Security is a hot topic nowadays – think about Snowden and the NSA, or recent security breaches at companies like Sony and Dropbox. Companies are now all too aware that protecting their data, even if it is stored in on-premises systems, is a priority for all staff, not just the traditional admin role.
Go back a few years, before the Intranet and the Cloud were so dominant, and security was indeed the sole responsibility of IT administrators. Back then the situation was rather more straightforward. Systems didn’t really give end users much control or autonomy, and hardly anyone used personal devices at work.
These days, the situation is very different. Tools like SharePoint and Office 365 allow users to create their own sites and content repositories, and almost everyone carries a tablet or smartphone at work. More delicate still, tools like Dropbox make it easy for end users to poke holes in an organization’s well-thought-out security policies without much effort.
1. Use Groups to manage users
SharePoint is a very flexible, extensible platform and so is the security model built around it. You can define a security permission, like read or write, at a range of levels – from site collection, to site, to the lowest component of a single item or document. It is very easy to assign these permissions directly to users, but this can make life very hard in the future.
SharePoint security best practice states that you should use Groups as much as you can when assigning permissions. Using Groups creates a more maintainable security model, because permissions are applied to the Group as a whole, not to individual people. When the time comes to adjust permissions, you just need to adjust the Group, not individual people.
You can also easily remove or add users to the Group, without having to worry about specific permissions levels.
2. Don’t use document or item level permissions
At the lowest level of security in SharePoint, you can define permissions on a single document or item. Don’t! Setting permissions in this way opens up all kinds of issues in the future. In SharePoint there is no way you can easily get an overview of those single item level permissions, so future maintenance is next to impossible.
Also, SharePoint security works best by using inheritance, and item-level permissions break it.
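One way to find existing violations of tips 1 and 2 on a SharePoint 2013 farm, shown here as an added example rather than code from the original article: the script walks one site collection and reports every site, list and item with broken inheritance, marking assignments made directly to a user. The site URL is a placeholder and the function name Get-PermissionFinding is hypothetical.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl = 'https://sharepoint.example.local/sites/team'   # placeholder URL (assumption)

function Get-PermissionFinding {   # hypothetical helper name
    param($Securable, [string]$Scope, [string]$Location)
    foreach ($ra in $Securable.RoleAssignments) {
        # Skip "Limited Access" (SPRoleType Guest), which SharePoint adds on its own
        $levels = @($ra.RoleDefinitionBindings |
            Where-Object { $_.Type -ne [Microsoft.SharePoint.SPRoleType]::Guest } |
            ForEach-Object { $_.Name })
        if ($levels.Count -eq 0) { continue }
        [pscustomobject]@{
            Scope      = $Scope
            Location   = $Location
            Principal  = $ra.Member.Name
            # Tip 1: True means the grant bypasses SharePoint groups (AD groups count too)
            DirectUser = ($ra.Member -is [Microsoft.SharePoint.SPUser])
            Levels     = $levels -join ', '
        }
    }
}

$site = Get-SPSite $SiteUrl
try {
    $findings = foreach ($web in $site.AllWebs) {
        try {
            if ($web.HasUniqueRoleAssignments) { Get-PermissionFinding $web 'Site' $web.Url }
            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }
                if ($list.HasUniqueRoleAssignments) {
                    Get-PermissionFinding $list 'List' "$($web.Url) :: $($list.Title)"
                }
                # Tip 2: items or documents whose inheritance has been broken
                foreach ($item in $list.Items) {
                    if ($item.HasUniqueRoleAssignments) {
                        Get-PermissionFinding $item 'Item' "$($web.Url)/$($item.Url)"
                    }
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }

# Report only what the tips warn about: item-level grants and direct user grants
$findings | Where-Object { $_.Scope -eq 'Item' -or $_.DirectUser } |
    Sort-Object Location | Format-Table -AutoSize
```

Run it from the SharePoint 2013 Management Shell with farm rights; enumerating every item is slow on large lists, so schedule it outside working hours.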
3. Use the new “Share” permission with care
SharePoint Online in Office 365 introduced a new toy for your end users: the Share function. Now every item in a SharePoint list can easily be shared externally with anyone in the world. Sharing an item creates a new item-level permission like those mentioned above. Sharing items or documents externally can open up a company to all sorts of governance and security issues.
I cannot emphasize enough that you need to use this new feature with extreme caution.
4. Have a single admin for each Site Collection
Creating sites and subsites in SharePoint 2013 is very simple and straightforward. Yet with this power comes great responsibility, so assign a single person to act as a central admin of any given Site Collection.
It is also a good idea to add the administrator’s details to the landing page of a site, so end users can easily contact that person to get help and advice. The “Site users” web part is a great way of enabling this, and can be used to visualize the administrator(s) in both SharePoint and Lync.
5. Ask your users to lock their phone or tablet
This one is not strictly a SharePoint security setting, but as users increasingly access and interact with business systems on the move it is very important – be sure to enable some sort of lock or pass code on your phone or tablet device. With more and more users bringing their own devices to work, this becomes crucial for your business liability.
Most users lock their desktop or laptop at work, but doing it on a personal device is less common. Yet many smart devices are packed full of apps, which in turn contain a wealth of corporate data and settings. SharePoint really encourages mobile use cases. Sensitive apps include SharePoint Newsfeed (containing potentially sensitive info), OneDrive for Business (containing a wealth of documents) and email clients.
Leaving a mobile device unlocked opens a backdoor to your company’s vital information – so ask your users to keep them locked!
Implementing SharePoint security practices is crucial
Now more than ever, users need to be educated in SharePoint security best practice. From the smallest SharePoint site to the largest Office 365 tenant, implementing good security policies and practices is paramount.
If you follow these 5 simple tips, you’ll find your SharePoint and Office 365 security in better shape than it is today:
- Always use the Group functionality to manage your user permissions
- Never use specific permissions at a document or a list item level
- Beware of the new ‘Share’ feature in SharePoint Online in Office 365
- Ensure that each subsite has a single administrator
- Ask your employees to secure their personal mobile devices
As you can see, those 5 tips aren’t that hard to put in place. Security in SharePoint requires discipline and commitment from both you and your end users.
Maybe you guys have another tip for our readers: what would be your most important security tip?