According to an AIIM survey a couple of years back, more than 50% of
corporations are using SharePoint Server. In addition, their data showed that
for 22% of the companies, every employee had adopted the technology. OK, if
*every* employee was truly using the platform within those companies, that would
be very impressive -- but also a bit scary. That's a lot of people moving around
a system, touching content, and potentially breaking things.

Now add to that the increasingly chaotic collaboration environment in which
users add consumer-based tools, cloud storage systems, and mobile apps that are
not likely being tracked, much less providing secure, compliant, and governed
access to your intellectual property. What’s even scarier is how often content
management systems get left out of the security equation altogether. When we
read about these massive data breaches, the first thing reported in the news is
always denial of service this or Anonymous that. Everyone is so focused on
external vulnerabilities that they forget about the insider threat. According to
Forrester Research, the majority of security breaches involve internal
employees, with some estimates as high as 85 percent.

The overall view on SharePoint or any internal service is that because it’s
inside the firewall, it’s presumed safe. It’s no wonder, really. In the
vulnerability assessment world, for example, the regulatory regimes (PCI, SOX,
etc.) tend to put more emphasis on perimeter devices than on internal ones. PCI
requires that companies taking credit cards have quarterly scans of all
perimeter devices and one full-blown external penetration test per year, while a
“vulnerability assessment process” is all the description given for what needs
to happen in the internal environment. This isn’t to say I disagree with what
PCI is doing; I think they’ve done great work advancing security awareness
and adoption in the enterprise, but there is still so much that is left
untouched.

The results of this lack of emphasis speak for themselves. Swedish IT
security risk management company Cryptzone Group said a recent survey showed
almost one in three (30%) Microsoft SharePoint users have disregarded security
measures and admitted to copying and distributing sensitive or confidential
documents through non-secure means.

Kind of a grim outlook, I know. The first thought is to just lock SharePoint
down as tightly as you can and never bend or break. Of course, in the real world,
this isn’t really practical. You’ll end up constantly on the phone with your
users, and adoption will be poor. On the other hand, you can just say forget it,
open the floodgates, and let people do as they please. Adoption will be great,
but you’ll spend all your time on the phone with your users because something is
broken. It’s the classic battle of attrition between security and efficiency;
either way it’s a lot of work. The good news is there is actually light at the
end of the tunnel, and it’s not anything revolutionary. Permissions management,
governance, strong policy, and enforcement are all you need from the technology
side.

Life is about all things in moderation, so the best route is to find a nice
blend of the two: giving users access, but with control; being restrictive,
but only after a certain amount of freedom. Administrators need to have some
degree of control over their entire infrastructure, allowing them to quickly
identify problem areas, fix issues on the fly, and enforce policies to keep
things clean going forward. As much as we think we can just handle it on our
own, realistically it’s just not possible.

The last piece of the puzzle, and arguably the most important, is end-user
training. Cryptzone further reported that, of the 92% of respondents who
understood the risk, only 13% believe that protecting company data is not their
responsibility. That just goes to show that most people do believe they play a
part in keeping company data safe; they just don’t know how.

The analogy I like to use is “cook and clean”: design, present, train, follow
up. Design a security policy around the value of your data, present the policy
to the company, train end users, implement, and follow up. The best part of this
method is that more than half of the work can be automated.

A 2009 survey from Surety revealed that 46% of respondents estimated that the
data housed in their SharePoint systems was valued greater than $10 million.
Nearly 30% of survey respondents valued the electronic records housed in their
SharePoint systems at more than $50 million, with 9% indicating that their data
was valued greater than $500 million. And with file data growing 60% annually,
the value is only going to increase.