We had a crowd of several hundred people for my presentation on SharePoint security at the recent Gartner Information Security Summit. It’s pretty much as I suspected – just like virtualization projects where security tends to be an afterthought (if considered at all), SharePoint deployments are pretty much following the same course.
When I polled the audience with this question: “Was information security involved in the planning and implementation of SharePoint?”, about 14% said “Yes, from the beginning” and the remaining 86% were evenly split between “Yes, after deployments had started” and “No”.
This is reflected in my conversations with clients who are looking for guidance on where to get started with SharePoint security. I pulled all of this together in this research note on SharePoint security on which the presentation was based. In fact, I couldn’t get all of the material in the research note into the presentation in the hour allotted.
Securing SharePoint is a balance. We don’t want to control too tightly and discourage the grassroots collaboration that is taking place, but we can’t ignore the fact that sensitive data is being shared (in many cases externally) without any security controls. Even if we are called in after deployments have started, at a minimum we need to make sure SharePoint isn’t serving as a conduit for malware and identify sensitive data being shared so we can understand when and why the users require this and what controls might be necessary.