Survey: Collaboration applications inadequately secured
There is a lapse around the security of collaboration applications used in enterprises, concludes a survey by access management vendor Rohati.
To improve communication and responsiveness among employees, enterprises utilize collaboration applications such as web-based intranet portals, common internet file systems (CIFS) and Microsoft SharePoint.
Rohati surveyed 117 CIOs, CISOs and IT executives and more than half of the respondents reported their organizations use collaboration applications. Seventy-one percent, though, reported not taking steps to adequately secure data in a collaborative environment.
“We were surprised at the high level of customers who were concerned with the inadequacy of their own controls,” Shane Buckley, CTO of Rohati, told SCMagazineUS.com.
Organizations may be using collaboration applications that fail to meet regulatory compliance mandates, Buckley said.
“Almost every enterprise out there has some compliance issues,” Buckley said. “The question is if your risk profile is increasing as you go forward. As the collaborative devices are being rolled out, the risk profile is increasing.”
Some 40 percent of survey respondents said the issue of unauthorized users accessing potentially sensitive data and information was the No. 1 risk associated with collaboration applications. Another 29 percent were most concerned that it could lead to a data breach and 14 percent said they were most concerned about malicious use of stored information, such as a disgruntled employee deleting or copying certain files.
Collaborative environments were developed to be flexible and easy to access. Enterprises could be housing sensitive data, such as board meeting notes, or forecasting and planning information, in collaborative environments, Matt Shanahan, senior vice president of AdmitOne Security told SCMagazineUS.com Thursday.
The security investments weren't made on these applications, Shanahan said.
Gaining access to a collaborative environment often requires just a username and password so by using phishing and socially engineered exploits, it would be fairly easily for a cybercriminal to obtain login credentials to break in, Shanahan said.
Highlighting the risk of insider threat, Buckley pointed out that security professionals are most concerned over their own employees gaining unauthorized access, more than they are about foreign or domestic contractors, partners, or customers.
In response to how their organization secures collaboration applications, 79 percent said they use basic authentication username and passwords, 31 used secure sign-ons, 26 percent used enhanced authentication such as tokens or smartcards, and 15 percent used granular entitlement controls.
While the majority of IT security professionals recognize the risks associated with collaborative applications, 60 percent reported that implementing an access management solution would be too expensive and 54 percent said securing with a legacy application would be too complex. A smaller number of respondents said it was not an IT priority (32 percent) or not an executive priority (39 percent).
Organizations should have monitoring mechanisms to identify anomalous activities, said Ryan Barnett, director of application security, Breach Security, in an email to SCMagazineUS.com Thursday.
Barnett described one defense technique -- setting so called "Honey Tokens," which are fake sensitive data items that should never be accessed, mixed in with real data. You can then have your security monitoring software -- such as a web application firewall -- alert you if it ever sees this data leaving the application. This would indicate that a legitimate user is poking around at unauthorized data, Barnett said.