Whenever the topic of moving to the cloud comes up, it’s inevitable that the topic of security also arises. And rightly so: the cloud can create a host of security risks concerning who has access to services and data, from both an IT and an end-user perspective.
A recent article on SharePoint adoption cited the results of a survey of over 1,000 SharePoint professionals that asked where their SharePoint implementation is located. The results show that a majority of implementations are on-site:
- 49% of respondents still host SharePoint on-premises.
- 25% use hybrid configurations of on-premises and Microsoft 365 (and Office 365).
- Only 24% use strictly M365.
Even so, does the location of the SharePoint implementation really matter? In other words, is the greatest security concern where your SharePoint resides?
In some regards, it isn’t. While SharePoint does provide its own security to protect the data it holds (whether on-premises or in the cloud), using this security also raises questions about how you should implement and manage security.
By remaining on-premises, you have two options:
- using the built-in SharePoint groups
- using Active Directory groups to provide access to SharePoint-based resources
So, which is better?
Let’s examine the first option. There are a few disadvantages to using SharePoint’s built-in security. First, it’s yet another layer of security that needs to be managed, maintained, and validated. Second, it may politically separate IT security, in that it may lead to an internal battle between the IT team, which needs to manage the security, and the SharePoint team, which doesn’t want IT poking around in its servers.
I’m a big proponent of simplifying IT (both technically and politically), so I prefer the second option: a solution in which SharePoint security is more centrally managed by using Active Directory groups. Of course, using Active Directory groups means that IT will need to set up group assignments initially within SharePoint (so IT is, technically, still poking around). But once that’s done, IT’s involvement is relatively hands-off. IT only needs to update group memberships and ownership as part of a comprehensive AD group management strategy.
By going this route, IT teams actually stay much less involved in managing SharePoint than if they managed security in SharePoint directly (which should keep the SharePoint teams happy). Furthermore, the task of updating permissions for who should have access is a far simpler task (think adding and removing users from groups), and — if you adhere to an ongoing group management strategy — both your Active Directory and SharePoint implementations will enjoy a stronger security stance. It’s a win-win for everybody.