In my first post, I explained the biggest problems of SharePoint security model and how it creates risks. With so much change, so much growth, so many new threats - perhaps SharePoint's security model could use a rethink?
Microsoft Tahoe - Where it all began
Back in 2000, an internal project at Microsoft called 'Tahoe' began publicising a new product they had been working on. Tahoe was a new technology that enabled small work teams to perform simple document sharing, collaboration and content searching through a web browser.
By the time it was released, the marketing department had come up with the name 'SharePoint Portal Server'. The market didn't receive the new product particularly positively!
Debra Logan, a research analyst at Gartner said, "SharePoint Portal is just document management based around one Exchange server. It is better than a shared file system, but big deal."
Ashim Pal, programme director for analyst Meta Group, said, "It is lightweight document management for the masses. There will be a mass migration to… [another technology] in the next 24-36 months, so users should be careful not to over commit to any development around SharePoint."
Computing Magazine UK actually used phrases like "too lightweight", "too basic" and "will soon be redundant"!
A typical SharePoint Portal 2001 home page
Looking at the information management powerhouse that SharePoint / Office 365 has become today, and as one of many people who have built a good career on top of it - its hard to resist a wry little smile ;) I don't know many people who would today describe SharePoint as "too basic"!
SharePoint Portal Server 2001 Security
The examples in Microsoft's documentation for SharePoint Workspaces reveals the thinking at the time. This was not a technology designed for serious deployments. They really didn't envisage more than a dozen or so people using them! It didn't use a proper database, it didn't support clustered server farms.
It was really just a small scale, browser-based extension for Windows Server and Exchange that let people share and search across a few documents.
With SharePoint Portal Server 2001, users could be granted one of three 'roles' to content in SharePoint Workspaces:
Permissions to content were granted either to groups of people in Windows or Exchange, or to individual users. It was very manual and unsophisticated, but it worked.
Permissions in SharePoint Today
Fast forward to today with SharePoint 2013 and SharePoint Online / Office 365. First lets substitute a few equivalent terms:
Something obvious jumps straight out. The model hasn't changed!! In 15 years, there has been no evolution the security model at all - the concepts and basic ideas line up exactly.
Security in SharePoint is still managed in the same basic way as it was on day one: we manually compile lists of people, and grant them permissions to stuff.
Some of the most notorious information security breaches in recent years have involved information stolen from SharePoint systems. Not hacked by clever anarchists in dark rooms, but simply downloaded by disenfranchised trusted staff with access to far more information than they needed in order to do their jobs.
But still, SharePoint offers the exact same ideas for securing content as it always has!
So, in light of all this change, all this growth, all these new threats - perhaps, the security model in SharePoint could use a bit of a rethink.
We've outgrown it.
In my next post, I'll dive deeper into how SharePoint's security model tends to cause huge problems for an organization, and some of the practical things we can do to minimize them.
Thanks for reading :)
CEO and Principal Architect at Torsion Information Security