April 21, 2014
Security is central to any SharePoint installation, but a new study shows that security breaches may be more widespread and more severe than previously thought. At the SharePoint Conference in Las Vegas, CryptZone conducted an anonymous survey of SharePoint users. Read the full report in DarkReading.com’s article, “Cryptzone Survey Reveals SharePoint Users are Breaching Security Policies.”
The article begins:
“A study, conducted amongst attendees at last month’s Microsoft’s SharePoint Conference in Las Vegas (USA), has found that at least 36% of SharePoint users are breaching security policies, and gaining access to sensitive and confidential information to which they are not entitled. It also found that . . . nearly a quarter of them later confessed they knew of individuals who had accessed content that they were not entitled to, demonstrating that users were ignoring this directive. Most alarmingly of all, the majority of administrators perceive their ‘permission’ to be unrestricted.”
Stephen E. Arnold is a longtime leader in search and a follower of all things SharePoint. He reports his finding on his Web site ArnoldIT.com. He has found that security is among the top concerns of all SharePoint managers. Although users don’t typically want to share about their security weaknesses, greater transparency about security concerns can lead to more secure practices and implementations.
Emily Rae Aldridge, April 21, 2014
February 19, 2014
The announcement from Centrifuge titled Centrifuge Systems Strengthens Big Data Discovery and Security promotes the release of Centrifuge 2.10. The new features of the link analysis and visualization software include the ability to block access as well as grant access to specific individuals, a more flexible method of login validation and the ability to “define hidden data sources, data connections and connection parameters.” Stan Dushko, Chief Product Officer at Centrifuge, explains the upgrades and the reasoning behind them,
“With organizations steadily gathering vast amounts of data and much of it proprietary or sensitive in nature, exposing it within visualization tools without proper security controls in place may have unforeseen consequence…Can we really take the chance of providing open access to data we haven’t previously reviewed? Not knowing what’s in the data, is all the more reason to enforce proper security controls especially when the data itself is used to grant access or discover its existence altogether.”
The Big Data business intelligence software provider promises customers peace of mind and total confidence in their technology. They believe their system to be above and beyond the dashboard management systems of “traditional business intelligence solutions” due to their displays possibility of being reorganized in a more interactive way. Speaking of organization, you may notice that finding Centrifuge Systems in Google is an interesting exercise.
Chelsea Kerwin, February 19, 2014
January 15, 2014
The article ZyLAB Launches Intellectual Property Protection Program For Big Data on MetroCorpCounsel discusses the announcement by software developer ZyLAB only a few months after their thirtieth anniversary. The new program contains components of eDiscovery and Information Risk Management along with libraries that users can customize to protect and localize intellectual property. It is intended for use mainly by commercial enterprises in safeguarding their often-unprotected IP.
The article explains:
“The ZyLAB Intellectual Property Protection Program has been developed to support commercial organizations in protecting these important assets.
With ZyLAB’s eDiscovery and Information Risk Management System companies can locate Intellectual Property on their computer systems and actively prevent leakage or theft of this sensitive and valuable information. A user-installable library containing best practice methodology for eDiscovery enables the automatic identification of files that may contain IP. The library is available as an add-on to the ZyLAB platform.”
This process makes it much easier to notice those employees storing large amounts of IP in their emails or other personal locations, because it recognizes information that includes IP automatically. The prevention of data leakage ensures that companies will not have to face the loss of revenue, but also helps them to avoid lawsuits. As in so many areas, prevention beats cleanup when it comes to IP, according to chief strategist at ZyLAB Johannes Scholtes.
Chelsea Kerwin, January 15, 2014
January 10, 2014
When Netflix first launched I read an article about how everyone’s individual movie tastes are different. There are not any two alike and Netflix created an algorithm that managed to track each user’s queue down to the individual. It was scary and amazing at the same time. Netflix eventually decided to can the algorithm (or at least they told us), but it still leaves a thought that small traces of metadata can lead to you. The Threat Post, a Web site that tracks Internet security threats, reported on how “Stanford Researchers Find Connecting Metadata With User Names Is Simple.”
A claim has been made that user phone data anonymously generated cannot be tracked back to an individual. Stanford Researchers proved otherwise. The team started the Metaphone program that collects data from volunteers with Android phones. The project’s main point was to collect calls, text messages, and social network information for the Stanford Security Lab to connect metadata and surveillance. They selected 5,000 random numbers and were able to match 27% of the them using Web sites people user everyday.
