Neil MacDonald

A member of the Gartner Blog Network

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Coverage Areas:

Does Securing Information Require a Different Mindset?

by Neil MacDonald  |  March 12, 2009  |  2 Comments

In my discussions with clients on how to securely implement SharePoint, I’ve seen two major reoccurring issues:

1. Many of the operations and security professionals I talk with about how to securely deploy solutions like SharePoint are very good at protecting discrete things – servers, desktops, hubs, switches, routers, ports and protocols. Even when we talk about protecting file shares, folders and directories we are thinking of the containers that hold information versus protecting the information itself. Information is a fluid thing, it changes forms, it flows in people and processes and in a lifecycle that spans all of these discrete containers. We know how to protect containers that hold information but I believe there is a change in mindset needed when thinking about how to protect the information itself.

How do we bring an information-centric (and not device centric) way of thinking to information security? How do we get people thinking in terms of information architecture?

2. Our instinctive response to protect information is to use a security approach of “default deny” when securing SharePoint — “share nothing by default and only explicitly share what’s needed”. This mindset works well for a firewall (default-deny, allow only what is explicitly whitelisted) but I’m not so sure it works well for collaboration. What about the inverse? — “share everything we can and only deny what we explicitly can’t share” (for example, because of a legal or regulatory requirement).

Doesn’t the value of information and collaboration increase the more we open up? We instinctively want to “deny all” when a more balanced approach is needed. Who decides what should be shared? From a compliance point of view – yes, IT needs to help the business identify and prevent the sharing of information that should not be shared. Beyond this, in most cases, IT and information security really don’t know what should be shared, to whom, under what circumstances and why.

How can we enable the business users closest to the processes, closest to the partners and customers and closest to the business to open up their information as they need? Can we “let go” and enable spontaneous collaboration without jeopardizing information security?

Are you facing similar challenges in your organizations? I’m interested in your feedback.

2 Comments »

Category: Information Security SharePoint Security     Tags: ,

2 responses so far ↓

  • 1 Kurt Johnson, VP of corporate development, Courion   March 16, 2009 at 12:53 pm

    The ‘default-deny’ approach may make businesses feel better about SharePoint security but I agree that it really hinders business efficiency. Finding the middle ground is what’s needed in order to balance the needs for stronger security with business efficiency and value. One of the keys to the free flow of information within an organization is maintaining awareness of what information is being posted to SharePoint sites. Equally important is an understanding of which users have access to that information and whether that is acceptable for their business function and in accordance with policy. There are similar requirements to really understand who has administration capability on specific SharePoint sites and what they are doing with it. Automating that awareness process gives security pros visibility into whether any SharePoint sites are not in compliance with security policies or best practices and allows them to pass that information on to the SharePoint site reviewer. Security staff can responsibly “let go” and enable business lines to open up information only when technology is in place to provide access assurance.

    Kurt Johnson, VP of corporate development, Courion
    blog.courion.com

  • 2 Neil MacDonald   March 16, 2009 at 7:20 pm

    Kurt,

    A whole ecosystem of tool vendors (including Courion) has appeared around SharePoint to do exactly the types of reporting you are describing.

    To a security professional, it looks like a paradox — securely opening up and enabling the business users to define when, how and who they need to collaborate with. I believe it can be done with high level guardrails and policy compliance. We don’t need to get in the middle, we just need to set the boundaries.