Web 2.0-inspired communities and social-networking tools are migrating into the enterprise and bringing with them risks that many organizations are unprepared to address. The challenge is to balance the business value of the new tools with the reality of risk management and compliance. The market for enterprise collaboration tools will increase as organizations continue to seek the associated benefits of improved communication, content management and context-driven information sharing. However, without the proper framework to enforce procedures, the resulting shared workspaces can quickly become unmanageable, increasing the risk of sensitive content being disseminated outside of its intended audience.
From a compliance perspective, much of the technology focus has been on ensuring that users can get access to data and resources, with less thought about whether or not users should have that access. Organizations must establish risk-based governance and controls to ensure sensitive corporate or consumer data is not getting into the wrong hands, thus ensuring long-term security and compliance with security policy and industry regulations.
The responsibility is even greater as business managers assume more accountability for compliance with business policy and regulations such as Basel II, the Health Insurance Portability and Accountability Act, Payment Card Industry standards and the Sarbanes-Oxley Act. They need to be able to answer questions associated with what data is being shared, who has access, who needs access, and who is ultimately responsible for managing the information.
For example, popular collaboration tools such as Microsoft SharePoint bring new levels of exposure that have yet to be addressed by regulations or best practice company policies. Given the viral nature of SharePoint environments, organizations can be faced with responsibility for thousands of employee portals -- all operating without any formal checks and balances, and virtually no oversight in terms of compliance or security exposure.
With sensitive documents being posted and shared, companies need controls that ensure only employees with proper access can view certain information. Improved levels of access control will allow better management over who is collaborating with potentially sensitive data, and whether or not they should be.
Ensuring consistent policy enforcement
The key to effectively and securely deploying collaboration technology is to ensure that policies are in place to control access and content, and that those policies are enforced every time. When SharePoint or any other collaborative technology is implemented in conjunction with a provisioning and compliance solution, business managers can enforce a set of controls -- both preventive and detective -- that are appropriate for different types of corporate sites, such as those requiring low security needs (company softball team), medium security needs (internal project team) or high security needs (merger and acquisition team).
Managers should be able to automatically grant access to job-relevant sites without calling on IT resources, and be able to revoke access if an individual is out of compliance with business policies and regulations. Organizations should also provide checks to ensure the documents and type of information being shared line up with the security level designated by the site. Managers can then see who in the organization has access to what information and what role they play in the organization.
Traditionally, compliance software and identity and access management solutions have focused on in-house enterprise access -- the act of putting the policies and procedures in place to ensure users only have access to applications and data to which they've been granted rights based on their role within the organization.
Manually provisioning and reviewing access to collaborative environments and applications can be a tremendous burden on IT. Organizations need to automate the enforcement of security and regulatory policies for access to these environments. By empowering business managers to grant and rescind access automatically, companies can save time, cut costs and ensure consistent quality of service.
While these highly productive, collaborative environments will revolutionize the way organizations do business, addressing the security and compliance vulnerabilities raised by collaborative environments remains a top priority. By taking an identity management approach to risk management, organizations can maintain unparalleled productivity and innovation while maintaining access compliance by automating the creation, enforcement and validation of corporate policy, providing a mechanism for quick remediation and removal of any policy outliers.
By learning to control collaboration, not inhibit it, enterprises will be able to maximize the reward without the risk.
Johnson is vice president of Corporate Development for Courion Corp.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.