By Dana Simberkoff
Organizations worldwide are constantly looking for new and innovative ways to organize and manage enterprise-wide content and knowledge to facilitate collaboration and reduce costs.
The immediate draw to SharePoint is clear – organizations have the flexibility to incorporate cloud computing into SharePoint environments and empower their decentralized workforce to be productive from anywhere, thereby reducing total cost of ownership and consolidating IT infrastructure.
Securing SharePoint is Critical
As a result, SharePoint deployments have grown rapidly and become a treasure trove of potentially sensitive and unprotected information within many enterprise organizations. This trend makes these environments a potential target for attacks and cyber threats.
With the increase in cyber security risks and information breaches, it is imperative that compliance, governance, and cyber assurance solutions for your SharePoint infrastructure are strongly established and sustained.
In order to have a more secure SharePoint environment, there are specific steps that organizations can take.
Understand Your As-Is SharePoint Environment
First, understand your “as is” environment.
Laws and regulations are based on data protection and security principles that are not typically organization specific.
Unfortunately, when it comes to implementing or complying with those laws, too often internal policy is created based on an interpretation of that law, without a real-life understanding of how business users within the organization are utilizing the IT systems – such as SharePoint – holding the information that may be at risk.
As an example, many organizations create policies with strict directives (e.g., no highly sensitive data is allowed in SharePoint), but they have built that policy without understanding whether their SharePoint business users are storing that sensitive data in SharePoint, or why they are actually doing so.
Thus, to have a true understanding of your vulnerabilities, it is important to develop a plan after you have performed an organizational site assessment and set your organization’s goals. Only then do you set compliance requirements and standards.
Create and Implement a Realistic Plan
Once you’ve taken the time to understand your current use of SharePoint – and also worked with a multi-stakeholder group that includes compliance officers, business users, and IT staff – then it’s time to implement your plan.
It’s incredibly important to ensure that the plan you implement is one that you can enforce, measure, and monitor. Equally important is training for employees that addresses areas of non-compliance.
Get Help with Managing and Protecting Information
One of the best ways to understand and appropriately manage and protect the information and content that is flowing through a SharePoint environment is the use of scanning and classification solutions.
This kind of automation is a very important piece of managing compliance and security within a SharePoint environment, regardless of its size.
One of the great benefits of SharePoint is that business users can do anything they need to without going through the IT department.
However, from a security and compliance perspective, this can become problematic.
Thus, automation can be applied to make information assurance standards in the SharePoint environment more consistent, measurable, and enforceable. This will help to reduce the opportunities for a breach through proactive and regular scanning of all sensitive and/or classified data.
From a content perspective, metadata should be used for discovery, classification, and security best practices. In this way, sensitive content can be identified, tagged, and appropriately classified with either embedded metatags and/or SharePoint managed metadata.
The advantage of using both types of metadata is that embedded tags (and their classifications) live within the documents themselves, even when those documents leave SharePoint.
Further automation can be used to scan and report on SharePoint content to identify and subsequently delete, tag, or quarantine sensitive, harmful, or non-compliant content. In real time, user-generated content can be regulated to prevent creation or uploading of non-compliant or harmful content.
Measure So You Can Manage
Once you’ve implemented your plan, be sure that you maintain regular and ongoing assessments – in other words, measure so you can manage.
Conduct ongoing testing, monitoring, and assessment to ensure that you have complied with your new guidelines and standards.
This will allow you to react and revise your policies and procedures as necessary through evaluation and automated verification of compliance with your policies, guidelines, and standards.
A programmatic approach to improving security and confidence in SharePoint as a system for managing sensitive data will not only have a positive impact on regulatory compliance and the protection of sensitive information, but on SharePoint adoption as well.
Dana Louise Simberkoff is the Vice President of Risk Management and Compliance at AvePoint. She is responsible for executive level consulting, research and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts and solutions for risk management and compliance, as well as maintaining relationships with executive management and compliance officers.