SharePoint 2013: Exciting new capabilities to share (leak?) sensitive data


By Andy Han

SharePoint 2013, made generally available (GA) earlier this year, introduces several new features that will impact how information is shared across the enterprise: new social capabilities, improved search, cross-site publishing, and a roadmap for companies that want to move to Office 365 in the Azure cloud. The net impact seems to be that sharing information inside and outside an organization will be even easier. This will likely create new challenges for organizations that want to control how teams are accessing and distributing data in SharePoint.

However, one problem is that SharePoint still only supports container-based controls. IT Administrators and site owners must define and manage Access Control Lists to control SharePoint containers (site collections, sites, webparts, lists and libraries, and so on). Microsoft admits that managing access control in this way can be messy, as they write in their best practices guide:

Most websites are created speedily, with the aim of solving a particular problem or getting a specific set of information to people who need it quickly…That’s good, but the structure of the site that you start with often becomes the default structure as your site collection grows and is required to meet other kinds of needs. This growth can result in permissions-settings chaos, where everyone in the organization has full control over sub-sites or every individual requires new permissions for every new site they need to use.

The same article discourages companies from applying “unique permissions” to sensitive documents; the advice is instead to segregate sensitive data in a dedicated site or library and apply permissions to that container.

Ironically, Microsoft already has a good solution to this problem. With Windows Server 2012, Microsoft introduced attribute based access control (ABAC) in its Dynamic Access Control (DAC) feature, which lets you design controls based on multiple attributes associated with a resource; because those attributes are stored in the file's metadata, they travel with the file across different containers. DAC is not supported in SharePoint 2013.

While SharePoint does allow you to apply metadata to files uploaded into SharePoint (for Office files and, with 2013, PDFs as well), and to target SharePoint data using “terms” rather than locations (in its Term Manager feature), there is no direct connection between file metadata, terms, and the access controls applied to users and security groups. So you can neither easily apply controls across a class of data regardless of where it is stored, nor easily define a class made up of multiple attributes (for example, project team plus level of sensitivity).
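As an added illustration, not code from this post or from Microsoft, here is a small constructed Python model of the two approaches: a container ACL whose answer depends on where a file sits, beside an attribute rule that follows the file's own metadata (project and sensitivity) when the file is moved to a more open library. All group names, paths and attribute values are assumptions for the demo.

```python
"""Constructed demo: container ACLs vs. an attribute-based rule.

Hypothetical model only (not SharePoint or Windows DAC code). It shows
why a file's effective access differs under the two models once the file
is moved between containers, and how a class spanning two attributes
(project + sensitivity) is expressed in the attribute model.
"""
from dataclasses import dataclass, field


@dataclass
class Document:
    name: str
    container: str                              # e.g. a SharePoint library
    attrs: dict = field(default_factory=dict)   # metadata that travels with the file


@dataclass
class User:
    name: str
    groups: set      # AD / SharePoint security groups
    claims: dict     # user attributes, e.g. team membership and clearance


# Container-based model: one ACL per container, keyed by security group.
CONTAINER_ACL = {
    "sites/finance/restricted": {"FinanceLeads"},
    "sites/finance/shared": {"FinanceLeads", "AllStaff"},
}


def container_allows(user, doc):
    """Access is decided purely by the container the file currently sits in."""
    return bool(CONTAINER_ACL.get(doc.container, set()) & user.groups)


def abac_allows(user, doc):
    """Access is decided by file metadata and user claims, wherever the file is."""
    if doc.attrs.get("sensitivity") == "high":
        # The class is the pair (project, sensitivity): both must match.
        return (user.claims.get("team") == doc.attrs.get("project")
                and user.claims.get("clearance") == "high")
    return "AllStaff" in user.groups


def compare(user, doc):
    return {"container": container_allows(user, doc), "abac": abac_allows(user, doc)}


def scenario():
    """Move a sensitive file to a broader library and record both decisions."""
    doc = Document("q3-forecast.xlsx", "sites/finance/restricted",
                   {"project": "Q3", "sensitivity": "high"})
    staff = User("bob", {"AllStaff"}, {"team": "Marketing"})
    lead = User("alice", {"FinanceLeads", "AllStaff"}, {"team": "Q3", "clearance": "high"})
    before = (compare(staff, doc), compare(lead, doc))
    doc.container = "sites/finance/shared"     # someone moves it to the shared library
    after = (compare(staff, doc), compare(lead, doc))
    return {"before": before, "after": after}
```

After the move, the container model grants the marketing user access simply because the file landed in a library everyone can read, while the attribute rule still denies it because the file's metadata has not changed.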

If the goal of SharePoint is to empower organizations to safely share their critical data, new expansions in sharing capability should be matched by parallel advances in access control. The more precise and manageable the controls, the more organizations can open up sharing channels with the assurance that their data is secure.


2 thoughts on “SharePoint 2013: Exciting new capabilities to share (leak?) sensitive data”

  1. Nice article Andy,
    In case you were not aware a module exists now that allows you to implement Attribute Based Access Control in SharePoint.
    Enterprise Security Services Platform for SharePoint allows user attributes to be defined either via ADFS Claims or membership of an AD group. ESSP then allows you to define a data classification scheme that will then control access to sensitive documents based on those attributes.
    You can find more out here: https://berkeley.solutions/essp-sharepoint