The article states:
“ ‘What about if an organization were willing to put in some manpower? To conservatively approximate human analysis, we randomly sampled 100 numbers from our dataset, and then ran Google searches on each. In under an hour, we were able to associate an individual or a business with 60 of the 100 numbers. When we added in our three initial sources, we were up to 73,’ said Jonathan Mayer and Patrick Mutchler in a blog post explaining the results.”
The article also points out that if money was not a problem, then the results would be even more accurate. The Stanford Researchers users a cheap data aggregator instead and accurately matched 91 out of 100 numbers. Data is not as protected or as anonymous as we thought. People are willing to share their whole lives on social media, but when security is mentioned they go bonkers over an issue like this? It is still a scary thought, but where is the line drawn over willing shared information and privacy?
Whitney Grace, January 10, 2014
December 24, 2013
While SharePoint is the mostly widely used collaboration software available, broad adoption does not quell the security concerns of organizations. And as mobile becomes more widely adopted, access is not limited to a single at-work machine. Organizations are getting creative about security and KM World covers a newly available solution in its story, “Secure collaboration in SharePoint and File Shares from HiSoftware.”
The article begins:
“HiSoftware has launched a new version of Security Sheriff specifically designed for secure collaboration of sensitive information stored in File Shares and SharePoint. The company explains the new Secure Document Viewer included in Security Sheriff allows users to open an encrypted document in a protected state to ensure that a user with read-only permission cannot open and decrypt a document, then manually distribute it using print, save as and send to actions, or copy its contents. It will then remove the file from their system once the file is closed.”
Stephen E. Arnold is a long time leader in search and the man behind ArnoldIT.com. He spends a lot of time writing about SharePoint and security is a common topic. SharePoint isn’t going anywhere anytime soon, so users would do well to pay attention to what the experts have to say about security.
Emily Rae Aldridge, December 24, 2013
December 9, 2013
Oracle prides itself on its Secure Enterprise Search that is advertised as offering secure, high quality search that easily works across all information sources on the enterprise format. The search product digs deep in local, private, and shared files housed on databases, intranets, document management systems, applications, and portals. With great ease it crawls and indexes results, guaranteeing that the first items in the results list are the most relevant. Also the Secure Enterprise Search offers analytics on search results and usage patterns.
Oracle provides current and prospective clients with “Oracle Secure Enterprise Search Documentation.” Oracle has released the 11g version of the Secure Enterprise Search with the following key assets:
· “Highly secure crawling, indexing, and searching
· A simple, intuitive search interface with browsing and display of search results by automatically-extracted topic and metadata attribute clusters
· Excellent search quality, with the most relevant items for a query shown first, even when the query spans diverse public or private data sources
· Analytics on search results and understanding of usage patterns
· Sub-second query performance
· Ease of administration and maintenance leveraging your existing IT expertise.”
Oracle continues to be one of the reliable enterprise searches, but like most software these days it faces strong competition from open source technology.
Whitney Grace, December 09, 2013
November 12, 2013
Those of us with experience in IT may not be surprised by the revelations InfoWorld shares in “6 Dirty Secrets of the IT Industry.” This magazine of IT gospel asked its readers to share their observations of shady IT matters, then fact-checked the results. See the article for the whole roster, but I’ll share a few bits here.
Secret number one is the broadest; Writer Dan Tynan colorfully titles this one, “Sys admins have your company by the short hairs.” He quotes Pierluigi Stella, CTO of security firm Network Box USA, who gives each of us good reason to send our IT departments the random gift basket:
“There are no secrets for IT. I can run a sniffer on my firewall and see every single packet that comes in and out of a specific computer. I can see what people write in their messages, where they go to on the Internet, what they post on Facebook. In fact, only ethics keep IT people from misusing and abusing this power. Think of it as having a mini-NSA in your office.”
Speaking of the NSA, Tynan calls those government snoopers “punks compared to consumer marketing companies and data brokers.” He cites the practices in casinos as the epitome of this very individualized marketing tactic, and provides examples. He goes on to quote former casino executive and Louisiana State University professor Michael Simon, who emphasizes that the practice is far from limited to casinos:
“I teach an MBA class on database analysis and mining, and all the companies we study collect customer information and target offers specific to customer habits. It’s routine business practice today, and it’s no secret. For example, I bring my dog to PetSmart for specific services and products, and the offers they send me are specific to my spending habits. . . instead of wasting time sending me stuff I won’t use like discounts on cat food or tropical fish.”
