Why some security pros hate SharePoint

CSO - Microsoft SharePoint has many fans these days, but Andre Koot isn't among them.

Koot, information security manager at Unive Verzekeringen, an insurance company in the Netherlands, says implementing it is a lot like getting a tooth pulled.

"The concept of SharePoint is OK, but every implementation is hard and miserable," he says. "SharePoint is the contrary of a Ferrari -- great to own, bad to use."

The business world has enthusiastically embraced SharePoint, a collaboration platform that lets organizations host Web portals to shared workspaces and documents, including wikis and blogs. The problem is that it's an absolute bear to manage from a security perspective, some say. One of the biggest problems, they say, is configuring it in a secure manner.

That discomfort persists even though third-party vendors such as Epok Inc. and Captaris Inc. have developed security add-ons for SharePoint Server 2007 that close some of the holes.

Complexities they don't understand

Brendon Taylor, a director and principal consultant at Business Aspect Pty. Ltd. in Queensland, Australia, tries to help clients get a handle on their risk environment, find the right security strategy and develop procedures around it. Asked about the SharePoint difficulties he has come across, Taylor offered up the following four examples:

1. The unintentional or unplanned movement of security administration away from the traditional skilled and knowledgeable user administration groups within IT out to business users or administrators who do not understand the complexities of roles, role group changes and authorization.
   
   
2. Transactional workflows built into SharePoint that incorporate the problem above, as well as business administrators changing delegations of authority for workflow approvals and the like.
   
   
3. Administrative-level access to sites and generally poor permissions on sites affecting numerous subsites.
   
   
4. The habit of organizations to ignore SharePoint updates and service packs.

Those problems are consistent with what Burton Group Inc. vice president and service director Gerry Gebel comes across when talking to clients. Part of the problem is that it's difficult to automate user administration because SharePoint isn't designed for that kind of provisioning, he says.

"Because of that, most people rely on this loose connection between Active Directory and SharePoint, and [they] try to provision accounts and group membership to Active Directory directly," he says. "But it requires manual intervention to make all of that work well, and that can be painful."

One of Gebel's clients had a large population of users in Active Directory and another group in an LDAP directory and wanted to give everyone the same interface experience on SharePoint. But that's not possible given SharePoint's current architecture, he says. As a result, users who log into Active Directory use a process that looks much different from how LDAP users are authenticated. Certain SharePoint functions can be degraded in the process.