IT now lives in a world where security is always a consideration, no matter the data set, application, OS, or platform. External attacks, ransomware, cyber espionage, and even attacks from insiders threaten every organization, regardless of size or industry. With SharePoint hosting some of your company’s most precious and valuable data, the question posed in the title of this article is well-founded.
While you may be thinking you’ve got permissions under control, I’ll respectfully submit to you that you don’t. And not just the “you let a few permission assignments slip by” kind of don’t, but more the “no… it’s much worse than you fathom” kind of don’t. Here’s why: in a recent Ponemon study, 71% of end users stated they frequently or very frequently have access to information they shouldn’t [1]. Stop and let that sit for a moment – nearly three-fourths of your users can read, copy, overwrite, and delete information you have zero intent of them accessing.
And it’s a bigger problem than you think.
There are a few potential “résumé-generating events” that can happen because of this:
- Insider Data Theft – the misuse of privileges is the second most prevalent attack method found in successful data breach incidents (just behind hacking). Insider threat actors leverage whatever access is granted to them (including all those extra privileges they have) to exfiltrate valuable data.
- External Threats – approximately two-thirds of data breaches last year were committed by external actors (hackers, malware authors, threat organizations, etc.) [2]. These attackers leverage any and all credentials to access applications, systems, and data (including SharePoint). And, remember, most of those credentials are over-privileged.
- Ransomware Attacks – the latest variants of ransomware, such as Cerber, not only attempt to encrypt as much data on as many systems as possible (including SharePoint data synced to users’ laptops), but also avoid detection by anti-malware solutions.
I called these “résumé-generating” because, to be candid, they’re kind of your fault.
It’s a tough pill to swallow, but while IT was busy addressing all those weekly requests to grant access, no one was submitting tickets to remove access. So, over time, your once clean set of SharePoint permissions (likely utilizing AD groups) has slowly been creeping towards permissions entropy. If a data breach event were to happen, IT may very well have contributed to the problem by not having dealt with the permissions problem.
Getting a Grip on SharePoint Permissions
Whether your SharePoint environment is made up of just a few sites, or spans countless servers, farms, site collections, etc., there’s a common problem – visibility. It’s far more likely that you literally have no idea how bad it really is (due to a lack of visibility) than that you’re fully aware of the problem and are simply ignoring it.
Visibility is necessary not just to get a handle on SharePoint permissions, but to retain an iron grip on them. There are a few aspects of visibility you should consider having a solution in place to address:
- Visibility into the current state of permissions – understanding who has access to what is critical to creating a baseline to work against, whether as part of a clean-up effort, or to refer to as part of daily change management. This includes the permissions assigned within SharePoint, as well as (if you’re assigning permissions to AD groups) the current state of a given group’s membership.
- Visibility into permissions changes – the value of a state-in-time view diminishes with each change to security. Having visibility into changes in at least near-real-time is critical to ensuring permissions stay under control.
- Visibility during migration and consolidation – many enterprise instances of SharePoint go through numerous reorganizations. Without visibility into the old and new sets of permissions assigned (as well as a distinct level of control during the process), you’ll perhaps get all the data moved to where it needs to go, but the mix of old and new privileges may simply make security matters worse.
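The first two points can be made concrete with a small added example (not part of the original article or of any product it mentions). It assumes permission assignments and AD group membership have already been exported to simple rows; all site paths, group names and user names are constructed. It expands groups, including nested ones, into per-user effective access and diffs two snapshots, showing that a group membership change alters access even when no SharePoint assignment was touched.

```python
from collections import defaultdict

def effective_access(assignments, group_members):
    """Expand (object, principal, level) rows into {(object, user): {levels}}."""
    def expand(principal, seen):
        if principal not in group_members:   # not a known group: treat as a user
            return {principal}
        if principal in seen:                # guard against circular nesting
            return set()
        users = set()
        for member in group_members[principal]:
            users |= expand(member, seen | {principal})
        return users

    access = defaultdict(set)
    for obj, principal, level in assignments:
        for user in expand(principal, frozenset()):
            access[(obj, user)].add(level)
    return dict(access)

def diff_access(baseline, current):
    """Return (granted, revoked) as sorted lists of (object, user, level)."""
    def flat(acc):
        return {(o, u, lvl) for (o, u), levels in acc.items() for lvl in levels}
    before, after = flat(baseline), flat(current)
    return sorted(after - before), sorted(before - after)

# Constructed sample: identical SharePoint assignments, changed AD membership.
ASSIGNMENTS = [
    ("/sites/finance", "GRP-Finance", "Edit"),
    ("/sites/finance/payroll", "GRP-Payroll", "Full Control"),
    ("/sites/hr", "alice", "Read"),
]
GROUPS_BASELINE = {"GRP-Finance": ["alice", "GRP-Payroll"], "GRP-Payroll": ["bob"]}
GROUPS_CURRENT = {"GRP-Finance": ["alice", "GRP-Payroll"], "GRP-Payroll": ["bob", "carol"]}

def report():
    base = effective_access(ASSIGNMENTS, GROUPS_BASELINE)
    cur = effective_access(ASSIGNMENTS, GROUPS_CURRENT)
    return diff_access(base, cur)

if __name__ == "__main__":
    granted, revoked = report()
    for row in granted:
        print("GRANTED", *row)
    for row in revoked:
        print("REVOKED", *row)
```

Adding one user to a nested group grants access to two sites here, which is why the baseline has to include group membership and not only the assignments made inside SharePoint.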
Think of this article as sort of your own personal SPA (SharePoint Anonymous) meeting – the first step is admitting you have a problem (with permissions, that is). Once you get past that hurdle, the next step is to take seriously the security gap that exists due to mismanagement of permissions, and formulate a plan to audit the current state of permissions (likely using a third-party solution), and work through your environment to bring your security to a state of being on point.
Make Sure Your SharePoint Permissions Are On Point
Without a solution like DocAuto’s SPorganizer™ that provides a holistic view into one or many SharePoint environments, and one or many SharePoint objects at a time, it's very difficult to make sure you’re giving the right permissions to the right people at the right time. Regardless of the type of organization or the complexity of your SharePoint environment, SPorganizer can help you keep data accessible, safe, and in compliance, while dramatically reducing the time it takes to manage SharePoint.
[1] Ponemon, Corporate Data: A Protected Asset or a Ticking Time Bomb? (2014)
[2] Verizon, Data Breach Investigations Report (2017)
SPorganizer is a trademark of DocAuto, Inc. SharePoint is a registered trademark of Microsoft.