Microsoft SharePoint – Governance Schmuvernance
Posted by Kurt Johnson - VP Strategy on Wed, Feb 11, 2009
The source of all information great and accurate (and I'm talking about Wikipedia of course) defines governance as relating "to consistent management, cohesive policies, processes and decision-rights for a given area of responsibility". This sounds reasonable to me. Today's realities of increasing privacy concerns, compliance management, and regulatory pressure have brought visibility to the importance of sound policies and processes to minimize risk and protect organizations. IT governance consists of cross-organization teams, with a heavy emphasis on line-of-business involvement, to more effectively ensure that IT policies are not only being followed, but are the responsibility of the individual users and business managers to define and enforce. It's not solely an IT function.
Sounds great, doesn't it? As part of this, IT, and even IT security, have emerged from the bowels of their cavernous quarters to take a seat at the table, working with the organization to identify risk and build effective ways to manage it. In many areas IT security has effectively shattered its image as a business impediment and replaced it with one of a business enabler.
Then along comes something like Microsoft SharePoint to ruin everything. Are we even a little surprised that we're reading that Microsoft SharePoint is hard to secure? (Microsoft SharePoint: A Weak Link In Enterprise Security?) A recent Ponemon Institute survey stated that only 60% of respondents have deployed security tools specifically for SharePoint. Courion's own survey on SharePoint compliance showed that 25% of respondents stated that they believed their SharePoint security was either weak or they were unaware of what was being done about it.
It's always easy to take shots at Microsoft and point the finger at the tool. But the blame here belongs with the organization using the product. Microsoft designed a solution to provide enhanced collaboration capability and make it easy to share information across different organizations or even outside the organization. SharePoint was designed to install easily, be painless to administer, and make it simple to post documents and data for wide audiences to see and share. Guess what? The product works. But, like a loaded gun, which in the right hands can be an effective tool but in the wrong hands can lead to unfathomable destruction, so too can SharePoint or any collaboration tool.
Historically we've seen IT security and management as afterthoughts to application deployments. Back in my META Group days we referred to this as the pig being thrown over the wall. An application goes live and then IT management is left to figure out how to ensure it doesn't bring the infrastructure to its knees and that the information is secure. As I mentioned before, IT governance started to change much of this. But, in many cases, SharePoint is so easy to deploy that IT doesn't even know about it. Thus security is not planned for up front.
So what is IT security to do? My friend Mike Rothman suggests in his Daily Incite post, pray. Not bad advice. How does IT gain control while not impeding the business value of collaboration? The solution is what we at Courion refer to as an Access Assurance strategy.
Access Assurance refers to ensuring that the right people have the right access to the right resources and are doing the right things. It involves the definition of access policy; enforcement of that policy via automation; detection when that access varies from policy; remediation to bring access back within policy; and validation that the policy is appropriate. Where better can this apply than to SharePoint? This focus on a lifecycle for SharePoint compliance management offers significant value for organizations.
So, how does one go about building SharePoint compliance and access assurance? It starts by finding out what's out there. This discovery must include an assessment of the various risks associated with the sites. It doesn't make much sense to put a ton of policy around the company softball site; however, that engineering planning site might need a little more oversight. This risk assessment may include identification of sites that have sensitive data on them. DLP tools like those from RSA and Symantec are helpful in discovering such information. Risk can also be assessed by seeing how many sites have multiple site owners, how many grant access via explicit access vs. groups, how many the "everyone" group has access to, etc. Identify which users have access to the different sites, what job function they belong to, and what types of rights they have (e.g. contribute, read only, full administration, etc.). There should then be a formal process to verify that this is appropriate and to have the business managers attest to the fact that the access is appropriate. When it's not, remediate by removing or modifying that access. This is what Courion's Solutions for Microsoft SharePoint focus on: creating an Access Assurance lifecycle for SharePoint.
Once this clean-up has occurred, we can then implement a process of governance for sensitive sites. Ongoing reviews of who has what type of access are critical. Formal processes for approving access to such sites should trump the "let the site owner add anyone they'd like" approach. The SharePoint policies must be well understood, well communicated, and implemented in a way that ensures business efficiency while maintaining policy. We like to refer to this as transparent compliance. Embedding the policy into the business process allows the organization to enjoy the benefits of increased business efficiency with higher security, and thus reduced risk.
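As an added example, not from this post and not Courion's product code: a small Python script that scores a constructed site inventory against the risk indicators described above (multiple site owners, explicit versus group grants, "everyone" access, DLP-flagged sensitive data), summarizes what rights users hold, and builds the attestation queue the business owners would review. The site URLs, accounts and group names are made up, and the inventory shape assumes a permissions export rather than any real SharePoint API.

```python
from dataclasses import dataclass
from collections import Counter

# Constructed inventory records shaped like a SharePoint permissions export;
# every URL, account and group name below is made up for this example.
@dataclass
class SiteInventory:
    url: str
    owners: list              # accounts holding Full Control on the site
    explicit_grants: dict     # user -> permission level, granted directly
    group_grants: dict        # SharePoint group -> permission level
    has_sensitive_data: bool  # e.g. flagged by a DLP scan of the site
EVERYONE = {"Everyone", "NT AUTHORITY\\Authenticated Users"}

def assess_site(site):
    """Score the post's risk indicators; return (score, findings)."""
    score, findings = 0, []
    if len(site.owners) > 1:
        score += 1
        findings.append(f"{len(site.owners)} site owners")
    if EVERYONE & set(site.group_grants):
        score += 2
        findings.append("'everyone' group has access")
    if len(site.explicit_grants) > len(site.group_grants):
        score += 2
        findings.append(f"{len(site.explicit_grants)} explicit grants vs "
                        f"{len(site.group_grants)} group grants")
    if site.has_sensitive_data:
        score += 3
        findings.append("DLP flagged sensitive data")
    return score, findings

def rights_summary(site):
    """Count directly granted users by permission level for the reviewer."""
    return dict(Counter(site.explicit_grants.values()))

def review_queue(sites, threshold=3):
    """Sites scoring at or above threshold, highest risk first, for attestation."""
    scored = [(s.url, *assess_site(s)) for s in sites]
    return sorted((x for x in scored if x[1] >= threshold),
                  key=lambda x: x[1], reverse=True)

SAMPLE_SITES = [
    SiteInventory("http://intranet.example/sites/softball", ["alice"], {},
                  {"Everyone": "Read", "Softball Members": "Contribute"}, False),
    SiteInventory("http://intranet.example/sites/eng-planning", ["bob", "carol", "dave"],
                  {"erin": "Contribute", "frank": "Contribute", "grace": "Read",
                   "heidi": "Full Control"}, {"Engineering": "Read"}, True),
    SiteInventory("http://intranet.example/sites/hr-benefits", ["ivan"],
                  {"judy": "Read"}, {"Everyone": "Read"}, True),
]
```

Running `review_queue(SAMPLE_SITES)` leaves the softball site out of the queue (score 2, only the "everyone" read grant) and puts the engineering planning site first, which is the ordering the post argues for.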
Isn't that what we're all striving for anyway?