The Essentials Series: Securing SharePoint Content

by Dan Sullivan


The growing popularity of Microsoft SharePoint should come as no surprise to IT professionals. We have long struggled to help business users capture, organize, and use content. In the past, we might have used shared network drives within a department to enable document sharing within groups, but the increasing use of multiple platforms, including mobile devices, calls for a more Web-oriented approach to collaboration. Microsoft SharePoint not only offers feature-rich, Web-based collaboration services but also makes it easy for most users to set up sites and start sharing with minimal hassle. An application that addresses a pressing need and is easy to use is something of a dream come true for IT. There is, however, a dark side to this scenario.

Setting up a secure SharePoint site and maintaining appropriate access controls to content is not a trivial task. Sometimes the path of least resistance to getting a site up and running is to implement few security controls. Even if only some people in the department need access to some of the content, it might be quicker for an inexperienced SharePoint administrator to grant broad access to everyone in the department. This reality is just one example of practices that can undermine SharePoint site security.

This series on protecting and securing SharePoint content examines how to safeguard your SharePoint experience so that you continue to have the benefits of the collaboration tool while mitigating the risk of a security breach.


Article 1: Common Practices that Undermine SharePoint Content Security

SharePoint is a valuable collaboration tool for many organizations. The shared management model that leverages centralized management of SharePoint infrastructure with a distributed model for site administration has many advantages. There are drawbacks to this approach, however. Miscommunication or poorly defined roles and responsibilities can lead to security vulnerabilities and data leak risks. These potential weaknesses can be addressed with a combination of techniques, including clearly defined responsibilities, data classification schemes, and technical controls to compensate for browser vulnerabilities.

Article 2: Technical Challenges to Securing SharePoint Content

Browsers are a key client technology for accessing and manipulating SharePoint content. Although Microsoft provides SharePoint-specific client applications, such as SharePoint Workspace, the browser is a standard for SharePoint access. The advantages of using a browser with SharePoint include SharePoint hosting services and cross-platform (including Bring Your Own Device—BYOD) support as well as avoiding the need to install a client application. With these advantages, however, come technical challenges. Together, these challenges create conditions that can be exploited to intentionally steal or unintentionally leak confidential data stored in SharePoint repositories.

Article 3: Best Practices for Securing Browsers for SharePoint

Web browsers are essential components for working with SharePoint. Maintaining secure browser sessions can mitigate the risk of both intentional and unintentional data leaks. Best practices for securing browsers for SharePoint include using secure sessions when accessing SharePoint, preventing users from reaching content unless those users have a legitimate need, and managing browser sessions centrally. This combination of best practices addresses the core technical challenges outlined throughout this series.