For many organisations, Windows SharePoint services has fast become the tool of choice for collaborative working. The website host, often used to share access to documents and applications, is easy to use, easy to set up and works seamlessly with the Microsoft Office suite.
But according to a new survey, that ease of use means that SharePoint sites can proliferate out of control and expose confidential information to the wrong people.
"The challenge is that users can set these sites up, expose information to other people on the site, and there are very few controls in place," said Stuart Hodkinson, U.K. country manager at security company Courion Corp., which conducted the survey.
The Web-based poll of 163 business managers revealed that more than 86% were concerned that sensitive data could be stored on SharePoint sites, while another 22% said they had already found sensitive data on SharePoint sites that should not have been there. In addition, 34% of respondents had no policy for SharePoint usage, while 36% of those surveyed did not monitor the activity.
The great advantage of SharePoint is that users can create their own sites and invite others to join as participants. This makes it ideal as a platform for collaboration on projects, and has contributed to its rapid adoption across the world. For example, the U.K. chapter of the SharePoint Users Group boasts more than 4,000 members.
But Hodkinson said the proliferation of Microsoft's SharePoint sites was hard to control, and it was even difficult to manage the information they handled, and who had access to sites.
"The problem is that a site could be set up for a specific reason, then two or three months down the line, people start to confuse it with another SharePoint site, and start exposing confidential information, such as an Excel spreadsheet pertaining to M&A activity," he said.
"It is possible to use Microsoft admin tools to mine Active Directory attributes to discover where SharePoint sites are. But then you need a different interface to see who has administrative access, and there is no easy way of viewing all this information in a single location."
Hodkinson added that before the end of December, Courion plans to launch a product that will perform that function, sniffing out SharePoint sites on the network and reporting on who has access.
Gavin Williams, head of the infrastructure practice at Avanade Inc. (a joint venture between Microsoft and Accenture Inc.), acknowledged some of the problems of SharePoint security, but emphasised the benefits that companies are getting from the technology.
"SharePoint doesn't create new problems. It has the same issues as we have around file servers, and how we manage access," he said. "But you don't want to discourage enthusiasm. IT can't afford to become a blocker. It needs to be seen as an enabler to drive additional activity inside an organisation."
His advice for a successful implementation of SharePoint services was to work first with the business to design the functions that people want to achieve, then run a pilot where users perform their everyday functions. Having established who needs what information, he said, it is possible to establish a workable policy in collaboration with the rest of the business, and set up sites and groups for certain functions.
The Courion report concluded that as a bare minimum, companies should monitor the creation of new sites in order to gauge the potential for SharePoint security problems. The survey found that 55% do monitor new site creation, while more than one-third said they do not and another 7.5% did not know.
Courion's advice is that system administrators and security personnel need to be able to answer the following questions:
- What SharePoint sites are on our network and who owns them?
- Who has access to these sites and what permissions do they have?
- Are sites with sensitive data being managed using best practices consistent with the organization's security policies?
- How can I fix sites that are exposing the organization to security problems?