What SharePoint Security and Compliance Problems Do You Need to Solve?

At CipherPoint, we hear this a lot from SharePoint architects and administrators: "we need to increase the security of our SharePoint sites to accommodate sensitive content". We also hear this frequently: "we have to comply with (take your pick: HIPAA, PCI DSS, GLBA, ITAR/EAR, state breach laws), so we are looking for an encryption solution for SharePoint."

We love to field inquiries like this, and we love to help customers achieve their SharePoint security and compliance objectives.

However, there are some questions you should ask yourself in addition to these high-level concerns, and you should ask them before reaching out to vendors, lest you get steered in the wrong direction.

Here are some pertinent questions aimed at surfacing the real issues underneath those broad concerns about the need to increase SharePoint security and compliance.

  • What threats matter to our organization with respect to content in SharePoint? Insiders? If so, do I care about SharePoint administrators, database/storage administrators, or end users?
  • Are we concerned about external hackers?
  • Is loss or theft of media a concern? This would include loss or theft of servers, client devices, or data copied onto removable media at client devices.
  • Are we concerned about the security of the content while stored in SharePoint, while the data is in transit, or the security of the data when in use at the endpoint?
  • What broad security issues concern me? Separation of duties? Escalation of privileges?
  • Do we have regulatory mandates that impact our SharePoint sites? Which ones, and what do they say about things such as audit/logging, data protection, and access control for regulated data?
  • What's the worst case scenario for data in SharePoint? For example, if we have personally identifiable information for employees or customers stored in SharePoint, what would it look like if the data were lost or stolen? Are we subject to breach notification laws, and what would it cost us to recover from the breach, notify affected individuals, and plug the security gaps?


Use of a web-accessible platform like SharePoint presents many potential threats and scenarios to consider. SharePoint users are starting to have a number of different choices with which to address pieces of the overall problem. Which vendors you focus on should largely be driven by the answers to questions such as these. Caveat emptor: no one vendor can address all of these problems today, and there's no silver bullet for SharePoint security and compliance. You should expect, however, that the vendors you are working with can provide clarity around exactly which threats they can help you with, and which ones they don't address.

Through use of appropriate third-party products and native SharePoint platform controls, SharePoint sites can be secured to a degree that allows for almost any use case, including sensitive and regulated content.

JD

