Survey: Are SharePoint sites the weakest link?
Twenty-two percent of the managers surveyed said they had found sensitive data on SharePoint sites. (Credit: Courion)
Eighty-seven percent of IT managers cited content-sharing and employee collaboration service SharePoint as their top concern for leaking sensitive data, according to a survey scheduled for release on Tuesday.
Courion, an access management and compliance company, found that SharePoint sites are being deployed in some corporations without consideration of security best practices. More than 33 percent of the organizations surveyed said they did not have a policy to manage the rights necessary to create SharePoint sites.
The study of 150 business managers conducted in September found that companies lack automated tools for provisioning SharePoint users and managing their access rights. About 37 percent of companies surveyed said they were not monitoring the creation of new SharePoint sites to make sure they conform to existing corporate guidelines and policies. Most companies, the survey showed, are largely unaware of what is happening within the information sharing environment.
A spokesperson for Microsoft said: "Any enterprise software development project should be approached with managed planning and deployments. SharePoint is no exception to this, and SharePoint installations by default do not allow software developers or end users to upload custom code without oversight by system administrators."
The survey sampled a diverse group of financial services, high tech, manufacturing, health care, retail, and public sector managers.
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments. 




Personally, why not use a decent (and secured) CMS for the external-facing bit, and then whatever you like internally? It'd save a lot of headache and heartache. Anything in-between can go through a bottleneck of sorts to (humans) check content and to (servers) provide a security buffer of sorts.
This great insight from someone with years and years of SharePoint experience... Nice FUD.
"About 37 percent of companies surveyed said they were not monitoring the creation of new SharePoint sites to make sure they conform to existing corporate guidelines and policies. Most companies, the survey showed, are largely unaware of what is happening within the information sharing environment."
I don't know any CMSs that automatically ensure they are compliant with corporate guidelines and policies. It's a management problem, not a tool problem.
Delegation of authority is how project people get access. That cannot be reflected in the normal authentication/authorization facilities of a company. In fact enterprises rely on federated authorization managed by individual applications. And, that is a huge expense. Provisioning of content should be dynamic and secure. There is one way - and that is to cluster content contextually through an ontology engine or a corporate metadata server.
Windows SharePoint Services simply happens to be one of the most widely and officially or unsupported collaboration tools deployed in the enterprise today, however CIOs seem to rarely get social trends with a technical core/component. Examples include the resistance to Instant Messaging by most CIOs your organization may have it but in many cases it was/is not a priority on their list for deployment, I am finding in my cases IM will get a free pass in some deployments. In other organizations the CIO is just plain against it. Collaboration among employees like the type of document sharing often found in SharePoint is often ignored and the CIO just looks like he or she does not get it. I will tell you why most of them don't get it. Most CIO or IT Sr. Leaders have a salaried collaboration solution sitting outside of their office, called an executive admin. They rarely are forced to deal with sharing documents, calendar information, looking up contacts, or issues related to the average cubicle dweller.
This is not the fault of any one given product it is the unwillingness or inability for Sr. IT leaders to spot and cultivate social trends in technology so they put the infrastructure and planning in place to support end user productivity versus taking the outdated mentality that their users are dumb, stupid or simple.
Blogging, wikis, social networks are other trends that are moving well beyond the 5 year mark and still have not been validated by Sr. IT leaders. These scenarios will continue to present risk to organizations until they are embraced and given their proper role in a modern enterprise versus the viral deployments we see today.
Anyone recall CompuServe, AOL and Prodigy e-mail and having to make a special request to get an account to e-mail people outside the organization? Seems like we have been here before.
- by Seaspray0 December 15, 2008 1:25 PM PST
- SharePoint was intended to be an open ended web based collaboration tool. The interface is designed so that the average person in the company can build websites and store documents without requiring any intervention by the IT people. Basically, employees can build a site. Unfortunately, employees are not known for controlling access permissions well. The software is capable of being secure, it's the employees building the site that are not.