10 Replies Latest reply on Mar 6, 2011 7:12 PM by bjewell

    Does anyone have data on percentage of companies who use this type of platform for an intranet/extranet?

    lindsaymay

      I was asked to do some research to discover the percentage of companies who have an extranet. I am looking for information to help support our Jive instance as there have been some financial information security concerns brought up by our CFO. We are an authenticated, employee-only community, so no one outside of the company has the ability to create a profile. I think the main concern is that we will get hacked, and then potentially sensitive financial and system information will be vulnerable.

       

       

      Has anyone else dealt with this aspect of security specifically? I'd love to hear your thoughts.

       

      Basically, I need to provide reassurance (numbers) that there are other companies like us who provide information to our team members on this type of platform. Any data you can provide would be greatly appreciated!!

        • Re: Does anyone have data on percentage of companies who use this type of platform for an intranet/extranet?
          trishaliu

          Hello Lindsay -

           

          We are just provisioning access for contractors to our employee community as we speak. It was a very long process in working through the data privacy and security concerns. I think the most helpful structure to have in place is clear corporate policy about what is OK / not OK to post inside the employee community (i.e., governance). If it is OK to post financials within your community, then you may want to consider access controls so that the non-employee team members cannot view this content.

           

          Here are some items we considered in the implementation:

           

          Business need: Allow access to contractors who are hired to support specific projects, including client consulting and instructional development.

           

          System info:

           

          • Our account structure is similar to yours. Accounts are driven from our corporate AD system. For the contractor access, AD accounts were created for them.
          • Space and group access levels were reviewed to ensure that sensitive data resided within access-controlled areas.
          • Each contractor is supporting a specific project(s). The person is directed to the specific container URL for that project.

           

          I hope this is helpful!

           

          Trisha

            • Re: Does anyone have data on percentage of companies who use this type of platform for an intranet/extranet?
              lindsaymay

              Thank you, Trisha. Our site is restricted to employees only and we launched company-wide since September 20, so fairly new still. We are using sites (spaces) for official company information that is available to all team members, i.e. HR, Accounts Payable, Corp Comm, etc., and we use groups to communicate with specific groups of team members (ex. Personal Training Department Heads) that are usually private groups.

               

              I think the most helpful structure to have in place is clear corporate policy about what is OK / not OK to post inside the employee community (i.e., governance). If it is OK to post financials within your community, then you may want to consider access controls so that the non-employee team members cannot view this content.

              Sorry if I wasn't clear before, we're not looking to let vendors inside to give access to the information. I say "extranet" only because technically our intranet is available via the web. Right now we have been pretty open as far as what our user guideline contains. Basically, if you wouldn't send it in an email, don't put it on our system.

               

              It may come down to restricting posting sensitive financial information if necessary. We have also created a "useful links" area right on our home page which takes employees to the applications and systems that they use on a frequent basis... there is now some concern that if our site was hacked, the hacker would know about all of the other systems we use.

                • Re: Does anyone have data on percentage of companies who use this type of platform for an intranet/extranet?
                  trishaliu

                  Ooops, guess I should have clarified what was meant by 'extranet!'

                   

                  Frank, great guidelines on the security considerations - thank you for sharing!

                   

                  Trisha

                  • Re: Does anyone have data on percentage of companies who use this type of platform for an intranet/extranet?
                    bjewell

                    We use Jive as part of our intranet and it's available externally as well. We use space security and private/secret groups to restrict collaboration on certain topics/areas. We provide guidelines on what should be discussed where, and individual business units have also set their own expectations with their teams on what goes where (e.g. some store certain information in SharePoint instead of Jive). When those guidelines are abused, we have a process in place (using the Jive Report Abuse functionality) to address the problem, and that is managed by our corporate security team.

                     

                    From a security perspective, all accounts are AD accounts. Our internal network security team routinely audits our account creation process and tools (and the process for inactivating accounts), as well as the Jive application itself for vulnerabilities. Our team also does active development on Jive, and with every code release we push, we have required regression test plans that must be run. These focus on making sure restricted areas are not viewable by those without permission to view.

                • Re: Does anyone have data on percentage of companies who use this type of platform for an intranet/extranet?
                  FrankGebhardt

                  Hi Lindsay,

                   

                  Our Jive installation is for employees only. We have also debated long about making the installation available outside our firewall. Items for consideration were:

                  • How secure is our directory service that we use for authentication? What monitoring is in place? What rules exist for passwords (strength, change interval)?
                  • How secure is access to Jive from the outside world? - firewall, proxy and reverse proxy, recognised SSL certificate, VPN, 2 factor security, blocking access after x failed login attempts, ...
                  • What is the confidentiality level of information that is available on Jive? - public, internal, confidential, highly confidential
                  • All involved systems are kept up to date to the latest applicable security patch.

                   

                  Our basic premise is: We have a significant number of remote workers that need the information on our Jive installation on a daily basis. Hence we decided internal information can be on Jive in open groups and spaces, confidential information can be on Jive in private groups or access restricted spaces, highly confidential information should not be on Jive. From a security point of view we have all of the above except 2 factor security which is under consideration.

                   

                  cheers

                  Frank

                  • Re: Does anyone have data on percentage of companies who use this type of platform for an intranet/extranet?
                    tmaurer

                    Ours is available outside firewalls, and is used as or in place of an intranet. We've had an external company do an audit of the site and our procedures, and that has been very helpful both in closing gaps as well as convincing our internal auditors of the safety of information.

                     

                    We also struggle with contractors, freelancers, temp-to-perm, temporary and intern positions. So much work is done on our Jive site that some access needs to be provided for these people. As more companies use this for an intranet, it would be really great if Jive would work with some of us to put some additional workflow or tools around this, because managing non-employee access has turned into a large pain. I had heard from others that LDAP was a great way to help resolve this, but internal sources at UBM tell me that companies who are providing contract employees are circumventing that by simply giving login details from contractor X to contractor Y when they decide to move people on and off projects. Anyone else have a process for dealing with this that they'd like to share?