SharePoint Security Wake Up Call: Time for an Audit

Please first read this article on the recent NSA leaks, then read on: “NSA Chief leaks data on sharing tech, it’s SharePoint”

With the recent news of SharePoint’s involvement in the NSA and Snowden investigation, I hope everyone involved in SharePoint is tuning in: Consultants, vendors, SharePoint Admins, Engineers, Devs, and especially Business Folks. The investments in SharePoint Security are no joke! It takes a concerted effort on all sides to take this seriously. Don’t blame SharePoint. The problem is that everyone blames SharePoint, but the responsibility is shared! With no governance, there are serious concerns for security leaks!!!

While I plan to give you some tips on best practices around managing security, this is a heads up. Review your SharePoint governance plans and dig into these questions. Good time for an Audit…

1. Who owns SharePoint security?  If it’s shared make it clear who has what responsibilities.

2. Who is responsible for managing permissions? Who cleans it up when someone moves roles or teams? If you rely on site admins, do they have the reports they need to know who has rights recursively?  Granular permissions can be a beast to manage.

3. What is your Data Retention Policy?  Site or Data lifecycle policies?

4. Are databases encrypted? Should they be?

5. Do your admins have rights to the data via Policy?  Should they? What are you using to Audit your permissions on a recurring basis?

7. Do you treat all SharePoint data equally?  Should you? What do your policies say about enterprise public data vs. highly confidential data?

8. What are you using for site cleanup?

9. Just because it’s over SSL doesn’t mean it’s secure. What does your auth stream look like from end to end?  How are accounts being managed and cleaned up?

10. Is SharePoint out-of-the-box security and auditing good enough?  Should you consider building extra governance around your sites and data for policies, or a third-party tool?
