
SharePoint security

Weak link

No chain is stronger than the weakest link!

There are many good security features in SharePoint, especially if your organisation is using SharePoint Online with Office 365. Every user is part of an Azure Active Directory (AD) hosted by Microsoft. This is true even if your organisation does not have any servers, and even if your organisation is just you alone. Access to SharePoint is controlled through Azure Active Directory. There are 3 ways to work with user administration in Office 365.

  • User administration from the Office 365 portal.
  • User administration from the Azure portal; when this is written it is still done from the old Azure portal.
  • User administration with PowerShell scripts: powerful scripts run to add or change several Office 365 users at once.

To make it more complex, there are groups in Active Directory and groups in SharePoint. This can cause a lot of confusion; the best way to work with permissions in SharePoint is to group users in Active Directory and not in SharePoint. My proposal looks like this:

  1. Add users to groups in Azure Active Directory. I urge you to create a "SharePoint Admin" AD group, and why not a CEO group too.
  2. Trim security settings by creating modified copies of permission levels. Never change the default permission levels.
  3. Create SharePoint groups and assign the appropriate permission level to each group.
  4. Add Azure AD groups as members of the SharePoint groups. This saves you a lot of time when staff change position or leave the company.
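The four steps above, scripted as an added example (not from the original post) with the PnP.PowerShell module; the site URL, the permission level and group names, and the Azure AD group object id are constructed placeholders, and the claim format used to address an Azure AD security group is the one SharePoint Online uses for security groups.

```powershell
# Added example, not from the original post. Assumes PnP.PowerShell is installed and the
# account running it is a site collection administrator of $SiteUrl (constructed values).
param(
    [string]$SiteUrl    = "https://contoso.sharepoint.com/sites/finance",
    # Object id of the Azure AD security group created in step 1 (placeholder GUID).
    [string]$AadGroupId = "00000000-0000-0000-0000-000000000000"
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# Step 2: never edit "Contribute" itself; create a named copy and strip deletion rights from it.
$levelName = "Contribute (no delete)"
if (-not (Get-PnPRoleDefinition | Where-Object Name -eq $levelName)) {
    Add-PnPRoleDefinition -RoleName $levelName -Clone "Contribute" `
        -Exclude DeleteListItems, DeleteVersions `
        -Description "Copy of Contribute without delete rights, used by Finance staff"
}

# Step 3: a SharePoint group that carries only the custom level.
$groupName = "Finance Staff (SP)"
if (-not (Get-PnPGroup | Where-Object Title -eq $groupName)) {
    New-PnPGroup -Title $groupName -Description "Membership comes from Azure AD group 'Finance Staff'"
}
Set-PnPGroupPermissions -Identity $groupName -AddRole $levelName

# Step 4: the Azure AD security group is the only member, so joiners and leavers are
# handled in Azure AD and never in SharePoint. Security groups are addressed by this claim form.
Add-PnPGroupMember -Group $groupName -LoginName "c:0t.c|tenant|$AadGroupId"

# Check: list the levels now bound to the group so a reviewer can confirm that no default
# level (Contribute, Edit, Full Control) was left attached alongside the custom copy.
Get-PnPGroupPermissions -Identity $groupName | Select-Object Name, Description
```

Run it once per site collection; the idempotent checks make a second run harmless, and the final listing is what you keep as evidence that the group holds only the trimmed level.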

Why is it so important to keep control of security in SharePoint? The most important point is also SharePoint's biggest advantage: SharePoint search shows the user the information the user has access to. If a user has been given more permission than they should have, the search results may reveal secret information. If the user is a happy employee with security awareness, that is OK. However, if the user is unhappy with the job and has not been informed about, or does not care about, the security policy, this can be dangerous to your organisation.

There are other issues with security in Office 365 and SharePoint. The biggest issue I see is external sharing; this is unfortunately often neglected, either on purpose or due to incompetence. The SharePoint administrator should block all external sharing by default for all site collections. If users want to share information externally in SharePoint Online, they should be urged to file a request. In the request form the user shall be informed of the risks, and of the extended logging that the administrators will add. In the best of situations the approval should come from both the owner of the site (the business owner of the stored information) and from the security compliance administrator (does your organisation have one?). External sharing can be made with a requirement to sign in to Office 365; the external user will then be added to your Azure Active Directory as an external user. It is also possible to allow external sharing by just providing a link, but this makes the information available to everyone on the internet!
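The default-deny model for external sharing described above, as an added example using the SharePoint Online Management Shell (not from the original post); the tenant admin URL and the list of sites approved through the request process are constructed.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Online.SharePoint.PowerShell
# module and a SharePoint administrator account; URLs below are constructed placeholders.
param(
    [string]$AdminUrl = "https://contoso-admin.sharepoint.com",
    # Site collections whose external-sharing request has been approved by the site owner
    # and the security compliance administrator (constructed list).
    [string[]]$ApprovedSites = @("https://contoso.sharepoint.com/sites/partner-project")
)

Connect-SPOService -Url $AdminUrl

# Tenant ceiling: external users must sign in (they become guests in Azure AD); anonymous
# "anyone with the link" sharing is never possible, and the default link type stays internal.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Direct

# A site can never be more open than the tenant, but new sites inherit the tenant value,
# so every site collection is walked and the result recorded before anything is changed.
$report = Get-SPOSite -Limit All | ForEach-Object {
    [pscustomobject]@{
        Url      = $_.Url
        Owner    = $_.Owner
        Before   = $_.SharingCapability
        Approved = ($_.Url -in $ApprovedSites)
    }
}

foreach ($site in $report) {
    # Approved sites get sign-in-only sharing; everything else is closed. Unchanged sites
    # are skipped so the audit log only shows real changes.
    $target = if ($site.Approved) { 'ExternalUserSharingOnly' } else { 'Disabled' }
    if ($site.Before -ne $target) {
        Set-SPOSite -Identity $site.Url -SharingCapability $target
    }
    $site | Add-Member -NotePropertyName After -NotePropertyValue $target
}

# Sites that were open without approval are the ones to follow up with their owners.
$report | Where-Object { -not $_.Approved -and $_.Before -ne 'Disabled' } |
    Format-Table Url, Owner, Before, After -AutoSize
```

Schedule this regularly rather than running it once: a newly created site collection inherits the tenant setting and will appear in the follow-up table on the next run.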

To assist your users in complying with security, Microsoft has added rights management to some editions of Office 365. For those who do not have it, a good add-on is Enterprise Mobility Suite (EMS), as this will give you rights management. EMS is a product that adds features to Azure AD for controlling access, now even for mobile devices. The feature is Azure Rights Management and, if activated, it can control information stored in SharePoint. In SharePoint it is labelled Information Rights Management (IRM); the biggest benefit is to activate IRM on document libraries with secret information. When a user is about to share a document from a library with IRM activated, they will either be informed that this is not advisable or be blocked from sharing. The user can even be blocked from emailing the document to someone outside of the organisation, including to the user's own private email address.

IRM can control or prevent the following, for anyone who wants to access the document (even if that person is not part of your organisation):

  • Copying information by using the clipboard, the "Snipping Tool" or Print Screen.
  • Printing the document.
  • Forwarding it to another recipient.
  • Opening the document without re-validating by signing in to AD within a set period of time (by default 30 days).
  • Time-limiting access to the document.
  • Tracking usage of the document, even for external users.

These controls follow the document during its lifetime, even if the document is copied to a USB drive. Adding the re-validation after a set period of time is good if the USB drive is lost or stolen.

Organisations in Europe should really start to look at IRM in order to comply with the new General Data Protection Regulation (GDPR) from the EU. The clock is ticking, as the work has to be finished by 25 May 2018. We at Netintegrate have many good partners we work closely with to assist you in complying with GDPR. Our partners are certified security consultants, lawyers and legal advisors. Our expertise in Office 365 and SharePoint security is a benefit for you in your task to comply with GDPR. We can even spice up the benefit with our strongest feature: the ability to train anyone. Our customers say we can explain technology in plain language.