SharePoint admins are abusing their privileged status to sneak a peak at classified documents according to a poll that shows consistent abuse of security in Microsoft's business collaboration server. A third of IT administrators or somebody they know with admin rights have read documents hosted in Microsoft's collaboration …
the broken part of any secure system.
This is why I would never use cloud based services for any information other than that which I wouldn't mind the local town crier getting hold of.
In the public cloud (e.g. DropBox, UbuntuOne etc) it would be cretinous in the extreme to no encrypt personal/sensitive data.
In corporate systems, one must trust that the procedures are in place and (as Ru rightly points out) all accesses logged.
I struggle to use Sharepoint to get documents that I'm <i>required</i> to view and modify half the time.
Audit trails FTW
Seems like having all powerful user accounts isn't necessarily a good thing. I guess no-one cared enough to allocate finer grained and more appropriate controls.
That aside; generating a nice audit log which the administrators could not interfere with seems like a reasonable thing to do in this case.
I'm surprised 99% didn't say they'd done it because they were fed up of the God awful performance of their corporate SharePoint server. I know rather more about SP than the average punter (including the backend DB stuff) but I still don't know why our IT gurus can't get SP to operate at a decent speed.
...because at every opportunity to optimise or implement something sensibly, the developers of Sharepoint decided to do something stupid. Often very stupid.
There's a reason why they can't get it to run at a decent speed - because it's Sharepoint. Even given a quad code "application" server with 16GB of RAM and a separate 8 core database server, gigabit links and following the MS "Best Practices" the thing still sucks. It's not that the components aren't operating fast enough - the metrics on the DB performance will show very low latency, the IIS configuration will show the thing running very efficiently as well. Combine the two with Sharepoint and some form of space-time-continuum problem happens and you'll swear that somebody's replaced one or both of the component servers with a 286 PC with 4MB RAM.
All this is before the brain dead "security topology" comes into play, which is marginally more on topic of the original article. Normal Windows FS (NTFS) security is nutty enough, and somehow rather than improve on this the Sharepoint developers managed to produce a scheme that was even worse. No wonder that there are so many security issues with Sharepoint such as the one the article highlights - give users an inkling of control over security and you'll spend days unpicking the mess. If the SP admins attempt to administrate security themselves then without very careful planning the workload typically becomes astronomical and to help with they'll often take shortcuts - the hint here, is to delegate SP access to AD groups and prohibit any and all individual rights changes.
> ..because at every opportunity to optimise or implement something sensibly, the developers of Sharepoint decided to do something stupid. Often very stupid.
Well that's part of it, for sure. The lack of a decent hierarchy prior to 2010 was a bit short sighted and some of the queries end up disturbingly complicated.
Security flaws/breaches and the word "Microsoft" is in the first sentence. No surprise!
Lack of security
I'm a contractor at a large UK based company. They have recently migrated/merged several document management systems into SharePoint. It seems that the default level of security is "Off". If I do a SharePoint search for "Contractor Rates" the first hit is a spreadsheet telling me all of the contrator agency rates within the company - pleasantly surprised to find my agency on a very small margin.
We record all user inputs on our large legacy (I prefer the word "classic") mainframe system and keep the data for several years.
Read-only or Read-write, the time, the user, the address, everything.
Can you do this on Sharepoint?
"You can download a copy of the report here (warning: PDF). ®"
I can't seem to access it.
That's because it's held in SharePoint
People are the biggest risk to security.
Interesting article. I wrote a response to this in my blog, here: http://www.akspug.org/blog/Lists/Posts/Post.aspx?ID=5
But I'll sum it up for you:
Some will read this survey and conclude that SharePoint is an inherently insecure system. But that's not really accurate, or fair. SharePoint is as secure as the users allow it to be, and you can say this about any document management solution.
When people have to use a system they find slow or difficult or too stringent, they resort to breaching the system. Yes, they download documents and work on them offsite. They email things that shouldn't be distributed. They create numerous duplicates so it is difficult to determine what the final or official version might be.
In other words, they put the security and integrity of a company's information at risk… and don't feel very guilty about it. After all, they are just trying to get their work done. This isn't about espionage, it's about being able to be successful at your job.
Is Document Management is too hard?
Because of this complexity, many companies completely avoid putting a document management solution in place, except where it is absolutely required by law (or risk of theft of intellectual property).
The result is usually chaos, where people can't find the information they need and are forced to either redo the work or else give up.
SharePoint strikes a balance
SharePoint is meant to be a compromise between the total security of a closed system, and the chaos of an unmanaged system. You can make it easier for employees to work together, by allowing people to automate their information management policies.
You can define a price quote, for example, that automatically expires after 30 days, or group a set of documents together and apply the same workflow to all of them. Things like this improve the process for employees. When these tasks become easier, people are more willing to use the system and comply with the rules, because they are built-in and make sense.
So SharePoint strives to strike a balance. Out of the box, it's not meant to be the end-all and be-all of document security, even if you locked it all the way down and limited access to just a few document owners. You still have to trust those users to follow their own rules. And there is no way to force them… or is there?
One thing the survey does not mention (and I am guessing it's because the security company wants to sell their own products) is that Windows Rights Management Services can plug right in to SharePoint. It's as easy as adding a role to your domain controller. Unlike third party solutions, there is no additional cost for RMS.
When you link SharePoint to RMS, you gain the ability to keep documents inside your own organization. Every time a document is opened or saved or emailed, you can set rules to prevent printing, saving, or forwarding in an email (it also links to Outlook and Exchange). If a document is taken offsite, it is encrypted and will not open unless it can communicate with the RMS server. For organizations serious about their intellectual property, RMS is an essential component.