How To Achieve Greater Efficiency When Using SharePoint For Construction Management

When using Teams and SharePoint for construction project information management, you can’t afford to overlook solutions that not only keep your information safe but also provide the foundation for further digital transformation. On this episode of The ProjectReady Podcast, Joe Giegerich and Shaili Modi-Oza peel back the topic of Microsoft 365 security and governance even further. Listen now to learn how SharePoint taxonomy and roles-based security and governance all come together to help users do more, including leveraging AI-driven solutions.

If you haven’t listened to our previous episode about SharePoint Taxonomy, go back and give it a listen now.

Structure Is Everything

Microsoft 365 continues to be at the foundation of nearly every business’s infrastructure. Unfortunately, it’s not easy to manage. This is especially true on complex construction and civil engineering projects. People come and go, roles and phases change, and the IT team is left to make sense of who should have access to what and when. When properly structured, however, managing the security and governance of SharePoint for construction projects can be less of a headache.

Joe and Shaili discuss the dynamic nature of complex construction projects. Specifically, the duo considers challenges associated with the changing roles on the project and collaboration with external vendors, partners, and stakeholders. In addition to offering solutions to simplify SharePoint management, our M365 experts dive into the transformative potential of automation and AI-driven solutions, such as Microsoft Copilot in enhancing security and compliance efforts.

Leveraging intelligent tools alongside structured taxonomy can help companies achieve greater efficiency and reliability. During this episode, listeners will learn more about:

  • The relationship between security, governance, and taxonomy in shaping document management and collaboration strategies.
  • The benefits of moving from traditional folder structures towards library-level permissioning.
  • Challenges of complex construction and civil engineering projects and how to use structured taxonomy and nuanced permissions management to solve them in SharePoint and M365.
  • The transformative potential of automation and AI-driven solutions, such as Microsoft Copilot.
  • Strategies for transitioning to a more robust security framework while maintaining user-friendliness and adaptability.

Tune in to The ProjectReady Podcast to gain valuable insight into managing complex security challenges for companies that use SharePoint for construction information management.


Transcript

Joe Giegerich: 

Hi, everybody. Thank you as always for coming out to The ProjectReady Podcast. Today’s podcast, we’re going to be talking about M365 and specifically security as it relates to SharePoint and Teams. So this is a good piggyback off our last podcast around taxonomy, because taxonomy is essential for so many things, and the governance component, the security component will drive your taxonomy and back and forth. So they’re somewhat inseparable and it warrants its own conversation. 

One of the last podcasts we did was just that. And in fact, it was the one right before this which is SharePoint and the importance of taxonomy in the AEC. Upcoming podcast, the challenges of scalability of SharePoint for the AEC and within the enterprise. And so today, again, we’re going to be looking at security and how security governance and taxonomy all come together. So from there, as always with us today is Shaili Modi, the head of development for ProjectReady. And among the other components of security that are at your avail and then M365 stack is that security is wide-ranging within the product. 

And so everything from identity access management, data protection, compliance, threat protection, and then collaboration security itself. And then as you read about Copilot and artificial intelligence, they’re starting to release AI now that will allow you or aid you rather in maintaining that compliance and security. 

So going over to the SharePoint side and the Teams side specifically, there are some challenges out there as it relates to both. For one, what I regard as the overuse of Teams. Teams is a great product. It’s how I run my business every day. We were early adopters of it. However, behind that Teams site is a document library, so that’s where your docs go, but that’s actually a full-blown SharePoint site, with just the one library that if you’re a member of that team, you have full access, read write. It’s just the wild, wild west. 

So really what you need to do is start to build out that one SharePoint site. We’ve also known people who every time they have a different group of users, they’ll set up new Teams or rather channels within Teams, which what does that do? Creates another SharePoint site. So really taxonomy also helps you contain that sprawl. 

So Shaili, why don’t we start with the Teams component and some of the security challenges around there and then pivot into SharePoint. 

Shaili Modi-Oza: 

I think as you mentioned, Joe, with Teams, what they’re trying to do is, what we’ve seen a lot of companies, how they’re managing security is by creating different groups. So basically when we set up a new team, a Microsoft Teams team, it creates an M365 group. And that group has basically white permissions people who can either read or edit or have full access to that group. And the problem with that is if there are external users, if there are a bunch of team members coming in and out, and even in that specifically having them have a sub area which is more secure, it just becomes very complicated to manage that at the entire group level. 

That’s where when in Teams, if users start to use private channels, it creates yet another group and then yet another SharePoint site. It just becomes very unmanageable if you imagine you have hundreds of projects and thousands of users to just keep managing all of these different teams and groups at a high level is very complicated to just use that out of box functionality to manage that. 

