Comment: Securing SharePoint's Content Blind Spots

Kurt Mueffelmann examines how to avoid possible content blind spots in Microsoft's SharePoint

Driver's education teaches us to protect our blind spot, to always check and double check it. As recent insurance commercials have comically pointed out, you never know what dangers hide back there. Despite learning early in our driving careers to watch for them, we still have trouble remembering to check our blind spots.

The same holds true when it comes to content blind spots that plague many enterprises; and just like in our cars, content blind spots can result in serious loss.

One of Microsoft SharePoint’s particularly troubling organizational blind spots is content governance, specifically how content is organized and secured. As the Association for Information and Image Management (AIIM) noted in a study last year, only 20% of respondents have confidence in SharePoint to store sensitive information. And they have every right to be skeptical of content security inside SharePoint: 27% of the organizations surveyed by AIIM store valuable content in SharePoint without clear governance policies, and 60% have not brought SharePoint in line with their existing compliance policies.

Sensitive information – such as protected healthcare information (PHI), personally identifiable information (PII), corporate confidential data, and trade secrets – lives within SharePoint. Without protecting your blind spot by classifying and securing information inside SharePoint, you’re setting yourself up for a crash.

Checking Over Your Shoulder

If you never look over your shoulder, then you have no way of knowing whether your blind spot is clear. If you’ve never taken a close look at your SharePoint data, then you can’t possibly know the risks. And even if you’ve realized that unstructured data is putting your organization at risk, you may be a lone voice among many. The key is to highlight the risk in a way that everyone can understand.

Step one is to assess the content so you have a strong understanding of the problem. The fact is that data trumps opinion every time, and an assessment provides the information you need to make your case to the rest of your organization.

Many technology vendors that automate information security, compliance and monitoring offer assessment services or trials so you can better understand the breadth of the problem and figure out how a solution might work within your environment. An assessment will help document your organization’s unique needs and ensure that the technology solution addresses your biggest concerns.

Turn On Your Blinker

Before changing lanes, or fully implementing a technology solution, you need to decide where you’re going and how best to get there. Unlike driving a car, you’re hardly the only one steering your organization.

To get there, it's best to set up a governance board comprising people from several different departments. If your CIO wants to establish certain policies, it won’t do any good without the advice and support of the SharePoint administrator. Creating a defensible, written information security plan empowers organizations to address blind spots inside SharePoint and minimize fallout from breaches if they should happen.

Measuring the Hazards

Just how close is that logging truck to you? Is that SUV going to change lanes without looking? Weighing and measuring each hazard on the road protects you from the dangers of blind spots.

Classifying and securing SharePoint content does the same. In concert with a full assessment, developing a complete classification of content and documents can secure systems. Once the information is classified, you can use that classification to limit distribution, thereby ensuring the security of each piece of information rather than relying on folder-level security. In this scenario, each document that has a credit card number or the name of the secret project only gets into trusted hands.

Companies can choose to go beyond classification to also encrypt documents, ensuring that if they make it outside of SharePoint, the information they contain will remain secure. In recent breaches involving user error and computer theft, document-level encryption could have prevented these costly and reputation-marring mistakes.

Look in Your Mirrors Again

After changing lanes safely, you’re hardly in the clear. The road is full of hazards, and content security is no different. The policies and technologies put in place to protect SharePoint content are a critical part of navigating the hazard, but they are not enough. Ongoing auditing and monitoring are vital to the success of your implementation and provide a strong backbone of support for regulators and auditors.

If not controlled properly, SharePoint can create a major weak point that can have significant consequences for your organization. By following the aforementioned steps, you will be able to put strategies in place to help steer clear of the obstacles along the road.


Kurt A. Mueffelmann is president and chief executive officer of HiSoftware Inc., a provider of content-aware compliance and security solutions for the monitoring and enforcement of risk management and privacy guidelines across digital environments.