Whether you, like Simon, appreciate targeted marketing or you find it creepy, it is worth remembering how much data these entities are collecting on each of us.
It is also good to keep in mind some pitfalls of another practice that has become commonplace—storing data in the cloud. In fact, this could be the most disconcerting item on this list. Though we tend to think of the cloud in nebulous terms, that data is actually stored on real servers somewhere. When our data shares rack space with that of other entities, we run the risk of intrusion and confiscation through no fault of our own. The article emphasizes:
“Your cloud data could be swept up in an investigation of an entirely unrelated matter — simply because it was unlucky enough to be kept on the same servers as the persons being investigated. . . . Users who want to protect themselves against this worst-case scenario need to know where their data is actually being kept and which laws may pertain to it, says David Campbell, CEO of cloud security firm JumpCloud. ‘Our recommendation is to find cloud providers that guarantee physical location of servers and data, such as Amazon, so that you can limit your risk proactively,’ he says.”
Another suggestion is to encrypt your data, of course. Keeping a local backup is another good idea, since law enforcement seems to be under no obligation to grant access to your own confiscated data. For some of us, this is just more evidence that sensitive information does not belong in the cloud. Caveat Emptor.
Cynthia Murrell, November 12, 2013
November 3, 2013
If you are tracking the evolution of open source enterprise search vendors, you may want to read “Enterprise Search Technology: Leading the Battle against Internal Threats without Sacrificing Employee Privacy.” In my years of covering the intersection of enterprise search, I marvel at a fresh conflation. In my talk next week at the search conference in Washington, DC, I may ask the audience about this issue. Until then, consider the LucidWorks’ viewpoint. Fascinating. Fascinating indeed. search continues to move in new and surprising directions. For case studies of vendors who have pioneered new directions in search, check out the case studies at www.xenky.com/vendlor-profiles.
Stephen E Arnold, November 3, 2013
October 10, 2013
As more and more information moves to the Cloud, questions arise about how to secure that data. CipherPoint has announced a new Cloud data security solution that hopes to help solve the problem. Read more in the EON article, “CipherPoint Announces Cloud Data Security Solution for SharePoint Online and Office365.”
The article begins:
“With CipherPoint Eclipse™ for SharePoint Online and Office365, organizations can now identify, secure and audit access to sensitive and regulated data stored in cloud collaboration platforms. This new solution provides customers with robust encryption, using industry standard encryption algorithms, access control, audit reporting and customer-controlled encryption keys to address real concerns that large enterprises have about cloud security.”
Stephen E. Arnold, a longtime expert in search and founder of Arnold IT, has frequently noted that while SharePoint is the most widely used enterprise solution, it is not necessarily the highest functioning. Key features are still lacking and it might not be much longer before even the biggest enterprises go looking for other solutions, including open source. Enterprises still using SharePoint often have to supplement with additional add-ons, such as the security solution that CipherPoint now offers.
Emily Rae Aldridge, October 10, 2013
September 27, 2013
Microsoft’s recent SharePoint security bulletin left a few developers shaking in their the code. According to Threat Post’s article, “SharePoint Fixes Priority For September 2013 Patch Tuesday,” online SharePoint installations are vulnerable to thirteen critical threats and Microsoft only patched ten of them. The threats lead to remote code execution on the collaboration server. Nearly all versions of SharePoint are affected and any installation that has disabled the user highest risk.
The CVE-2013-1330 bug is the worst threat. It is a remote code execution that gives the attacker privileges in the context of W3WP service account, but it requires authentication to gain access. If that feature is turned off, your SharePoint installation is a delightful smorgasbord of hacked information.
Some are surprised about Microsoft’s alarm and user ignorance:
“ ‘It’s interesting that Microsoft prioritized the SharePoint bulletin as highly as they did. In theory, the vulnerability requires authentication. Given the frequency with which people disable SharePoint authentication and the ease of access to documentation on that process, the priority needs to be that high,’ said Tyler Reguly, technical manager of security research and development at Tripwire. ‘People know their computers and email need good passwords. It boggles my mind that we see so many SharePoint deployments in anonymous mode. ‘”
I have been told multiple times by online expert Stephen E Arnold of Arnold IT to always take security risks seriously and find a solution quickly or private information will be stolen faster than a Google search.
Whitney Grace, September 27, 2013