By Robert B. Yonaitis, CIPP/IT, VP of Software Engineering and Standards at AvePoint
Everywhere you turn today you hear about data loss and data breaches, all of which feed a general sense of data insecurity. These incidents range from accidental loss to outright theft of personal information or corporate trade secrets. There is also the frustration felt when every part of access management seems perfect, yet a breach still occurs.
Traditional thinking, and SharePoint itself, focus very much on identity and access management as the means of securing your SharePoint environment. However, access controls do not prevent a fully authenticated user from placing sensitive content somewhere it is inappropriately exposed. True data security therefore requires a layered approach that bases protection on the sensitivity of the information (the content) itself, that is, one that is “content-aware”, rather than relying on access controls alone.
Below is a list of some best practices that will ensure true security of your SharePoint data:
- Content needs to be monitored in both real time and on a schedule, using rule based automated processes in such a way as to provide systematic protection of information.
- Classify content using metadata attached to the document. Authors can add the metadata, but the system has controls that allow it to override the user’s classification when that classification is in question. This empowers business users to do the right thing while preventing them from doing the wrong thing (user-assisted tagging, or “trust and verify”).
- Evaluate risk according to your organization’s own logic, so that you get multiple perspectives on the risk within the content itself and on the risk related to the delivery and transport of that data.
- Perform ongoing audits for compliance, and run regularly scheduled scans of SharePoint sites.
- Measure progress over time to demonstrate priority and success of compliance initiatives, and modify as necessary.
- Work with stakeholders and content authors to prioritize areas for improvement and address issues and concerns.
- Link compliance improvements to any migration programs (for example, scan data on your file shares before it is migrated to SharePoint).
- All new initiatives should require compliance – get compliant and stay compliant.
- Educate your staff as to what information is sensitive, and what steps they need to take to protect it.
- Use proper notifications on sites as related to privacy and security for internal and external data.
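The following Python example is added here to illustrate the “trust and verify” classification, rule-based monitoring and risk evaluation described in the list above. It is not code from the original article or from any AvePoint product: the sensitivity levels, detection rules, weights and sample documents are all constructed for the example, and a real content-aware scanner would pull documents and labels from SharePoint rather than from an in-memory list.

```python
import re
from dataclasses import dataclass, field

# Assumed sensitivity ladder, lowest to highest. A stricter level may always
# replace a looser one, never the other way round.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: a 13-16 digit run is only treated as a payment card
    number when it validates, which keeps order numbers and IDs out of the findings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Constructed rule table: (rule name, pattern, minimum level the content must
# carry when the rule fires, weight added to the document's risk score).
RULES = [
    ("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "Restricted", 10),
    ("payment_card", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "Restricted", 10),
    ("trade_secret_marker", re.compile(r"\b(?:trade secret|proprietary)\b", re.I), "Confidential", 5),
    ("internal_only", re.compile(r"\binternal use only\b", re.I), "Internal", 1),
]


@dataclass
class ScanResult:
    doc_id: str
    author_label: str          # what the author tagged the document as
    effective_label: str       # what the system decided it must carry
    overridden: bool           # True when the system raised the author's label
    findings: list = field(default_factory=list)
    risk_score: int = 0


def classify(doc_id: str, text: str, author_label: str) -> ScanResult:
    """Trust and verify: keep the author's label unless the content demands a stricter one."""
    if author_label not in LEVELS:
        raise ValueError(f"unknown sensitivity label: {author_label!r}")
    findings, required, score = [], "Public", 0
    for name, pattern, level, weight in RULES:
        for match in pattern.finditer(text):
            if name == "payment_card":
                digits = re.sub(r"[ -]", "", match.group(0))
                if not (13 <= len(digits) <= 16 and luhn_valid(digits)):
                    continue       # looks like a card number but fails the checksum
            findings.append(name)
            score += weight
            if LEVELS.index(level) > LEVELS.index(required):
                required = level
    overridden = LEVELS.index(required) > LEVELS.index(author_label)
    effective = required if overridden else author_label
    return ScanResult(doc_id, author_label, effective, overridden, sorted(set(findings)), score)


def scan_library(documents) -> list:
    """One scheduled pass over a library: documents are (id, text, author label) tuples."""
    return [classify(doc_id, text, label) for doc_id, text, label in documents]


def summarize(results) -> dict:
    """Metrics for the 'measure progress over time' practice: how many items
    were scanned, how many the system had to reclassify, and the total risk."""
    return {
        "scanned": len(results),
        "overridden": sum(1 for r in results if r.overridden),
        "total_risk": sum(r.risk_score for r in results),
        "by_label": {lvl: sum(1 for r in results if r.effective_label == lvl) for lvl in LEVELS},
    }


# Constructed sample library; the card number is the well-known Visa test value.
SAMPLE_LIBRARY = [
    ("doc-1", "Quarterly newsletter. Internal use only.", "Internal"),
    ("doc-2", "Customer record: SSN 123-45-6789, card 4111 1111 1111 1111", "Public"),
    ("doc-3", "Proprietary design notes for the next release", "Restricted"),
]

if __name__ == "__main__":
    results = scan_library(SAMPLE_LIBRARY)
    for r in results:
        flag = "OVERRIDE" if r.overridden else "ok"
        print(f"{r.doc_id}: {r.author_label} -> {r.effective_label} [{flag}] {r.findings} risk={r.risk_score}")
    print(summarize(results))
```

The point of the override step is that the author's tag is an input, not the verdict: a document tagged “Public” that contains a validated card number is promoted to “Restricted” and recorded as an override, while an author who chose a stricter label than the rules require keeps it. The summary counts give the trend data needed to show whether mis-tagging is falling over successive scheduled scans.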
The good news is that there are a variety of open resources to help get you started. A good source for a number of resources is the International Association of Privacy Professionals (IAPP) (https://www.privacyassociation.org/). IAPP’s web resources will go a long way toward introducing you to privacy and information security. It’s imperative that you educate yourself so that you understand the fundamentals of information security and so you can ask the right questions of your IT Department.
For both privacy and information security, it is also extremely important to be clear about the policies and procedures to which your organization must and will adhere. Your SharePoint properties should list your privacy policies as well as any other notices relevant to data usage or information security, and these notices should be displayed prominently. In addition, information in transit should be protected from individuals who lack the access rights to view the content.
From data security to information security and transport, just a few simple steps will identify problem areas. By implementing monitoring, you can be assured that you will stay safe. This is a concern for all content wherever it resides, but the good news is this concern can be easily addressed by planning properly and finding the right technology solution to support plans put in place.
Robert Yonaitis, CIPP/IT, is Vice President of Software Engineering and Standards at AvePoint, where he works primarily with the company’s compliance products, while providing input and guidance on standards, interoperability, design and feature sets across the full AvePoint product family.