SharePoint security is a complicated topic that a lot of people tend to overlook. As an example of the complexity, there are six different permission levels that you can set within the SharePoint system, each with their own specific use case.
1. SharePoint Site Permissions
The first permission level, and in most organizations regarded as the top permission level, is the SharePoint site permissions. The way SharePoint works implies that all of the data that’s stored inside a site would inherit all of the permissions set up on a site level, unless specified otherwise. This means that you can basically use a SharePoint site to store your important data, if you can ensure that this site has the correct security settings in place, including the appropriate permissions. It is one of the best practices for SharePoint security and highly recommended for everyone.
Speaking of inheritance, it’s important to mention that setting up specific permissions for a single folder or a single library implies two important steps: inheritance breaking and permission changes.
For example, you want to change a folder’s permissions to make them different from the entire site’s permissions that this folder inherits. The first step of the process would be to locate the folder in question and to go to the folder permissions menu. It can be usually located either via the settings icon or through the drop-down menu. The next step after getting into the Permissions tab is to click the “Stop inheriting permissions” button, this allows you to change this folder’s permissions as you wish. And the next step is, of course, the actual changes that you’re doing to this folder’s permissions.
This concludes the regular permission changing process for objects in the majority of cases within a SharePoint ecosystem. Reverting any changes and getting back to inheriting permissions from a folder/library/site/farm is possible by simply clicking the “Inherit permissions” button in the Permissions menu of an object in question (all of the custom permissions should be deleted automatically in the process of inheritance restoration).
2. Document Library Permissions
Moving on, there’s a different level for specific cases when you’re storing a certain amount of data within a SharePoint site but you want your data to have different security settings – this option is called permissions on a document library. In this case you can create a new document library that contains your data and change specific security settings just for this library (this includes the inheritance breaking process, as well, that you’ll need to do on a document library before setting up your own permissions). This process allows the entire site to work properly but your data would have different settings than anything else.
3. SharePoint folder security
Going a bit further into the system you can also work with SharePoint folder security. The process is almost completely similar to the one with the document library – you break the inheritance first, and then set up your own rules, but folders often imply that the amount of information inside them is smaller than in a document library, as a Document Library can contain multiple folders.
4. SharePoint file security
Of course, when there’s folders, there’s files, or native SharePoint file security. If there’s only one or a few files that you’re working with, you can just set up file-specific permissions for each one of them, also with the inheritance breaking process as before, however this can become hard to manage as time goes by. If are a lot of files within the system with different permission levels it is easy to lose track of the important or highly sensitive files.
While setting up document permissions for important files makes it somewhat better, there’s still the fact that your company has to have specific policies for a particular classification level, even though SharePoint’s capabilities are limited in this regard. Without such policies it’s possible for users to manipulate the file’s metadata to change the document’s protection level, thus alleviating or disabling some, if not all of the protection measures.
5. Password protection
The last one is password protection, and it has nothing to do with SharePoint in the first place. Some applications (MS Excel, MS Word, and so on) offer you the ability to protect your files with a password, meaning that you’ll have to remember each of the passwords for all of your files for this to work properly. Office Online also refuses to work with password-protected files, so you won’t get those to work in SharePoint Online, either.
6. Additional security features
While we’re on the topic of SharePoint file security and SharePoint folder security specifically, there’s a number of things included in SharePoint that ensures proper security levels, including:
- Data encryption mid-transit and at rest;
- Constantly audit every file within the system;
- Extensive reporting features, and so on.
It is important to clarify that while these features are useful, they are not capable of countering every possible attack angle when it comes to data protection. For example, data encryption often means that the database itself is encrypted at rest, and the data inside of a TLS tunnel is encrypted, but this still leaves this data vulnerable to some of the approaches, like insider threat. In this case, it’s safer to make sure that the content is encrypted even before it is sent via an encrypted tunnel and stored in an encrypted database, lessening the chances of a data breach through various means.
Adjusting Document Access Control
The nature of business processes makes it so that you’ll have to change a specific document’s permissions from time to time, according to what you need to do at the time. Doing it the regular way is quite slow and inefficient, so here’s three different techniques on how to handle document access control in specific situations:
- Employing Workflows to change permissions. A secondary Workflow is capable of changing the user’s (or group’s) permissions when set up correctly. The process itself is similar to the regular way of working with permissions – you break the inheritance first, and then change permissions. For example, if you need a specific group of users to have Edit permissions for the approval process, but they only have Read permissions – you can use one Workflow to change their permissions before the process begins, and another Workflow – to revert the changes as soon as the approval process is complete.
- Using folders to change permissions. Another permission changing technique is based on working with folders. You can create several folders with different permission levels and simply move the documents to the right folder to perform the necessary action (for example, the approval process, as described above).
- Using groups to change permissions. The last technique is a bit more complicated and suggests that you have custom modules in place and want to restrict access to specific interface parts. This can be done via group management, creating a SharePoint group with specific permission set and inviting people in that group allows you to change their capabilities in a short amount of time.
- Data-centric solutions. SharePoint itself is quite a comprehensive system, but as with any system there are gaps and limitations, particularly from a security perspective. To overcome these limitations, some companies employ the use of third-party security software to enhance out of the box capabilities. Data-centric solutions in particular can automatically adjust access and protection based on a document’s metadata, classification or MIP sensitivity label – no matter where it resides, among other things such as data-level protection beyond just encryption to force read-only access, hide files from unauthorized users, and more.
Get Data-Centric security with NC Protect
SharePoint itself is quite a comprehensive system, but as with any system there are gaps and limitations, particularly from a security perspective. Learn how NC Protect‘s data-centric approach discovers, classifies and secures SharePoint data using dynamic policies. Access and security are dynamically adjusted based on real-time comparison of user context and file content to make sure that users access, use and share files according to your business regulations and policies.
White Paper: Dynamic Data Loss Prevention in SharePoint
Achieve Real-Time, Attribute-based Data Security