Microsoft SharePoint enables information sharing and report publishing. It also provides a search facility for users to find content. The problem is that, all too easily, anyone can find things they shouldn’t. The result is inappropriate snooping, actively promoted by SharePoint, and that spells trouble for every organization using the tool.
Before we go on, it’s worth clarifying that SharePoint itself isn’t insecure; it’s the way it’s used that causes the problem. The reason is that the controls used by most organizations are inadequate. For example, access rights in SharePoint relate to users but are hidden behind location proxies.
Consider two colleagues sitting next to each other, both of whom will have access to data. However, this doesn’t mean that they both need, or in fact should, be able to access the same information. If user one discovers he doesn’t have access to a particular file, and his colleague does, the reality is he’ll simply ask him to ‘copy’ the file somewhere they can both access. After all, it’s just an IT ‘mistake’. The problem is it’s not just them that can now see and access the file – everyone that has access to the shared directory can too. Add SharePoint to the mix and suddenly information that was previously hidden is not only available, but also appears in search results!
If you think this doesn’t happen, I’m sorry to be the bearer of bad news – it not only does but most people don’t think it’s a problem. In a recent survey, conducted amongst 100 SharePoint users, 34% confessed they never really thought about the security implications of SharePoint. Perhaps more worryingly, 45% have copied confidential or sensitive information from SharePoint to a local PC, USB key or even emailed it to a third party, with 18% confessing to doing it regularly.
The main reasons for copying documents from SharePoint are either to work from home (43%) or to share them with third parties who don’t have access (over 55%). What this demonstrates is that SharePoint, while supposedly a business enabler, is actually seen by many employees as a barrier to productivity and so doesn’t live up to its full potential as an inclusive collaboration tool.
While it could be considered admirable that employees are so dedicated to getting the job done, the fact remains that they’re flouting procedures and security put in place for good reason. Ignoring the consequences is a risky strategy.
Organizations recognize the workforce needs to be able to collaborate effectively, and it does, but they’re unwittingly encouraging lax security practices. If we’re not careful the danger will quickly outweigh the benefits. Under HIPAA, for example, organizations must now come clean if they suffer a breach of healthcare information affecting 500+ individuals – unsurprisingly the notification list is extensive! European legislation and other industries are all expected to introduce similar regulations.
Security is 3D
Rather than ignoring what’s happening, organizations need to recognize the increasing porosity of the perimeter and that, for some, it may not even exist.
Today, security tends to be focused on users and their location. For example, what a user can access when in the relatively safe confines of the office will be different from what he can see when connecting remotely in the evening while working from home, and may also depend on the device being used. By the same token, where the information is stored can determine who has access – we return to our previous example of a file that one user could see but another couldn’t.
While historically that model worked, in today’s collaborative environment it is impractical. If a document is confidential then, no matter where it is located, the information it contains remains sensitive and should be secured. As our dutiful employees previously demonstrated, by moving the file to a shared directory the veil is lifted!
To prevent this a third dimension needs to be added:
User + Location + Context = The Full Picture
Organizations must add true user-based rights AND supplement them with context-based information to introduce the control model required for today’s collaborative environment.
However, here we encounter another issue. Going back to our survey, while a third of administrators feel that users are capable of controlling access rights, all too often they’re not given the responsibility. Instead, it is IT administrators that remain overwhelmingly responsible for managing access rights within SharePoint (69%) – although the true figure is likely to be higher as 22% of users are blissfully unaware how access rights are managed and, therefore, it’s a pretty fair bet that it’s IT pulling the strings!
This is worrying, not least because IT professionals aren’t best placed to determine why certain information is confidential and therefore to introduce adequate control. But actually a third (35%) of SharePoint administrators are being nosy themselves, snooping around and peeking at documents they’re not meant to read.
In case you’re interested, when digging deeper to see what was being viewed, 34% were looking at employee details, 23% salary details and eight percent merger and acquisition details and even redundancy notices!
Organizations serious about security need to embrace a three dimensional model and that means:
The user: should determine if something is sensitive or confidential, and is therefore responsible for securing the sensitive content within the documents they author. Perhaps this will then encourage them to be more active in protecting the organisation as a whole from data breaches.
The location: when this sensitive information is then transferred to SharePoint it should be secured (and that means encrypted) and, more importantly, remain so even if moved to another location or device.
The context: employing predefined security policies that secure information based on the context, i.e. the type of document, where it’s going and where it’s from. Again, the specific rights of the document should remain in force even if the document is moved within, or from, SharePoint.
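
The difference between folder-based access and the three-dimensional model described above, as an added illustration that is not part of the original article: a toy Python model (not SharePoint code) in which the user names, folder paths, file names and the managed-device rule are all constructed assumptions. It models access decisions only, not the encryption the article calls for.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Doc:
    name: str
    author: str
    confidential: bool = False          # decided by the author (user dimension)
    readers: frozenset = frozenset()    # rights that travel with the document

# Constructed sample: folder -> users who can browse it (location dimension).
FOLDER_ACL = {
    "/hr/private": {"alice"},
    "/shared": {"alice", "bob", "carol"},
}

def location_only(doc, folder, user, managed_device):
    """Folder-based model: whoever can open the folder can open the file."""
    return user in FOLDER_ACL.get(folder, set())

def three_dimensional(doc, folder, user, managed_device):
    """Folder access is still required, but the document's own rights and context decide."""
    if user not in FOLDER_ACL.get(folder, set()):
        return False
    if not doc.confidential:
        return True
    if user != doc.author and user not in doc.readers:
        return False                    # rights follow the document, not the folder
    return managed_device               # context: assumed rule for confidential data

def search(store, user, managed_device, model):
    """Names of the documents that would appear in this user's search results."""
    return sorted({doc.name for folder, doc in store
                   if model(doc, folder, user, managed_device)})

# Constructed sample data.
salaries = Doc("salaries.xlsx", "alice", confidential=True, readers=frozenset({"bob"}))
menu = Doc("canteen-menu.docx", "carol")
store = [("/hr/private", salaries), ("/shared", menu)]
# Alice copies the file to the shared folder so that Bob can reach it.
store_after_copy = store + [("/shared", salaries)]

if __name__ == "__main__":
    for model in (location_only, three_dimensional):
        print(model.__name__, search(store_after_copy, "carol", True, model))
```

Under the folder-based model the copy makes the confidential file searchable by everyone with access to the shared folder; under the three-dimensional model only the author and the named reader see it, and only from a managed device.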
If you’re intending to harness the power of SharePoint then do it without compromising security. With this three dimensional approach, no one function needs to have access rights to sensitive information. Sorry IT administrators, no more sneaky peeks!