2013-11-07

Everyone will recognize the news stories about confidential information ending up on the street. Not because of a hacker, but simply through the clumsiness of an employee. Losing a USB stick, for example, seems like a trivial thing.

A study among 400 companies showed that on average 12,000 customer/employee records are lost. A 2.5 million dollar issue! The news items are hilarious at times, but what about the security of files in your Microsoft SharePoint 2013 environment?

Of course it’s great that you can share selected documents with external stakeholders, but I don’t think it’s the intention that internal files are viewed by these external stakeholders. Let’s say you work at a construction company: you wouldn’t want subcontractors seeing each other’s bids!

In this blog I want to tell you more about some of the possibilities Microsoft SharePoint 2013 offers, the risks they entail, and how you can use them responsibly to avoid situations like those mentioned above.

Opportunities for sharing in Microsoft SharePoint 2013

Sharing information with an individual or a group of users (e.g. all suppliers) in SharePoint 2013 is possible at the following levels:

  • the entire project file (a site or a site collection);
  • a document library;
  • a folder within a document library;
  • a document within a folder and / or document library.

Nothing new so far, because these options were already there in previous versions of SharePoint. What is new in SharePoint 2013 is the appearance of the “Share” button. Where the end user in previous versions had to be some kind of SharePoint consultant to change permissions on any of the parts mentioned above, SharePoint 2013 makes this a lot easier.

Facebook as an example

Instead of controlling permissions through various settings menus, now each site (collection), document library, folder or document includes a “Share” button. As for the user experience, the Microsoft SharePoint team looked closely at social media powerhouse Facebook. The end user can select a document and give access to an individual or a group of users, using the “Share” button. Here you can choose to give read-only or editing permissions. All this is in line with the experience that Microsoft already offers for individuals using SkyDrive.

You need to be a Site Owner

“Sounds pretty good”, you might say. And you’re right, it’s great! However, there is something to reckon with: the permissions that a user needs to make sharing possible. Microsoft says: “You need to be a Site Owner or have full control permissions to share”. You must own the site or have full control permissions on the document library to be able to share. The question is whether it is sensible to give end users these permissions.

Because the “Share” button really is everywhere within Microsoft SharePoint 2013, the risk of errors being made is huge. Imagine someone accidentally sharing an entire site or a document library with a third party, rather than just a document. That’s quite different from one file emailed to the wrong recipient. Wild west scenarios are looming.

Permissions, permissions, permissions!

My point is that it’s extremely important to think carefully about the permission structures within your SharePoint (2013) environment. Who can see which document or, perhaps more importantly, who should absolutely not see certain documents? Do I want to give my end users the ability to instantly share documents, or am I going to attach an approval flow in which the project manager gives his approval before the document is actually shared? These are very important security aspects to consider.
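To see where sharing has already changed permissions at each of the four levels listed earlier (site, document library, folder, document), the following audit script can help. It is an added example, not part of the original post and not code from Microsoft or Lacun. It assumes it runs in the SharePoint 2013 Management Shell on a farm server; the site URL is a placeholder and `Get-SharedEntry` is a hypothetical helper name.

```powershell
# Added example: run in the SharePoint 2013 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "https://sharepoint.example.local/sites/projects"   # placeholder URL

# Hypothetical helper: emits one row per principal on an object that no longer
# inherits permissions from its parent (that is, something was shared here).
function Get-SharedEntry {
    param($Securable, [string]$Level, [string]$Url)
    if (-not $Securable.HasUniqueRoleAssignments) { return }
    foreach ($ra in $Securable.RoleAssignments) {
        # Assumes default English role names ("Limited Access", "Full Control").
        $roles = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name } |
                   Where-Object { $_ -ne "Limited Access" })
        if ($roles.Count -eq 0) { continue }
        [pscustomobject]@{
            Level     = $Level
            Url       = $Url
            Principal = $ra.Member.Name
            Roles     = $roles -join ", "
            # Full Control holders are the ones who can share further.
            CanShare  = $roles -contains "Full Control"
        }
    }
}

$site = Get-SPSite $siteUrl
$report = foreach ($web in $site.AllWebs) {
    Get-SharedEntry $web "Site" $web.Url
    # Copy the collection first so enumeration is stable; skip hidden system libraries.
    $libraries = @($web.Lists | Where-Object {
        $_.BaseType -eq "DocumentLibrary" -and -not $_.Hidden })
    foreach ($list in $libraries) {
        Get-SharedEntry $list "Library" ($web.Url + "/" + $list.RootFolder.Url)
        foreach ($folder in $list.Folders) {
            Get-SharedEntry $folder "Folder" ($web.Url + "/" + $folder.Url)
        }
        foreach ($item in $list.Items) {
            Get-SharedEntry $item "Document" ($web.Url + "/" + $item.Url)
        }
    }
    $web.Dispose()
}
$site.Dispose()

$report | Sort-Object Level, Url | Export-Csv .\sharing-audit.csv -NoTypeInformation
```

Rows at the "Site" or "Library" level that name an external party are the accidental over-sharing cases described above. On very large libraries, enumerating every item is slow, so run the script outside business hours.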

Besides the opportunities that standard SharePoint 2013 offers, Lacun offers a product that, based on the properties of a document, determines which users have permissions to that document. This will, for example, determine that drawings may be shared, but financial documents may not. This way, the “Share” functionality in SharePoint 2013 is used responsibly and safely.

About the author 

Bas de Wit