
Top Security Challenges with SharePoint Collaboration

In today’s business environment successful companies rely upon the rapid and efficient exchange of information. Collaboration between employees is a critical part of this equation and a key driver of competitiveness and productivity. Effective collaboration requires timely access to information, both structured (databases) and unstructured (file systems, online content and communications).

Many companies have invested in SharePoint for managing their unstructured information. However, few have realized the efficiency and productivity gains SharePoint offers, because of concerns about the security of the information stored in it. Worse still, many continue to maintain legacy document management systems to store sensitive information and continue to incur the associated software maintenance, labor and hardware costs. This drastically reduces the ROI on their SharePoint investment.

Top 6 Capabilities Required for SharePoint Encryption

Failing to encrypt content properly remains a challenge in 2013, despite industry experts recommending it as an important line of defence against data breaches.

In an IT World article on best practices for preventing breaches, Leon Rodriguez, director of the HHS Office for Civil Rights, is quoted as saying that encryption technology is key to avoiding breaches. In an HHS announcement he added, “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

Most companies fall into one of three groups: those that do not encrypt at all; those that encrypt content according to standards from five years ago; and those that automatically encrypt content within SharePoint when sensitive content is detected.

For organizations in the first two groups, here are six capabilities you need if you handle any sensitive personal or health-related data (PII or PHI) or confidential company information (intellectual property, board documents, M&A material).

LV= Improves Site Quality, Brand Integrity and Accessibility

LV= employs over 5,500 people and serves around five million customers with a range of financial products. As a trusted UK brand, its Web Content Team required a solution for scanning site quality, brand integrity and accessibility to extend LV=’s credibility to the Web.

The Challenge

The Web Content Team at LV= knew that for their website and a dozen subsidiary sites to be viewed as professional and usable, they should be both error-free and accessible. To achieve this level of professionalism, the team relied purely on daily manual reviews of key Web pages for spelling, broken links and accessibility.

The challenge was that, deep into the sites, the team did not know whether any broken links, typos or brand inconsistencies existed unless a site user brought them to their attention. This posed a significant problem when destination links (particularly external links) were broken.

To better serve its five million customers, LV= required a solution that could scan content regularly to provide a more efficient process for addressing site quality. Furthermore, LV= needed to ensure all its Web pages complied with the UK’s Equality Act 2010 and WCAG 2.0 AA accessibility standards as content was changed and updated.

Military Data Theft and the Lessons Your Business Can Learn from It

A Washington Post article reported that Sixing Liu, a Chinese citizen, was sentenced in federal court for violating U.S. arms export controls and stealing thousands of files from L-3 Communications, a defense contractor developing a device called a disk resonator gyroscope for the U.S. government. The article reported that:

“David Smukowski, president of Sensors in Motion, the small company in Bellevue, Wash., developing the technology with L-3 estimated that the loss of this tiny piece of technology alone could ultimately cost the U.S. military hundreds of millions of dollars.”

“…in November 2010, Liu made an electronic archive of his work e-mail and transferred it to his personal computer along with the entire Sensors in Motion program folder, according to court records.”

“… Liu downloaded documents for programs in which he had no involvement, though the judge said Liu knew ‘just how sensitive the material he had was.’”

“…Liu was convicted last September of…possessing and transporting stolen trade secrets.”

The article demonstrates the risk one person’s actions can bring to a military, federal, healthcare, financial or enterprise organization. It also included the statement of C. Frank Figliuzzi, former head of the FBI’s Counterintelligence Division, to Congress last year that perhaps the most important measure against the theft of proprietary information “is identifying and taking defensive measures against employees.”

Web Accessibility Still an Anomaly

Imagine driving into a shopping mall with no accessible parking spaces, no ramps to get onto the sidewalk and no automatic doors to even get in. It wouldn’t happen in the US today, because the ADA requires equal access to “public accommodations” such as restaurants, retail stores, movie theaters, recreational facilities and other physical spaces. So why, in today’s age of online shopping and access to information, is Web inaccessibility still the norm?

Last week the Wall Street Journal published an article on how online shopping is extremely inaccessible for the blind. In one example cited, a user was only able to guess the text fields required to complete a purchase. Currently there are no laws in place to ensure corporate websites are accessible to users with disabilities because most courts have ruled that the 1990 Americans with Disabilities Act (ADA) does not apply to the Internet. That however may soon be changing.

Reported in the Wall Street Journal article, “The U.S. Department of Justice is expected to issue new regulations on website accessibility later this year that could take a broad view of the ADA’s jurisdiction over websites. A Justice Department spokeswoman declined to comment.”

BYOD and Enterprise Mobile Security

Bring your own device (BYOD) is one of the hottest trends in 2013, and one of the major concerns is enterprise security on these devices. Here is a snapshot of some recent surveys on the topic:

  • “… Only 9 percent of respondents [in a survey on SANS Mobility/BYOD – Security Survey] felt completely aware of all mobile devices accessing their enterprise infrastructure and applications. At the same time, nearly 40% felt they were fully aware of their devices, while nearly half did not have the level of awareness that they should.”
  • A Gartner survey “found that many enterprises are allowing personal mobile devices to connect to the enterprise network. BYOD demand was higher in the BRIC countries where more Generation Y (Gen Y) employees are working. With the proliferation of BYOD, there are many security issues for enterprises to consider before they invest in mobile computing. According to the survey, the top issues were ‘use of privately owned devices’ and ‘deployment of new enterprise mobile platforms.’”
  • An eWeek article “BYOD, Virtualization Affect Enterprise Security: F5 Networks” reported survey results that showed, “While respondents acknowledged BYOD as critical to an organization’s ability to achieve the level of security it wants, one-third of respondents admitted they are not prepared to provide adequate security to protect against threats associated with BYOD. Despite this, two-thirds of respondents said BYOD was having a somewhat to extremely high impact on security.”

SharePoint Security: Comments from the AIIM Survey

In the AIIM report SharePoint Security: A Survey on Compliance with Recommendations for Improvement, author David Jones asked respondents whether they had any general comments to make about their compliance and information security issues. They had a lot to say. We’ve compiled eight responses that caught our attention and added some commentary:

1. “Even though governance is established, compliance is faulty and monitoring is sketchy at best.”

2. “If you want compliance don’t use SharePoint.”

Content compliance and monitoring do not need to be faulty or sketchy. SharePoint can absolutely offer secure collaboration and compliance with the right tools in place. The points below offer a close look at some of the steps and solutions that can assist you.

3. “After migrating content it is difficult to retroactively apply rules.”

Many organizations will face the migration obstacle as they move to SharePoint 2010/2013 or hybrid environments. What matters is that content can be checked and cleaned against compliance policies both before and after migration, regardless of where it resides. Using third-party solutions, compliance and security policies can be applied to a scan of all the content within the platform. Some policies will be based on regulatory and industry standards, while others will be custom to the requirements of a specific organization. Rules can be set up to determine what to do when confidential or regulated content is discovered: restrict access to it and control what actions can be taken with it. This helps ensure that all content in SharePoint, new or old, complies with policy, and adding security around sensitive content reduces organizational risk and the threat of breaches.

4. “Currently taking a cautious approach until third party tools are in place.”

5. “As with many organizations that are using SharePoint, we know/understand the current and potential risks associated with it, but are still in the process of trying to ‘get our hands around it’ from an organization/enterprise perspective.”

SharePoint can be a mammoth task to secure, and trying to secure it without content compliance and security tooling is impractical at any scale. Third-party solutions for automated, content-aware compliance and security for SharePoint reduce risk while also protecting your collaboration investment.

6. “Our organization lacks understanding of what’s actually in SharePoint, from a sensitive/regulated information perspective.”

The best thing about SharePoint is you can put anything in it, and the worst thing about SharePoint is you can put anything in it. Organizations need to balance an increasingly social collaborative environment while still meeting regulatory requirements. Many SharePoint sites seem to be a Wild West of unstructured content. But, there are solutions out there that can audit your site content to help you identify and secure sensitive and regulated information, helping you rein in compliance.

7. “Committing resources to tighten and maintain proper security requires a major, visible commitment from upper management to initiate and maintain the effort and incorporate it into the corporate culture.”

There are a lot of important take-aways from this comment. Management buy-in and engagement are essential to implementing proper SharePoint security, though that topic is too large for one blog post. The emphasis should be on making compliance and security a seamless part of corporate culture. Training takes time, and relying on staff to remember every rule opens you up to those dreaded “whoops” moments. Solutions that monitor content for compliance issues take the onus off the individual and are the most reliable way to ensure policies are enforced. After all, balancing the need to collaborate with the need to maintain SharePoint security is essential to reducing organizational risk. Read how policy management can impact corporate culture.

8. “Compliance, security and record retention are must haves for us.”

This is the ultimate comment because compliance and security are must-haves for all organizations using SharePoint. Effective compliance means not only having a governance strategy in place, but also managing risk by identifying issues and potential violations and having a process for resolution and fine-tuning. The most effective method for managing compliance and security risk in SharePoint is to protect sensitive information at the file level using automated classification, encryption and content restriction. To better protect your organization, consider how automated compliance and security products can remove some of the vulnerabilities, and the reliance on human diligence, involved in maintaining SharePoint content security over the long term.
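The content-aware scanning described in the response to comment 3 above, and the file-level classification this response calls for, can be sketched concretely. The following is an added example written for this page, not code from the original post or from any SharePoint product: it scans a document’s text for two regulated-data indicators (US Social Security numbers, rejecting the ranges the SSA never issues, and payment card numbers, validated with the Luhn checksum) plus a small set of assumed PHI context words, and maps the findings to a policy action. The pattern set, the PHI word list and the action table are illustrative assumptions; a production policy would use curated dictionaries and the organization’s own rules.

```python
"""Content-aware policy scan for document text.

Added example for this page (not from the original post or any vendor
product).  Pattern details, the PHI word list and the action table are
assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass, field

# Candidate SSNs in the common 123-45-6789 layout.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digit runs, optionally separated by spaces or dashes (card numbers).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed PHI context words; a real policy would use a curated dictionary.
PHI_TERMS = ("diagnosis", "patient", "medical record", "prescription")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000.  Cuts obvious false positives such as 000-12-3456."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(s: str) -> str:
    """Keep only the last four characters so the scan log is not itself a leak."""
    return "*" * (len(s) - 4) + s[-4:]


@dataclass
class Finding:
    kind: str    # "ssn", "pan" or "phi_term"
    value: str   # masked match, or the matched term


@dataclass
class ScanResult:
    findings: list = field(default_factory=list)

    @property
    def kinds(self):
        return sorted({f.kind for f in self.findings})

    def action(self) -> str:
        """Assumed policy table: regulated identifiers -> encrypt and restrict
        access; PHI context words alone -> restrict; nothing found -> allow."""
        if "ssn" in self.kinds or "pan" in self.kinds:
            return "encrypt+restrict"
        if "phi_term" in self.kinds:
            return "restrict"
        return "allow"


def scan(text: str) -> ScanResult:
    """Run every policy pattern over the text and collect validated findings."""
    result = ScanResult()
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            result.findings.append(Finding("ssn", mask(m.group(0))))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            result.findings.append(Finding("pan", mask(digits)))
    lower = text.lower()
    for term in PHI_TERMS:
        if term in lower:
            result.findings.append(Finding("phi_term", term))
    return result


if __name__ == "__main__":
    # Constructed sample documents, not real data.
    sensitive = "Patient John Doe, SSN 123-45-6789, card 4111 1111 1111 1111, diagnosis: asthma"
    benign = "Invoice 000-12-3456 reference 1234 5678 9012 3456"
    for doc in (sensitive, benign):
        r = scan(doc)
        print(r.action(), [(f.kind, f.value) for f in r.findings])
```

The two validation steps are what separate a usable scanner from a noisy one: the invoice line above contains an SSN-shaped string and a 16-digit reference, but the area-number check and the Luhn check reject both, so the document is allowed rather than quarantined. Masking the matched values before they reach the findings list keeps the audit trail from becoming a second copy of the regulated data.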

Read more findings from the report including recommendations on improving SharePoint security or find out how selecting the right content compliance and security solution will help your organization achieve the full benefits of SharePoint by reading Microsoft SharePoint Security: Evaluating a Content Security Solution.

 

Do You Know Where Your Policies Are?

Guest post by Michael Rasmussen. When an organization fails to manage policies, the organization quickly becomes something it never intended.

Policies define the organization’s governance culture and objectives. Without the guidance provided by well-written and effectively managed policies, corporate culture may morph and take the organization down unintended paths. Policies set the standard for acceptable and unacceptable conduct by defining boundaries for the behavior of individuals, the operation of business processes, and the establishment of relationships.

Let’s be clear. Policies in and of themselves do not ensure the right corporate culture. Merely creating thousands of policies is not the answer; in the case of policies, often “less is more.” Even when well-written policies are issued, the game isn’t over. An organization can have a wide array of policies that “sit on the shelf” or are not adhered to, leaving the organization in very hot water.

In my experience, policy management processes are in disarray, introducing risk in today’s complex, dynamic and distributed business environment. The typical organization lacks a structured means of policy management: an inconsistent maze of templates and processes, with policy documents that are out of date (e.g., old versions), unauthorized, and scattered across file shares, SharePoint sites and other content management systems. Inconsistency in policy management means processes, partners, employees and systems behave like leaves blowing in the wind. Organizations struggle with policies that are out of date, ineffective and not aligned to business needs. Policy inconsistency opens the door to liability, as an organization may be held accountable for policy that is inappropriate or not complied with.
