SharePoint users break own security rules

Privilege controls can work, but cannot cater for all eventualities, says Quocirca analyst Rob Bamforth.


Research just published claims to show that Microsoft SharePoint users are breaching their own company security policies. 

Originally launched in 2001, SharePoint is a web application framework and platform that integrates intranet, content management and document management under a broad Internet collaboration umbrella. The platform - which is designed for use by non-technical staff in major enterprises - integrates closely with Microsoft Office. 

The SharePoint Security Report - sponsored by Cryptzone - is based on an anonymous survey of 100 attendees at the March SharePoint Conference in Las Vegas. Researchers found that 36 percent of SharePoint users are breaching security policies, and so gaining access to sensitive and confidential data to which they are not entitled.

In addition, of the 19 percent of respondents whose organisations do not allow sensitive information to be stored within SharePoint environments, nearly a quarter later said they knew of individuals who had accessed content to which they were not entitled - showing that users are ignoring their security directives.

The real eye-opener is arguably that the majority of administrators perceive their ‘permissions’ to be unrestricted - responding with anecdotal comments that included ‘I am entitled to see everything’ and ‘administration access is God mode.’

Håkan Saxmo, CTO of Cryptzone, said that the report highlights the need for a separation of duties, so that SharePoint admins are only responsible for performing normal administrative functions in SharePoint. 

In addition, he explained, using technical controls that enforce information security policies automatically - without changing the user experience - is fundamental to the security rules being maintained, as users will not follow the rules just because they are there.

The report concluded that the risk of SharePoint admins abusing access privileges without the knowledge of their employers remains extremely high - and that a high proportion of enterprises do not audit their systems for compliance. Because of this, the report says, companies cannot be sure they are not putting sensitive and confidential data at risk.

Solutions to the security challenges identified in the report include recommendations to establish rule-based encryption and access rights management to automate SharePoint security controls, and to ensure that encryption plus access management stays with the document - regardless of whether SharePoint content is moved, copied or changed in any way.

In addition, the report recommends that, when granting access to external parties, admins ensure those users are only able to access the SharePoint resources that they need and that the content shared with them remains protected. 

Commenting on the report findings, Rob Bamforth, a principal analyst with Quocirca, the business research analysis house, said that, because SharePoint is a high-end business environment, the findings are very revealing - and highlight the fact that the human element is letting enterprise security down.

"I think responses to Q4 - ‘Does your organisation store sensitive information in SharePoint’ - are most revealing, as 79 percent said they stored sensitive or confidential information on the SharePoint platform," he said, adding that this shows the clear need for a security policy enforcement technology in these organisations.

Separation of duties, he says, is a possible solution, but this could be difficult to arrange in most companies. 

"The problem here is that a security policy enforcement solution is not always going to be able to keep up with changes caused by staff holidays and sickness. Privilege controls can work, but cannot cater for all eventualities," he explained. 

Adrian Davis, EMEA managing director with (ISC)2, the not-for-profit IT security association, said the research highlights the importance of management in a technical context.

"Managers cannot assume that ‘IT will take care of it’ and leave administrators to implement suitable controls to protect information and manage access by users. Additionally, managers cannot leave privileged users, such as system admins, to work without supervision or at least regular review of what those privileged users are doing," he said.

"The key to a successful deployment is having business, IT and information security working together to build the right architecture and environment so that the benefits of a SharePoint deployment can be maximised, whilst the risks of deliberate or accidental compromise of the confidentiality, integrity or availability of information are minimised," he added.