Every once in a while I’ll be out at a local infosec meetup and the subject of SharePoint will come up. Many in the group immediately start bashing SharePoint’s security. Others are on the border but follow suit out of peer pressure, leaving the ones that don’t know with the impression that SharePoint is horribly insecure. The thing that I think is missing in a lot of these conversations is anyone actually clarifying what version of SharePoint they are talking about. Yes, older versions were very insecure and Microsoft still has a lot of work ahead of them to overcome this stigma … but the simple fact is that the more recent versions of SharePoint are very secure with just a little bit of configuration.
I blame Net-Security’s article “Securing SharePoint” for motivating me to write this post. In this article, Jamie Bodley-Scott discusses the failing of SharePoint and goes on to describe a three-dimensional framework to secure it:
Rather than ignoring what’s happening, organizations need to recognize the increasing porosity of the perimeter and that, for some, it may not even exist.
Today, security tends to be focused on users and their location. For example, what a user can access when in the relatively safe confines of the office will be different from what he can see when connecting remotely in the evening working from home, or the device being used. By the same token, where the information is stored can determine who has access – we return to our previous example of a file that one user could see but another couldn’t.
While historically that model worked, in today’s collaborative environment it is impractical. If a document is confidential then, no matter where it is located, the information it contains remains sensitive and should be secured. As our dutiful employees previously demonstrated, by moving the file to a shared directory the veil is lifted!
To prevent this a third dimension needs to be added:
User + Location + Context = The Full Picture
Organizations must add true user based rights AND supplement it with context based information to introduce a control model required for today’s collaborative environment.
Although I like Jamie’s layered approach, the article veers in a different direction than I thought he was going to take. I was hoping he would address the details of how to lock down SharePoint from a configuration perspective. One statistic in the article does help my cause some though. “In a recent survey, conducted amongst 100 SharePoint users, 34% confessed they never really thought about the security implications of SharePoint.” I think this is probably true for most IT systems. In this case many admins just load up SharePoint and as soon as it is usable they push it out there for everyone to use. Unfortunately, security isn’t considered until that spreadsheet of salaries and raises gets discovered using the built-in search feature.
SharePoint has a tremendous advantage … it’s historically very easy to set up. One reason for this was that everything was “on by default,” which probably contributed to that lost spreadsheet. Microsoft once again chose usability over security to simplify its setup and use. Older versions are the worst culprits … very easy to set up but wide open for anyone to access anything. As SharePoint has evolved along with Microsoft’s Trustworthy Computing initiative, its security has greatly improved and the out-of-the-box setup is fairly secure. Further, with a few tweaks (including default deny access and allowing exceptions as needed), newer versions of SharePoint can become quite a locked down collaboration system.
So my overall philosophy is to install the more recent versions of SharePoint, perform the necessary tweaks to lock it down, and deploy.
What do you think … is SharePoint secure? This evening’s post pic is from StackOverflow.com.