When search is too powerful!

Posted on August 1, 2012 by Andrew Woodward

This post forms part of a series of upcoming posts focusing on the Information Governance pillar from 21apps 5 Pillars of SharePoint Governance.

Info-Governance

Microsoft have invested a significantly in making the search in SharePoint awesome, its one of the real selling points of the platform and in SharePoint 2013 continues that trend.

So why would anyone say

“This search is too powerful, we may have to turn this off”

The root cause is a lack of information governance but how could this manifest itself.

Scenario 1.

Northwind (replace with any company you like) have been using file shares for many years, the folder structure is all over the place and no one really knows where to find anything let alone what is on there.  IT have come along and installed this great product call SharePoint without really telling anyone and decide that it would be great to be able to search these files shares.

A few clicks in central admin and BAM, we have the crawler all over the file shares…

Scenario 2.

Contoso (replace with any company you like) have been using SharePoint 2003 for many years, making good use of the team sites, document libraries and the like but have found the search in SharePoint Portal Server less than useful and no one has really managed to get it working. It’s been left forgotten and people have gone about their business pretty much one their own.  Adding users, uploading content, collaborating within their silos…

IT come along and move all this content onto a shiny new SharePoint 2010 deployment – sure they will have talked to teams about  the size of the site collections and if they want to migrate it or not.  But they will always work on the basis of we need to give them in 2010 what you had in 2003.   That’s what a good migration does right!

Common Problem

What both of these scenarios have in common is a lack of responsibility for the information, what happens to the commercial documents?  the disciplinary reports? the employment contracts?

Does the organisation have an effective information/knowledge department?  Do they even consider the securing of sensitive information part of their remit?  Unlikely – that’s what Security are for!

Security are all about ‘I told you so’… ok not all of them are, but security is about making the business aware of the risks.  If you look back (and you have a security department) I bet you will find an entry on a risk register saying ‘There is a risk that sensitive information could be seen by people without the correct authority’ the business owner at some point many years ago said, sure we accept this and will put processes and procedures  in place in order to get the security tick box filled.

Time passes… working in silos, storing these sensitive or commercial documents in team areas (sites/folder) is what we have always done.  But has anyone recently given any thought to who may be accessing this?  Perhaps someone has added the NT Authenticated Users to the visitors group to make it easier to share some policy document?  Who checks?

Add a powerful search

Along come IT and install this all singing all dancing SharePoint 2010, crawl goes off and does its thing… everything is great finally we can find things we are looking for… then the phone rings/email arrives/madness ensues

Someone has found something they shouldn’t have…  it’s easy done (why not try it now) – go search for Salary, Disciplinary, Commercial, Review, Contract  – I’m sure you can think of many more words.

headless-chickens

Headless chickens start to run around the office, emergency meetings are called and the proverbial shit hits the fan.

Q. Why can people suddenly see this sensitive information?!’@#&*”!

A. They always could, nothings changed, only now we have a decent search engine so it’s easier to find.

Q. <only hearing part of the answer>

Who put this search in? Why wasn’t I told!

Turn it off it’s too powerful!

If your lucky you get away with demonstrating that a quick audit of sites, removal of unneeded permissions and an incremental crawl removes these from the index for people that don’t have access.  If you unlucky you may have to turn off search for a while, which sort of defeats the object.

What you will end up with is a lack of trust from some senior people in the business, people in security licking their index finger and chalking up a hit and a desire to make everything locked down. Which isn’t ideal when your trying to convince people of the real benefits SharePoint can bring.

Root cause

Before a decent search engine came on the scene security was achieved through obfuscation.  People had access they just didn’t know where to look… or that was what people thought, who actually knew?

The problem was that people weren’t made responsible for the information, weren’t provided guidance and support on where and how to store the information or provided with the tools to validate it. There was no effective Information Governance in place.

Recommendations

Take a look at your information governance, do you

  • Have a well defined information architecture
  • Delegate ownership and responsibility
  • Provide guidance on how to store sensitive information
  • Have steps in your migration to review security settings

None of the activities are difficult, but they do require collaboration with the business and more importantly a desire by the business to take ownership of and responsibility for the information they create and consume.

And if you are unlucky to be in a meeting where people are saying “Search is too powerful, turn it off” – try turn it around and say that by having this powerful search we have highlighted issues and can put in place, with confidence, good governance… this time the business will take notice.

Have you experienced anything similar?  How did you deal with it?  Did you have to turn off search?  or get shot of SharePoint?

This entry was posted in Governance, SharePoint and tagged , , . Bookmark the permalink.