SharePoint is a great collaboration platform, but companies must balance the need to share data against growing data security, compliance, and privacy concerns. These are some of the common SharePoint concerns we see when working with customers:

Permission management is decentralized

Companies typically use some combination of administrators managing permissions to sites and delegation of permission management to site owners. Each site has its own set of permissions to manage (and audit), which becomes even more complex as inheritance is broken.

This requires that users understand both SharePoint permission management and the various corporate data sharing policies. They need to know what data is stored in their site and who that data can be shared with.

Permission management is manual

Setting permissions on a site, library, or document in SharePoint is typically a manual process. A user needs to determine who should have access to documents and verify that only authorized users are granted access.

Active Directory groups can be used for some automation, but they introduce their own concern: a user can be added to a group that gives them access to data they should not have access to.

Permission management is only role-based

Users will typically be granted access to a site based on their job function or their role. This requires that job functions (or any other method of creating a subset of users) are mapped to groups in Active Directory. This then requires that group memberships are maintained, especially when a user’s job function changes or a new user is added.

Externalized Authorization and Attribute-Based Access Control

These common concerns can be addressed by using a combination of externalized authorization and attribute-based access control.

Externalized authorization allows authorization decisions to be made in one central location by leveraging policies. Policies can be defined to control access to SharePoint data based on farm, web application, site, library, or even column values. This gives added flexibility, because policies only need to be defined once for all SharePoint data. Another benefit is that the way permissions are managed in SharePoint today does not need to change to take advantage of these policies. A policy augments SharePoint security: users can still manage permissions to their data, while high-level policies ensure that corporate policies are enforced and data is only shared with appropriate audiences.

Attribute-based access control allows these policies to leverage user attributes when making policy decisions. Instead of managing groups in Active Directory, policies can be created based on Active Directory user attributes. When a user attribute changes, access to data in SharePoint changes dynamically based on policies. User attributes from other systems outside of Active Directory can also be leveraged.

As an example, a corporate security policy may state that only users located at offices in the United States can access documents in SharePoint with a classification of top secret. To accomplish this in SharePoint today would be a very manual process. You would have to create an Active Directory group for United States users, then locate each document and ensure that only this group of users has access, and then maintain that level of security whenever any permissions are changed.

With externalized authorization and attribute-based access control, this would be as simple as defining a policy that states only users with a country attribute of United States can access documents in SharePoint classified as top secret.
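The decision logic behind that policy, as an added sketch that is not NextLabs or SharePoint code: a central policy keyed on a document column and a user attribute is evaluated in addition to the item's existing permissions, so access requires both. The attribute name `country`, the column name `Classification`, and every class, function and sample value below are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    attrs: dict                      # attributes from Active Directory or another source
    groups: set = field(default_factory=set)

@dataclass
class Document:
    title: str
    columns: dict                    # column values, e.g. {"Classification": "Top Secret"}
    acl: set                         # users/groups granted access by the site owner

def sharepoint_allows(user, doc):
    """Existing check: the user or one of their groups is on the item's ACL."""
    return user.name in doc.acl or bool(user.groups & doc.acl)

# Central policy, defined once; it applies to any document whose columns match "when".
POLICIES = [
    {"when": {"Classification": "Top Secret"},
     "require": {"country": "United States"}},
]

def policy_allows(user, doc):
    """Deny if any applicable policy's required attributes are not all satisfied.
    A missing attribute compares unequal, so the decision fails closed."""
    for p in POLICIES:
        applies = all(doc.columns.get(k) == v for k, v in p["when"].items())
        meets = all(user.attrs.get(k) == v for k, v in p["require"].items())
        if applies and not meets:
            return False
    return True

def can_access(user, doc):
    # The policy augments the existing permission; it never grants access on its own.
    return sharepoint_allows(user, doc) and policy_allows(user, doc)

if __name__ == "__main__":
    # Constructed sample data.
    alice = User("alice", {"country": "United States"}, {"Project X Members"})
    plan = Document("Plan", {"Classification": "Top Secret"}, {"Project X Members"})
    print(can_access(alice, plan))       # site permission and policy both allow
    alice.attrs["country"] = "Germany"   # attribute changes, group membership does not
    print(sharepoint_allows(alice, plan), can_access(alice, plan))
```

Changing the user's attribute revokes access to the classified document without touching any group or item permission, which is the dynamic behaviour the paragraphs above describe.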

In our next post, we will continue this discussion by reviewing how NextLabs Entitlement Manager for SharePoint can address these issues.