Joe: 

And so, part of that challenge is the communication access to recordings and meetings. And again, the other thing is part of the content that people are just throwing up into that document library. Yes? 

Shaili: 

Right. Yep, yep. Yeah, because it’s just everybody in the group has access to it basically. 

Joe: 

So how would addressing taxonomy as part of this assist in the governance and security component? 

Shaili: 

Yeah, so we’ve seen even just keeping the context of groups, now people use Azure Active Directory groups where automatically based on the user’s role or functionality in their Active Directory, it adds them to groups, but they’re still then adding those groups to get access to SharePoint sites, which at some way becomes unmanageable. So I feel that within that SharePoint site that we’ve been talking about, which kind of is behind Teams already, it’s a full-blown SharePoint site and we have already been talking about the importance of taxonomy. 

So instead of having just that one single documents library, use the capacity that SharePoint has and it does best adding different documents library, which can all be security trimmed, there would be financial data in a financial library, meeting recordings can be in a different meetings recordings library so that permissions can be handled much better and users can find content also much easily honestly, rather than it all being in a single documents library. If it’s properly segregated, it’s much easier to manage and find what you’re looking for in that site as well. 

Joe: 

According to KPMG, 82% of owners feel they need to be able to collaborate more with contractors that secure collaboration. Let me go this other way. If you can do governance and security seamlessly and invisibly and have a tied to your taxonomy, that absolutely facilitates collaboration at that point and that collaboration mentioning that one factoid, they’re contractors, external people. So that’s another big thing that I think is important in the taxonomy of the SharePoint site is to have an eye to not only your internal users as to what they can access based upon a role, but also your external users, which are your vendors and your clients. 

So what are the challenges though? So great, you can build out a whole bunch of different libraries, but at scale we mentioned what if you have hundreds of teams because you have hundreds of projects. What do you do with those hundreds of SharePoint sites to maintain that security in a way that doesn’t cause too much overhead? 

Shaili: 

And another biggest problem with the external users is that SharePoint and Teams, they all have this inherent kind of a share with functionality, which is very dangerous. We’ve seen people use that and it causes a whole lot of issues. So if you’re trying to share something externally and you use the share with functionality, that user temporarily gets access, but then other users lose access. There isn’t an easy way to manage that, but if we create that taxonomy in place that anybody who is an external user would always have access to this one library and other users have access to these libraries, basically setting that up in that manner and managing it at the role level. That if somebody has this role, they have access to this library, I feel that’s a much better way to manage it. And then users can come in and out. But that consistency thing of the role to the content and SharePoint seems like the correct combination and a correct way to set it up. 

Joe: 

Yeah. You mentioned the share with thing, which I’m glad you did because there are three levels, am I correct about what you can set to share with? Just within your organization, somebody who’s sort of registered as a guest in your AD for want of a better description, and a free for all. And Microsoft has struggled for years, I think, trying to satisfy clients’ demands of, “Well, we want it to be easy, but we want it to be secure, but we want it to be easy, but we want it to be secure.” 

And the default you’ll see all over the place is share with and you can just, anybody with the link can access and that is a very, very bad idea. So that medium tier as we go for Goldilocks, at a minimum, these people should be registered inside your tenant. So why don’t we talk about two things then. One is the way Active Directory can work with guest accounts and then talk about some ways we can solve for that maintenance of security and governance inside a SharePoint site. 

Shaili: 

With guest accounts basically there’s a one-time registration that is required, so that makes it so that if there were guest users, they would have to register in your Azure Active Directory. And basically once they have that account in place, they would just have access. So then they would be able to come into SharePoint and anywhere in M365, essentially, once they have access. It basically makes it much easier and safe and more secure rather than using that open link that they would just be able to access anyway. So it adds that added layer of security and also then tracks the user as well, as the user looks at documents or if they have ability to upload or edit, it would keep a track of everything as well if they’re logged in as a registered user, for sure. 

Joe: 

Right, you get that audit trail. Because basically all it does is it takes a guest account, Joe at Gmail and just makes it an object in AD. That was a big advancement, I thought. And I remember going back to when SharePoint was on premise many years ago, it still is for a number of clients, but for the most part. That there was all this confusion of, “I want to include people who are not part of my organization. Do I have to buy a separate license?” There was, I forget what, they had a separate front facing license. All that got simplified once they said, “Look, you can put any guest in here, we’ll manage it as an object.” 

Shaili: 

Yeah, it’s very much more seamless. And if you look at the Teams and such, it’s all integrated seamlessly as well. You can invite guests to the Teams team as well. You can invite them to collaborate there. So it’s pretty seamless inviting external users. 

