We had a crowd of several hundred people for my presentation on SharePoint security at the recent Gartner Information Security Summit. It’s pretty much as I suspected – just like virtualization projects, where security tends to be an afterthought (if it is considered at all), SharePoint deployments are following the same course.
When I polled the audience with this question: “Was information security involved in the planning and implementation of SharePoint?”, about 14% said “Yes, from the beginning” and the remaining 86% were evenly split between “Yes, after deployments had started” and “No”.
This is reflected in my conversations with clients who are looking for guidance on where to get started with SharePoint security. I pulled all of this together in the research note on SharePoint security on which the presentation was based. In fact, I couldn’t fit all of the material from the research note into the presentation in the hour allotted.
Securing SharePoint is a balance. We don’t want to control too tightly and discourage the grassroots collaboration that is taking place, but we can’t ignore the fact that sensitive data is being shared (in many cases externally) without any security controls. Even if we are called in after deployments have started, at a minimum we need to make sure SharePoint isn’t serving as a conduit for malware and to identify the sensitive data being shared, so we can understand when and why the users require this and what controls might be necessary.