Storing data on cloud-based collaboration platforms like SharePoint Online and Office 365 can pose serious data security and compliance concerns for enterprises. While many technology-focused organizations are interested in moving information to cloud collaboration platforms, recent news of information leaks and security breaches is causing major concern. With the broad adoption of on-premises SharePoint, and the strong adoption of Office 365 and SharePoint Online, coming to grips with collaboration security is an important, growing issue.
Two aspects of security that present serious threats to information confidentiality are privileged accounts and lack of awareness regarding what data is stored in user-empowered platforms such as SharePoint. As organizations contemplate moving to cloud computing, these issues become even more difficult. In SharePoint Online and Office 365, determining what sort of data is stored there is a challenge, and in terms of privileged administrator accounts, you have to consider administrators from the cloud service provider as your new potential “insider threat.” However, there are steps that IT teams can take to mitigate these threats and increase the security of their data stored in SharePoint sites on cloud platforms.
In order to understand and analyze what risk is present in the use of SaaS applications such as Office 365, you have to start with understanding the actual data being stored in the platform. The value of the information has to be assessed, as does its criticality to the organization.
There is obviously a lot of variation in the type of information that is stored in these online collaboration platforms. What is important here is to understand what data is being stored and how sensitive or confidential it is; where it is stored in your cloud collaboration sites; and by whom. In addition, special attention should be paid to data that falls under a regulatory compliance regime. In either case, security controls may be necessary to mitigate risk and to meet compliance requirements.
How do you determine what sort of data is being stored in your collaboration sites? Some organizations attempt to mandate this by policy. Others will periodically scan their collaboration systems. A third, unfortunate category might be those organizations that ignore the issue and hope for the best.
A recent industry survey conducted by CipherPoint found that nearly 50% of on-premises SharePoint users have not scanned their SharePoint sites, and that 80% of Office 365/SharePoint Online users have never scanned their sites. The problem with ignoring this issue or relying solely on policies to govern behavior is that it is easy for even well-intentioned users to make mistakes and put sensitive or regulated data into SharePoint or Office 365 systems. It is better to “trust but verify” by establishing policies, and by periodically checking actual use vs. policy by scanning.
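A minimal sketch of the "actual use vs. policy" check described above, as an added example that is not from the article or from CipherPoint. It assumes document text has already been extracted from the sites; the site paths, authors, policy table and sample documents are all constructed for illustration.

```python
import re

# Constructed sample inventory: (site, author, extracted text). Not real data.
DOCS = [
    ("/sites/finance", "alice", "Refund to card 4111 1111 1111 1111 approved."),
    ("/sites/marketing", "bob", "Customer SSN 123-45-6789 attached for the raffle."),
    ("/sites/marketing", "carol", "Order ref 1234 5678 9012 3456 shipped."),
    ("/sites/hr", "dave", "Employee SSN 078-05-1120; expense card 5500-0000-0000-0004."),
]

# Assumed policy: the data classes each site is approved to hold.
POLICY = {"/sites/finance": {"PAN"}, "/sites/hr": {"SSN"}, "/sites/marketing": set()}

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate card numbers
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum: filters out order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return the set of regulated data classes detected in one document."""
    found = set()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("PAN")
    if SSN_RE.search(text):
        found.add("SSN")
    return found

def scan(docs, policy):
    """Report (site, author, data class) wherever content exceeds site policy."""
    findings = []
    for site, author, text in docs:
        allowed = policy.get(site, set())  # unknown sites are approved for nothing
        for data_class in sorted(classify(text) - allowed):
            findings.append((site, author, data_class))
    return findings

if __name__ == "__main__":
    for finding in scan(DOCS, POLICY):
        print(finding)
```

Each finding names what was found, where, and by whom, which are the three questions the article says an assessment must answer.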
Knowing what sensitive and regulated data is being stored in your collaboration systems is a key first step toward adequately securing these platforms. Once you understand the scope of the problem, securing this information means determining who should access the data, assigning appropriate permissions and access controls, encrypting the data at rest, and then keeping audit trails and access reports. While this may sound like an overwhelming list of tasks, security technologies have come a long way over the past few years in terms of usability. Some of the important criteria to look for in data-security solutions for collaboration systems include:
• Ability to deliver cross-platform support for on-premises SharePoint sites and file servers, and for Office 365 and SharePoint Online
• Sophisticated encryption-key-management capabilities that simplify management of key life cycles, including rotation and ageing of keys
• Transparent operation to minimize end-user adoption issues
• Universal support for PCs, laptops, tablets and smartphones as endpoint devices
• Robust audit reporting for all valid access and invalid access attempts to sensitive information
• Insertion at a high enough level in the technology stack to protect against sophisticated insider threats, while still protecting against simpler threats (loss or theft of devices and media)
With new technologies come new threats, and it is incumbent upon IT managers to assess and mitigate risk. As collaboration platforms become more popular, and as they attract more sensitive and regulated data, gaining an understanding of where this data is being stored and deploying the right mix of security controls is critical.
Mike Fleck is CEO of CipherPoint, creator of SharePoint security products.