Risk
1/28/2009
05:50 PM
Connect Directly
RSS
E-Mail
50%
50%

Microsoft SharePoint: A Weak Link In Enterprise Security?

Popular collaboration tool is easy to deploy, but hard to secure, experts say

SharePoint, one of the fastest-growing applications in the Windows environment, may also be turning into one of its most serious security liabilities, according to researchers and security vendors.

The SharePoint collaboration tool, which has been licensed more than 85 million times to an estimated 17,000 companies, is one of the easiest-to-use tools in the Windows suite, experts say. In fact, it's so simple that many employees and workgroups deploy it without even asking the IT department for help. But this ease of use has a price: Many IT organizations haven't properly secured their SharePoint deployments, and many others don't know what sensitive data might be stored or exchanged there.

In a survey published earlier this week and sponsored by security vendor Trend Micro, Osterman Research reported that only 60 percent of companies have deployed security tools specifically for SharePoint, while the other 40 percent are relying on traditional server and endpoint security applications. But founder and president Michael Osterman observes that SharePoint data tends to travel beyond these boundaries -- SharePoint data is often shared across networks and applications, and sometimes even outside the company.

"Deploying antimalware software at the endpoint or on a server does not fully secure the SharePoint environment -- the underlying database, Web pages, etc.," Osterman says.

Osterman's findings are supported by another study conducted by Courion, also a SharePoint security provider, back in September. In that study, Courion found that 25 percent of IT managers believed their SharePoint security was weak, or that they weren't sure and were worried about it. Nine percent of respondents said their organizations had suffered a breach that may have been attributable to a leak of sensitive data from SharePoint.

And just last month, Microsoft patched a vulnerability in SharePoint 2008 and Search Server 2008 that might allow users to access parts of the SharePoint server and execute administrative tasks. These tasks might not allow the users to get direct access to protected information, but they could cause the server to stop responding to legitimate requests or provide attackers with additional information, such as the email addresses of users on the system, Microsoft said.

The problem, observers say, is that most companies don't have a clear, enforceable policy for using SharePoint. In many companies, any user can set up a SharePoint site, and, often, there are no guidelines for who can access it or what data can be stored there. Some users assume that because it's used on the company's internal network, SharePoint data must be protected by the standard corporate security defenses, they say. In other cases, employees make the mistake of offering SharePoint access to business partners or contractors outside of the company, without taking steps to secure the exchange of data.

While Microsoft offers some basic administrative tools for restricting access to SharePoint data, many users complain that SharePoint administration is too complex and doesn't go far enough. As a result, a number of third-party vendors are now offering software that they say provides more comprehensive SharePoint security. While vendors such as Courion, Trend Micro, Rohati, and WorldExtend offer SharePoint security tools, Exostar offers a software-as-a-service capability called ForumPass4, which is billed as a more secure collaboration tool for the aerospace and defense environments.

But before such tools can be effective, enterprises must recognize the vulnerabilities of collaborative environments, like SharePoint, and define policies for using them, said Shane Buckley, CEO of Rohati, following the publication of the company's own study on the topic last month. That study indicates that 66 percent of companies believe their organizations need authorization enforcement policies for controlling the ability to print, store, and delete files in collaborative environments.

"The shocking truth that this survey validates is that enterprises are deploying collaboration applications with little to no security policies that can enforce access controls," Buckley said. Such deployments may not only make organizations vulnerable to breaches, but also may jeopardize their compliance with regulatory requirements, he noted.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-4448
Published: 2014-10-22
House Arrest in Apple iOS before 8.1 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information from a Documents directory by obtaining this UID.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.