Joe: 

So that’s a huge step forward. We automate that process, we make that ability to register somebody a lot easier, frankly. Not that it’s terribly difficult, but it takes time from your IT desk. So it’s all well and good that you can get that guest account in. But again, going to what most folks do and unfortunately drives that taxonomy is they have their own AD groups and you go, okay, based upon this AD group, this role of this user has this kind of access. 

That just doesn’t really work neatly though for the AEC, because different people in the same organization can have different roles. And again, the nature of an AEC project is, it’s you and a whole bunch of other stakeholders, right? Always. Unless you’re completely horizontally integrated, integrated REIT, and even then you don’t want all departments looking at each other. So the challenges at scale are you’re going to have to set those unique permissions per library and people come and go. So talk about that a bit, Shaili. 

Shaili: 

I think library level permissions are handled well by SharePoint. We can basically set up distinct permissions on different libraries where again, by role, some users can have read access, some users can have contribute or more. That can all be set up at the library level. However, out of the box, there’s no easy way to manage that. And doing it for hundreds of projects for all the libraries, it’s very difficult. So that’s where programmatically ProjectReady is able to set that up where once it’s defined that, “Okay, these users have with these roles would have unique permissions for these libraries”, we can just automate that from the ProjectReady interface. We can manage the team simply in a single location. We are adding vendors, removing people, replacing team members in the automatically it goes through the sites and takes care of all of that SharePoint security automatically. And then that just makes it that much easier for the end users to not worry about that security aspect. All they need to do is manage the team and because they’re adding, removing correct users with the appropriate roles, it just takes care of that security. 

Joe: 

The roles as defined on the AEC level, not on an organizational level, right? Because that’s the only role that really counts. 

Shaili: 

Yeah. 

Joe: 

And that mapping. Yeah, so that’s what our earliest days among the many, many things we do is we work with Autodesk where we can update that security based upon the same role, somewhat different conversation. But for us, the bit of the driver of the mission, the holy grail for us was to take all those good aspects of that M365 stack and make it usable in organizations that are project centric rather, and the very nature of those projects to be highly dynamic. 

So if you can then programmatically administer unique permissions to libraries, we even boot up new libraries based upon a new role being added to a project, all this kind of slick stuff. So assuming you can do that, which we can, what that frees you up to do is that now you can have libraries that it makes you rethink the way it is. 

You’ll see people that have one library with tons of folders and they’re going in and they’re doing all this hand tooling. If you can dynamically manage security, that frees up your taxonomy to have legal be in legal, for finance to be in finance. You don’t even have to set up separate. Very typically all financial documents, all legal documents will exist in some finance department or whatever, or legal department, which it still probably can flow there or should flow there. But within the project site itself, you can now orchestrate a much more meaningful orchestration and definition of containers for the different types of content that you want with that security. It frees you up is my contention. Not like all designers, all engineers, no. How about different libraries that reflect different functional areas or are much more specific to content? 

Shaili: 

Yeah, definitely. I think it shifts the way users have been. Everybody is very used to a file folder structure and sub folders and which makes it very difficult to manage that kind of, you have a high level folder called a department and then sub folders of legal and other folders in there. Then there’s no security. Everybody has access to it instead of that thinking of it at a library level. And we’ve also used a concept of having a main library and technically a different library, but also a sub library. And where certain documents, if you are generating bid documents, certain documents need to be security, generally you would create a separate library for those and then have working documents and one library. So just a lot of different options to set up libraries in a way that makes sense in terms of managing security rather than just having them all dumped in one location. 

Joe: 

You can fine tune that. And one of the advantages of once you can govern programmatically and intelligently, the advantages to having a more refined structure of libraries and folders therein, means that you’ll get, well better search, you’ll be able to apply compliance better. I mean there’s this big thing around AI of which we’re going to be releasing integrations to Microsoft Copilot in the coming months. But what everybody knows is that… How I go this route? Everybody thinks AI is a magic tool where you just talk to the computer and the nice person in the box gives you an answer. But we all know about hallucination, right? So that’s because the data isn’t clean. 

So one of the great advantages of being able to be free of the governance and security component programmatically to get you a better taxonomy is that now you can apply all those other tools that are coming down the pike. So when you think about a compliance and records retention, it’s looking at content of type and the same thing with AI. And if you can give it a better consistency, you’re going to get better results everywhere and anywhere I can think of. Do you have any other comments on that or any other feedback? 

