Securing your SharePoint environment against threats is crucial. A few years back, I was presenting an IT Pro session at an event in San Francisco, and asked the audience whether anyone was 100% confident in the security and compliance of their on-premises SharePoint environment. There were a few chuckles, but one hand was held up toward the back of the room. I asked the woman who raised her hand to tell us about her environment, and why she was the only one to raise her hand.
She admitted that her confidence was because her small farm was entirely locked down, and only she had the permissions to make any changes. Her solution for managing risk was to remove all other users from the system.
For most organizations, however, that solution — while it may sound appealing — is impractical. As I went on to tell that audience, when you find a system without any issues, it is usually because nobody uses it. SharePoint has long been touted as a platform that can be shaped and molded into whatever the business needs. Where organizations get into trouble is when they fail to adequately manage changes to the environment. If you cannot answer basic questions about who can access a given piece of content, whether sensitive information is stored in your environment, or whether your security policies are being violated, your system is at risk.
Risk management is about creating and maintaining a system whereby you can identify, assess, and mitigate risks, thereby reducing any losses. Within SharePoint, this can be a fairly complex task, as different teams and business units have different approaches to change, and not all will adhere to the governance standards put in place. Additionally, there is the growing number of devices that can have access to your SharePoint environment.
According to Liam Cleary, 12-time Microsoft MVP and Product Owner Security at Rencore:
“Understanding risk within Office 365 is now mandatory for keeping data safe and controlled. A risk, in reality, is a theoretical thing that may or may not happen, based on an action and the probability. Due to Office 365 being the central data repository for most organizations, knowing the potential risks and mitigations is more important than ever.”
Successful risk prevention in SharePoint takes a proactive approach, including monitoring, measuring, and mitigating risks as they arise.
One of the lessons I learned early in my career when building end-user solutions and business portals is that the simpler things are on the front end, the more complex they become on the back end. This is often exhibited when end users bring in third-party tools or web-based services because of some exciting new capability, but without understanding how those tools integrate, how they handle sensitive information, or whether they comply with company or industry security and compliance practices.
While we need to improve the user experience (UX) of our applications and provide employees with the features they need to accomplish their work, assessing new tools and services must be done in a managed, well-governed manner that helps admins quickly identify and mitigate their risks.
Here are some areas that you need to monitor:
Identifying Risks in Technology
Identifying risks in technology is critical and includes the tools and services you buy, as well as the solutions you configure and customize on your own. Most organizations have a review process for technology, and have the appropriate dev, test, and sometimes staging environments in place, to ensure that everything works as designed before a solution is promoted to production.
Unfortunately, this process can be time consuming and costly. Add to that the complexity from the rise of the cloud and the increase in the number of mobile devices, and you can see how the review of technology can become a full-time job. (Thankfully, there are options available to help you identify technology risks, such as Rencore’s AnalysisCloud.)
Identifying Risks in your Data
Identifying risks in your data is next on the list. The sheer volume and exponential growth of content and data is also a serious risk factor. Data comes in all sizes, formats, and lifecycle stages, many of which may include different levels of tagging and metadata, sensitivity, and classifications.
Identifying Risks in your Business Environment
Identifying risks in your business environment can be incredibly difficult, because your business requirements, customer needs, personnel skill sets, organizational structure, and shifting strategies and priorities can all affect your ability to identify and act on potential risks. Some organizations attempt to lock down their environments, like the woman in my audience described; however, the more control you put on a system, the less likely people are to use that system.
Identifying Risks in People
Identifying risks in people is the most complex area in risk management. This includes everything from insider threats to external hacking, and the risk can come from employees, customers, and partners, as well as outright malicious actors. However well-oiled a machine you run, and however close you feel you are to your employees, disgruntled staff can be the most costly risk factor should they decide to go rogue.
Having a governance process in place, as I’ve written about previously, as well as a strong change management model, will help you stay on top of the changes happening within your SharePoint environment every day. But don’t get complacent and let your guard down. As Liam points out,
“All organizations need to manage their Office 365 environment with the assumption that there either has or will be a data or security breach. With this approach, organizations become more proactive and responsive to all confirmed and potential security issues.”
One of the most common questions asked is “How do I get started?” As with all general answers, it really depends on what tools and governance processes you have in place today, and the degree of cultural change that will be required to implement your risk management strategy. However, there are several things that should be part of your overall strategy:
Establish Provisioning Routines
It is critical to standardize how people are added to your environment, and how new SharePoint team sites, Yammer Groups, Microsoft Teams teams (there’s no good way to say that one), and all other workloads are provisioned to ensure that protocols and standards are being met.
Monitor Applications and Customizations
This one is HUGE. Introducing applications such as custom code, workflows, forms, and apps to SharePoint creates a business platform tailored to your organization’s needs, but unmonitored applications are one of the primary reasons why migrations fail. They can also open up huge holes in your security and impact compliance, so it is important to know what is on your system, monitor changes, and put governance procedures in place to ensure that what is being done is in the best interest of the business.
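Knowing what is on your system and who can access it is only useful if the answer is written down somewhere. The following PowerShell script is an added example, not code from the original post or from Rencore; it uses the SharePoint Online Management Shell to inventory every site collection’s sharing setting and externally shared users, and flags the sites most worth reviewing. The tenant admin URL and the CSV path are placeholders you must replace, and the account running it needs SharePoint administrator rights.

```powershell
# Added example: inventory external sharing across a SharePoint Online tenant.
# Requires the SharePoint Online Management Shell module and a SharePoint admin account.
Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop

$AdminUrl  = "https://contoso-admin.sharepoint.com"   # placeholder: your tenant admin URL
$ReportCsv = ".\sharing-inventory.csv"               # placeholder: where to write the report

Connect-SPOService -Url $AdminUrl

# Tenant-wide default; individual sites can only be equal to or more restrictive than this.
$tenantSharing = (Get-SPOTenant).SharingCapability
Write-Host "Tenant default sharing capability: $tenantSharing"

# -Detailed is slower but guarantees the per-site properties are populated.
$rows = foreach ($site in Get-SPOSite -Limit All -Detailed) {
    $externals = @()
    try {
        # Get-SPOExternalUser returns at most 50 users per call; this takes the first page,
        # which is enough to decide whether a site needs a closer look.
        $externals = @(Get-SPOExternalUser -SiteUrl $site.Url -PageSize 50 -Position 0 -ErrorAction Stop)
    } catch {
        Write-Warning "Could not enumerate external users on $($site.Url): $_"
    }

    [pscustomobject]@{
        Url                = $site.Url
        Owner              = $site.Owner
        Template           = $site.Template
        SharingCapability  = $site.SharingCapability
        # 'Anyone' links are the setting most often inherited without anyone deciding on it.
        AllowsAnyoneLinks  = ($site.SharingCapability -eq 'ExternalUserAndGuestSharing')
        ExternalUserCount  = $externals.Count
        ExternalUsers      = ($externals | ForEach-Object { $_.Email }) -join ';'
    }
}

$rows | Sort-Object -Property ExternalUserCount -Descending |
    Export-Csv -Path $ReportCsv -NoTypeInformation

# Triage view: sites that are actually shared externally, or that allow anonymous links.
$rows | Where-Object { $_.ExternalUserCount -gt 0 -or $_.AllowsAnyoneLinks } |
    Format-Table Url, Owner, SharingCapability, ExternalUserCount -AutoSize
```

Run it on a schedule and diff the CSV against the previous run: a site whose SharingCapability changed or whose external user list grew is exactly the kind of change your governance process should already know about. For an on-premises farm the equivalent inventory comes from Get-SPSolution and Get-SPUserSolution for deployed code, and Get-SPSite for site collections, rather than the SPO cmdlets used here.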
Implement Change Management
This should be a transparent process for your end users, so that they can see the progress of their new product or feature requests and participate in the discussion. One of my favorite sayings is “The more you involve people in the process, the more likely people will support that process.” In my experience, this has the most impact when it is implemented within change management practices.
Enforce Security Standards
Know thy standards! It is hard to manage the security risks when you don’t fully understand the constraints.
Create a Governance Strategy
Finally, have a plan. It should include key stakeholders, rules for discussion (otherwise, every meeting may devolve into arguments), and KPIs and other measurements, so that you can track progress and extend your transparency to your end users and leadership team.
For additional help, a great place to start is the Security and Compliance Center within Office 365. The site provides great tooling for risk prevention, as well as a single location for all data and security controls that will help in controlling not only access, but the flow of data within and external to the organization.
Rencore’s Risk Assessment tool will help you fix real production security issues and build a risk report based on your data. Learn about quick wins for improving your application security and try our Risk Assessment for free today.