SharePoint and Security

With the Microsoft SharePoint conference having recently taken place, I have been thinking a lot about SharePoint lately (haven’t you?) and about what a powerful and dangerous tool it can be.
Before I get into what I’ve been thinking about, here are a few things to consider:
- A Microsoft employee recently told me that SharePoint has been the most rapidly adopted product in Microsoft’s history. While I haven’t been able to confirm this, it doesn’t really matter - what matters is, it’s everywhere and it got there quickly…
- A large number of the installations were first put in as side projects or experiments that ended up proving out.
- SharePoint, particularly when it’s an experiment, seems to be initially managed by someone that takes it on as an additional responsibility because they realize the power of the solution and want to wake their company up to the possibilities – it’s not a core focus of their position.
- If SharePoint is embraced by an organization, it quickly expands to include huge amounts of data - often including data that is very sensitive.
- Once SharePoint becomes part of how a company functions, new SharePoint functionality is often built and implemented by the organization (often these efforts are out-sourced, particularly before internal SharePoint expertise is built-up.)
I think the entire concept of SharePoint (and the other knowledge sharing solutions out there) is fantastic. I’m a big believer in collaboration and data sharing and the positive impact that can be had when a company empowers its employees. The ability to manage, through a common platform, access to company data is great.
Now, if you read the points above, you should quickly see that there is also a real potential for disaster here - a complicated environment, access to huge amounts of potentially sensitive information, and application customization that could possibly have an impact on access to all of that information…
Maybe it’s not cardholder data and the card brands aren’t threatening you with fines and the like, but I don’t think any retailer would like to have their quarterly numbers leaked before the official release date. How about trade or manufacturing secrets sold to a competitor? Employees’ personal information exposed and used in identity theft? Information about an upcoming merger leaked to the competition?
These issues are real and can be just as damaging as any compliance issue.
I guess my point is this - SharePoint can be a very powerful tool for an organization, but just because it may not include PCI-relevant data doesn’t mean that security isn’t important. SharePoint provides access to data that you typically don’t want leaving the company, and it needs to be considered a potential security risk – not shut down, not curtailed to the point where it’s useless, but it does need to be considered when looking at your security strategy.
And yes, you certainly can use SharePoint itself to handle user management and access, but don’t place all your hope in managing users - understand the overall security picture of your SharePoint implementation. It’s the only way of really understanding the risks involved.
Interestingly enough, it doesn’t seem like there are many out in the security community that have really been able to show expertise with SharePoint security assessment and gap analysis - plenty that claim to understand user management, but very few have experience looking at SharePoint security holistically.
There are a few firms that have developed expertise and proven themselves, but I think the SharePoint user community is currently hard-pressed to find good, independent partners that aren’t also trying to sell them SharePoint development or hosting services (which I find sorta funny because none of these companies seem to recognize the inherent conflict of interest involved with that model.)