Home » Data Protection » Network Security

In Depth

Why Security Pros Hate Microsoft SharePoint (and What to Do About It)

Microsoft's SharePoint collaboration platform is all the rage in today's business world, especially since third parties gained the ability to plug security holes. But managing it can still be a nightmare for IT security shops

By Bill Brenner, Senior Editor

October 07, 2008 — CSO —

Microsoft SharePoint has many fans these days, but Andre Koot isn't among them.

Koot, information security manager at the Unive Verzekeringen insurance company in the Netherlands, says implementing it is a lot like getting a tooth pulled.

"The concept of SharePoint is okay, but every implementation is hard and miserable," he says. "SharePoint is the contrary of a Ferrari - great to own, bad to use."

The business world has enthusiastically embraced SharePoint, a collaboration platform that lets organizations host Web portals to shared workspaces and documents, including wikis and blogs. The problem is that it's an absolute bear to manage, according to some IT security pros. One of the biggest problems, they say, is configuring it in a secure manner.

That discomfort persists even though third-party vendors like Epok and Captaris have developed security add-ons for SharePoint Server 2007 that close some of the holes.

Complexities they don't understand
Brendon Taylor, a director and principal consultant for Business Aspect Pty Ltd. in Australia, tries to help clients get a handle on their risk environment, find the right security strategy and develop procedures around it. Asked about the SharePoint difficulties he has come across, Taylor offered up four examples:

1. The unintentional or unplanned devolving of security administration away from the traditional skilled and knowledgeable user administration groups within IT out to business users or administrators who do not understand the complexities of roles, role group changes and authorization.
2. Transactional workflows built into Sharepoint that incorporate the problem above as well as business administrators changing delegations of authority for workflow approvals and the like.
3. Admin-level access to sites and generally poor permissions on sites affecting numerous sub-sites.
4. The habit of organizations to ignore Sharepoint updates and service packs.

Those problems are consistent with what Burton Group VP and Service Director Gerry Gebel comes across when talking to clients. Part of the problem is that it's difficult to automate user administration because SharePoint isn't designed for that kind of provisioning, he says.

"Because of that, most people rely on this loose connection between Active Directory and SharePoint and try to provision accounts and group membership to Active Directory directly," he says. "But it requires manual intervention to make all of that work well, and that can be painful."

One of Gebel's clients had a large population of users in Active Directory and another group in an LDAP directory and wanted to give everyone the same interface experience on SharePoint. But that's not possible given SharePoint's current architecture, he says. As a result, users who log into Active Directory use a process that looks much different from how LDAP users are authenticated. Certain SharePoint functions can be degraded in the process.