Control collaboration — don't inhibit

Web 2.0-inspired communities and social-networking tools are migrating into the enterprise and bringing with them risks that many organizations are unprepared to address. The challenge is to balance the business value of the new tools with the reality of risk management and compliance.

The market for enterprise collaboration tools will increase as organizations continue to seek the associated benefits of improved communication, content management and context-driven information sharing. However, without the proper framework to enforce procedures, the resulting shared workspaces can quickly become unmanageable, increasing the risk of sensitive content being disseminated outside of its intended audience.

From a compliance perspective, much of the technology focus has been on ensuring that users can get access to data and resources, with less thought about whether or not users should have that access. Organizations must establish risk-based governance and controls to ensure sensitive corporate or consumer data is not getting into the wrong hands, thus ensuring long-term security and compliance with security policy and industry regulations.

The responsibility is even greater as business managers assume more accountability for compliance with business policy and regulations such as Basel II, the Health Insurance Portability and Accountability Act, Payment Card Industry standards and the Sarbanes-Oxley Act. They need to be able to answer questions associated with what data is being shared, who has access, who needs access, and who is ultimately responsible for managing the information.

Click to see: This screenshot shows access to a pharmaceutical company's SharePoint site being blocked for Sarah Johnson, a managing partner of the company's investment firm. Because she is not an employee of the company running the trial, she is authorized for read-only access.

For example, popular collaboration tools such as Microsoft SharePoint bring new levels of exposure that have yet to be addressed by regulations or best practice company policies. Given the viral nature of SharePoint environments, organizations can be faced with responsibility for thousands of employee portals — all operating without any formal checks and balances, and virtually no oversight in terms of compliance or security exposure.

With sensitive documents being posted and shared, companies need controls that ensure only employees with proper access can view certain information. Improved levels of access control will allow better management over who is collaborating with potentially sensitive data, and whether or not they should be.

Ensuring consistent policy enforcement

The key to effectively and securely deploying collaboration technology is to ensure that policies are in place to control access and content, and that those policies are enforced every time. When SharePoint or any other collaborative technology is implemented in conjunction with a provisioning and compliance solution, business managers can enforce a set of controls — both preventive and detective — that are appropriate for different types of corporate sites, such as those requiring low security needs (company softball team), medium security needs (internal project team) or high security needs (merger and acquisition team).