Is SharePoint Secure?

by Jon Lober | NOC Technology

Does Microsoft SharePoint meet your organization's security standards?

According to Microsoft, more than 200,000 organizations and over 190 million people now use their SharePoint platform. With that number of global users, you may question how secure it really is. 

 

What is SharePoint?

Before we answer that question, let’s briefly talk about what SharePoint is. This Microsoft 365 cloud-based service provides intranets, team sites, and content management for businesses and organizations of all sizes. The platform comes standard with most business and enterprise-level MS365 accounts.


Utilizing SharePoint allows your employees to create areas known as sites where they can share documents and information with teammates, partners and even customers. According to Microsoft, SharePoint is used to connect, inform, manage content, track projects and share resources. It allows for easy and secure collaboration both inside and outside of the company. 

 

Basically speaking, SharePoint plays a role in extending your office from your physical building to any place with an Internet connection— effectively allowing your employees to work from anywhere.

 

Which is great, right? A single storage silo for all things related to your company. But is it secure?

As is often the case with technology, there is both a simple answer and a more correct, complex answer. Let's take a look at both.

 

The simple answer is yes, it is secure. 

However, the more correct but complex answer is that, as with anything, maintaining security requires both parties to set it up and use it correctly.

 

SharePoint Security Efforts

From the developer side, Microsoft implements several layers of security to protect user data. Microsoft relies on two-factor authentication and none of their engineers has standing access to user accounts. Any logins to organization accounts by engineering staff require code review and management approval, and every login by MS staff is only valid for a limited time. In the event that you must generate a support ticket, you can control Microsoft's access to your content through the Customer Lockbox. By utilizing the Lockbox, you ensure the engineer assigned to your case only gets access to the file in question, and you have the ability to approve or deny a request to get into your secure data.

 

When your data is being shared via the internet, Microsoft uses high-level encryption and redirects all connections through HTTPS. Simply stated, this is the secure version of the protocol used to share data between a web browser and a website. 

 

We could continue on about the limited number of Microsoft employees granted access to the data centers and the multiple levels of verification they go through, including smart cards and biometrics. We could talk about the many security officers patrolling the data centers, the multitude of high-tech motion sensors and video surveillance standing watch over where your data is being stored, or even delve into how intrusion detection alerts work. We could even talk about how your data is encrypted using BitLocker. If you really want to know, Microsoft does a pretty good job outlining their security protocols. But the reality is that all this gets into the nitty-gritty details of technology, and most people don’t actually want to know what's under the hood. Suffice it to say, Microsoft has taken all the necessary steps on their side to protect your data.

 

Your Security Responsibilities

But data security is a two-way street. There are also steps that you need to take in order to enhance SharePoint’s existing security.

 

We'll say it again: use 2FA

You can begin by implementing two-factor authentication. This mitigates the damage that can happen when passwords are given out, stolen or otherwise compromised. The second authentication can be made through a phone call, a text message or an app. (If you want to learn more about our favorite MFA apps, check out this post.)

 

Restrict access to a need-to-know basis

To maintain security, you need to put thought into who has access to your account. Role-based access control simplifies more granular control. What this means in plain English is that you choose the employees who you want to have access to the account based on their working roles within your company. You can also limit the content they can access and what they can do with it. By paying careful attention while creating these roles, you can simplify access management in the future. However, if you set it up incorrectly, you could inadvertently create a weak point in your system.

 

Track users and system-level changes

By using the permissions, auditing, and monitoring tools built into SharePoint, you can track user activities and system changes within the software. Not only do these tools simplify the administration of your site, they also ensure accountability among your team. You can monitor who logs in, when they are in the system and what they do while they are there.


Updating and removing permissions

But monitoring logins alone isn't enough. You must also be vigilant about reviewing and updating permissions. Think about when an employee leaves your company. How quickly is their SharePoint access deactivated? Or maybe someone is promoted and needs more access to secure content. How quickly is their access changed? Make sure your IT department (whether in-house or outsourced) works closely with those performing the Human Resource role.


Set healthy expectations

Set expectations with your employees about security policies from their first day on your team. Your internal security training should include everything from helping them choose a strong password to providing training on how to securely use the system to recognizing phishing attempts.


Mind the updates

We all know those software update reminders are a real pain. But when SharePoint issues updates designed to upgrade the system against new threats, it really is up to you to apply these updates regularly to maintain a high level of security. Failure to update any software leaves you vulnerable to attack.

 

At the end of the day, all these measures put you in control of further strengthening SharePoint’s security. Long story short, SharePoint is secure— and it can be even more secure if you make sure you take the right steps in setting up and administering your SharePoint site. 


Does this all sound like too much work? Get in touch with one of our experts today either by using the chatbox (the blue icon at bottom right) or via our webform. We'd love to hear from you!
