November 17, 2008 3:24 PM PST

Survey: Are SharePoint sites the weakest link?

by Robert Vamosi

Twenty-two percent of the managers surveyed said they had found sensitive data on SharePoint sites.

(Credit: Courion)

Eighty-seven percent of IT managers cited content-sharing and employee collaboration service SharePoint as their top concern for leaking sensitive data, according to a survey scheduled for release on Tuesday.

Courion, an access management and compliance company, found that SharePoint sites are being deployed in some corporations without consideration of security best practices. More than 33 percent of the organizations surveyed said they did not have a policy to manage the rights necessary to create SharePoint sites.

The study of 150 business managers conducted in September found that companies lack automated tools for provisioning SharePoint users and managing their access rights. About 37 percent of companies surveyed said they were not monitoring the creation of new SharePoint sites to make sure they conform to existing corporate guidelines and policies. Most companies, the survey showed, are largely unaware of what is happening within the information sharing environment.

A spokesperson for Microsoft said: "Any enterprise software development project should be approached with managed planning and deployments. SharePoint is no exception to this, and SharePoint installations by default do not allow software developers or end users to upload custom code without oversight by system administrators."

The survey sampled a diverse group of financial services, high tech, manufacturing, health care, retail, and public sector managers.

(Credit: Courion)

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by Penguinisto November 17, 2008 4:23 PM PST
Well, to be fair, it takes a whole hell of a lot (in resources, money, and work) to build and maintain a working --and secure-- SharePoint site.

Personally, why not use a decent (and secured) CMS for the external-facing bit, and then whatever you like internally? It'd save a lot of headache and heartache. Anything in-between can go through a bottleneck of sorts to (humans) check content and to (servers) provide a security buffer of sorts.
by kojacked November 17, 2008 9:04 PM PST
"Well, to be fair, it takes a whole hell of a lot (in resources, money, and work) to build and maintain a working --and secure-- SharePoint site."

This great insight from someone with years and years of SharePoint experience... Nice FUD.

"About 37 percent of companies surveyed said they were not monitoring the creation of new SharePoint sites to make sure they conform to existing corporate guidelines and policies. Most companies, the survey showed, are largely unaware of what is happening within the information sharing environment."

I don't know any CMSs that automatically ensure they are compliant with corporate guidelines and policies. It's a management problem not a tool problem.
by Penguinisto November 18, 2008 9:29 AM PST
I deal with SharePoint right now, genius... and no you don't want to know what it involves on the security side. No corporate policy in the world will prevent a site from being opened to the planet accidentally, when the service itself is unnecessarily complex and proprietary.
by jessiethe3rd November 17, 2008 4:51 PM PST
If you have good AD and policy system in place along with possibly Rights Management Server you really have the issue pretty much figured out. Without the right setup to the infrastructure to begin with though SharePoint becomes a very sloppy mess. Rights Management Server is very cool allowing you to lock down documents with ease and prevent people from getting access to stuff they have no right to.
by px75 November 26, 2008 12:10 PM PST
For most enterprises this will work well. However, for project intensive companies where people work in a matrixed organization (e.g. Pharma, high tech research and development, upstream oil and gas exploration and production, and high end finance and insurance) it is very difficult even with a federated RMS.

Delegation of authority is how project people get access. That cannot be reflected in the normal authentication/authorization facilities of a company. In fact enterprises rely on federated authorization managed by individual applications. And, that is a huge expense. Provisioning of content should be dynamic and secure. There is one way - and that is to cluster content contextually through an ontology engine or a corporate metadata server.
by ppgreat November 17, 2008 5:17 PM PST
Don't be fooled. Friends don't let friends do SharePoint.
by eferron November 18, 2008 5:57 AM PST
A bunch of random ramblings... here goes...

Windows SharePoint Services simply happens to be one of the most widely and officially or unsupported collaboration tools deployed in the enterprise today, however CIOs seem to rarely get social trends with a technical core/component. Examples include the resistance to Instant Messaging by most CIOs your organization may have it but in many cases it was/is not a priority on their list for deployment, I am finding in my cases IM will get a free pass in some deployments. In other organizations the CIO is just plain against it. Collaboration among employees like the type of document sharing often found in SharePoint is often ignored and the CIO just looks like he or she does not get it. I will tell you why most of them don't get it. Most CIO or IT Sr. Leaders have a salaried collaboration solution sitting outside of their office, called an executive admin. They rarely are forced to deal with sharing documents, calendar information, looking up contacts, or issues related to the average cubicle dweller.

This is not the fault of any one given product it is the unwillingness or inability for Sr. IT leaders to spot and cultivate social trends in technology so they put the infrastructure and planning in place to support end user productivity versus taking the outdated mentality that their users are dumb, stupid or simple.

Blogging, Wikis, Social Networks are other trends that are moving well beyond the 5 year mark and still have not been validated by Sr. IT leaders. These scenarios will continue to present risk to organizations until they are embraced and given their proper role in a modern enterprise versus the viral deployments we see today.

Anyone recall CompuServe, AOL and Prodigy e-mail and having to make a special request to get an account to e-mail people outside the organization? Seems like we have been here before.
by Pank2008 November 18, 2008 10:50 AM PST
A good remedy for this problem is the "managed services" approach. Rather than wading into the hassles of implementing a solution oneself, one is better off letting it be managed by an expert who knows the pitfalls. We have implemented a web based collaboration solution called HyperOffice (http://www.hyperoffice.com), and security and compliance is their hassle, and a simple architecture lets us very effectively manage access to data.
by Seaspray0 December 15, 2008 1:25 PM PST
SharePoint was intended to be an open ended web based collaboration tool. The interface is designed so that the average person in the company can build websites and store documents without requiring any intervention by the IT people. Basically, employees can build a site. Unfortunately, employees are not known for controlling access permissions well. The software is capable of being secure, it's the employees building the site that are not.