SharePoint Security Best Practices
Nowadays, security incidents and data breaches are being reported almost on a weekly or monthly basis. This has become a key reason why organizations are taking data security seriously and are holding themselves accountable as the owners of data / information. Consequently, progressive organizations are now holding all their staff accountable and not just IT staff for data protection.
With platforms like Microsoft SharePoint which enable users to share and control organizational data, the chances of a deliberate or inadvertent breach of information increase exponentially. Yet as users organize their files and folders and important documents – essentially their intellectual property in SharePoint – they want it to be secure. Obviously, in scenarios like these with this or similar platforms, even the most stringent security policies and protocols would not suffice to control a breach.
The challenge is how to properly secure the site and share content with other users, internal and external organizations so that users only get to see what has been shared with them. Keeping in mind SharePoint security, there are a number of best practices that help mitigate the most prevalent risks.
1. Single administrator per site
For websites, sub-sites or web portals created with SharePoint, it is highly recommended that there should be only one administrator at a time. It is also recommended to add the administrator’s details to the landing page of a site, enabling users to easily contact the person for help and advice. This would limit the number of people with full access to the website and minimize possible targets in the event of data leaks.
2. No item-level permissions
It may seem that a higher and more secure level of data integrity can be maintained in SharePoint by carefully optimizing access to data and its sharing, and you have the flexibility to set security configurations at the document, folder, site or library level. But the experts recommend otherwise.
Even though organizations can set permissions on almost any level with SharePoint, it is not possible to control or oversee single item level permissions. Assigning a lot of single file permissions may lead to problems related to control over data and information, so assigning such item-level permissions is not recommended at all.
3. Control people’s permissions in Groups
SharePoint provides its admins the facility to assign different permissions on multiple levels, i.e. permissions in groups. It is neither advised to give full or unlimited access to everyone nor recommended to assign permission rights to individual users. You may need to change multiple users’ permissions at a time, and managing permissions in groups is the highly recommended approach because it makes it very easy for administrators to change each person’s permissions.
Through SharePoint, you can assign the following types of permissions to users:
Read – viewing and downloading documents;
Edit – creating and deleting permissions;
View only – viewing access to documents, items and pages;
Contribute – creating, deleting, viewing and changing list items or single documents;
Approve – partial administrator rights, editing / approving list items, documents or pages;
Design – creating document libraries and lists, as well as making design related changes to the site(s);
Limited access – access to a specific item or document;
Full control – access to anything and everything within the system.
Permissions with administrator rights carry a higher chance of a data breach, so they should be given out only after serious consideration and verification.
4. “Share” permission is a huge risk
SharePoint’s “Share” permission gives you the option to share any single item with anyone within SharePoint. But creating a new item-level permission or sharing items or documents externally can greatly increase the vulnerability of company data to a variety of security issues. It is very common for organizations and their IT security staff to overlook sharing permissions set on various levels within SharePoint or other content collaboration platforms. This can become a high security risk and therefore should be undertaken with a lot of attention.
5. Specified Access to SharePoint site
You can also make your data, information and content secure by specifying the network location, IP address(es) or default link permission used to access SharePoint. Staff or users of your organization can then access a SharePoint site only if they are accessing it through the specified network or IP, or through the default link with the assigned permission.
6. Take advantage of Microsoft’s built-in security features
There are a number of built-in features in Microsoft when it comes to security, some of which are enabled by default and the rest need to be configured. The two most important features when it comes to security are data encryption and virus detection. You can also configure the required settings in Microsoft Teams.
7. Adjust your External Sharing Settings
One of the key things you can do to make your content more secure is adjust your external sharing settings. You can simply disable external sharing at site level within the SharePoint Admin Center.
8. Ensuring personal devices of your staff are locked or have safety protocols
There are some non-technical aspects of SharePoint security. Most organizations make sure to secure the desktops and laptops of their staff but often forget that their mobile devices are even more at risk without proper protection. With an increasing number of these users bringing their personal devices to work and accessing the company’s business systems, it is highly recommended to implement some protection on their personal devices including password protection, multi-factor authentication, etc.
9. Segregation of Duties
Often overlooked by most SharePoint administrators is the possibility of a security breach if a disgruntled administrator with a lot of permissions decides to wreak havoc. This is why it is important to segregate the duties of employees to ensure that no single person has full and complete access.
10. Enable Relevant Policies
One of the many steps that can be taken to enhance SharePoint’s security is enabling Data Retention and Data Loss Prevention Policies within the compliance center.
11. Staff Training
Training your staff to use SharePoint while complying with all security policies is an approach that all professional organizations should adopt.
Any Microsoft SharePoint server may contain a huge amount of data and information, some percentage of which will definitely be critical, sensitive or confidential. Carelessly configured permissions can put this information at risk.
Irrespective of the size and nature of business, it is critical for all organizations to adopt SharePoint security best practices. Securing data and information in SharePoint requires discipline and commitment from all stakeholders including organizations, IT administrators, and users.
Since SharePoint is a highly flexible platform and its security model is built on the same lines, it is very easy to define security permissions, like read, write or edit, at any level – from as broad as the whole site collection to as low as a single item or document.
However, while it may seem very easy to assign these permissions directly to users, it can bring about some daunting challenges. Hence, it is recommended to use Groups while assigning permissions, which is a secure and stable security model. Through this approach, permissions are applied to a group and not individuals. When any adjustment in permissions is required, it can be easily done on the group level. Users can be easily removed or added to a group, without the need for any specific permissions.
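The recommendations in sections 1 to 3 and the group-based model described above can be checked against a permissions report exported from a site. The following is an added example, not part of the original article or any Microsoft tooling; the CSV column names, the rule names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample export. The column names are assumptions for this
# example, not a format defined by SharePoint.
SAMPLE_REPORT = """\
Scope,Path,PrincipalType,Principal,PermissionLevel,Inherited
Site,/sites/finance,Group,Finance Owners,Full control,no
Site,/sites/finance,Group,Finance Members,Edit,no
Site,/sites/finance,User,dana@example.com,Full control,no
Library,/sites/finance/Reports,Group,Finance Members,Edit,yes
Item,/sites/finance/Reports/q3.xlsx,User,lee@example.com,Contribute,no
Item,/sites/finance/Reports/q3.xlsx,Group,Finance Visitors,Read,no
Item,/sites/finance/Reports/q4.xlsx,Group,Finance Members,Edit,yes
"""


def audit(report_text):
    """Return sorted (rule, path, principal) findings for the report."""
    findings = set()
    full_control = {}  # path -> principals holding Full control there
    for row in csv.DictReader(io.StringIO(report_text)):
        if row["Inherited"].strip().lower() == "yes":
            continue  # inherited from the parent, so not a unique grant
        path, who = row["Path"], row["Principal"]
        if row["Scope"] == "Item":
            # Section 2: unique permissions set on a single item or document
            findings.add(("item-level-permission", path, who))
        if row["PrincipalType"] == "User":
            # Section 3: the grant went to a person instead of a group
            findings.add(("direct-user-grant", path, who))
        if row["PermissionLevel"].strip().lower() == "full control":
            full_control.setdefault(path, set()).add(who)
    for path, holders in full_control.items():
        if len(holders) > 1:
            # Section 1: more than one principal has full access to this scope
            for who in sorted(holders):
                findings.add(("multiple-full-control", path, who))
    return sorted(findings)


if __name__ == "__main__":
    for rule, path, who in audit(SAMPLE_REPORT):
        print(f"{rule:24} {path:34} {who}")
```

Inherited rows are skipped on purpose: only grants that break inheritance create the per-item and per-user sprawl the article warns about.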