How to Talk to Your Security Team About SharePoint
It doesn’t always feel like SharePoint admins and security teams are working toward the same objectives. Folks managing SharePoint are responsible for building a collaborative environment that improves productivity. The security team is charged with lowering risk and preventing breaches.
Now that companies are storing vast quantities of sensitive data, like PII and IP, inside of SharePoint, both perspectives are essential to the health of your organization. Rather than sit at odds over how best to secure SharePoint, the two groups – SharePoint management and information security – need to come together to avoid confusion and conflict.
This guide for successful conversations helps you get SharePoint and security teams on the same page. Once you are aligned, you’ll be better able to assess SharePoint security solutions and determine how to select the right ones to achieve all of your goals.
Step 1: Make sure everyone understands the content at risk
The security team may be painfully aware of threats and compliance requirements facing the organization. But, they are probably not aware of how much sensitive content is sitting in SharePoint or how users are accessing and sharing that data. Audit your content and share the details with the security team to illustrate the magnitude of risk you’re managing.
Step 2: Define a SharePoint information governance plan
Your security team may have a regular cadence for internal security audits of IT systems. Make sure SharePoint is included in those audits so you can be prepared for any external scrutiny. Equally important: design an information governance strategy that balances end user requirements, processes around application management, and the lifecycle of sensitive content stored inside SharePoint.
End-of-year planning is a great time to review the information security strategy so that you can start fresh in 2017. Together with the security team, document the types of content that must be protected. Set roles and responsibilities for auditing, interpreting results and building long-term strategy.
Step 3: Take a hard look at your current security solutions
Demonstrate to the security team any techniques you use to protect SharePoint content today. If your SharePoint deployment makes it difficult to maintain permissions, enforce policies, or manage multiple sites, make sure your security team understands those challenges so both groups can find optimal solutions.
On the flip side, your security team may assume that a legacy Data Loss Prevention (DLP) solution they already use throughout the enterprise can address SharePoint security. Together, test the enterprise DLP solution for accuracy, but also consider the impact that DLP scanning of SharePoint farms has on the end user experience. (Remember, your users will find workarounds to any collaboration platform if the UX is poor or if the security controls are excessive.) See if adding enterprise DLP on top of SharePoint slows your network or causes document uploads or sharing actions to time out, causing users to seek other options for collaboration.
Step 4: Choose the best security solution to support your plan
If you decide to supplement SharePoint’s out-of-the-box security tools, create a joint list of requirements with your security team. Make sure you ask the following questions of any vendor you evaluate:
- Does it support compliance requirements for your industry by identifying and protecting particular types of content?
- How high is the false-positive rate? Is it too strict or too permissive?
- Will it stress the network and negatively impact SharePoint performance?
- Does it take into account the context of how content is used when flagging insecure behavior – not just permissions or content types?
- How complex is the rollout?
- Does it allow you to customize requirements and risk rankings to match your internal security policies?
- Does it make it easy for users to adhere to compliant content behavior in real time?
- Can it execute downstream prevention actions automatically?
Step 5: Test, test, test
No plan, solution or implementation is perfect. Even the best ones have flaws. Testing is the simplest, most cost-effective and results-oriented way of finding flaws before auditors or external teams do. Once your plans are set, build ways to test the security solution that you’ve set up. Chart where the problems are and share those results with the security team.
The bottom line
There’s no better way to ensure that you’re part of the security conversation than reducing the security team’s workload. Come to the table with the information the security team needs to make informed decisions and be a strong partner throughout the decision-making process.
Looking to learn more about how to decrease your SharePoint or Office 365 security risk? Last week I hosted a webinar on this topic with Catapult (Microsoft’s Partner of the Year). Watch Designing an Effective Information Governance Strategy Against a Growing Risk Landscape to learn how to design an effective information governance strategy.
Jai Dargan is a Senior Director of Product Management at Metalogix, where he directs the strategy for Metalogix’s security and compliance solutions. In this capacity, Jai guides the direction of Metalogix products aimed at securing content collaboration, including ControlPoint, Sensitive Content Manager, and Insider Threat Index. Prior to Metalogix, Jai was a co-founder at Pim Labs, LLC, a startup company (acquired by Metalogix) that built solutions for securing social networks and sensitive content. He holds a Master’s degree from Georgetown University and an undergraduate degree from New York University.
Andrew Huynh is a Managing Consultant and a Local Practice Lead (Dallas) at Catapult Systems specializing in SharePoint technologies, with a focus on migration, governance, information architecture and user adoption. Andrew is also the community leader for the Metalogix Community of Practice (CoP), where consultants come together to learn, share and ask questions regarding the Metalogix suite of solutions.