From its humble beginnings as a repository for Office documents to its current role as a hulking enterprise-wide information portal, Microsoft’s SharePoint Server suite has always been about content.
SharePoint’s vast feature set now includes enterprise content management, search, social networking, blogs and wikis, collaboration and business process management. But all parts of the machine depend on content, from training videos to financial reports to confidential legal documents.
However, it is a machine that can potentially wreak havoc if SharePoint is not implemented and monitored effectively by IT.
Storing content in SharePoint is only part of the challenge; securing it is an area where many organizations run into trouble when clear corporate policies regarding SharePoint access and user permissions are not in place.
The risks of keeping SharePoint content safe are not limited to malicious attacks or disgruntled employees leaking confidential information, says Larry Concannon, VP of product marketing at HiSoftware, a Web content and social media compliance software firm.
“The most common privacy breaches are inadvertent,” says Concannon, “often resulting from carelessness or lack of awareness by an employee.”
The best content security strategy for SharePoint is one that lets employees freely contribute content and collaborate, but enforces policies within departments to keep sensitive documents from ending up in the wrong hands, internally as well as outside the company.
HiSoftware recommends five of the most common ground rules for protecting content in SharePoint.
Make it clear what content is permissible
Enterprises should create clear, documented policies as part of their SharePoint implementations, says Concannon, including rules about what types of content is permissible.
Related story – Websense offers ‘middle-of-the-road’ security
While each organization will have its own definition of permissible content, the most secure SharePoint implementations are governed by policies that take into account who is allowed to review or publish content, and what content itself is appropriate for storage within SharePoint.
Educate employees
Another key to a secure SharePoint implementation is educating users about the privacy and confidentiality rules set up by IT that protect both the employee and the company.
“On one level this means simple user training,” says Concannon. “But it could also mean creating a “terms of service” screen that comes up as users are creating their own My Site, for example.”
Use classification to guide behavior
One configuration available in SharePoint that protects content is a classification screen that pops up every time a document is added. These classification screens are based on categories set up by IT to enforce what should and should not be in the system.
“Classification screens will let you know if a document doesn’t fall into one of the designated categories,” says Concannon. “If it doesn’t, don’t publish it.”
Don’t forget to enforce the policies
Once the business rules are in place for SharePoint, says Concannon, IT managers must enforce them and let users know when violations occur. One approach is to provide users with a way to tag content they consider to be “inappropriate.”
Automated software is also available from HiSoftware and other vendors to check SharePoint content before it is published to avert the posting of non-compliant content. Features like automated content scans can be used to validate specific regulations in SharePoint that are designed to prevent privacy breaches and confidentiality leaks.
Social tools: find the right balance
One area in SharePoint that needs to be watched closely is social networking, says Concannon. Social features like blogs, wikis, communities, My Site profile pages and forums have been featured more prominently in SharePoint 2010. While these popular tools can improve communication and productivity, they are potential compliance landmines.
Related story- Cash in on Microsoft SharePoint’s social tools
Educate employees
Another key to a secure SharePoint implementation is educating users about the privacy and confidentiality rules set up by IT that protect both the employee and the company.
“On one level this means simple user training,” says Concannon. “But it could also mean creating a “terms of service” screen that comes up as users are creating their own My Site, for example.”
Use classification to guide behavior
One configuration available in SharePoint that protects content is a classification screen that pops up every time a document is added. These classification screens are based on categories set up by IT to enforce what should and should not be in the system.
“Classification screens will let you know if a document doesn’t fall into one of the designated categories,” says Concannon. “If it doesn’t, don’t publish it.”
Don’t forget to enforce the policies
Once the business rules are in place for SharePoint, says Concannon, IT managers must enforce them and let users know when violations occur. One approach is to provide users with a way to tag content they consider to be “inappropriate.”
Automated software is also available from HiSoftware and other vendors to check SharePoint content before it is published to avert the posting of non-compliant content. Features like automated content scans can be used to validate specific regulations in SharePoint that are designed to prevent privacy breaches and confidentiality leaks.
Social tools: find the right balance
One area in SharePoint that needs to be watched closely is social networking, says Concannon. Social features like blogs, wikis, communities, My Site profile pages and forums have been featured more prominently in SharePoint 2010. While these popular tools can improve communication and productivity, they are potential compliance landmines.
Related story- Cash in on Microsoft SharePoint’s social tools
To safeguard this new wave of Web 2.0 content as well as plain old documents, HiSoftware recommends a balanced approach where collaboration and information sharing is encouraged, but security regulations are enforced within departments to prevent, say, a legal document about a potential merger from being viewed by the wrong person.
Shane O’Neill covers Microsoft, Windows, Operating Systems, Productivity Apps and Online Services for CIO.com. Follow Shane on Twitter @smoneill. Follow everything from CIO.com on Twitter @CIOonline. Email Shane at [email protected].
