The Boldon James SharePoint Security Challenges Survey
FINDINGS REPORT

A Boldon James Commissioned Research Survey

Microsoft Global Go-To-Market partner for Messaging in Defence and Public Safety

www.boldonjames.com


Introduction

Microsoft SharePoint has revolutionised the way businesses work by providing a structured, readily-available and reliable collaboration platform. The ability to immediately access up-to-date business critical information helps businesses to gain more visibility and control of projects, and for teams to work closely together to deliver the best results.

SharePoint is by design a document sharing system but offers so much more in terms of functionality. Documents can be managed, shared, edited and emailed from one interface helping to improve confidence, operational efficiency and control over company information. With SharePoint you can interrogate your data thoroughly, drill down into more detailed information, automate regular reports and easily change settings, team views and the way reports and documents are displayed.

The system is designed to offer effortless sharing of documents and this by itself raises some interesting questions about security and how important it is to adopt a company-wide SharePoint security policy in order to protect the valuable data that the system will house.

This report is based on the results of a survey commissioned by Boldon James and conducted by eMedia at the end of 2012. The survey was designed to gain insight into approaches to SharePoint security and was completed by 214 IT professionals. The group of respondents was also asked to give their thoughts about protective marking (also known as classification) of SharePoint assets and to give details about the size of their company and their job role. The latter information would be used to give context to the answers given by those surveyed.

This report outlines the key findings of the survey and analyses the meaning of the results using the current IT landscape as a backdrop. These findings will give IT professionals valuable insight into the ways that some of their peers are handling SharePoint security ‘in the wild’ and help them to improve their own security solutions. Within the survey analysis we have included specific commentary that highlights where protective marking has a beneficial role to play – as exemplified by the Boldon James SharePoint Classifier product that we describe at the end of this document.

We would like to thank those who took the time to complete the survey and share their thoughts and concerns about SharePoint security with us.

Survey Results and Analysis

Question 1: How Many PC Users Are There In Your Organisation?

Respondents were asked to specify how many PC users their organisation has and were given a number of ranges to choose between.

27% were from companies with fewer than 25 PC users whilst 20% were from companies with more than 5000 PC users. The number of PC users in a company can have a huge influence on operations and how security policies are planned and implemented, but it can take only one person to cause a corruption or loss of data or to create a security risk. No matter what the size of your business, you should always ensure you have robust security policies in place.

SharePoint is used in a wide range of business settings from small start-ups to larger organisations with branch offices spread out across the globe. Whether your SharePoint services are in the cloud or held on one dedicated server in your server room, you need to consider the protection of your data at all times.

Larger organisations need to pay particular attention to information security policies as large numbers of PC users can multiply risk. Such policies should be enforced, monitored, reviewed and updated to ensure all PC users adhere to the policy and know why it is in place.

Implementing a protective marking solution for SharePoint will help to educate users about data loss prevention and highlight the real value of the documents they work with every day. Boldon James SharePoint Classifier is easy to implement and defines a clear set of controls that can be applied by any organisation no matter what the size or business sector.


www.boldonjames.com BJRS250413

Whitepaper

Question 2: What Is Your Role In Relation To SharePoint In Your Organisation?

Respondents were asked to specify their role in their organisation in relation to SharePoint. 65 administrators made up 30% of the results whilst 27% of those surveyed were SharePoint users.

Many larger organisations also employed SharePoint developers and architects suggesting more complex SharePoint installations were in place in these companies. 30% of respondents specified “Other” when surveyed and these roles may include SharePoint trainers, business owners, helpdesk technicians and sole traders.

This particular question provides an insight as to the perspective of the respondent and the manner in which their organisation is using SharePoint services ‘in the wild’. When considering a protective marking solution for SharePoint you should ensure that it needs no specialist skills in order to be deployed, configured or managed and so can easily meet the skills base of your IT organisation.

Question 3: How Long Have You Been Using SharePoint?

Respondents were asked how long they had been using SharePoint or whether they were moving straight to the latest release – SharePoint 2013.

Only 14% of those surveyed have been using SharePoint for over 5 years. This suggests that SharePoint was perhaps not the right solution for some businesses when it was first released and that later capabilities made it a more viable option. 38% of those surveyed said they had been using SharePoint for under 3 years.

103 (48%) people surveyed said they were not using SharePoint yet because they were planning to adopt SharePoint 2013. Microsoft has firmly positioned SharePoint 2013 as being all about collaboration in the enterprise.

