Having your office adopt its own intranet social media for work purposes, Sharepoint, is often a great idea. But are there risks and dangers? Sydney Sharepoint developer MARCUS DERVIN explores the subject…
SharePoint is a very structured and secure platform, which is as safe as having a Shared Drive with permissions on it. It is very rare to come across a folder that you have access to on a Shared Drive that you shouldn’t have. And SharePoint is much the same way. However, there is a major risk with SharePoint, one I see again and again, and that is that people running SharePoint don’t know how to use it.
I have seen situations where everyone is entered as a Site Collection Administrator. This is extraordinary, as they have the power to delete sites, destroy information, completely deface sites and often then don’t even know how to edit a page. So why do they need this level of access? Admittedly this is usually for smaller organisations, but large companies can also feel the pain if inappropriate permissions handling.
Once someone is given the responsibility of managing a site, like a team site, normally they are given rights over permissions also. This is fine, but what if sensitive information is stored on the site. This happened once while I was on site with a very large bank in Australia. Someone put a very sensitive document on a SharePoint team site, and hid it from view. Of course the search crawl picked it up, and displayed it as a result depending on the search term entered. There was an enormous kerfuffle, and warnings emails were sent to the entire organisation on the dangers of posting files onto SharePoint.
Again it wasn’t SharePoint’s fault, just the person’s lack of knowledge. Therein lies the SharePoint dilemma. A great platform capable of delivering great benefits, but in the hands of people who don’t know it in depth, can be devastating. But then if you lock it down so much that people can’t collaborate, load information and share, then there is no point in using it at all.
What is the answer? Governance, more governance? Of course a governance framework is important, otherwise people will create a plethora of sub sites and chaos will reign. But even with a good framework, is governance the only answer? I don’t think so, it’s too hard to manage. You need an excellently oiled machine to be on top of all of the content created with approvals and workflows on everything. It’s just not possible without tying up the organisation in bureaucracy. So where is the balance?
In my opinion, you need to educate people well, get them supporting each other, and make some clear guidelines. Have a few simple bullets, messages, stickers, whatever works to remind people to use permissions properly in SharePoint. Especially in SharePoint 2013, Microsoft has made it a lot easier to share information to people by just typing their name. You no longer need to ask the site owner to change permissions. You can easily do that yourself, even sharing files with people outside your organisation.
So for me, the risk and danger of using SharePoint is having staff uneducated in SharePoint managing sensitive material in SharePoint. SharePoint itself is not the problem.
One other risk, which is common across all IT platforms, is having a proper backup and disaster recovery process. SharePoint administrators know how to take care of environments, but if the right people aren’t looking after things, not even backups will save you. You need to know what you are backing up, will a VM snapshot do? Will backing up the database? What about the code?
How often do you perform backups? Do you perform incremental or full or both?
Also, if for example 1 server in a farm goes down, do you have mirroring? What is the cost to the organisation to have SharePoint down for an hour, a day, a week? It’s crucial to answer these questions and deal with them properly. No-one is concerned about these things until something goes wrong. I worked for a company in 2000 where I saw a colleague get frogmarched out of the building because his backups weren’t able to be restored when there was a failure. And just today I spoke with a SharePoint administrator who was setting up backups in his new role as they hadn’t been configured by his predecessor.
Again, the risk comes down to people with a lack of knowledge, rather than SharePoint itself.
So make sure you have the right resources, or the right consultancy supporting you, or you could be courting SharePoint disaster.
