www.torsionis.com

Evaluating SharePoint’s Security Model

Evaluating how well SharePoint's security model performs against a real-world business scenario.

Upload: torsion-information-security

Post on 22-Jan-2017


TRANSCRIPT

Page 1: Evaluating SharePoint security model

www.torsionis.com

Evaluating SharePoint’s Security Model

Evaluating how well SharePoint's security model performs against a real-world business scenario.

Page 2: Evaluating SharePoint security model


Four core requirements for a new hypothetical security model for SharePoint:

1. Accommodate business change
2. Accurate
3. Quick and simple
4. Robust and reliable

Let's use these requirements as a lens to examine how SharePoint's current security model stands up to a real-world business scenario.

Page 3: Evaluating SharePoint security model


The Scenario

Page 4: Evaluating SharePoint security model


A highly confidential idea for a new product is to be brought to market.

One SharePoint site was used by the 7 engineers involved; the information shared there helped validate the idea. The CEO, the CFO and their PAs were also given access.

Once the project got the green light, the team scaled up quickly. Three project streams were established, with a common program across them.

Page 5: Evaluating SharePoint security model


To minimize confidentiality risk, it is imperative that people have access to precisely the information they need, and nothing more.

The plan: isolate each stream to keep the information circles small. The original SharePoint site was designated for use by the program, and a sub-site with non-inherited (unique) permissions was created for each of the three streams.

Over the 9 months since, the boundaries have blurred a little. Legal weighed in on product decisions. Product Development needed commercial visibility. Outsiders needed to contribute to, or review, certain details.

The project team grew and shrank over time. The Product Development stream is dividing in two. Everyone is under time pressure. The project has at least a year to go.

Page 6: Evaluating SharePoint security model


How Will SharePoint's Security Model Hold Up?


Page 7: Evaluating SharePoint security model

1. Accommodating Constant Change

There have already been lots of changes: people joining and leaving, temporary access across stream boundaries, temporary access for people outside the project, and a stream dividing in two.

That means hundreds of manual permission changes over the course of the project. Everywhere permissions inheritance was broken, the number of changes increases, because each site, library or document with unique permissions no longer follows its parent and has to be updated on its own.

None of these changes happen automatically.

Page 8: Evaluating SharePoint security model

2. Accurate

Administrators must be aware of every single business change in order to update every permissions configuration it affects.

A single business change = dozens of permissions changes.

High chance of mistakes and omissions.

Page 9: Evaluating SharePoint security model

3. Quick and Simple

Every business change = many permissions changes. Identifying each required change is neither quick nor simple.

SharePoint allows business users to grant permissions. But what about revoking access when it is no longer appropriate? Business users will often forget.

Page 10: Evaluating SharePoint security model

4. Robust and Reliable

A business user shares a new sensitive document with their project stream.

How likely is it that the site permissions aren't aligned with the current business circumstances? How can the user know who will have access to the document once it is uploaded, and how can they evaluate whether that is correct?

If people don't trust the system's security, they may choose to share information some other way.
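The two questions the slides leave open, how many separate places have to change when one person's access changes (the inheritance point on page 7) and who will actually be able to open a document once it is uploaded (page 10), can be made concrete with a small model of SharePoint's permission scoping. The Python below is an added example written for this page; it is not Torsion's code and not SharePoint's API. The site, group and user names are constructed to mirror the slides' scenario, and the model keeps only the two SharePoint behaviours that matter here: an object either inherits its parent's role assignments or, once inheritance is broken, holds its own snapshot of them, and sharing an inherited item breaks its inheritance.

```python
from __future__ import annotations
from dataclasses import dataclass, field

READ_ROLES = {"Read", "Contribute", "Edit", "Full Control"}  # levels that let a principal open content


@dataclass(eq=False, repr=False)
class Securable:
    """Site, sub-site, library or document. Assignments are stored only where
    inheritance is broken (unique=True); everything else resolves to the nearest such ancestor."""
    name: str
    parent: Securable | None = None
    unique: bool = False                                             # inheritance broken?
    assignments: dict[str, set[str]] = field(default_factory=dict)  # principal -> roles
    children: list[Securable] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is None:
            self.unique = True                 # the root site always owns its assignments
        else:
            self.parent.children.append(self)

    def scope(self) -> Securable:
        """The object whose assignments actually apply to self."""
        obj = self
        while not obj.unique:
            obj = obj.parent
        return obj


def break_inheritance(obj: Securable) -> None:
    """'Stop Inheriting Permissions': snapshot the inherited assignments; from now on
    this object must be maintained separately from its parent."""
    if not obj.unique:
        obj.assignments = {p: set(r) for p, r in obj.scope().assignments.items()}
        obj.unique = True


def grant(obj: Securable, principal: str, role: str) -> None:
    """Share an object; sharing an inherited item breaks its inheritance first."""
    break_inheritance(obj)
    obj.assignments.setdefault(principal, set()).add(role)


def effective_readers(obj: Securable, groups: dict[str, set[str]]) -> set[str]:
    """Expand groups into users: exactly who can open this object right now."""
    users: set[str] = set()
    for principal, roles in obj.scope().assignments.items():
        if roles & READ_ROLES:
            users |= groups.get(principal, {principal})
    return users


def walk(obj: Securable):
    yield obj
    for child in obj.children:
        yield from walk(child)


def offboard(root: Securable, user: str, groups: dict[str, set[str]]) -> list[str]:
    """Remove a user everywhere. Each entry is one manual edit an administrator must
    know about: a unique-permission object naming the user, or a group containing them."""
    edits: list[str] = []
    for obj in walk(root):
        if obj.unique and obj.assignments.pop(user, None) is not None:
            edits.append(obj.name)
    for gname, members in groups.items():
        if user in members:
            members.discard(user)
            edits.append(f"group:{gname}")
    return edits


def build_scenario():
    """Constructed data mirroring the slides (all names made up): a program site,
    three isolated streams, and the boundary drift that followed."""
    groups = {
        "Executives": {"ceo", "cfo", "pa.ceo", "pa.cfo"},
        "Engineers": {f"eng{i}" for i in range(1, 8)},
        "Stream A": {"eng1", "eng2", "eng3"},
        "Stream B": {"eng4", "eng5"},
        "Stream C": {"eng6", "eng7"},
    }
    program = Securable("Program site")
    program.assignments = {"Engineers": {"Contribute"}, "Executives": {"Read"}}
    streams: dict[str, Securable] = {}
    for letter in "ABC":
        site = Securable(f"Stream {letter} sub-site", program)
        break_inheritance(site)                          # snapshot: Engineers + Executives
        site.assignments.pop("Engineers")                # keep the circle small:
        grant(site, f"Stream {letter}", "Contribute")    # only this stream's members
        streams[letter] = site
    library = Securable("Stream A documents", streams["A"])  # inherits from the sub-site
    spec = Securable("Product spec.docx", library)          # inherits from the library
    grant(streams["A"], "contractor", "Read")               # outsider reviewing Stream A
    pricing = Securable("Pricing model.xlsx", library)
    grant(pricing, "legal.counsel", "Read")                 # Legal weighs in: breaks inheritance
    grant(streams["B"], "eng1", "Read")                     # temporary cross-stream visibility
    return program, streams, {"spec": spec, "pricing": pricing}, groups


if __name__ == "__main__":
    program, streams, docs, groups = build_scenario()
    for doc in docs.values():
        print(f"{doc.name}: {sorted(effective_readers(doc, groups))}")
    streams["A"].assignments.pop("contractor")   # the classic omission: one edit made, not two
    print("contractor still opens pricing:", "contractor" in effective_readers(docs["pricing"], groups))
    print("edits to offboard eng1:", offboard(program, "eng1", groups))
```

Run stand-alone, it shows the contractor who was removed from the Stream A sub-site still able to open the pricing model, because that document took its own copy of the assignments the moment it was shared with Legal; offboarding a single engineer touches a sub-site and two groups. Against a live tenant the same two questions are answered only by enumerating the role assignments on every object whose inheritance has been broken, which is exactly why the count of places to check grows with each broken inheritance.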


Page 11: Evaluating SharePoint security model

The Bottom Line

So how did SharePoint's security model hold up?

Keeping permissions accurate for thousands of documents and dozens of users, in the face of constant business change, is a large and complex task, highly vulnerable to error.

A serious breach = one mistake, one change overlooked, one accidental inaccuracy.

In a recent survey, 71% of business users thought they had access to more information than they probably should.

Read the full version on: www.torsionis.com/blog