In my discussions with clients on how to securely implement SharePoint, I’ve seen two major recurring issues:
1. Many of the operations and security professionals I talk with about how to securely deploy solutions like SharePoint are very good at protecting discrete things – servers, desktops, hubs, switches, routers, ports and protocols. Even when we talk about protecting file shares, folders and directories, we are thinking of the containers that hold information rather than protecting the information itself. Information is a fluid thing: it changes form, it flows through people and processes, and it has a lifecycle that spans all of these discrete containers. We know how to protect the containers that hold information, but I believe a change in mindset is needed when thinking about how to protect the information itself.
How do we bring an information-centric (and not device-centric) way of thinking to information security? How do we get people thinking in terms of information architecture?
2. Our instinctive response to protecting information is to apply a “default deny” security approach when securing SharePoint — “share nothing by default and only explicitly share what’s needed”. This mindset works well for a firewall (default-deny, allow only what is explicitly whitelisted), but I’m not so sure it works well for collaboration. What about the inverse? — “share everything we can and only deny what we explicitly can’t share” (for example, because of a legal or regulatory requirement).
Doesn’t the value of information and collaboration increase the more we open up? We instinctively want to “deny all” when a more balanced approach is needed. Who decides what should be shared? From a compliance point of view – yes, IT needs to help the business identify and prevent the sharing of information that should not be shared. Beyond this, in most cases, IT and information security really don’t know what should be shared, with whom, under what circumstances, and why.
How can we enable the business users closest to the processes, closest to the partners and customers and closest to the business to open up their information as they need? Can we “let go” and enable spontaneous collaboration without jeopardizing information security?
Are you facing similar challenges in your organizations? I’m interested in your feedback.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.