TITUS Senior Product Manager and SharePoint Server MVP Antonio Maio recently shared some of his insights on SharePoint security. He provided tips, pointed to current challenges and explained how SharePoint will be affected as computing becomes more mobile and social.

Q: What are some aspects of SharePoint security that you think are critical but may be overlooked?
Maio: People often come to talk to us about enforcing security at a fine-grained level or detailed level. This relates to the level of security on each individual document or each individual data item within SharePoint, as opposed to broadly applying security to large sites or libraries. We see many customers take a very broad approach to security where a particular site is considered the ‘secret site’ where sensitive information sits, while less sensitive information goes elsewhere. But more and more we are seeing a trend where people want to have sensitive information sitting beside non-sensitive, and have the security evaluated on each individual item.

Another aspect of security that is often overlooked is the idea of automating security, or having security policies automatically applied to content. This becomes especially important with large amounts of content. We have some customers that have millions of documents sitting in SharePoint – it’s impossible to manage security on a fine-grained level with that much content and without some kind of security policy automation.

Q: What’s the benefit of fine-grained security? Is it helpful for compliance?
Maio: The goal for our customers is mainly compliance, to ensure that people are only accessing information that they have permission to access; to make sure there are no information leaks, whether they’re inadvertent or malicious. The value in automating security policies is that you can then be sure that it applies to all of your SharePoint content no matter where it resides. For many organizations, a SharePoint deployment often starts off small and then grows quite rapidly. You end up with many libraries and many sites. People may not remember they have a library sitting off somewhere that may have sensitive information sitting within it.

Q: Are there any common anxieties customers have about SharePoint security? How do you address these concerns?
Maio: People and organizations often have established information sharing policies. They already have some sort of corporate information sharing policy: information must be classified by users in some specific ways, and as a result it is only to be shared with specific groups, and so on. How they map that into SharePoint is often a challenge for them because the policies are frequently written in plain English and then translated into SharePoint controls. Having those controls automatically applied can be a big challenge for them.

When we look at how customers have deployed SharePoint and how their users interact with it, we offer a very flexible model for them to translate those information sharing policies into security controls within SharePoint. TITUS products allow organizations to create policies or rules with very simple or complex conditions within the management interface of our products. Customers are guided through configuring their information sharing policies whether it has to do with classification or metadata or the user or some combination of those properties – we allow them to easily model their corporate information sharing policies into security controls in SharePoint within the TITUS SharePoint Security Suite.

Q: As computing evolves, with mobility and social networks becoming more important, how do you see the security of SharePoint impacted?
Maio: In a world where people are not necessarily always accessing information from their office computers, where people are accessing work information or trying to get work done from their own PC or tablets or smartphones, security takes on a new challenge. You can’t just secure the perimeter anymore; you can’t just have firewalls centrally managed. You need to apply policies to every single piece of information you are sharing. The information object becomes the new perimeter.

Q: How can a security solution make sure people are logging into SharePoint securely?
Maio: SharePoint provides a few great options for enforcing a secure login, what we often call authentication. These options include the traditional Windows integrated login, forms-based login (so logging in through a custom web page) and a new concept called claims-based authentication which securely retrieves detailed and trusted attributes about the user that’s logging in. When we look at identity and authentication, you also talk about the concept of federation. Federation has to do with not just letting internal people in an organization access SharePoint, but also letting external partners or customers log into your SharePoint site using their own identity – through their Facebook or Google account, for example.

Q: Is this safe to do through a website like Facebook? It doesn’t seem very secure at times.
Maio: Absolutely, due to the open and secure protocols used to enable federation. However, as we talked about earlier, you still need to ensure that you are only making the appropriate information available (in an automated way) to users that log in to SharePoint using their Facebook account. As an example, if you have a website where people have to create an account to download a white paper, most people are going to put in invalid information, or garbage data, just to get the white paper. But if you allow them to log in with a Facebook account, it’s more likely you’re going to have a real email address to communicate with them afterward. This is why federation becomes appealing for large organizations that have large consumer clients. Then, if you know they came in using their Facebook account, you can prevent them from accessing sensitive data, and only allow them to access information that is open to the public.
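As an added illustration (not TITUS product code and not a SharePoint API) of the item-level, claims-driven policy described in the answers above, the following Python model stamps each document with a classification, derives a ceiling from the identity-provider claim presented at login, and so confines a user who federated in through a consumer account to public items even when they otherwise belong to a granted group. The claim names, groups, users and documents are all constructed for the example.

```python
from dataclasses import dataclass
# Constructed claim type names; real SharePoint claim types are URIs and differ.
IDP_CLAIM, GROUP_CLAIM = "identityprovider", "group"
# Sensitivity ranking of the classification metadata stamped on each item.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
# Providers treated as external consumer logins: such users see public items only.
EXTERNAL_IDPS = {"facebook", "google"}

@dataclass(frozen=True)
class User:
    name: str
    claims: dict  # claim type -> set of values presented at login

@dataclass(frozen=True)
class Document:
    title: str
    classification: str  # key of LEVELS
    allowed_groups: frozenset = frozenset()  # groups granted on this item

def max_level_for(user):
    """Ceiling on what a user may ever see, derived from login claims alone."""
    if user.claims.get(IDP_CLAIM, set()) & EXTERNAL_IDPS:
        return LEVELS["public"]  # federated consumer identity: public only
    if "executives" in user.claims.get(GROUP_CLAIM, set()):
        return LEVELS["secret"]
    return LEVELS["confidential"]  # default ceiling for internal logins

def can_read(user, doc):
    """Evaluate the policy per item, so sensitive and public items can share a library."""
    level = LEVELS[doc.classification]
    if level > max_level_for(user):
        return False
    if level == LEVELS["public"]:
        return True
    # Non-public items also require membership in a group granted on the item.
    return bool(user.claims.get(GROUP_CLAIM, set()) & doc.allowed_groups)

def visible_titles(user, docs):
    """Apply the same rule to every item regardless of which library holds it."""
    return [d.title for d in docs if can_read(user, d)]

# Constructed sample data: one library mixing public and sensitive items.
DOCS = [
    Document("Product brochure", "public"),
    Document("Roadmap", "confidential", frozenset({"product"})),
    Document("Board minutes", "secret", frozenset({"executives"})),
]
PARTNER = User("partner", {IDP_CLAIM: {"facebook"}, GROUP_CLAIM: {"product"}})
STAFF = User("staff", {IDP_CLAIM: {"windows"}, GROUP_CLAIM: {"product"}})
EXEC = User("exec", {IDP_CLAIM: {"windows"}, GROUP_CLAIM: {"executives"}})
```

Note that PARTNER holds the same "product" group as STAFF yet cannot read the roadmap, because the identity-provider claim caps them at public content before group membership is even consulted.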