A Microsoft security expert warns that users of Microsoft’s SharePoint are increasingly putting sensitive, highly regulated data in the collaboration platform with little security and auditing. Worse yet, the audit tools in some versions of SharePoint are so convoluted as to be practically useless.
The warning comes from Randy Franklin Smith of Ultimate Windows Security in a webinar he hosted Thursday. I’ve written about another Smith webinar earlier this month on Active Directory. SharePoint has become a very popular tool for dispersed participants in a project to work together online, sharing documents and other resources, writing, editing and more from wherever they are in the world. But a survey by Ultimate Windows Security shows users are increasingly sharing sensitive customer-related data, financial information, human resources information and the like without adequately keeping track of who does what with it.
Asked if they shared privileged company information via SharePoint, 48 percent of respondents answered yes, while 43 percent answered no. Types of information shared included HR (21 percent), customer data (30.3 percent), financial (22.4 percent) and other proprietary information (32.9 percent).
Also, 30.3 percent of respondents plan to share more information via SharePoint going forward. But here’s the glaring statistic: While 76.3 percent of respondents said they keep a Windows audit log, only 36.8 percent of them keep a unique SharePoint audit log; 46.1 percent do not.
As SharePoint usage increases and as regulators look increasingly at SharePoint as a platform where data has to be protected -- e.g. under HIPAA, PCI, SOX and the like -- the need for a strong audit function is becoming more important, Smith said. But Microsoft fails to deliver.
In two specific versions of SharePoint -- Windows SharePoint Services 3.0 and SharePoint Foundation -- the audit function is basically unusable, he said. Both versions record audit events, but the log is not exposed anywhere in the interface. The only way an IT professional can reach it is by writing some kind of program against the SharePoint object model API.
“It’s there but it’s not there. It’s a funny thing the way Microsoft did that,” Smith said.
SharePoint Standard and Enterprise editions do have a more accessible audit interface. The audits track information such as which documents are shared, edited or deleted, which users have access to the system and what permissions they hold.
But even if one can figure out how to get into the audit program in WSS 3.0 and Foundation, the information it provides is not easily “readable, translatable or actionable,” he added. The audit results are a series of ID codes that are just long strings of numbers and letters: numeric user IDs, GUIDs for the items touched, and enumerated event types, none of them resolved to a name.
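To make the two points above concrete, here is an added example (not code from the article, from Microsoft, or from Ultimate Windows Security) showing what the object-model route looks like on WSS 3.0 or SharePoint Foundation: it switches on an audit mask for a site collection, pulls the raw entries for the last few days, and resolves the integer user IDs and item GUIDs into login names and document paths. It assumes it is run on a farm server under an account with rights to the site collection; the site URL is a placeholder.

```powershell
# Added example, not from the article or Ultimate Windows Security:
# read the hidden WSS 3.0 / SharePoint Foundation audit log through the
# object model and translate it into something a reviewer or SIEM can use.
# Assumes a farm server and an account with access to the site collection.
param(
    [string]$SiteUrl = "http://sharepoint.example.local/sites/finance",  # placeholder URL
    [int]$Days = 7
)

# WSS 3.0 has no PowerShell snap-in, so load the farm assembly directly.
# (On SharePoint Foundation 2010, Add-PSSnapin Microsoft.SharePoint.PowerShell also works.)
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    $audit = $site.Audit

    # Nothing is recorded until an audit mask is set on the site collection.
    # Turn on the events that matter for regulated data if they are not already on.
    $wanted = [Microsoft.SharePoint.SPAuditMaskType]"View,Update,Delete,Copy,Move,SecurityChange,SchemaChange"
    if (($audit.AuditFlags -band $wanted) -ne $wanted) {
        $audit.AuditFlags = $audit.AuditFlags -bor $wanted
        $audit.Update()
    }

    # Pull the raw entries for the requested window. Timestamps are stored in UTC.
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.SetRangeStart([DateTime]::UtcNow.AddDays(-$Days))
    $query.SetRangeEnd([DateTime]::UtcNow)
    $query.RowLimit = 100000
    $entries = $audit.GetEntries($query)

    # Each entry carries an integer UserId, a GUID ItemId and an enum Event.
    # Resolve them so the output reads "who did what to which document".
    $users = @{}
    foreach ($e in $entries) {
        if (-not $users.ContainsKey($e.UserId)) {
            try   { $users[$e.UserId] = $site.RootWeb.SiteUsers.GetByID($e.UserId).LoginName }
            catch { $users[$e.UserId] = "userid:" + $e.UserId }   # deleted user or system account
        }

        # Documents carry a site-relative path; site, web and list events do not.
        $item = $e.DocLocation
        if (-not $item) { $item = "{0}:{1}" -f $e.ItemType, $e.ItemId }

        New-Object PSObject -Property @{
            Occurred = $e.Occurred               # UTC
            User     = $users[$e.UserId]
            Event    = $e.Event.ToString()       # View, Update, Delete, SecurityChange, ...
            Source   = $e.EventSource.ToString() # SharePoint (UI) or ObjectModel (code)
            Item     = $item
            Data     = $e.EventData              # XML detail for some events, e.g. permission changes
        } | Select-Object Occurred, User, Event, Source, Item, Data
    }
}
finally {
    # SPSite holds unmanaged resources; always dispose it.
    $site.Dispose()
}
```

Saved as a script, it can be piped straight to `Export-Csv` for a reviewer, or to `Write-EventLog` (after registering a source with `New-EventLog`) so the records land in the Windows event log where a SIEM agent already collects. Two caveats: the `View` flag logs every document open, which is what regulators usually want but is also the bulk of the volume; and the audit rows live in the content database, which WSS 3.0 does not trim on its own, so watch database growth once auditing is on.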
Now, as you would expect, comes Smith’s sales pitch. Ultimate Windows Security now offers LogBinder SP, which translates the byzantine audit codes into easy-to-identify tasks such as Edit, Copy, Delete, User Log-in/Log-out, Schema Change and more. It can be installed as an agent on any one of the SharePoint servers in an enterprise and generates “human-readable” audit results that can then be funneled into a Windows audit log or a third-party security information and event management (SIEM) product. One such vendor, GFI, maker of GFI Events Manager, also participated in the webinar.
The survey also showed that SharePoint users come from highly regulated industries: 38.2 percent have to comply with PCI; almost 20 percent with HIPAA; and 27.6 percent with SOX. However, 72 percent of respondents have not evaluated the compliance issues related to their SharePoint data.
This should be a wake-up call, said Gil Langston, sales engineer for the Americas for GFI: “A lot of compliance has a lot more to do with you being able to prove that you’re doing what you’re supposed to be doing rather than simply implementing something for compliance.”
It looks like a lot of SharePoint users need to understand the shortcomings of those versions of SharePoint.
Robert Mullins is a freelance journalist based in San Francisco. He has been writing about technology from Silicon Valley for more than a decade. He has covered such beats as network security, servers, storage, software development, telecommunications and, of course, Microsoft, for a variety of publications, most notably the IDG News Service and Network World.