Why Security Pros Hate Microsoft SharePoint (and What to Do About It)

Microsoft SharePoint has many fans these days, but Andre Koot isn’t among them.

Koot, information security manager at the Unive Verzekeringen insurance company in the Netherlands, says implementing it is a lot like getting a tooth pulled.

“The concept of SharePoint is okay, but every implementation is hard and miserable,” he says. “SharePoint is the contrary of a Ferrari – great to own, bad to use.”

The business world has enthusiastically embraced SharePoint, a collaboration platform that lets organizations host Web portals to shared workspaces and documents, including wikis and blogs. The problem is that it’s an absolute bear to manage, according to some IT security pros. One of the biggest problems, they say, is configuring it in a secure manner.

That discomfort persists even though third-party vendors like Epok and Captaris have developed security add-ons for SharePoint Server 2007 that close some of the holes.

Complexities they don’t understandBusiness Aspect Pty Ltd. in Australia, tries to help clients get a handle on their risk environment, find the right security strategy and develop procedures around it. Asked about the SharePoint difficulties he has come across, Taylor offered up four examples:

Brendon Taylor, a director and principal consultant for

• 1. The unintentional or unplanned devolving of security administration away from the traditional skilled and knowledgeable user administration groups within IT out to business users or administrators who do not understand the complexities of roles, role group changes and authorization.
• 2. Transactional workflows built into Sharepoint that incorporate the problem above as well as business administrators changing delegations of authority for workflow approvals and the like.
• 3. Admin-level access to sites and generally poor permissions on sites affecting numerous sub-sites.
• 4. The habit of organizations to ignore Sharepoint updates and service packs.

Those problems are consistent with what Burton Group VP and Service Director Gerry Gebel comes across when talking to clients. Part of the problem is that it’s difficult to automate user administration because SharePoint isn’t designed for that kind of provisioning, he says.

“Because of that, most people rely on this loose connection between Active Directory and SharePoint and try to provision accounts and group membership to Active Directory directly,” he says. “But it requires manual intervention to make all of that work well, and that can be painful.”

One of Gebel’s clients had a large population of users in Active Directory and another group in an LDAP directory and wanted to give everyone the same interface experience on SharePoint. But that’s not possible given SharePoint’s current architecture, he says. As a result, users who log into Active Directory use a process that looks much different from how LDAP users are authenticated. Certain SharePoint functions can be degraded in the process.

The desire of organizations to smooth out such difficulties has translated into robust sales for security vendors like Exostar LLC. Vijay Takanti, the company’s senior director, says his customers want a solution to the problem where partners use SharePoint without observing a consistent set of security rules.

“They want to make sure all their partners are using two-factor authentication and they want better labeling for Word documents placed in SharePoint,” Takanti says. “What we do to meet the need is to implement SharePoint as a service in the cloud.”

Where there’s a will (and manpower) there’s a way

Despite all the difficulties, companies can overcome SharePoint’s eccentricities with the right amount of will and workforce, says George Johnson, chief security officer at the National Center for Crisis and Continuity Coordination (NC4).

“Any application can be secured at instantiation,” he says. “The problem is that organizations lack the will, people and process elements for the mission. IT and security should be given the expertise necessary to deploy tools properly at the start.”

Once a platform is in place, Johnson says, radically inconsistent missions are put on top of it and people get confused, make mistakes, information is lost or delivered to inappropriate parties, and so on.

“This is not the fault of the tool but rather the governance structure or the lack thereof,” he adds. “IT-based collaboration is very tough as it requires governance from far more.”

For a SharePoint implementation to be successful, he says, IT, security, sponsor and end-user requirements must be brought into alignment.

“These are often either completely overlooked or abandoned once the product is initially deployed,” he says.