New features in SharePoint 2013 include greater functionality of ‘My Sites’. These new features include strong micro-blogging capabilities complete with ‘like’, ‘hashtag’ and ‘mention’ features. SharePoint is increasingly harnessing social networking concepts and focusing on wider communities outside of the business environment. Opening SharePoint for collaboration with external partners and customers creates opportunities for more efficient business processes, but also introduces greater risk of information leakage.

SharePoint 2013 also introduces more robust security measures including advanced authentication between users, servers and applications. However, there are no specific features to address security awareness amongst the users. Regardless of the generation of SharePoint you elect to deploy you should consider using a robust protective marking system for your documents and emails within SharePoint as this will help to reinforce your IT security policy and ensure all users comply with its tenets.

In addition to boosting security awareness, a protective marking solution can enhance your existing security solutions. Tools for Data Loss Prevention (DLP) and compliance are more effective when protective marking is used to provide business context for the documents stored in SharePoint libraries.

Question 4: Is SharePoint Access In Your Organisation Restricted In Any Way?

Respondents were asked how access was controlled, if at all, and at what level. SharePoint offers granular security options and we were keen to see to what extent these were being used.

15% of those surveyed said that only particular departments have access to SharePoint, whilst 23% said they had set up access-controlled groups for SharePoint. If you are familiar with Windows access control lists, they work in a very similar way on SharePoint. Using list-based security gives you total control of your data down to the very last document and specifies exactly what users can and cannot do when they log in to your SharePoint service.

20% of those questioned said that everybody in their organisation had access to SharePoint whilst 4% said that they also opened up SharePoint access to a number of third parties outside of their organisation. SharePoint is a valuable tool for teams to collaborate in-house and can also help to build strong business relationships with clients and other business associates. Being able to share data and collaborate on projects within a shared environment can help to avoid project delays and improve results.

5% of those surveyed said that anybody could access their SharePoint environment and information. This does not necessarily suggest a security flaw or vulnerability. Many organisations allow anonymous access to their SharePoint environment and allow all visitors to view their data. This works very well in the case of intranet or extranet environments. However, anonymous access does need to be set up in the correct manner so as not to jeopardise data in other SharePoint zones.

42% of those surveyed said that they were not using SharePoint yet. It is assumed, based on Question 3, that these people are planning to adopt SharePoint 2013.

Where there is open access to material stored in SharePoint, a protective marking solution can ensure that all users understand the relative sensitivity of the information they encounter. Even where access is more tightly controlled, a marking solution can help project or departmental users to identify sensitive information and apply appropriate safeguarding.

Question 5: Does Your Organisation Have An Information Security Policy And Does It Encompass SharePoint?

The question was designed to gather information on the types of security policies in existence, if any, and to determine whether SharePoint security was high priority.

The good news is that 35% of those surveyed said they had an information security policy in place and that it included SharePoint use. 25% of those surveyed have an information security management policy in place although it does not cover SharePoint.

5% of those questioned said they had an information security policy in place but that it was not enforced. An IT policy, especially one controlling security and protecting data, should be enforced company-wide. Otherwise, you are leaving your data open to misuse and abuse. It is not difficult to enforce a security policy and creating security awareness amongst users is a fundamental step towards that enforcement. The best security policies are those which every employee must sign to show that he or she has understood the implications of not complying with the terms of the policy and therefore are enforceable through the HR department.

13% of those surveyed said they were in the process of developing a security policy. This is a great time to include SharePoint security and to investigate the SharePoint security measures that could be implemented to control access and protect shared data.

22% of those surveyed said they had no policy in place and there were no plans in place to develop one. These results were quite surprising and concerning at the same time. With no security policy in place, it can become increasingly difficult to manage users and the data within your company. Electronic data is the lifeblood for most businesses and loss or leakage of critical data could be catastrophic for most organisations.

Think about how you use documents and other data, both within your SharePoint environment and outside. Are you confident that your sensitive data can be readily identified by those involved in its handling? Can you easily apply metadata that helps your other security solutions control the exchange of data? A protective marking system offers a consistent way to identify and structure your key business information – automatically applying metadata to improve control over information exchange.

Question 6: What Has Driven or What Would Drive You To Develop An Information Security Policy?

This question allowed multiple answers and was designed to gain an insight into concerns or external pressures that might be a catalyst to developing an information security policy.


118 responses cited concerns about data loss whilst 137 responses voiced concerns about inappropriate sharing and access of data within the organisation. Many companies invest heavily in their perimeter security whilst continuing to ignore the threat to company data from inside the perimeter – from the users themselves.

