SharePoint security, governance need attention in most deployments

SharePoint's popularity is driven by its ease of use and the ability for a business user or workgroups to set up a collaboration environment without the aid of IT. For the same reasons, setting Microsoft SharePoint security policies can prove difficult.

"Governance is almost counterintuitive to the way SharePoint populates an organization," said Carl Frappaolo, co-founder and principal of Boston-based Information Architected Inc. "Judging by how much of a security concern SharePoint is for upper management and IT, governance by default is a concern."

In a yet-to-be-released survey of 400 companies conducted by Information Architected, the majority already have Microsoft Office SharePoint Server (MOSS) 2007 installed. Within this group, 57% cited SharePoint security as their top concern. About 17% also said they had SharePoint scalability and functionality-related concerns, Frappaolo said.

Few of the respondents were using MOSS 2007 for outward-facing, or external websites. Frappaolo said he believes this is because SharePoint does not provide built-in security beyond the borders of the collaboration and content management suite itself or beyond basic file-level security within the suite's applications.

To further protect SharePoint content using such mechanisms as single sign-on, digital rights management, authentication and read- and write-only lockdown, a company may have to rely on IT for integration with third-party tools, or further integration with other Microsoft tools.

MO...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Infrastructure Strategies An IT governance model needs risk and communications components 10 must-have steps for an effective SMB information security program Cloud computing defies one definition, so here are a few of the latest Data center outsourcing contract do's and don'ts SaaS, cloud computing lead to cuts in application hosting pricing First SOA implementations should focus on business value Targeted IT communications key to ITIL implementation success Virtualization project success factors from CIOs From LinkedIn to SharePoint, CIOs see Web 2.0 benefits Up-front capacity planning makes for better virtualization Web 2.0 technology for the midmarket 2009 IT Geek Halloween costume ideas Virtualization management strategies ezine for CIOs Business software guides for the midmarket: CRM, ERP, Web 2.0 and more How to create and measure success of a SharePoint governance program Social networking, real-time data feeds -- where does that leave IT? Enterprise content management a player in disaster recovery program How has the role of the CIO changed? IRobot's CIO weighs in Preparing for the upturn, CIO sees IT budget increase for staff How collaboration tools bring cost savings, business alignment How to choose the right open source solution for your business Information security management for the midmarket Droid does, but will IT support it? Information security program revamp adds outsourcer oversight and more From data breaches to risk management frameworks: Test your knowledge The challenge of managing risk when IT budgets tighten Why cybersecurity awareness is everyone's responsibility Information technology management e-book downloads for midmarket CIOs 10 must-have steps for an effective SMB information security program Your IT security budget: How to get more bang for the buck Using key risk indicators to sell your information security program IT security spending a bright spot in '09, with more growth predicted

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

SS 2007 has built-in tools and interfaces to configure authentication and access rights and integrates with Active Directory out of the box. Access rights policies are set for documents that stay within SharePoint. Outside those boundaries, Microsoft Information Rights Management in MOSS can be configured to put a wrapper around the content to ensure that access rights follow a given document. Microsoft also recommends using its Forefront Security product for SharePoint to protect against malware. The Forefront add-on costs $7.20 per user, per year, Microsoft said.

Others believe that it's not that SharePoint security features are inadequate, but that those using and installing the suite are not taking the time to learn about and correctly configure the MOSS security features, said Peter O'Kelly, a Boston-based independent industry analyst.

Companies are also wary of using SharePoint to share sensitive information. Their concerns: that information may fall into the wrong hands, or become subject to e-discovery disclosure or compliance regulations. As a result, organizations need to start requiring individuals to put in a request for a new SharePoint site, specify what information would reside on the site and why the site is needed. Authentication and rights management polices should be in place before a new site is launched.

Englewood Hospital Medical Center in Englewood, N.J., is developing a governance strategy to control who can create a new SharePoint site, who can submit information to the site and who should be in charge of editing and publishing the content.

"We're putting a lot of our HTML sites into SharePoint to control the content and requests for new [collaboration] sites," said Gary Wilhelm, business and financial systems manager at the medical center. "So right now we're using the role-setting capabilities in SharePoint to figure out who should have a role as a contributor versus a publisher or even a watchdog over a site or sites."

In IT professional John Bissa's experience, companies are still trying to figure out how to use the full breadth of the tool set, never mind getting a grasp on how to control it.

"There's nothing out there as comprehensive as SharePoint," said Bissa, a partner and Web development team leader at Plante & Moran PLLC. "The sticking point is that folks are struggling with governance around it and some can't figure out how to get their arms around all the tools."

Let us know what you think about the story; email: Christina Torode, Senior News Writer