SharePoint remains one of the most popular content collaboration platforms (CCP) at the enterprise level, and its adoption continues to grow year over year. This adoption shows not only growth in the expected area of SharePoint Online, but continued expansion in SharePoint On-Premises as well.
As SharePoint continues to grow, one of the largest areas of concern is the security of the platform. A well-designed, maintained, and governed SharePoint farm is usually a very safe environment, but often the data governance and data access plans are not executed in full, leaving gaps in the overall SharePoint security model.
What are the Challenges?
The SharePoint security model offers a lot of flexibility. Active Directory is the most common source of truth for users in the platform, but frequently you’ll also see users on-premises using Forms-Based Authentication (FBA) to draw from an external source, either a database or an LDAP connection. Alternatively, more users are working with MFA or ADFS or a similar identity provider to function with SAML tokens for identity. Some web applications may mix and match all of the above! Add to this that all providers have the concept of both members/users and groups/roles, and there is a multitude of different ways a user could gain access to a SharePoint environment.
In addition to principals being provided from the identity provider, SharePoint also has its own repository of SharePoint Groups, and in a SharePoint Online (SPO) environment that will also include Office 365 groups. All of these objects can be granted access in SharePoint and many can be embedded within each other. If a governance plan is not being executed appropriately, it is very possible for the granting of access to principals to run rampant in an environment, to the point where the effective access of each user can no longer be understood.
Depending on the farm configuration or tenant settings in SPO, external users may be part of the mix. That becomes extremely likely as more and more organizations move to OneDrive for Business for personal content storage and file sharing. Even in a hybrid environment, this becomes a major area for concern.
With all of these identities together from all of these different places, it becomes increasingly complex to manage all of them simultaneously. In addition to that, users have the ability to control their own content in many ways. SharePoint 2013 saw the introduction of the “Share” link that would allow users to share content with effectively any user that could be resolved, or any external user should SharePoint be configured to support that. This introduces the challenge of unique permissions on content which makes things more complicated.
Why are Unique Permissions Difficult?
Best practices for SharePoint look a lot like best practices for a file server. Groups/roles should be placed into SharePoint Groups, and those Groups should be granted the permissions directly. This means that the AD Group/Role can be managed for membership and the SharePoint Group can consume the AD Groups and Roles. This works well as long as permissions are inherited and controlled by the IT team or similar. However, as previously mentioned, data owners have the ability to change their own content’s permissions, whether with the Share option or by directly modifying the permissions themselves. This puts organizations in a position where managing permissions becomes hard to do at the macro level and absolutely required at the micro level.
What Causes These?
The concerns around security and information governance in the SharePoint platform are almost always due to some combination of the following three reasons:
- Lack of education
- Lack of visibility to execute
- Lack of governance control
Lack of education of the end-user becomes a common concern. If an internal governance plan prevents the ability for unique permissions to be granted to objects, it may restrict the usage of the platform and encourage collaboration elsewhere. This means users may be in a position to control their own security models, but if they don’t understand what they are doing they can cause damage.
Take this example: a Human Resources site collection is open to all authenticated users in the environment to grant access to important information. One document library has unique permissions locked down only to the HR team. A user with excessive permissions may choose to click on the “Delete Unique Permissions” button in the ribbon of that library. Suddenly, all users have access to content that should be limited only to HR! This is something that could be resolved by appropriate education, or potentially having very granular permissions associated with the security rights of owners of content in the environment.
As for execution, SharePoint is exceptionally good at showing permissions available at the site collection scope, though getting a federated view at a lower scope becomes complicated. Multiple clicks are necessary within the interface to get as granular as individual libraries, folders, and documents. With thousands of users and potentially millions of files, this becomes too large a scope to tackle with native controls, and visibility into security is lost completely. Admins frequently need to rely on custom PowerShell scripting or third-party vendors (such as STEALTHbits) to provide that federated view into content across the entirety of the farm, or the hybrid environment.
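As an illustration of the custom scripting mentioned above, the following added example (not STEALTHbits code and not part of the original article) inventories every subsite, list, and library that has broken permission inheritance in an on-premises farm and records who was granted what on each. It assumes the SharePoint Management Shell on a farm server, an account with read access to every web application, and a placeholder output file name.

```powershell
# Added example: farm-wide inventory of unique-permission scopes (on-premises).
# Assumption: run on a farm server by an account that can read all web applications.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-RoleAssignmentRow {
    param($Securable, [string]$Scope, [string]$Url)
    # One row per principal granted directly on this securable object.
    foreach ($ra in $Securable.RoleAssignments) {
        [pscustomobject]@{
            Scope         = $Scope
            Url           = $Url
            PrincipalType = $ra.Member.GetType().Name   # SPUser or SPGroup
            Principal     = $ra.Member.Name
            Login         = $ra.Member.LoginName
            Roles         = ($ra.RoleDefinitionBindings |
                                ForEach-Object { $_.Name }) -join '; '
        }
    }
}

$report = foreach ($site in Get-SPSite -Limit All) {
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Subsites that no longer inherit from their parent site.
                if ($web.HasUniqueRoleAssignments -and -not $web.IsRootWeb) {
                    Get-RoleAssignmentRow $web 'Web' $web.Url
                }
                # Lists and libraries that no longer inherit from their site.
                foreach ($list in $web.Lists) {
                    if ($list.Hidden -or -not $list.HasUniqueRoleAssignments) { continue }
                    $url = $site.MakeFullUrl($list.RootFolder.ServerRelativeUrl)
                    Get-RoleAssignmentRow $list 'List' $url
                }
            }
            finally { $web.Dispose() }   # SPWeb objects hold unmanaged resources
        }
    }
    finally { $site.Dispose() }
}

# Placeholder output path; adjust to a location the auditing team controls.
$report | Export-Csv -Path .\unique-permissions.csv -NoTypeInformation

# Scopes with the most direct grants are usually the first to review.
$report | Group-Object Url | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name
```

The script stops at list and library level on purpose: folders and documents expose the same HasUniqueRoleAssignments property, but walking every item in a large farm is expensive and is better scheduled per library.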
Lastly, the lack of ability to execute on controls becomes challenging. All SharePoint admins want SharePoint to be used and to grow adoption. Being too restrictive on permissions reduces what users can do and makes the platform undesirable. Being unrestricted on permissions turns SharePoint into the wild west, generating massive risks of data breach or loss of alignment to any required regulatory compliance methods. There’s a sweet spot that admins have to manage with fine-grained permissions: they need to do it in bulk, and they need to do it in response to potentially toxic conditions in the environment. This is another major area for PowerShell scripting or third-party vendor solutions.
All in all, SharePoint security presents challenges above and beyond what is expected from a traditional file system. However, with appropriate visibility into security, a solid governance plan, and great technical controls in place, SharePoint will remain a business-critical platform with a minimal security risk.