Gartner Blog Network

Does Securing Information Require a Different Mindset?

by Neil MacDonald  |  March 12, 2009  |  2 Comments

In my discussions with clients on how to securely implement SharePoint, I’ve seen two major reoccurring issues:

1. Many of the operations and security professionals I talk with about how to securely deploy solutions like SharePoint are very good at protecting discrete things – servers, desktops, hubs, switches, routers, ports and protocols. Even when we talk about protecting file shares, folders and directories we are thinking of the containers that hold information versus protecting the information itself. Information is a fluid thing, it changes forms, it flows in people and processes and in a lifecycle that spans all of these discrete containers. We know how to protect containers that hold information but I believe there is a change in mindset needed when thinking about how to protect the information itself.

How do we bring an information-centric (and not device centric) way of thinking to information security? How do we get people thinking in terms of information architecture?

2. Our instinctive response to protect information is to use a security approach of “default deny” when securing SharePoint — “share nothing by default and only explicitly share what’s needed”. This mindset works well for a firewall (default-deny, allow only what is explicitly whitelisted) but I’m not so sure it works well for collaboration. What about the inverse? — “share everything we can and only deny what we explicitly can’t share” (for example, because of a legal or regulatory requirement).

Doesn’t the value of information and collaboration increase the more we open up? We instinctively want to “deny all” when a more balanced approach is needed. Who decides what should be shared? From a compliance point of view – yes, IT needs to help the business identify and prevent the sharing of information that should not be shared. Beyond this, in most cases, IT and information security really don’t know what should be shared, to whom, under what circumstances and why.

How can we enable the business users closest to the processes, closest to the partners and customers and closest to the business to open up their information as they need? Can we “let go” and enable spontaneous collaboration without jeopardizing information security?

Are you facing similar challenges in your organizations? I’m interested in your feedback.

Additional Resources

Five Board Questions That Security and Risk Leaders Must Be Prepared to Answer

As board members realize how critical security and risk management is, they are asking leaders more complex and nuanced questions. This research helps security and risk management leaders decipher five categories of questions they must be prepared to answer at any board or executive meeting.

Read Free Gartner Research

Category: security-of-applications-and-data  sharepoint-security  

Tags: information-security  sharepoint-security  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Thoughts on Does Securing Information Require a Different Mindset?

  1. The ‘default-deny’ approach may make businesses feel better about SharePoint security but I agree that it really hinders business efficiency. Finding the middle ground is what’s needed in order to balance the needs for stronger security with business efficiency and value. One of the keys to the free flow of information within an organization is maintaining awareness of what information is being posted to SharePoint sites. Equally important is an understanding of which users have access to that information and whether that is acceptable for their business function and in accordance with policy. There are similar requirements to really understand who has administration capability on specific SharePoint sites and what they are doing with it. Automating that awareness process gives security pros visibility into whether any SharePoint sites are not in compliance with security policies or best practices and allows them to pass that information on to the SharePoint site reviewer. Security staff can responsibly “let go” and enable business lines to open up information only when technology is in place to provide access assurance.

    Kurt Johnson, VP of corporate development, Courion

  2. Neil MacDonald says:


    A whole ecosystem of tool vendors (including Courion) has appeared around SharePoint to do exactly the types of reporting you are describing.

    To a security professional, it looks like a paradox — securely opening up and enabling the business users to define when, how and who they need to collaborate with. I believe it can be done with high level guardrails and policy compliance. We don’t need to get in the middle, we just need to set the boundaries.

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.