Businesses are increasingly reliant on electronic collaboration, which requires that teams can collaboratively create, manage and share the documents on which they are working. Those teams may not only be geographically distributed within an organisation, but will frequently include individuals from third parties. As the recent Quocirca research report "The distributed business" shows, larger European organisations operate, on average, from 33 locations, and a growing number are providing access to their internal applications to contractors, partners, suppliers and customers.
One tool that is favoured for enabling collaboration is Microsoft's SharePoint—either the free Windows SharePoint Services (WSS) version, bundled with Microsoft server operating systems, or the full Microsoft Office SharePoint Server (MOSS) portal-based platform. According to Microsoft's 2008 annual report, more than 100 million licences had been purchased for MOSS by end-2007, generating more than $1bn revenue for Microsoft, an increase of 35% over the previous year. This makes it the most widely used portal product worldwide, especially since many are using the free WSS version, with an upgrade to MOSS the obvious next step.
SharePoint enables workers to share documents online and provides a number of other collaboration features such as shared calendars, discussion boards and search capabilities. For many it is their de facto content management system.
SharePoint appeals because it is accessible and functional, but it is also easy to set up. As a result, the number of SharePoint sites is proliferating, often unnoticed by IT, and in some cases SharePoint sites using WSS are established without the process or rigour normally associated with an IT implementation. This can mean that stringent controls over access permissions and security are lacking, leaving every user free to make changes to the site and leading to problems of unauthorised access to confidential information.
Technology vendor Courion, a provider of enterprise provisioning solutions, recently conducted a survey of Microsoft SharePoint administrators and other IT personnel regarding the state of the security of their SharePoint implementations. It found that SharePoint sites are being deployed in large organisations without strong governance or consideration for security guidelines and best practices. In particular, while 86% of respondents are concerned that sensitive data is being stored on SharePoint sites, the majority of organisations surveyed are not monitoring the creation of SharePoint sites to ensure that they are managed in compliance with corporate guidelines and policies. Overall, just 15.5% of respondents indicated that the security of their SharePoint sites was strong and around a third said their security was either weak, or they didn't know the state of their SharePoint security.
With data leakage prevention a key focus for many organisations today, this paints a worrying picture as the survey data indicates that granting user access to data stored on SharePoint sites is primarily done on an ad hoc basis, rather than under the control of an automated, repeatable and auditable process. In many cases, the organisations surveyed stated that there were a number of instances where sensitive data was discovered on their SharePoint sites that should never have been there. This means that there are holes in their security defences and that sensitive data could easily be leaked out of an organisation.
This is something that is not lost on Axceler, a provider of administration and developer products for collaboration environments, including tools to search, analyse and control SharePoint environments. These can be used to uncover unknown or non-compliant SharePoint sites to identify potential problems. To help organisations control the proliferation of SharePoint sites so that they can ensure that sensitive data is not being compromised, Axceler has put together a five-step process that it recommends organisations follow. Whilst these are just a starting point, many organisations could benefit from following these steps to plug a seemingly often-neglected security hole that could derail their data protection efforts, regardless of the toolset they use to achieve this.
Five tips from Axceler:
Figure out just what's there: identify all SharePoint sites, web applications, lists and document libraries that make up your SharePoint farm/estate, not just the ones that have been set up through formal channels.
Centralise permissions: organisations need to gain control of who has the right to create, access and administer SharePoint sites.
Track storage: take steps to understand storage usage and needs of all SharePoint sites.
Plug holes before the auditors find them: even if they don't confront you on a daily basis, issues of governance and compliance are of growing importance, as is enterprise visibility.
Minimise fire-fights: put processes in place to anticipate problem situations—and resolve them before they turn into a drop-everything emergency.