MSD probes use of all-of-government SharePoint application

A decision to use the government Shared Workspace to collect sensitive external data appears flawed.

The use of an all-of-government shared workspace to collect sensitive external data will be investigated after a Ministry of Social Development security failure.

A Microsoft SharePoint application used by over 30 of the largest government agencies will be at the centre of an independent security review announced by Social Development Minister Anne Tolley yesterday.

The review, into the ministry's use of the government Shared Workspace for a sensitive data collection programme and a subsequent security failure, follows an internal report Tolley described as "disappointing".

"It's extremely disappointing that the report appears to raise more questions than answers on the security of the IT system and the governance of the project," she said.

The Ministry of Social Development decided to use the Department of Internal Affairs' all-of-government Shared Workspace as an interim platform to collect individual client data from external social services providers funded by the government.

MSD said the data was being collected to help government understand who was using such external services and the impact of the programmes.

However, shortly after roll-out, one external provider was able to access another's folder where individually identifiable data was due to be lodged.

No data was in the folder at the time, but the issue was serious enough for the ministry to cancel all external access permissions to the portal.

The independent review will look into the circumstances that led to the privacy failure, the decisions made about why the Shared Workspace was used and security measures taken.

SharePoint can be deployed securely, but this is considered tricky when external parties are included. However, a description on the Department of Internal Affairs' ICT services website appears to describe it as suitable for use with external parties.

"Shared Workspace is a secure, online collaboration tool for government agencies to share information with each other and with their third party project partners."

Explaining the failure, MSD's head of the data collection programme, Peter Galvin, told Radio New Zealand the ministry's own IT people suggested using the Shared Workspace after security reviews provided confidence it would be fit-for-purpose.

Each provider was to have their own folder for uploading data but an error with access permissions settings led to the failure.

"We'd set up permissions on who could see what folder, and we found there had been an error in setting up the permissions on a folder, which meant that other providers when they went into the shared workspace could see that particular folder," Galvin said.

That gave the ministry "significant pause for thought", Galvin said. The ministry had to make a call on whether to persist with using that platform, he said.

"On balance and in the interests of security we couldn't in good conscience continue to pursue that platform."

Galvin said the Shared Workspace was always supposed to be an interim solution. The ministry is now working on a permanent replacement.

Seeming to throw further doubt on the decision to use the Shared Workspace, Galvin said the new system will be standalone, not a shared space, so there would be no risk of one provider seeing another's data.

The final terms of the replacement system were still under negotiation, he said, but it would be controlled directly by MSD.

The Department of Internal Affairs is currently using SharePoint 2010 to run the workspace, but is developing a roadmap to upgrade to SharePoint 2016.

A spokesperson said the Shared Workspace would continue to be available to eligible agencies for as long as they consider it meets their needs.

Microsoft referred queries about the issue to the ministry.

The independent review will be led by former Deloitte NZ consultant Murray Jack, supported by private sector IT and privacy specialists. It is due to be completed by the end of the month. The review will also look into the governance and management of the project.

Providers are continuing to collect data to be uploaded into the new IT system, once it is launched.