Shaili: 

Yeah, I think with the new Copilot, Microsoft is coming up with great modules to help us add that layer of AI to SharePoint. And if we have this, basically when we set up a project from ProjectReady, it has that consistent taxonomy across projects. So all the projects would have a consistent set of libraries, content types within them. So that way then if we use these tools, they basically, that’s what it looks for, the consistency of the taxonomy of where the content lives. It can then basically AI is like, it’s kind of machine learning. So if you feed in that pattern, it’s definitely going to be much more effective than everything being in a single project or single library. If it has that kind of consistent taxonomy, it’s going to make it much, much more better to use for sure. 

Joe: 

Yeah, it goes back to garbage in, garbage out. And almost worse too, let’s say AI, you don’t bother to structure your content in SharePoint, you don’t have any real scalable taxonomy on how data relates across these platforms and the like. And let’s say it returns 80% of it, now you’re going to have to read through all of it to find out what 20% is wrong. It’s almost worse if you ask me, right? 

If we’ve ever looked at those AI generated transcripts, just use your commercial Copilot on your desktop and troll the internet. By the time you go in and check if any of that stuff is right, I think you’ve been better off building it by hand half the time. But if you have tight taxonomy, if you have intelligent structured data sources, well then you can really get a lot of bang for that buck. You can really have at it. 

Shaili: 

Yeah, it could be more reliable for sure. 

Joe: 

And so ultimately the comments that we have here today and the discourse that you’ve been listening to have been based upon us working with clients. And so we see this all the time and it’s a paradigm shift for you and your end users, but once we’ve liberated our clients, if you will, I mean we have some clients that run updates of security 9,000 times in a week. Now they have thousands of users. 

So at scale, this really adds up. Think how long it would take you to go in and change permissions on every library and every project site that you have? Which is why people don’t do it, right? It’s just onerous. So we see people doing that all the time and working with our clients, Shaili rightly said, “Wait a minute, if we just group libraries together, you can begin to mimic the way file folders look and feel to end users.” Right? So let me ask you, Shaili, based upon working with our customers, any sort of tips even on the approach of how to get that right and how to transition people into that world? 

Shaili: 

Yeah, I think it’s always a combination. And as you said, people are not doing that because it’s so difficult to manage security at that level. So people just kind of stick with the one library and folders and sub folders. So every time we work with customers, we try to get to a bit of a middle ground. We don’t want to completely disrupt the way everybody’s working, yet trying to make it more manageable and have that taxonomy which is reusable in place. 

So definitely it’s like a change in thought process, I feel. Instead of thinking of it as a file folder structure, we would think of it in terms of security or who needs access to what and what is the appropriate way to get this data organized so that we can separate it in a way that these are the assets that need to be security trimmed, these are how we need to tag and organize the documents. And then that would be a great starting point. 

A good thing with SharePoint now is that these templates that we create, they’re malleable. We can go back and make updates. So it’s not like, okay, it’s a one-time setup and then that’s what you’re stuck with. It can be updated as you go, but it’s definitely a good kind of starting point for most of our customers as we help them figure out what that initial schema is going to be as well. 

Joe: 

Exactly. And then the other thing that I’ve found worked well as we’ve been dealing with folks is have them drive. So what do I mean by this? We used to try to approach people on a much more abstract level of like, “Okay, what would you consider to be a type of content?” I mean all valid, but to the uninitiated, a bit overwhelming. 

And so by building out something representative and going, “Here. Here’s how you add a library or a folder.” This way the subject matter experts in your organization can directly participate. And it’s a couple of clicks. It’s not a big deal, but it enables the end user. So rather than have endless interviews and try to explain this transition, go, “Here, let’s just give you a quick example, show you how to add stuff yourself”, and then work with your subject matter experts to bring the two aspects of taxonomy together, which will give you the best search and intelligence around that content and its orchestration, coupled with the secure access to it. And that’s worked really well, particularly on this one very large client we’re just sort of working with over the last year. It was very, very effective. 

All right, so that’s a bit more on the topic of SharePoint and Teams. It is a great product, folks. It is just how do you corral it into doing what you want it to do and how do you approach it in a way that’s not just doing a forklift of file folders into a library? And so these are things that we have long and deep knowledge of. Love to hear back from you. Any comments, success stories, anything on your own end that you would be willing to share with us here, we’d love to put that up on our site as part of a discussion. 

And as always look forward to next time. I think just listening today, the next thing we’ll probably have at least a Microsoft topic on is the application of Copilot to the AEC. It is here, it is now, and it’s something that we’re pretty excited about. So with that, thank you Shaili. Thank you everybody for listening. Talk to you next time. 

Shaili: 

Thank you.