The SharePoint collaboration tool, which has been licensed more than 85 million times to an estimated 17,000 companies, is one of the easiest-to-use products in Microsoft's line, experts say. In fact, it is so simple that many employees and workgroups deploy it without ever asking the IT department for help. But this ease of use has a price: many IT organizations have not properly secured their SharePoint deployments, and many others do not know what sensitive data is being stored or exchanged there.
In a survey published earlier this week and sponsored by security vendor Trend Micro, Osterman Research reported that only 60 percent of companies have deployed security tools specifically for SharePoint; the other 40 percent rely on traditional server and endpoint security applications. But Osterman Research founder and president Michael Osterman observes that SharePoint data tends to travel beyond those boundaries: it is often shared across networks and applications, and sometimes outside the company altogether.
"Deploying antimalware software at the endpoint or on a server does not fully secure the SharePoint environment -- the underlying database, Web pages, etc.," Osterman says.
Osterman's findings are supported by another study, conducted in September by Courion, also a SharePoint security provider. In that study, 25 percent of IT managers said their SharePoint security was weak, or that they were unsure of its state and worried about it. Nine percent of respondents said their organizations had suffered a breach that may have been attributable to a leak of sensitive data from SharePoint.
And just last month, Microsoft patched a vulnerability in SharePoint 2008 and Search Server 2008 that could allow users to reach administrative parts of the SharePoint server and execute administrative tasks. Those tasks might not give the users direct access to protected information, Microsoft said, but they could cause the server to stop responding to legitimate requests or give attackers additional information, such as the email addresses of users on the system.
The problem, observers say, is that most companies have no clear, enforceable policy for using SharePoint. In many companies any user can set up a SharePoint site, and often there are no guidelines for who may access it or what data may be stored there. Some users assume that because SharePoint runs on the company's internal network, its data must be covered by the standard corporate defenses. In other cases, employees grant SharePoint access to business partners or contractors outside the company without taking any steps to secure the exchange of data.
Microsoft offers some basic administrative tools for restricting access to SharePoint data, but many administrators complain that SharePoint administration is too complex and does not go far enough. As a result, a number of third-party vendors now offer software that they say provides more comprehensive SharePoint security. Courion, Trend Micro, Rohati, and WorldExtend sell SharePoint security tools; Exostar offers a software-as-a-service product called ForumPass4, which is billed as a more secure collaboration tool for aerospace and defense environments.
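The two preceding paragraphs describe the practical gap: nobody knows which sites break permission inheritance, which ones grant access to "everyone", and which ones let anonymous or external accounts in. The built-in tooling can answer that question without a third-party product. The script below is an added example written for this page, not code from the article or from any vendor it names. It assumes the SharePoint Management Shell (the server object model of SharePoint 2010 or later, which is newer than the versions in the article), a farm-administrator session, and a hypothetical internal Active Directory domain named CORP; the list of "broad" principals is a heuristic you should extend for your own environment.

```powershell
# Added example (not from the original article): audit every site and list in a
# SharePoint farm for the three conditions the article warns about:
#   1. unique permissions that grant access to "everyone"-style principals,
#   2. anonymous access switched on,
#   3. direct grants to accounts outside the internal domain (partners/contractors).
# Assumes: SharePoint 2010+ server object model, run as farm admin, domain "CORP".

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$InternalDomain = 'CORP'   # assumption: replace with your own NetBIOS domain name

# Classic and claims-encoded spellings of "all users" / "all authenticated users".
$BroadPrincipals = @(
    'NT AUTHORITY\authenticated users',
    'Everyone',
    'c:0(.s|true',       # All Users (claims)
    'c:0!.s|windows'     # All Authenticated Users (claims)
)

function New-Finding($Url, $Scope, $Issue, $Principal, $Roles) {
    [pscustomobject]@{ Url = $Url; Scope = $Scope; Issue = $Issue;
                       Principal = $Principal; Roles = $Roles }
}

function Test-BroadPrincipal([string]$Login) {
    foreach ($p in $BroadPrincipals) {
        if ($Login.ToLower().Contains($p.ToLower())) { return $true }
    }
    return $false
}

# Accepts "CORP\jdoe" (classic) and "i:0#.w|corp\jdoe" (claims); -notmatch is case-insensitive.
function Test-ExternalUser($User) {
    if ($User.IsDomainGroup) { return $false }      # AD groups are reviewed separately
    return ($User.LoginName -notmatch "(^|\|)$InternalDomain\\")
}

# Works for any securable object (SPWeb, SPList) that exposes RoleAssignments.
function Get-PermissionFindings($Securable, $Url, $Scope) {
    $findings = @()
    if (-not $Securable.HasUniqueRoleAssignments) { return $findings }   # inherits: parent is audited instead
    foreach ($ra in $Securable.RoleAssignments) {
        $member = $ra.Member
        $roles  = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ','
        if ($member -is [Microsoft.SharePoint.SPGroup]) {
            # SharePoint group: look through its membership for broad or external accounts
            foreach ($u in $member.Users) {
                if (Test-BroadPrincipal $u.LoginName) {
                    $findings += New-Finding $Url $Scope "Broad grant via group $($member.Name)" $u.LoginName $roles
                } elseif (Test-ExternalUser $u) {
                    $findings += New-Finding $Url $Scope "External account via group $($member.Name)" $u.LoginName $roles
                }
            }
        } else {
            if (Test-BroadPrincipal $member.LoginName) {
                $findings += New-Finding $Url $Scope 'Broad grant' $member.LoginName $roles
            } elseif (Test-ExternalUser $member) {
                $findings += New-Finding $Url $Scope 'External account' $member.LoginName $roles
            }
        }
    }
    return $findings
}

$results = @()
foreach ($site in Get-SPSite -Limit All) {
    foreach ($web in $site.AllWebs) {
        if ("$($web.AnonymousState)" -ne 'Disabled') {
            $results += New-Finding $web.Url 'Web' 'Anonymous access enabled' "$($web.AnonymousState)" ''
        }
        $results += Get-PermissionFindings $web $web.Url 'Web'
        foreach ($list in ($web.Lists | Where-Object { -not $_.Hidden })) {
            $listUrl = $site.MakeFullUrl($list.RootFolder.ServerRelativeUrl)
            $results += Get-PermissionFindings $list $listUrl 'List'
        }
        $web.Dispose()     # SPWeb/SPSite hold unmanaged resources; always dispose
    }
    $site.Dispose()
}

$results | Sort-Object Url, Scope | Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path .\sharepoint-permission-audit.csv
```

Run it from the SharePoint Management Shell on a farm server; the CSV gives site owners a concrete list to justify or remove. Inherited permissions are skipped on purpose, so a finding on a parent web applies to everything beneath it that has not broken inheritance. Item-level permissions (individual documents) are not walked here and would need a further loop over `$list.Items`, which is expensive on large libraries.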
But before such tools can be effective, enterprises must recognize the vulnerabilities of collaborative environments, like SharePoint, and define policies for using them, said Shane Buckley, CEO of Rohati, following the publication of the company's own study on the topic last month. That study indicates that 66 percent of companies believe their organizations need authorization enforcement policies for controlling the ability to print, store, and delete files in collaborative environments.
"The shocking truth that this survey validates is that enterprises are deploying collaboration applications with little to no security policies that can enforce access controls," Buckley said. Such deployments may not only make organizations vulnerable to breaches, but also may jeopardize their compliance with regulatory requirements, he noted.