PC users pose one of the biggest risks for a business and it is therefore essential to ensure that user training, access control and a stringent IT policy are in place for your key information handling systems. Whilst you can never ignore the threat posed by a rogue employee or the innocent victim of a social engineering attack, it is simple human error that still presents the most common threat to your sensitive data.

Regulatory pressure was another reported reason for formulating an IT policy. If your organisation stores customer data, credit card details or financial information you will no doubt find yourself the subject of specific compliance controls. Compliance with such standards and legislation will almost certainly require you to enforce a robust IT security policy, with regular audits required to ensure the policy is being followed.

The ability to demonstrate data management compliance is significantly simplified with a comprehensive information classification strategy that includes protective marking. Many organisations adopt ISO 27001 as the basis for their Information Security Management System (ISMS) and this international standard clearly identifies the fundamental role of classifying assets as part of managing information security.

Question 7: How Does Your Organisation Make SharePoint Users Aware of the Security Requirements of Accessing Data?

12% of respondents questioned said that users were not made aware of SharePoint security and that they were left to make their own decisions. The risk of leaving users to their own devices without specific security training could mean data and business integrity is compromised. This could have serious consequences for any business.

Training played a major part in security awareness with 38% of those surveyed saying they used training to teach users how to access data in the right manner. Whether training is arranged as formal classroom training or set out in a company handbook, it is essential that SharePoint users know the company rules concerning the handling of data. It is not unusual for organisations to follow disciplinary procedures when a security policy is breached and this can go a long way when trying to enforce good security practice.

43% of respondents said they were not yet using SharePoint and based on previous questions we can assume that these people were likely to be adopting the latest release – SharePoint 2013.

SharePoint provides a very flexible and open tool for sharing data, but it is important that users can be made aware of the safeguarding requirements of the documents they find there. Just because a user is permitted to access a document should not imply that they can do as they please with it. Consistent protective marking of documents will highlight to the users their responsibilities regarding the use of that information.

Question 8: What Approach Are You Planning to Take/Have You Taken to Addressing Security For Your SharePoint Environment?

This question allowed multiple responses and has been designed to gain an insight into the security control methods used in the workplace to manage access to SharePoint data.

SharePoint is quite versatile when it comes to access control and allows a number of methods to be used. SharePoint Access Control Lists (ACLs) were the most popular form of security control with 113 people responding that they used this method. For most IT security administrators, ACLs are a familiar concept and easy to set up but can be challenging to maintain over time and to scale to large numbers of users. However, they offer granular security controls that can be set at user or group level.

78 people said they used departmental SharePoint deployment within their organisation. In this type of scenario, users are given a SharePoint role and a set of privileges associated with that role. For example, the contributor role allows the user to participate in web document discussions and subscribe to lists and documents. There are 5 roles available allowing administrators to assign the most relevant roles to users within the department.

Of the remaining respondents, web access management was favoured by 73 respondents whilst 41 others preferred fine-grained authorisation. 35 respondents are using information lifecycle control within their SharePoint environments.

With respondents using a mix of access control techniques both external and internal to SharePoint, it is important to consider that a protective marking solution needs to be agnostic to the choice of access control technology. By clearly identifying your sensitive information it becomes easier to ensure that your access control methodology is correctly connecting the right users to the right data.


Question 9: Do You Currently Protectively Mark Information?

This question was designed to help us understand the level of awareness of protective marking of data and to find out whether and how this type of security strategy was being used.

65% of respondents are not yet marking any of their data. Protective marking ensures that all data is classified and helps to raise awareness of the existence of sensitive information within the workplace. For example, many Government agencies use protective marking to minimise inadvertent disclosure of confidential information. Commercial organisations employ protective marking to control, for example, intellectual property or information containing customer data. Classification solutions can also automate the application of encryption of highly sensitive and private data.

9% of respondents said they protectively mark all emails and the same percentage again said they do the same for all documents. 17% of respondents said they mark all email and documents.

Whether you are a large organisation bound to comply with regulations and data protection laws, or a small company looking to collaborate on multiple projects, SharePoint security is essential. However, the response to Question 5 tells us that only one third of organisations have a security policy that covers SharePoint. In many organisations SharePoint use has grown organically to become part of the fabric of the business without being subject to mainstream security controls. Any business that relies on SharePoint to store sensitive or confidential data should always ensure that its users understand their responsibilities for the safe handling of that information.

Question 10: What Do You See As The Biggest Benefit of Protectively Marking Information Held in SharePoint?

