SharePoint Collaboration Meet Dynamic Permissions

SharePoint collaboration promises to make organizations more effective across all devices, greatly improving mobile access to content, people, and applications. This promise, however, can quickly result in significant business risks as collaboration in SharePoint becomes cumbersome, costly, inflexible and prone to security breaches.

Risky Business

Securely collaborating in SharePoint depends on the correct users gaining access to the correct documents. This results in significant challenges for SharePoint, exposing organizations to unnecessary risk and non-compliance. Today’s users don’t only need to access information from within the corporate network from a corporate PC—they need mobility. Organizations must balance the increased risk and need for users to work from less secure locations on less secure devices.

To grant access to documents based on the traditional permission model, administrators need to constantly update user/group definitions and document permissions to reflect collaboration needs. This is time-consuming and, to keep up, administrators often adopt a “security compromise” approach, which exposes the organization to significant security weaknesses. These intricate collaboration permissions can significantly impact system performance because the long list of permissions assigned to each user must be constantly evaluated against an equally long list of permissions assigned to each document. The permission process typically involves multiple departments, resulting in significant lag between when a change is needed and when it is actioned.

The result? Frustrated business users. And when frustrated, they start looking for quick fixes. That usually involves duplicating sites and documents as well as storing files on unsecured and uncontrolled locations. In most cases, attempting to solve the collaboration problem with permissions just results in a serious degradation in security and compliance.

Encryption Makes It Worse

Some companies turn to encryption as a mechanism to strengthen security. SharePoint increasingly turns to RMS as the encryption platform of choice. To date, this encryption is either applied manually by a user or a global RMS configuration is applied when documents are taken out of SharePoint. Manual encryption is too time-consuming and prone to error, and global encryption is not granular enough to mirror the collaboration needs. As a consequence, RMS is not widely used.

SharePoint 2016 is capable of automatically quarantining at-rest documents containing sensitive content. However, this does nothing to solve the problem of collaboration and permission management. At-rest document encryption also results in a significant increase in processing overhead. Information has to be decrypted and re-encrypted every time it is viewed, changed and saved. Even tens of users collaborating on hundreds of documents can overload the encryption service. Hundreds of users collaborating on thousands of documents is completely impractical. The decision becomes either to put up with the performance degradation or to use encryption sparingly. Consequently, RMS adoption is again limited.

Using traditional, static permissions or encryption is not the solution. It limits secure document collaboration and editing, and requires a high level of IT overhead to regulate—ensuring documents only leave the company when they should.

Dynamic Permissions Solve the Collaboration Problem

To overcome these issues, a new style of permission management, dynamic permissions, is now used. Dynamic permissions offer an additional layer in the permission management model, controlled by a set of policy rules. Every SharePoint interaction by a user or application is validated against these rules. Permissions are applied on-the-fly, based on the properties of the user and the document they are attempting to access. These policy rules not only marry traditional permissions with user and document properties (i.e., “permission by metadata”), but can also harness information about users’ connection to SharePoint, such as their IP address, country of origin, and access device type.

With dynamic permissions, the administrative burden is significantly lessened and much of the administrative effort can be decentralized to the departments that own the documents and understand the needs of their users. Whenever a policy rule is changed, the changes are applied instantaneously across the farm. This flexibility ensures complex collaboration rules are readily defined and enforced across the organization.

Dynamic permission rules can also dictate when encryption is applied. Applied on-the-fly, permissions can be used to not only restrict the user’s access, but also what he or she is allowed to do with the information—view, edit, delete, print, copy, download, or distribute. Dynamic permissions also secure documents attached to emails. Encryption is tailored to the recipient of the email for each attachment, even when forwarded to unintended audiences.
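The layered evaluation described above, sketched as an added example (not Cryptzone's or SharePoint's code): the rule set, the attribute names and the `10.0.0.0/8` corporate range are assumptions made for illustration. The rules only narrow the static permissions and fail closed when an attribute is missing or unparsable.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values for illustration; not taken from any product.
CORPORATE_NET = ip_network("10.0.0.0/8")
ALL_ACTIONS = frozenset(
    {"view", "edit", "delete", "print", "copy", "download", "distribute"})

@dataclass(frozen=True)
class Request:
    user: dict      # user properties, e.g. {"department": "finance"}
    document: dict  # document metadata: department, classification, ...
    ip: str         # connection context
    country: str
    device: str     # "managed" or "byod"

@dataclass(frozen=True)
class Decision:
    actions: frozenset  # what the user may do with the document
    encrypt: bool       # encrypt the copy for this user on download

def on_corporate_network(ip: str) -> bool:
    try:
        return ip_address(ip) in CORPORATE_NET
    except ValueError:
        return False  # unparsable address is treated as off-network

def evaluate(req: Request, static_actions: frozenset) -> Decision:
    """Apply policy rules on top of the static permissions, per request."""
    actions = set(static_actions) & ALL_ACTIONS
    user, doc = req.user, req.document
    confidential = doc.get("classification") == "confidential"
    on_net = on_corporate_network(req.ip)
    # Rule 1 (permission by metadata): confidential documents are visible
    # only to the owning department.
    if confidential and user.get("department") != doc.get("department"):
        return Decision(frozenset(), False)
    # Rule 2 (country of origin): a missing allow-list denies access.
    if confidential and req.country not in doc.get("allowed_countries", ()):
        return Decision(frozenset(), False)
    # Rule 3 (IP address): off-network sessions lose high-risk actions.
    if not on_net:
        actions -= {"delete", "distribute", "print"}
    # Rule 4 (device type): unmanaged devices may only view and download.
    if req.device == "byod":
        actions &= {"view", "download"}
    # Encryption is decided by policy, not by the user.
    encrypt = ("download" in actions and confidential
               and (req.device == "byod" or not on_net))
    return Decision(frozenset(actions), encrypt)
```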

With the increased use of BYOD, significant security breaches can occur due to accidental device loss (including phones and USB sticks). Dynamic permissions silently encrypt information for just the current user as it is edited or downloaded to devices. Document access periods can be specified, so even if lost, there is no security breach.

Global companies need their users to collaborate on documents from many different devices and locations. The demands on permissions and encryption change constantly, and static encryption with RMS alone doesn’t solve these problems. To keep up with the evolving requirements of modern collaborative environments, permission management must adapt at the same pace. Adding the layer of dynamic permissions to an organization’s permission management model is needed to reduce risk while encouraging secure collaboration.


Cryptzone secures the enterprise with dynamic, identity-driven security solutions that protect critical services, applications and content from internal and external threats.

Email: sales@cryptzone.com; Phone: +1.888.272.2484 (US & Canada); Web address: www.cryptzone.com