SharePoint security, governance need attention in most deployments

CIOs need to keep security and governance in mind as Microsoft Office SharePoint moves beyond the workgroup level.

SharePoint deployments are highly distributed in nature, but the power of Microsoft Office SharePoint Server 2007 is the ability to create a central, corporate-wide collaboration environment. But until IT controls it centrally with SharePoint security policies and governance, the organization will not realize the full benefits of the suite's functionality.

SharePoint's popularity is driven by its ease of use and the ability for a business user or workgroups to set up a collaboration environment without the aid of IT. For the same reasons, setting Microsoft SharePoint security policies can prove difficult.

"Governance is almost counterintuitive to the way SharePoint populates an organization," said Carl Frappaolo, co-founder and principal of Boston-based Information Architected Inc. "Judging by how much of a security concern SharePoint is for upper management and IT, governance by default is a concern."

In a yet-to-be-released survey of 400 companies conducted by Information Architected, the majority already have Microsoft Office SharePoint Server (MOSS) 2007 installed. Within this group, 57% cited SharePoint security as their top concern. About 17% also said they had SharePoint scalability and functionality-related concerns, Frappaolo said.

Few of the respondents were using MOSS 2007 for outward-facing, or external, websites. Frappaolo said he believes this is because SharePoint does not provide built-in security beyond the borders of the collaboration and content management suite itself or beyond basic file-level security within the suite's applications.

To further protect SharePoint content using such mechanisms as single sign-on, digital rights management, authentication and read- and write-only lockdown, a company may have to rely on IT for integration with third-party tools, or further integration with other Microsoft tools.

MOSS 2007 has built-in tools and interfaces to configure authentication and access rights and integrates with Active Directory out of the box. Access rights policies are set for documents that stay within SharePoint. Outside those boundaries, Microsoft Information Rights Management in MOSS can be configured to put a wrapper around the content to ensure that access rights follow a given document. Microsoft also recommends using its Forefront Security product for SharePoint to protect against malware. The Forefront add-on costs $7.20 per user, per year, Microsoft said.

Others believe that it's not that SharePoint security features are inadequate, but that those using and installing the suite are not taking the time to learn about and correctly configure the MOSS security features, said Peter O'Kelly, a Boston-based independent industry analyst.

Companies are also wary of using SharePoint to share sensitive information. Their concerns: that information may fall into the wrong hands, or become subject to e-discovery disclosure or compliance regulations. As a result, organizations need to start requiring individuals to put in a request for a new SharePoint site, specify what information would reside on the site and why the site is needed. Authentication and rights management policies should be in place before a new site is launched.

Englewood Hospital Medical Center in Englewood, N.J., is developing a governance strategy to control who can create a new SharePoint site, who can submit information to the site and who should be in charge of editing and publishing the content.

"We're putting a lot of our HTML sites into SharePoint to control the content and requests for new [collaboration] sites," said Gary Wilhelm, business and financial systems manager at the medical center. "So right now we're using the role-setting capabilities in SharePoint to figure out who should have a role as a contributor versus a publisher or even a watchdog over a site or sites."

In IT professional John Bissa's experience, companies are still trying to figure out how to use the full breadth of the tool set, never mind getting a grasp on how to control it.

"There's nothing out there as comprehensive as SharePoint," said Bissa, a partner and Web development team leader at Plante & Moran PLLC. "The sticking point is that folks are struggling with governance around it and some can't figure out how to get their arms around all the tools."

Let us know what you think about the story; email: Christina Torode, Senior News Writer
