2 ways to control security and permissions in large organizations
Even though I primarily work with small to medium-sized businesses, helping them implement SharePoint, from time to time I also get approached by some larger organizations. While there are certainly best practices and limitations in SharePoint that are identical or similar no matter what the size of the organization is, managing security and permissions in large organizations is quite different from managing the same in a smaller firm. So today, I want to share my thoughts on the two ways to manage security and permissions in large organizations. Specifically, I want to share two different models/schools of thought when it comes to approaching the whole SharePoint security and permissions topic.
The typical security and permissions model
Modern SharePoint philosophy is that Site Owners are responsible for their content and its security/permissions. This is quite in contrast to the old days when we had classic SharePoint, where IT controlled the security and permissions of site collections and, in many cases, even their subsites. With modern SharePoint, it is “power to the users”. If I own a department (e.g., Human Resources) or a project, I am ultimately responsible for the content and who has access to that content. So as the owner, I am responsible for the following:
- Type of site to be created (communication or team site)
- Site Creation
- Access rights to the site and/or a portion of the content on a site
- Internal and External sharing
- The ability to synchronize documents to users’ computers
- Retention requirements for content on my site
- Backup requirements for the content
Security and permissions management in small organizations
The above model works quite well for small and even medium-sized businesses. Smaller teams make it easier to control and keep an eye on all the aspects/responsibilities I outlined above. It is also much easier to control and deliver the training to staff, educating them about the limitations, pitfalls, and consequences of their actions (e.g., external sharing, syncing, etc.).
How to control security and permissions in large organizations
Managing security and permissions in larger organizations is a very different challenge for IT. It is one thing to manage security and permissions in a tenant with 50-100 sites when you have 30-100 employees. And it is a very different task to do so at scale when you have thousands of users and thousands of sites as well. So below, I would like to summarize for you the two security & permissions models to consider.
Option 1 – Decentralized approach
A decentralized approach means that despite the fact that users might be part of a large organization, they enjoy the benefits of a small business where they have the freedom to create sites and teams as necessary and do not have many restrictions in place. That said, this does not mean at all that anyone can do whatever they want. Instead, a combination of the following instruments is in place to mitigate the “openness” of the environment:
- Controls within the SharePoint Admin Center
- Active Monitoring in place
- Compliance & Security policies in place
- Staff-wide training for site owners and end users
- Governance documented and implemented
Below I would like to expand on each of the bullet points I mentioned to provide a bit more context.
Controls within the SharePoint Admin Center
Out of the box, SharePoint is a bit of a wild west. Anyone can pretty much do whatever they want: create sites, synchronize content, share externally, and so on. Luckily, SharePoint administrators can configure settings behind the scenes to minimize or deactivate some activities. For example, you can disable site creation for regular users, thus preventing site sprawl and unnecessary cleanup. Likewise, Admins can disable external sharing on specific sites or allow external sharing but only to approved domains. Sync can also be disabled if necessary.
Active Monitoring in place
Just like Administrators can configure some settings behind the scenes, they can also use available reporting capabilities to monitor the users’ activities. For example, while pretty basic, SharePoint Admin Center does provide some statistics on the existing SharePoint sites.
Admins can also monitor activities using the Audit log capabilities available within the Compliance Center.
Finally, admins can also set up policy alerts to track unusual or suspicious activities in SharePoint and other applications.
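As an added example (not from the original post), the sketch below reviews a batch of exported audit records for the two things the sections above care about: sharing with domains outside an approved list, and users generating an unusual number of external-sharing events. The approved-domain list, the threshold, and the sample records are assumptions constructed for illustration; the operation and field names follow the SharePoint sharing events in the unified audit log.

```python
import json
from collections import Counter

# Assumptions for this example: the approved-domain list and burst threshold.
APPROVED_DOMAINS = {"partner.example"}
BURST_THRESHOLD = 3  # external-sharing events per user within the batch

# Constructed sample records, one JSON object per line, shaped like the
# AuditData payload of SharePoint sharing events in the unified audit log.
SAMPLE_RECORDS = """
{"CreationTime":"2024-05-06T09:12:00","Operation":"SharingInvitationCreated","UserId":"alice@corp.example","ObjectId":"https://corp.example/sites/hr/plan.docx","TargetUserOrGroupName":"bob@partner.example"}
{"CreationTime":"2024-05-06T09:20:00","Operation":"SharingInvitationCreated","UserId":"carol@corp.example","ObjectId":"https://corp.example/sites/fin/q2.xlsx","TargetUserOrGroupName":"dan@webmail.example"}
{"CreationTime":"2024-05-06T09:21:00","Operation":"AnonymousLinkCreated","UserId":"carol@corp.example","ObjectId":"https://corp.example/sites/fin/q2.xlsx"}
{"CreationTime":"2024-05-06T09:25:00","Operation":"SharingInvitationCreated","UserId":"carol@corp.example","ObjectId":"https://corp.example/sites/fin/q3.xlsx","TargetUserOrGroupName":"eve@webmail.example"}
{"CreationTime":"2024-05-06T09:30:00","Operation":"FileAccessed","UserId":"alice@corp.example","ObjectId":"https://corp.example/sites/hr/plan.docx"}
"""

def review_sharing(raw, approved=APPROVED_DOMAINS, burst=BURST_THRESHOLD):
    """Return (findings, noisy_users) for a batch of JSON-lines audit records."""
    findings, external = [], Counter()
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        op, user = rec.get("Operation"), rec.get("UserId", "unknown")
        if op == "AnonymousLinkCreated":
            # "Anyone with the link" sharing bypasses any domain allow-list.
            external[user] += 1
            findings.append(("anonymous-link", user, rec.get("ObjectId")))
        elif op == "SharingInvitationCreated":
            external[user] += 1
            target = rec.get("TargetUserOrGroupName", "")
            # A target without "@" is kept whole so it is still reported.
            domain = target.rpartition("@")[2].lower()
            if domain not in approved:
                findings.append(("unapproved-domain", user, domain))
    # Users whose external-sharing volume reaches the threshold.
    noisy = sorted(u for u, n in external.items() if n >= burst)
    return findings, noisy

if __name__ == "__main__":
    found, noisy = review_sharing(SAMPLE_RECORDS)
    for kind, user, detail in found:
        print(f"{kind:18} {user:22} {detail}")
    print("users over threshold:", noisy)
```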
Compliance & Security policies in place
One key decision for Admins and Business Users to consider would be to set up Retention compliance policies and data loss prevention policies within Microsoft Purview (formerly Security and Compliance Center). This will add additional controls on your data beyond the regular security and permissions. I mentioned some of these capabilities in my earlier post.
Staff-wide training for site owners and end users
As you probably already know from my blog, I am very big on training and user adoption. Out of all the items mentioned, this is by far the most important one. Staff-wide training will get you the biggest ROI in terms of the safety and security of data. It is often not the technology but the user error that leads to oversharing and accidental data loss. Many users migrating from file shares and even other cloud services need to understand things like the relationship between SharePoint and Teams, the concept of document libraries in SharePoint, and what happens when they synchronize libraries locally on a PC. Likewise, understanding the key limitations of SharePoint and basic do’s and don’ts is a must as well. I, for example, offer a variety of live courses that address many of the items above.
Governance documented and implemented
While somewhat optional in small organizations, Governance is necessary in large organizations. It all starts with a Governance document/policy and consists of other elements as well, like a permanent Governance Committee, monitoring, etc. I documented the various components of Governance in this post.
Option 2 – Centralized (Big Brother) approach
The other model for managing security & permissions in a large organization is, of course, to utilize the “Big Brother” approach. With this option, IT controls most security & permissions settings, not just in the back-end SharePoint Admin Center, but also at the site level. I worked with several clients who controlled everything from site/team creations to maintaining site-level security, preventing users from sharing even internally and controlling site/library/folder access via Active Directory security groups. This probably represents the hardcore/extreme model, but I have seen a good number of cases where this is implemented.
My opinion
As you probably already figured out, I am not a huge fan of that second model. From my experience, the more restrictions you put on the users, the greater the chances are that users will find ways to avoid those restrictions by using third-party software and applications that are not part of Microsoft 365. In my opinion, the decentralized approach model (Option 1), combined with proactive monitoring, training, and governance, is the middle-ground solution that offers freedom and power to the users, while providing a comfort level for IT and management that their data is secure.