A Business Case for Including a Security Plan for SharePoint 2013

No review of the business case for correctly planning for the administration of SharePoint 2013, on premises, would be complete without a look at security. In a video tutorial, nearly 9 minutes in length, titled SharePoint 2013 Security, Michael Noel makes a case for including security in an implementation plan for the computing platform.

Noel organizes security administration for SharePoint 2013 into four containers:

  1. Infrastructure
  2. Data
  3. Transport
  4. Rights Management

These four containers should work equally well for stakeholders considering a business case for SharePoint.

1) Infrastructure

Stakeholders should be aware that every service added to SharePoint includes an account. Malicious individuals can assign privileges to any of these accounts, so security review policies should include controls over just how privileges are added to any service account. As Noel explains in his video tutorial, the Kerberos authentication method must be enabled to ensure adequate access controls for users, accounts, etc.

2) Data

Noel presents the case for implementing a Role Based Access Control (RBAC) method. Stakeholders can also find a report on Role Based Access Control (RBAC) and Role Based Security on the U.S. National Institute of Standards and Technology web site. The content included on the U.S. NIST site on this topic includes a presentation on the Economic Benefits of Roles Based Access Controls. My quick scan of this document revealed an authoritative opinion on the importance of RBAC and its value as a loss deterrent in any plan for data exchange between users, and even machine-to-machine data communications.

Noel includes an example of how an RBAC method might be applied to a set of users in this last video tutorial in his set on SharePoint 2013 Administration.

3) Transport

Transport security amounts to safeguarding the TCP/IP stack, which is the layer in the OSI network packet model providing the basis for data communications over the Ethernet protocol. Web pages, which are published as HTML documents through a variety of methods, are presented at the application layer, above the transport layer. Encryption technologies, including SSL, which Noel presents in this video, amount to methods of securing the transport layer from malicious, subversive activity.

If for no other reason than the current concern over a security hole found in the Open Source version of SSH, any business case for a SharePoint implementation must include a presentation of a transport security model, along with the controls intended to manage this network layer.

4) Rights Management

Noel presents the Rights Management Service (RMS) as a component of Active Directory Rights Management (ADRM). This security feature, which is unique to Microsoft server architecture, offers stakeholders a method of safeguarding content stored in SharePoint 2013 shared document libraries, etc. This feature, alone, may provide an implementation plan for SharePoint 2013 with enough value to assure its acceptance for an organization.

Ira Michael Blonder

© Rehmani Consulting, Inc. & Ira Michael Blonder, 2014 All Rights Reserved