Maio: People and organizations often have established information sharing policies. They already have some sort of corporate information sharing policy:  information must be classified by users in some specific ways, and as a result it is only to be shared with specific groups, and so on. How they map that into SharePoint is often a challenge for them because the policies are frequently written in plain English and then translated into SharePoint controls. Having those controls automatically applied can be a big challenge for them.

When we look at how customers have deployed SharePoint and how their users interact with it, we offer a very flexible model for them to translate those information sharing policies into security controls within SharePoint. TITUS products allow organizations to create policies or rules with very simple or complex conditions within the management interface of our products. Customers are guided through configuring their information sharing policies whether it has to do with classification or metadata or the user or some combination of those properties – we allow them to easily model their corporate information sharing policies into security controls in SharePoint within the TITUS SharePoint Security Suite.

Q: As computing evolves, with mobility and social networks becoming more important, how do you see the security of SharePoint impacted?

Maio: In a world where people are not necessarily always accessing information from their office computers, where people are accessing work information or trying to get work done from their own PC or tablets or smartphones, security takes on a new challenge. You can’t just secure the perimeter anymore; you can’t just have firewalls centrally managed. You need to apply policies to every single piece of information you are sharing.  The information object becomes the new perimeter.

Q: How can a security solution make sure people are logging into SharePoint securely?

Maio: SharePoint provides a few great options for enforcing a secure login, what we often call authentication.  These options include the traditional Windows integrated login, forms based login (so logging in through a custom web page) and a new concept called claims based authentication which securely retrieves detailed and trusted attributes about the user that’s logging in.  When we look at identity and authentication, you also talk about the concept of federation.  Federation has to do with not just letting internal people in an organization access SharePoint, but also letting external partners or customers log into your SharePoint site using their own identity – through their Facebook or Google account, for example.

Q: Is this safe to do through a website like Facebook? It doesn’t seem very secure at times.

Maio: Absolutely, due to the open and secure protocols used to enable federation.  However, as we talked about earlier, you still need to ensure that you are only making the appropriate information available (in an automated way) to users that login to SharePoint using their Facebook account.  As an example,  if you have a website where people have to create an account to download a white paper, most people are going to put in invalid information, or garbage data, just to get the white paper. But if you allow them to log in with a Facebook account, it’s more likely you’re going to have a real email address to communicate with them afterward. This is why federation becomes appealing for large organizations that have large consumer clients.  Then, if you know they came in using their Facebook account, you can prevent them from accessing sensitive data, and only allow them to access information that is open to the public.