
The More People Use SharePoint, The More Important Governance Becomes

By Christian Buckley posted 12-01-2015 00:57

  

According to an AIIM survey a couple years back, more than 50% of corporations are using SharePoint Server. In addition, their data showed that for 22% of the companies, every employee had adopted the technology. Ok, if *every* employee was truly using the platform within those companies, that would be very impressive -- but also a bit scary. That's a lot of people moving around a system, touching content, and potentially breaking things.

Now add to that the increasingly chaotic collaboration environment in which users add consumer-based tools, cloud storage systems, and mobile apps that are not likely being tracked, much less providing secure, compliant, and governed access to your intellectual property. What’s even scarier is how often content management systems get left out of the security equation altogether. When we read about these massive data breaches, the first thing reported in the news is always denial of service this or anonymous that. Everyone is so focused on external vulnerabilities that they forget about the insider threat. According to Forrester Research, the majority of security breaches involve internal employees, with some estimates as high as 85 percent.

The overall view on SharePoint or any internal service is that because it’s inside the firewall, it’s presumed safe. It’s no wonder, really. In the vulnerability assessment world, for example, the regulatory bodies (PCI, SOX, etc.) tend to put more emphasis on the perimeter devices than internal ones. PCI requires that companies taking credit cards have quarterly scans of all perimeter devices and one full-blown external penetration test per year, while a “vulnerability assessment process” is all the description given for what needs to happen in the internal environment. This isn’t to say I disagree with what PCI is doing; I think that they’ve done great work advancing security awareness and adoption in the enterprise, but there is still so much more that is left untouched.

The results of this lack of emphasis speak for themselves. Swedish IT security risk management company Cryptzone Group said a recent survey showed almost one in three (30%) Microsoft SharePoint users have disregarded security measures and admitted to copying and distributing sensitive or confidential documents through non-secure means.

Kind of a grim outlook, I know. The first thought is to just lock SharePoint down as tight as you can and never bend or break. Of course, in the real world, this isn’t really plausible. You’ll end up constantly on the phone with your users and adoption will be poor. On the other hand, you can just say forget it, open the floodgates, and let people do as they please. Adoption will be great, but you’ll spend all your time on the phone with your users because something is broken. It’s the classic battle of attrition between security and efficiency; either way, it’s a lot of work. The good news is there is actually light at the end of the tunnel, and it’s not anything revolutionary. Permissions management, governance, strong policy, and enforcement are all you need from a technology side.

Life is about all things in moderation, so the best route is to find a nice blend of all things. Giving users access, but with control; being restrictive, but only after a certain amount of freedom. Administrators need to have some degree of control over their entire infrastructure, allowing them to quickly identify challenging areas, fix issues on the fly, and enforce policies to keep things clean going forward. As much as we think we can just handle it on our own, realistically it’s just not possible.

The last piece of the puzzle, and arguably the most important, is end-user training. Cryptzone further reported that, of the 92% of respondents who understood the risk, only 13% believe that protecting company data is not their responsibility. That just goes to show that most people do believe they play a part in keeping company data safe; they just don’t know how.

The analogy I like to use is “cook and clean”; design, present, train, follow up. Design a security policy around the value of your data, present the policy to the company, train end users, implement, and follow up. The best part of this method is more than half of the work can be automated.

A 2009 survey from Surety revealed that 46% of respondents estimated that the data housed in their SharePoint systems was valued at greater than $10 million. Nearly 30% of survey respondents valued the electronic records housed in their SharePoint systems at more than $50 million, with 9% indicating that their data was valued at greater than $500 million. And with file data growing 60% annually, the value is only going to increase.
