In my discussions with clients on how to securely implement SharePoint, I’ve seen two major recurring issues:
1. Many of the operations and security professionals I talk with about securely deploying solutions like SharePoint are very good at protecting discrete things: servers, desktops, hubs, switches, routers, ports and protocols. Even when we talk about protecting file shares, folders and directories, we are thinking about the containers that hold information rather than the information itself. Information is fluid: it changes form and flows through people and processes over a lifecycle that spans all of these discrete containers. We know how to protect the containers that hold information, but I believe a change in mindset is needed when thinking about how to protect the information itself.
How do we bring an information-centric (rather than device-centric) way of thinking to information security? How do we get people thinking in terms of information architecture?
2. Our instinctive response to protecting information is a “default deny” approach to securing SharePoint: share nothing by default and explicitly share only what’s needed. This mindset works well for a firewall (default deny, allow only what is explicitly whitelisted), but I’m not so sure it works well for collaboration. What about the inverse: share everything we can and deny only what we explicitly can’t share (for example, because of a legal or regulatory requirement)?
Doesn’t the value of information and collaboration increase the more we open up? We instinctively want to “deny all” when a more balanced approach is needed. Who decides what should be shared? From a compliance point of view, yes, IT needs to help the business identify and prevent the sharing of information that must not be shared. Beyond that, in most cases IT and information security really don’t know what should be shared, with whom, under what circumstances and why.
How can we enable the business users closest to the processes, closest to the partners and customers, and closest to the business to open up their information as they need? Can we “let go” and enable spontaneous collaboration without jeopardizing information security?
Are you facing similar challenges in your organizations? I’m interested in your feedback.