In a chat this week with Eric Darbe of HiSoftware, he described what he called “the yin and yang” of SharePoint: Organizations want to see wide internal adoption, but there’s a hesitation to give this kind of wide access because of security concerns.
“Security can seem contrary to collaboration,” he said. “It’s the confidence gap that we as a community need to address.”
SharePoint, he said, gets a bit of a bad rap when it comes to security. “We were at a security conference, and someone came up to me and said, ‘SharePoint? That’s the bane of the privacy officer’s existence.’ That’s reality turned on its head, and we need to work to change this perception, by adding technology and telling the story.”
Darbe cited a recent AIIM study called “Using SharePoint for ECM: How Well is it Meeting Expectations?” in which 80% of the respondents said they aren’t comfortable putting sensitive information into SharePoint. “Maybe it’s more of an approach,” he said. “There’s not the level of nuance from a permissions standpoint you’d like to have.”
Darbe went on to say that SharePoint follows the Windows Security Model, which enables you to secure what he described as “buckets,” but that can result in securing too much information and hampering cross-departmental collaboration. “Securing by library or site butts up against the ‘Enterprise 2.0’ vision of SharePoint in terms of collaboration,” he said.
What’s missing, Darbe said, are file-level security and content awareness, which allow organizations to have a deep understanding of what’s in the individual items in SharePoint. The key, though, is to get people to classify their information “absolutely correctly,” he said. And, unless classification is part of your culture, it will break down due to human factors such as rushing to get done, or not truly seeing the importance of exact classification.
And the big point relevant to security, Darbe added, is that you have to have governance. “Organizations need to create a governance board and talk about governance, even beyond the SharePoint team,” he said. “Where’s the risk, and how do we manage it as a group? Otherwise, you’re just creating another silo. They have to move beyond SharePoint governance to information governance.”
Here’s an excellent blog post on the topic of SharePoint security, seen from a number of different roles.