I have written before, and will say again, that Microsoft Excel does not have security. It does actually have some security features, but most users don't know about them and, even when they do, the features are frequently not implemented. In any case, as Microsoft has explicitly stated, the security features in Excel are not actually there to …
Not just security
Security may be important for some categories of spreadsheet, but more fundamental is getting the spreadsheet correct in the first place. My experience (confirmed by numerous surveys) is that a substantial minority of spreadsheets contain significant errors. This has the potential to cause serious problems, particularly in SMEs that may not be able to implement the controls that are available to larger organisations.
Spreadsheet errors are an integrity issue
I think spreadsheet errors are a very serious problem - see http://panko.cba.hawaii.edu/ssr/.
But I also think they are a "security" issue - Security is Confidentiality, Integrity and Availability, not just Confidentiality. OK, I know that coding errors aren't usually considered security risks (although the fixes often are) but I think that our habit of treating security-related defects as something different to system defects in general tends to reduce security - things fall into the gap between the security assessment and normal testing...
Security is ...
Confidentiality, Availability, Non Repudiation, Integrity. As a security professional, this is the mantra I (and most of the industry) preach.
What I like (on cursory examination) is the possibility of assigning rules to spreadsheets that haven't even been created. That's a boon to those who have to manage the security of these files. What I suspect doesn't work, although the article talks about it in a roundabout fashion, is the transfer of cellular security. But access control to the actual spreadsheet is a good first step.
However, the stumbling block is that someone, perhaps the creator, must apply internal security. So the security manager has to personally touch every new file anyways, since I don't trust the creator to adequately set up permissions and ACLs.
dillon, CISSP, in Tejas
Conference on spreadsheet risks July 11-13
The European Spreadsheet Risk Interest Group welcomes discussion of spreadsheet security at our annual conference:
'Enterprise Spreadsheet Management: A Necessary Evil'
University of Greenwich, London UK July 11-13 2007
This conference will provide attendees with an opportunity to share experiences with a broad range of researchers, practitioners and recognised leaders in the field of spreadsheet research.
Pre-conference information is at http://www.uwic.ac.uk/eusprig/2007