Protectively marking SharePoint information has a host of benefits for businesses and users and can also ensure you are compliant with regulations, applicable legislation and best practice within your industry.

36% of those surveyed said that the biggest benefit of protective marking to them was increased user awareness of security responsibilities. Raising security awareness amongst your users should be paramount if you want your security policies to be successful. If you implement protective marking across your company then it is a good idea to formulate a separate protective marking policy or to incorporate a clear set of protective marking rules within your corporate IT security policy.

Whether you have a tightly enforced IT security policy or a looser one, it is important that your users understand both the contents and the purpose of that policy. 22% of those surveyed believed protective marking would help to enforce their information assurance policy.

Data loss prevention was also a big concern for 17% of respondents. Loss of critical data can be harmful to a company’s bottom line and reputation. By focusing protection on sensitive, confidential and other important documents you can mitigate the risk of damaging data leaks, data deletion and data corruption.

Protective marking can assist you in managing your unstructured data in a more consistent manner. Often sensitive information can ‘hide’ amongst less important data which is subject to looser protection. Protective marking can help you to identify this critical data so that it can be subject to appropriate safeguarding. 25% of respondents said that protective marking would help them to control unstructured information.


Conclusion

Whether you are using SharePoint as a collaboration tool or as a convenient method of storing, sharing and accessing business data, it is important that your data is protected in the best way possible. This can be done in part by using the security functionality supplied within SharePoint itself; however the addition of a protective marking solution will ensure stronger user engagement in protecting your data. The benefits of augmenting native SharePoint functionality with a protective marking solution are many and not least that it gives you greater visibility and control over your most sensitive and business critical data.

The results of the survey also showed that respondents were concerned about user behaviour and security awareness amongst their user communities. However, it is somewhat contradictory that many of the respondents said they had no IT policy in place or that it was not enforced across their business. This could be down to complacency, confusion as to where the responsibility for developing such a policy lies or simply lack of awareness.

Many of the survey results suggested that respondents had deferred deploying earlier releases of SharePoint whilst waiting for enhanced features. However, SharePoint 2013 provides no additional benefits over the preceding release when you are looking to introduce a protective marking solution. Protective marking can be applied just as easily to existing SharePoint deployments as it can be included within the planning for a new SharePoint deployment.

With over a third of respondents already engaging in protective marking it seems clear that the classification of information has already become a mainstream element in security management. By ensuring protective marking encompasses SharePoint use, you can maintain consistent levels of safeguarding for your key information assets whilst exploiting the full benefits of Microsoft’s flagship collaboration platform.

About Boldon James SharePoint Classifier

Boldon James SharePoint Classifier puts classification labelling at the heart of data loss prevention by giving users the ability to apply relevant labels to any file held in the document libraries of Microsoft SharePoint. As well as ensuring users understand the value of the data they handle, the labelling metadata can be used to provide consistent control over the dissemination of that information – increasing the effectiveness of data loss prevention measures and meeting key security management objectives of ISO27001.

SharePoint Classifier works in concert with other Classifier products that integrate classification and labelling into the key productivity tools of Microsoft Outlook, Word, Excel, PowerPoint, Visio and Project.

Together the Boldon James Classifier products engage users in structuring information using business-centric labelling, raising awareness of security responsibilities and applying control to the exchange of information.


About Boldon James

For almost 30 years, Boldon James has been a leader in Secure Information Exchange software, helping organisations of all sizes manage sensitive information securely and in compliance with legislation and standards, in some of the most demanding messaging environments in the world.

Our Classifier product range extends the capabilities of Microsoft core infrastructure products to allow users to apply relevant visual & metadata labels (protective markings) to messages and documents in order to enforce information assurance policies, raise user awareness of security policies and orchestrate multiple security technologies.

Our customers range from commercial businesses to Government, Defence & Intelligence organisations and we are a Microsoft Global Go-To-Market Partner and a Gold ISV. Boldon James is a wholly-owned subsidiary of QinetiQ, a FTSE 250 company, with offices in the UK, US, Australia and Europe and channel partners worldwide.

© 2013 Boldon James Ltd. All rights reserved.

The copyright of this paper is solely vested in Boldon James Ltd. The contents must not be reproduced, used, distributed or disclosed (wholly or in part) without the prior written permission of Boldon James Ltd. The Boldon James logo and all product names are trademarks of Boldon James Ltd. All other trademarks are the property of their respective owners and are acknowledged. Boldon James Ltd. (registered number 5357068) is registered in Great Britain with registered offices at Cody Technology Park, Ively Road, Farnborough, Hampshire, GU14 0LX.