One of the most challenging parts of managing SharePoint is permissions. Supporting SharePoint adoption requires trust in the platform, and in many cases the out-of-the-box permissions management just doesn't meet that need. In many environments it is poor governance and poor management practices that lead to information leaks, and those leaks ultimately give SharePoint a bad name. Failed deployments can be traced back to the same cause: permissions, authentication and security controls applied inconsistently or not at all. The key to a successful deployment is appropriate data governance, and managing your assets means proper controls. The reality of any out-of-the-box SharePoint deployment is that permissions are applied manually. That is labor intensive when it is centralized, and even when it is delegated there is rarely an effective, consistent process for data governance.
To address these needs TITUS has built a suite of products for managing security across SharePoint Server and the Office and Adobe client platforms, with the SharePoint solution integrated with the client solutions. The key to understanding the TITUS approach to data governance is TITUS Metadata Security for SharePoint. It provides controls at the right levels while dynamically addressing your data governance needs.
Figure 1: TITUS Metadata Security for SharePoint
Understanding Challenges Today
Today permissions management is labor intensive. Users upload documents, permissions are set on libraries, and they are rarely set on individual items, which simply inherit from the library. When inheritance is broken on an item, people suddenly think documents have gone missing and confusion ensues.
Not only is permissions management labor intensive, it is very hard to keep consistent. Some folders, lists, or libraries mix confidential and public information. How does one deal with data intended for different audiences sitting in the same storage location?
As well, as a user, how many times have you been asked to upload a document to a site you are visiting for the first time? You wonder, "Is this site wide open, or am I even going to be able to get in?" It's not uncommon to lack the permissions, and the site administrator, tired of the requests, ultimately just opens up permissions to everyone.
In understanding the challenges of compliance, it's important to understand that the core of data governance is permissions, authentication, and authorization. The solution is visual labels: being able to clearly see that something is classified, sensitive, or, quite the opposite, public is very important. Classifications, watermarks and clear marking standards can help meet objectives for HIPAA, SOX, ITAR, CUI, GPMS, and various ISO standards.
Figure 2: TITUS Metadata Security: Settings
Let's understand the problem by looking at the specific challenges.
- Item Security – Adding security to individual items is possible today, but it is increasingly avoided: the more granular the security, the harder it is to manage. When someone leaves employment there is no built-in way to give the replacement employee the rights of the person who left.
- What are the Real Effective Permissions – Permissions in SharePoint are very hard to troubleshoot. Because of security trimming, a user may simply not see a file. Why not? Is it because they lack rights, because the item isn't targeted to them, or because of trimming driven by AD group membership or SharePoint permission levels? The complexity of trimming is a challenge in itself.
- Permissions: A High Volume Support Issue – Permissions are the No. 1 support issue with SharePoint, based on my experience in Microsoft IT. In fact I've seen that more than half of the issues tier 1 support deals with are fixing and troubleshooting permissions. It's a pain. It's gotten better with each subsequent version, but it still isn't easy.
- Column-Based Security – There is no way out of the box to assign rights based on the value in a column. If someone wants to mark something as confidential, they have to set the column and then separately go into the permissions of that item and change the rights.
- Visualizing Permissions – When users upload documents into the same place as many other documents, some public and some confidential, it is hard for them to know which is which. With lots of users and lots of documents, a user has no practical way to understand what rights they have or what rights other users have, and confusion follows.
My Experience with TITUS Metadata Security
Security is a big problem. I spoke at a CSO summit a few years ago and got an earful from security leadership. They were mad. They were concerned about compliance, and about the lack of visibility and real manageability around the SharePoint platform. At the time I had to tell them to invest in management products to get their arms around SharePoint. I still agree that permissions cloning and reporting can help, but what I found enlightening about TITUS was that users uploading documents themselves would understand the intuitive nature of leveraging enterprise content types and securing documents based on classifications and rules.
In the screenshot in Figure 2 above, you can see a number of rules applied on top of SharePoint's normal permissions. TITUS works with SharePoint ACLs rather than replacing them. For example, a rule such as Finance Content = content marked as Finance, or a rule that a Contractor should only be able to see content marked as Public. This rules-based approach requires good structure to be in place, but it lets you apply rules in bulk and change rules that take effect at a very granular level.
I'm in the process of trying to categorize all our SharePoint sites into three classifications. Our approach was to try to do this at the site level. I immediately got push back from Finance saying they had content that was classified in their team sites but that some of the data was public. This definitely makes it a lot harder since I don't yet have enterprise content types in place. Looking at how easy they make it seem to simply show whether a document is classified or public, it could make creating those rules a lot easier.
Figure 3: TITUS Metadata Security: The attributes on a user in AD can be leveraged in Claims
Where I find the real strength of what TITUS is doing is in the area of sensitive documents. That's for sure their sweet spot. For many ad hoc team sites it won't make sense to use something like this; the out-of-the-box contributor, member and reader roles will work just fine. What will get really interesting is claims-based authentication and extranets. When you have vendors coming in, they should be seeing different content from the workforce, and managers should be seeing much richer data than the average employee. These rules-based approaches can add much more logic to claims-based authorization when the user's identity is combined with the role, group, or other metadata about that user and that combination is used for authorization.
What I like a lot about the TITUS approach is that they really embrace the SharePoint authentication and authorization methods. They honor the SharePoint security ACL. They don't try to do something behind SharePoint's back, and the solutions that do are the ones that concern me. Why not let SharePoint do its job? As well, it uses timer jobs to apply SharePoint ACLs automatically, so it doesn't matter whether users come in via search, explorer view, RSS, or the web services APIs: the same ACL is enforced on every path. Competing products that add their own layer in front of SharePoint may require you to shut off explorer view altogether.
From logging to dynamic and fine-grained policies, users get what they should have access to as identities and metadata change, even while content is being added and deleted. The rules engine is pretty impressive. Not seeing what you need? TITUS has a professional services team who can help you work out claims-based authorization for your information, your roles and your needs.
So, What’s the Downside?
With all these rules, there is more to manage. SharePoint's out-of-the-box permissions are a pain today, and the reality is that information leaks happen through poor management and poor oversight. What you get from TITUS is a rules engine that will not correct user behavior 100%, but it will provide additional insight and make it easier for users to do the right thing.
Another downside is the requirement to get your ducks in a row. You will need either to implement good governance with enterprise content types, or to use a custom claims provider so that the relevant claims are associated with each user. That isn't a bad thing, but claims can be difficult at first; it has to be the right decision for your deployment, and just because you can doesn't mean you should.
The military, governments, hospitals, and others managing sensitive environments will find that a well-managed deployment is even more secure with TITUS. If you don't care about security now, you'll find it a chore: users get annoyed filling out fields they don't care about, and when it does matter they may get lazy. It's important to use this where it counts.
Licensing is per user, starting at 500 users, with volume discounts. There are Standard, Enterprise and Claims license levels. If you haven't implemented claims with SharePoint yet, the Standard and Enterprise editions provide rule-based security without requiring claims. Organizations that need compliance with standards including ISO will find it much easier to meet the requirements for classifying data. Others, especially those using SharePoint for simple document sharing and lightweight collaboration, will find it unnecessary.
The product is deployed as a farm-level solution, so depending on how you want to manage permissions it may provide more than you need on sites that don't require sensitive permissions management. A farm solution means server-side code, so the product does not support Office 365.
TITUS Metadata Security for SharePoint provides a lot of great features for managing your environment based on metadata. The key thing to understand is that it is dynamic: it enforces governance based on rules and on attributes of a user. Rules can be applied based on metadata on a document or list and can optionally incorporate attributes of a user or role carried in a claim.
In simple terms, if you mark a document as classified, only those with classified clearance can see it. That's powerful because it is automated and consistent. The solution puts the emphasis on end-user accountability: with the TITUS SharePoint Security Suite, the document you upload must be classified, and based on what you choose it can carry a date/time stamp and a watermark, and SharePoint security is enforced automatically based on the data classification and how it applies to the reader's user attributes.
I am happy to see a solution like this that brings focus to making SharePoint compliant and does it in a straightforward way that is easy to understand.
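To make the rule evaluation concrete, here is an added example in Python. It is my own illustration, not TITUS's engine and not a SharePoint API. It models the three things described in this post: the library ACL as the baseline, content rules driven by column values (the Finance Content and classified-clearance rules discussed around Figure 2 and above), and a principal rule driven by a user claim (contractors read Public only, as in the claims-based extranet discussion). Every user, claim, document, rule name and column name below is constructed for illustration. Besides a yes/no, the evaluator returns the list of rules that fired, which is the answer to the "why can't this user see that file?" effective-permissions question raised earlier, and a second function computes what a sync job would write as an item's unique permissions.

```python
"""Metadata- and claims-driven read authorization for a document library.

Added example, not the vendor's engine and not a SharePoint API. Every user,
claim, document and rule below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Claim = Tuple[str, str]  # (claim type, value), e.g. ("dept", "Finance")
Item = Dict[str, str]    # column name -> column value on one document


@dataclass(frozen=True)
class User:
    name: str
    claims: FrozenSet[Claim]  # what a claims provider would assert from AD attributes


@dataclass(frozen=True)
class ContentRule:
    """Reading an item whose column equals value requires the given claim."""
    name: str
    column: str
    value: str
    required_claim: Claim


@dataclass(frozen=True)
class PrincipalRule:
    """Users holding claim may only read items whose column equals value."""
    name: str
    claim: Claim
    column: str
    value: str


@dataclass(frozen=True)
class Policy:
    library_readers: FrozenSet[Claim]  # the library's own ACL, expressed as claims
    content_rules: Tuple[ContentRule, ...]
    principal_rules: Tuple[PrincipalRule, ...]


def can_read(user: User, item: Item, policy: Policy) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons) for one user on one item's column values.

    Every rule that fires is named in reasons, so a 'why can't I see this
    file?' ticket can be answered from the output. Rules only narrow the
    library ACL; nothing here grants beyond it.
    """
    allowed = True
    reasons: List[str] = []
    # 1. Baseline: the ACL the item inherits from its library.
    if not any(c in user.claims for c in policy.library_readers):
        allowed = False
        reasons.append("library ACL: user holds none of %s" % sorted(policy.library_readers))
    # 2. Content rules: labels on the item raise the bar, and all must be met.
    for rule in policy.content_rules:
        if item.get(rule.column) != rule.value:
            continue
        if rule.required_claim in user.claims:
            reasons.append("%s: satisfied by claim %r" % (rule.name, rule.required_claim))
        else:
            allowed = False
            reasons.append("%s: %s=%s requires claim %r"
                           % (rule.name, rule.column, rule.value, rule.required_claim))
    # 3. Principal rules: attributes of the user restrict what they may see.
    #    An item with no label is not Public, so this fails closed.
    for rule in policy.principal_rules:
        if rule.claim in user.claims and item.get(rule.column) != rule.value:
            allowed = False
            reasons.append("%s: claim %r limits reader to %s=%s, item has %s"
                           % (rule.name, rule.claim, rule.column, rule.value,
                              item.get(rule.column, "<unlabeled>")))
    return allowed, reasons


def acl_for_item(item: Item, users: List[User], policy: Policy) -> Tuple[bool, FrozenSet[str]]:
    """What a sync job would write to the item: (break_inheritance, reader names).

    Inheritance is broken only when the rules change who can read, so items
    that no rule touches keep the plain inherited library ACL.
    """
    readers = frozenset(u.name for u in users if can_read(u, item, policy)[0])
    inherited = frozenset(u.name for u in users
                          if any(c in u.claims for c in policy.library_readers))
    return readers != inherited, readers


# Constructed sample data: one library open to employees and contractors.
POLICY = Policy(
    library_readers=frozenset({("group", "Employees"), ("group", "Contractors")}),
    content_rules=(
        ContentRule("Finance Content", "Department", "Finance", ("dept", "Finance")),
        ContentRule("Classified Content", "Classification", "Classified",
                    ("clearance", "Classified")),
    ),
    principal_rules=(
        PrincipalRule("Contractors read Public only", ("role", "Contractor"),
                      "Classification", "Public"),
    ),
)
USERS = {
    "alice": User("alice", frozenset({("group", "Employees"), ("dept", "Finance"),
                                      ("clearance", "Classified")})),
    "bob": User("bob", frozenset({("group", "Employees"), ("dept", "Sales")})),
    "carol": User("carol", frozenset({("group", "Employees"), ("dept", "Finance")})),
    "dave": User("dave", frozenset({("group", "Contractors"), ("role", "Contractor")})),
    "eve": User("eve", frozenset()),  # not in the library ACL at all
}
ITEMS = {
    "Finance/Q3-forecast.xlsx": {"Classification": "Sensitive", "Department": "Finance"},
    "Finance/merger-memo.docx": {"Classification": "Classified", "Department": "Finance"},
    "Marketing/press-release.docx": {"Classification": "Public", "Department": "Marketing"},
    "Team/lunch-menu.docx": {},  # uploaded without filling in the classification column
}

if __name__ == "__main__":
    for path, doc in ITEMS.items():
        brk, names = acl_for_item(doc, list(USERS.values()), POLICY)
        print("%s -> readers=%s break_inheritance=%s" % (path, sorted(names), brk))
    for line in can_read(USERS["dave"], ITEMS["Finance/Q3-forecast.xlsx"], POLICY)[1]:
        print("dave on Q3-forecast:", line)
```

Two design choices are worth pointing out. Rules only ever narrow the library ACL, so a mislabeled document can never leak beyond the readers the library already had; the rules engine adds restrictions on top of SharePoint's own permissions rather than replacing them. And an item with no classification value is treated as not Public: the contractor in the sample cannot read the unlabeled lunch menu, which is why that item ends up with unique permissions even though nobody labeled it. That is the fail-closed behaviour you want if users are required to classify on upload, and it is also why a deployment like this needs the content types and claims in place first, as the downsides section above says.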
I recommend downloading a trial of the TITUS SharePoint Security Suite (http://resources.titus.com/2012_WEB_SP_TRIAL_Suite_v2.html) and reading the TITUS whitepaper on Protecting Business Information With a SharePoint Data Governance Model (http://resources.titus.com/2012_WEB_SP_WP_Protect_Business_w_Data_Governance.html).