RealTime IT News

Collaboration Apps Mean New Security Concerns

As enterprises implement collaboration applications to increase staff productivity and cut costs, they are increasing the risk of security breaches, according to a survey conducted for Rohati Systems that was released today.

The 117 respondents, all high-level IT executives from enterprises of various sizes, have deployed applications such as Web-based Intranet portals, Web 2.0 applications, Common Internet File Systems, IBM (NYSE: IBM) Lotus Notes, content management systems and Microsoft (NASDAQ: MSFT) SharePoint to communicate and collaborate internally and with external partners.

Seventy-one percent of the respondents said their organizations have not implemented adequate security to protect data in a collaborative environment.

Unauthorized user access to and use of applications, data, information and files and the risk of data loss or data breaches are among their greatest security concerns.

"Collaboration is necessary to drive productivity and revenues, but you need to ensure that you understand who is accessing what," Shane Buckley, CEO of Rohati, told InternetNews.com. "It's amazing how many enterprises don't know that and are just making assumptions."

Once they know who is touching what application, enterprises must put controls in place. "Controls don't exist in collaboration applications, which, by their very nature, are almost viral," Buckley said. "You must either get developers to recode your applications, which takes millions of dollars and up to 24 months, or you put in something like a datacenter firewall on steroids."

Basic authentication, consisting of the user name and password, was used to secure collaborative applications by 79 percent of the respondents' companies. Another 31 percent used secure sign-on applications such as Kerberos; 26 percent used enhanced authentication and authorization systems such as tokens and smart cards.

Despite this, the respondents were bothered that IT cannot exert enough control over collaborative applications to ensure security.

Forty-nine percent of the respondents said their greatest concern is that they cannot enforce consistent access policies across all the applications and data. Another 16 percent were worried about their inability to audit and report on access and usage to meet compliance requirements, and 13 percent feared the lack of visibility into users' actions.

Even more to worry about

Unauthorized user access to applications, data and information bothered 40 percent of the respondents. Another 29 percent feared data losses or breaches, 14 percent were concerned about unauthorized or malicious use of files stored in information repositories, and 13 percent feared that users would make unauthorized changes to data.

When it came to who might get unauthorized access to sensitive data, 50 percent of the respondents cited employees. Respondents were more concerned about domestic contractors than foreign contractors -- 33 percent worried about domestic contractors and 28 percent were concerned with foreign contractors.

Partners were also an area of concern, with 29 percent of the respondents fearing partners might get unauthorized access to sensitive data.

Inadequate security could lead to compliance violations, 36 percent of the respondents said. Data privacy issues concerned another 28 percent, and 18 percent feared the financial impact of a data breach.

Compliance violations will be even more of an issue in 2009, as regulators are expected to tighten up on this issue in the wake of the financial meltdown, while the costs of a data breach have been well publicized after the TJX breach.

The increasing popularity of SharePoint contributes to IT's problems. "One of the common use cases customers share with us is SharePoint control," Rohati's Buckley said.

"It's an incredible tool which lets individuals publish documents and Web pages to the ecosystem, but the problem is that users aren't always concerned with corporate policy and SharePoint doesn't have the inherent ability to create enterprise policy," he added.