Managing the Risk of Collaboration Tools

Untitled Document

As environments like Web 2.0, enterprise collaboration, and virtualization become pervasive, business people are working together in ways previously unimaginable. The interconnectivity of these environments leads to greater employee productivity, while diminishing the importance of physical location - business people can be more productive than ever before, even when out of the office. Virtualization and collaboration enable organizations to innovate in new ways and rely more heavily on remote employees, contractors and consultants.

But how do organizations balance the business value of collaboration and virtualization with the reality of risk management and compliance? Opening up greater access from various devices certainly enhances productivity, but they also expose significant security issues. How can it be done in a manner that doesn't sacrifice business value and preserves as much of the egalitarian values of collaboration as possible? Let's take a look at some of the technologies that are unlocking hidden value in the enterprise and the new levels of exposure and risk these technologies bring.

Enterprise Collaboration

Collaboration is all about groups of people working on and sharing common content, including documents, data, and discussion forums. The beauty of collaboration is that it provides an environment for real-time revision tracking and provides alerts to content changes - empowering business users to work together in previously unforeseen ways. Typical forms of collaboration include file shares, discussion groups and project calendars.

One of the most popular collaborative tools in the market right now is Microsoft SharePoint, facilitating collaboration communications and content management. Industry pundits herald SharePoint as a key driver for Office 2007 sales, and its quickly being adopted in the enterprise. However, tools such as SharePoint bring new levels of exposure that have yet to be addressed by regulations or best-practice company policies. For instance, how do companies manage the risk from an identity and access management perspective when thousands of employee portals are cropping up without any checks and balances? With company sensitive documents being posted and shared, what controls are in place to ensure people only with proper access can view such information? While collaboration and its usage is viral by nature, there needs to be some level of access control that manages who is "collaborating" with potentially sensitive data and who is responsible for that data's use.

Enterprise Virtualization

Forrester Research recently issued a report stating that 51 percent of North American companies have deployed or are testing virtualization technology. What makes virtualization so popular? Virtualization is about delivering any application or data to anybody at anytime in a more cost effective manner - making it especially relevant to organizations with a large mobile or geographically dispersed workforce. As an organization's workforce becomes increasingly distributed, access to critical applications and data is required from a variety of locations and devices. Virtualization affords today's workforce access to the enterprise anytime and anywhere - without costly client software installs and without bogging down network performance.

Virtualization's strengths in providing "anytime anywhere" access also represent the greatest threats to enterprise security and compliance. Virtualization technology excels at providing user access to applications and data - but it is not designed to determine whether that user should have access to those applications at all. Virtualization creates a new level of exposure in adhering to compliance and security policies -- adding layers of complexity to company access policies as well as enforcement of these policies.

Compliance in the New World

So what's an organization to do? Should they forgo the obvious and needed benefits and competitive advantages afforded by these technologies because of security concerns? Of course not. But, organizations need to understand the vulnerabilities they are introducing into their information security strategies by leveraging these as well as enterprise Web 2.0 technologies.

Identity management and access compliance software has traditionally focused on in-house enterprise access - the act of putting the policies and procedures in place to ensure that users only have access to the applications and data to which they've been granted rights based upon their job or role within the organization.

The introduction of collaborative tools like SharePoint and virtualized access complicate matters. Both environments provide limited visibility into how a user achieved access to a particular application or data and make it more difficult to determine what content is being shared. This muddies the compliance waters considerably.

The key to effectively and securely deploying virtualization and collaboration technology is to ensure that policies are in place to control access and content and that they are being enforced - every time.

Manually provisioning and reviewing access to these environments and applications can be a tremendous burden to an organization's IT staff. To ensure policy is being enforced correctly every time virtualized or collaborative access is established, organizations need to automate the enforcement of security and regulatory policies for access to these environments.

The key is establishing strong policy and automating workflows to ensure these policies are followed every time. Access policy also cannot be demonstrated solely in IT terms. For example, simply showing a line-of-business manager that someone has access to an Active Directory Group will not create the ability of ensuring proper access. It needs to be shown in business terms that can be easily understood. Also, this solution greatly alleviates what can be a labor-intensive effort by the IT Staff, and puts control into the hands of the line-of-business managers - giving them the ability to create access only where it's appropriate, and only for the properly credentialed. Automation also provides an auditing mechanism to provide periodic checks of users' access to ensure that it's in line with corporate policy.

While these productivity environments will revolutionize the way organizations do business, addressing the security and compliance vulnerabilities raised by collaborative and virtualized environments is a top priority. Organizations can maintain unparalleled productivity and innovation while maintaining access compliance through automating the creation, enforcement and validation of corporate policy, providing a mechanism for quick remediation and removal for anyone who fails to follow company policy.

About the Author

Kurt Johnson is responsible for Courion's strategic direction, product management, and securing and managing Courion's alliances and partnerships. Prior to Courion, he was vice president of the Service Management Strategies program at META Group, a leading industry research organization, where he established himself as a leading authority on the help desk, IT service management, system management and IT outsourcing markets. Johnson is widely recognized as an authority on support automation and self-service operations.

More by Kurt Johnson

About Courion

Courionís award-winning Access Assurance solutions are used by more than four hundred organizations and over 9 million users worldwide to quickly and easily solve their most complex identity and access management (password management, provisioning, and role management), risk and compliance challenges. Courionís business-driven approach results in unparalleled customer success by ensuring usersí access rights and activities are compliant with policy while supporting both security and business objectives. For more information, please visit our website at, our blog at, or on Twitter at