Why security pros hate SharePoint, and what to do about it

by Bill Brenner
Be the first to comment | 5I like it!
Tags: collaboration, Microsoft, SharePoint, SharePoint Server 2007
More »
on this topic
October 13, 2008, 08:23 AM —  CSO — 

Microsoft SharePoint has many fans these days, but Andre Koot isn't among them.

Koot, information security manager at the Unive Verzekeringen insurance company in the Netherlands, says implementing it is a lot like getting a tooth pulled.

"The concept of SharePoint is okay, but every implementation is hard and miserable," he says. "SharePoint is the contrary of a Ferrari - great to own, bad to use."

The business world has enthusiastically embraced SharePoint, a collaboration platform that lets organizations host Web portals to shared workspaces and documents, including wikis and blogs. The problem is that it's an absolute bear to manage, according to some IT security pros. One of the biggest problems, they say, is configuring it in a secure manner.

That discomfort persists even though third-party vendors like Epok and Captaris have developed security add-ons for SharePoint Server 2007 that close some of the holes.

Complexities they don't understand Brendon Taylor, a director and principal consultant for Business Aspect Pty Ltd. in Australia, tries to help clients get a handle on their risk environment, find the right security strategy and develop procedures around it. Asked about the SharePoint difficulties he has come across, Taylor offered up four examples:

  • 1. The unintentional or unplanned devolving of security administration away from the traditional skilled and knowledgeable user administration groups within IT out to business users or administrators who do not understand the complexities of roles, role group changes and authorization.
  • 2. Transactional workflows built into Sharepoint that incorporate the problem above as well as business administrators changing delegations of authority for workflow approvals and the like.
  • 3. Admin-level access to sites and generally poor permissions on sites affecting numerous sub-sites.
  • 4. The habit of organizations to ignore Sharepoint updates and service packs.

Those problems are consistent with what Burton Group VP and Service Director Gerry Gebel comes across when talking to clients. Part of the problem is that it's difficult to automate user administration because SharePoint isn't designed for that kind of provisioning, he says.

"Because of that, most people rely on this loose connection between Active Directory and SharePoint and try to provision accounts and group membership to Active Directory directly," he says. "But it requires manual intervention to make all of that work well, and that can be painful."

One of Gebel's clients had a large population of users in Active Directory and another group in an LDAP directory and wanted to give everyone the same interface experience on SharePoint. But that's not possible given SharePoint's current architecture, he says. As a result, users who log into Active Directory use a process that looks much different from how LDAP users are authenticated. Certain SharePoint functions can be degraded in the process.

The desire of organizations to smooth out such difficulties has translated into robust sales for security vendors like Exostar LLC. Vijay Takanti, the company's senior director, says his customers want a solution to the problem where partners use SharePoint without observing a consistent set of security rules.

"They want to make sure all their partners are using two-factor authentication and they want better labeling for Word documents placed in SharePoint," Takanti says. "What we do to meet the need is to implement SharePoint as a service in the cloud."

Where there's a will (and manpower) there's a way Despite all the difficulties, companies can overcome SharePoint's eccentricities with the right amount of will and workforce, says George Johnson, chief security officer at the National Center for Crisis and Continuity Coordination (NC4).

"Any application can be secured at instantiation," he says. "The problem is that organizations lack the will, people and process elements for the mission. IT and security should be given the expertise necessary to deploy tools properly at the start."

Once a platform is in place, Johnson says, radically inconsistent missions are put on top of it and people get confused, make mistakes, information is lost or delivered to inappropriate parties, and so on.

"This is not the fault of the tool but rather the governance structure or the lack thereof," he adds. "IT-based collaboration is very tough as it requires governance from far more."

For a SharePoint implementation to be successful, he says, IT, security, sponsor and end-user requirements must be brought into alignment.

"These are often either completely overlooked or abandoned once the product is initially deployed," he says.

» posted by ITworld staff

CSO

I like it!
Post a comment
The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
Free books

Build your tech library with our book giveaways.

Hacking Exposed, Sixth Edition
By Stuart McClure, Joel Scambray, George Kurtz; Published by McGraw-Hill/Osborne

The original Hacking Exposed authors rejoin forces on this tenth anniversary edition to offer completely up-to-date coverage of today's most devastating hacks and how to prevent them. Using their proven methodology, the authors reveal how to locate and patch system vulnerabilities. The book includes new coverage of ISO images, wireless and RFID attacks, Web 2.0 vulnerabilities, anonymous hacking tools, Ubuntu, Windows Server 2008, mobile devices, and more. Enter now!

Featured Sponsor
Case Study: AISO grows its "green" business

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

Download this white paper »
Myth of the Million Dollar Database

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

Download this white paper »
Success Story: Weather.com handles whatever nature serves up

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Download this white paper »
Marketplace