Will the rise of SharePoint services lead to increased data loss?

By Ron Condon, UK Bureau Chief 20 Nov 2008 | SearchSecurity.co.uk

Security UK News Digg This!     StumbleUpon     Del.icio.us

Don't miss need-to-know info! Security pros can't afford to be the last to know. Sign up for email updates from SearchSecurity.co.uk and you'll never be behind the curve!

But according to a new survey, that ease of use means that SharePoint sites can proliferate out of control and expose confidential information to the wrong people.

"The challenge is that users can set these sites up, expose information to other people on the site, and there are very few controls in place," said Stuart Hodkinson, U.K. country manager at security company Courion Corp., which conducted the survey.

The Web-based poll of 163 business managers revealed that more than 86% were concerned that sensitive data could be stored on SharePoint sites, while another 22% said they had already found sensitive data on SharePoint sites that should not have been there. In addition, 34% of respondents had no policy for SharePoint usage, while 36% of those surveyed did not monitor the activity.

The great advantage of SharePoint is that users can create their own sites and invite others to join as participants. This makes it ideal as a platform for collaboration on projects, and has contributed to its rapid adoption across the world. For example, the U.K. chapter of the SharePoint Users Group boasts more than 4,000 members.

But Hodkinson said the proliferation of sites was hard to control, and it was even difficult to manage the information they handled, and who had access to sites.

"The problem is that a site could be set up for a specific reason, then two or three months down the line, people start to confuse it with another SharePoint site, and start exposing confidential information, such as an Excel spreadsheet pertaining to M&A activity," he said.

"It is possible to use Microsoft admin tools to mine Active Directory attributes to discover where SharePoint sites are. But then you need a different interface to see who has administrative access, and there is no easy way of viewing all this information in a single location."

Hodkinson added that before the end of December, Courion plans to launch a product that will perform that function, sniffing out SharePoint sites on the network and reporting on who has access.

Gavin Williams, head of the infrastructure practice at Avanade Inc. (a joint venture between Microsoft and Accenture Inc.), acknowledged some of the problems of SharePoint security, but emphasised the benefits that companies are getting from the technology.

"SharePoint doesn't create new problems. It has the same issues as we have around file servers, and how we manage access," he said. "But you don't want to discourage enthusiasm. IT can't afford to become a blocker. It needs to be seen as an enabler to drive additional activity inside an organisation."

His advice for a successful implementation was to work first with the business to design the functions that people want to achieve, then run a pilot where users perform their everyday functions. Having established who needs what information, he said, it is possible to establish a workable policy in collaboration with the rest of the business, and set up sites and groups for certain functions.

The Courion report concluded that as a bare minimum, companies should monitor the creation of new sites in order to gauge the potential for security problems. The survey found that 55% do monitor new site creation, while more than one-third said they do not and another 7.5% did not know.

Courion's advice is that system administrators and security personnel need to be able to answer the following questions:

• What SharePoint sites are on our network and who owns them?
• Who has access to these sites and what permissions do they have?
• Are sites with sensitive data being managed using best practices consistent with the organization's security policies?
• How can I fix sites that are exposing the organization to security problems?

Tags: Enterprise Data Storage,  Data Protection Solutions and Strategy,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Enterprise Data Storage How to enforce an enterprise data leak prevention policy 3ami allows employers to track use of USB storage devices How to create a data classification policy EMC adds configuration management with Configuresoft acquisition What are USB flash drive security best practices? XSS bugs, information leakage top list of website vulnerabilities Forrester advises cautious approach to cloud computing services NHS imposes USB stick security IAS 6 aims to lock down data from government departments, suppliers Are iPhone encryption features on the way? Data Protection Solutions and Strategy Data leak prevention: Mistakes in database design, business processes Sourcefire to ignite new offerings for virtualisation security USB drive security project protects endpoints, aids CoCo compliance How to enforce an enterprise data leak prevention policy Companies underestimate Web 2.0, social networking threat, says survey RSA council addresses growing security risks in the cloud Attackers use ATM malware to steal track data, PINs CSA, Jericho Forum unite on cloud computing security message How to create a data classification policy Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Serious Organized Crime Agency  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary