There is an increasing number of security tools which support Microsoft SharePoint. That is an indicator of Microsoft's success in this market, but it is also an indicator of security issues around SharePoint. The problem is that these security issues are conceptual. They are about securing information on different levels: the information objects themselves, such as documents or list entries; the higher-level lists, forms, libraries and other elements in a SharePoint environment; and the portal level itself.

Microsoft has decided to use an ACL-based approach. ACLs can be applied at each of these levels (site collection, site, list or library, folder, item), with some pre-defined roles such as Read, Contribute and Full Control; by default a lower-level object inherits the ACL of its container, and any level can break inheritance and carry its own. There is also a very tight relationship to Active Directory for the authentication of users and for the groups used in those ACLs.

But, obviously, the built-in features aren't sufficient. From our perspective, there are two reasons for that:

  • The ACL controls aren't easy to use, and they are hard to control and monitor. Once inheritance has been broken on many lists, folders and items, it becomes very difficult to provide and verify consistent access controls across all levels: nobody can say, for a given user or document, what the effective rights actually are.
  • For a tool which gives end users flexible opportunities to share information, flexible access controls are necessary. But how should they be dealt with, and how can business policies be enforced consistently when every site owner can grant rights on his own?
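The first point, that effective rights become unverifiable once inheritance is broken at many levels, is the check a practitioner wants to run. The following is an added example, not code from the original article: it walks a small, constructed permission inventory modelled on SharePoint's levels (site, list, item) and reports every object with broken inheritance, plus every principal who holds more rights on a child object than on its container. The inventory format, role-to-rights mapping, paths and group names are all assumptions for illustration, not a real SharePoint export.

```python
# Added example (not from the original article): offline consistency audit over a
# constructed, SharePoint-style permission inventory. Paths, principals and the
# role-to-rights mapping below are assumptions for illustration.

from dataclasses import dataclass, field

# Rights implied by each (SharePoint-style) role, used to compare levels.
ROLE_RIGHTS = {
    "Full Control": {"read", "edit", "delete", "manage"},
    "Contribute": {"read", "edit", "delete"},
    "Read": {"read"},
}


@dataclass
class SecurableObject:
    path: str                  # e.g. "/sites/finance/Reports/Q3.xlsx"
    level: str                 # "site", "list" or "item"
    inherits: bool             # True: uses the parent's role assignments
    assignments: dict = field(default_factory=dict)  # principal -> role name
    children: list = field(default_factory=list)


def effective_assignments(obj, parent_assignments):
    """SharePoint's rule: an object either inherits the whole parent ACL
    or replaces it entirely with its own role assignments."""
    return parent_assignments if obj.inherits else obj.assignments


def audit(obj, parent_assignments=None, findings=None):
    """Depth-first walk. Reports (kind, path, detail) tuples for two patterns:
    'broken_inheritance' (one more ACL to maintain) and 'broader_than_parent'
    (a principal gains rights on a child it does not have on the container)."""
    if findings is None:
        findings = []
    parent_assignments = parent_assignments or {}
    if not obj.inherits and obj.level != "site":
        findings.append(("broken_inheritance", obj.path, None))
        for principal, role in obj.assignments.items():
            parent_role = parent_assignments.get(principal)
            extra = ROLE_RIGHTS[role] - ROLE_RIGHTS.get(parent_role, set())
            if extra:
                findings.append(("broader_than_parent", obj.path,
                                 f"{principal}: +{sorted(extra)}"))
    effective = effective_assignments(obj, parent_assignments)
    for child in obj.children:
        audit(child, effective, findings)
    return findings


def build_sample_inventory():
    """Constructed sample: one site, two lists, one item with its own ACL."""
    q3 = SecurableObject("/sites/finance/Reports/Q3.xlsx", "item", inherits=False,
                         assignments={"Finance-Team": "Contribute",
                                      "Contractor-Bob": "Contribute"})
    reports = SecurableObject("/sites/finance/Reports", "list", inherits=True,
                              children=[q3])
    drafts = SecurableObject("/sites/finance/Drafts", "list", inherits=False,
                             assignments={"Auditors": "Full Control"})
    return SecurableObject("/sites/finance", "site", inherits=False,
                           assignments={"Finance-Team": "Contribute",
                                        "Auditors": "Read"},
                           children=[reports, drafts])


def run_audit():
    return audit(build_sample_inventory())


if __name__ == "__main__":
    for kind, path, detail in run_audit():
        print(kind, path, detail or "")
```

On a real farm the inventory would be exported from the object model (every securable object carries a flag for unique role assignments and its role assignment collection); the point of the walk is that a single item-level grant to a contractor, or a Full Control grant on a list to a group that only has Read on the site, is invisible in the site's own permission page and only shows up when all levels are compared against each other.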

It appears that, as in other areas, ACL-based approaches to access control are failing to scale: the number of separately maintained ACLs grows with every broken inheritance, and no single place states the policy. The best solution probably is Information Rights Management, i.e. attaching access rights to every "information object" so that they travel with the document instead of living in the container. But mature solutions for IRM are still far away, despite some interesting offerings from vendors like Adobe, Microsoft, or Oracle.

Thus, a market for vendors which add an additional security layer to SharePoint environments is emerging. Two of these vendors are RSA Security, an EMC company, and Rohati Systems, a start-up. They are only two amongst several.

The approaches of RSA and Rohati are quite different. RSA extends Web Access Management into an integrated entitlement management, in which policies are enforced by an agent that sits in front of SharePoint; Rohati addresses the problem at the network level.

Rohati uses appliances which analyze network traffic at all layers, up to layer 7. The appliance understands SharePoint URLs and the requests carried on them, so it can distinguish, for example, a read of a document from an attempt to delete or modify it. Based on this, Rohati can enforce rules which govern information access, deletion, and other actions in SharePoint without touching the SharePoint servers themselves. The caveat of any network-level approach is that it only sees what crosses the wire: encrypted traffic has to be terminated at the appliance, and actions taken on the server by other paths are not covered.

RSA, in contrast, uses a software-only approach which is mainly focused on externalizing authorization decisions out of applications: the application (or an agent in front of it) asks a central policy decision point whether a request is allowed, instead of evaluating its own ACLs. In contrast to some other vendors which focus mainly on newly developed applications, RSA also supports standard platforms such as SharePoint.
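What "externalizing authorization decisions" means in practice is easiest to see in code. The following is an added example and is not RSA's product or API: a minimal policy decision point (PDP) with a deny-overrides, deny-by-default evaluation, and a policy enforcement point (PEP) that an agent in front of SharePoint would call before passing a request through. The rules apply to whole subtrees of the resource hierarchy, which is how a business policy (no deletion outside records management, no confidential material from outside the internal network) is enforced consistently regardless of what any item-level ACL says. Resource paths, group names, attributes and rule names are constructed for illustration.

```python
# Added example (not RSA's code or API): externalized authorization with a small
# policy decision point. Paths, groups, attributes and rules are assumptions.

from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Request:
    subject: str
    groups: frozenset
    action: str                 # "read", "edit", "delete", ...
    resource: str               # hierarchical path, e.g. "/sites/finance/Reports/Q3.xlsx"
    attributes: dict = field(default_factory=dict)  # e.g. classification, network


@dataclass
class Rule:
    name: str
    scope: str                  # resource path prefix the rule governs
    effect: str                 # "permit" or "deny"
    when: Callable[[Request], bool]


def in_scope(resource, scope):
    """Path-aware prefix match: '/sites/finance' governs '/sites/finance/Reports/x'
    but not '/sites/financeX'."""
    return resource == scope or resource.startswith(scope.rstrip("/") + "/")


# Business policy for one site collection, stated once, applying to every level below it.
POLICY = [
    Rule("no-delete-outside-records-mgmt", "/sites/finance", "deny",
         lambda r: r.action == "delete" and "Records-Managers" not in r.groups),
    Rule("confidential-internal-only", "/sites/finance", "deny",
         lambda r: r.attributes.get("classification") == "confidential"
         and r.attributes.get("network") != "internal"),
    Rule("finance-team-contribute", "/sites/finance", "permit",
         lambda r: "Finance-Team" in r.groups and r.action in {"read", "edit", "delete"}),
    Rule("auditors-read-reports", "/sites/finance/Reports", "permit",
         lambda r: "Auditors" in r.groups and r.action == "read"),
]


def decide(request, policy=POLICY):
    """PDP: collect every applicable rule; any matching deny wins, an explicit
    permit is required otherwise, and nothing matching means deny."""
    matched = [rule for rule in policy
               if in_scope(request.resource, rule.scope) and rule.when(request)]
    denies = [rule.name for rule in matched if rule.effect == "deny"]
    if denies:
        return "deny", denies
    if matched:
        return "permit", [rule.name for rule in matched]
    return "deny", ["default-deny"]


def enforce(request, policy=POLICY):
    """PEP: what the agent in front of the application calls; raises on deny."""
    effect, reasons = decide(request, policy)
    if effect != "permit":
        raise PermissionError(f"{request.subject} {request.action} {request.resource}: {reasons}")
    return True


if __name__ == "__main__":
    alice = Request("alice", frozenset({"Finance-Team"}), "read",
                    "/sites/finance/Reports/Q3.xlsx",
                    {"classification": "confidential", "network": "internal"})
    print(decide(alice))
```

Note that the application never sees the policy; it only learns permit or deny and the rule names, which is also what makes the decision auditable in one place instead of spread over thousands of ACLs.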

Both approaches are, from our perspective, interesting enhancements for securing SharePoint environments, because they provide a consistent control layer on top of SharePoint. But they can only deal with the symptoms. The real problem, i.e. the insufficient security model of SharePoint (and of virtually any other platform of that type), isn't solved.

Our recommendation for users of SharePoint environments is to define clear strategies and guidelines for using the SharePoint-internal security controls, and to add an additional layer of security control on top of SharePoint. Otherwise, SharePoint might become the major leakage point for information. Rohati and RSA are two of several vendors which provide additional security for SharePoint. Even if none of these approaches is perfect, they at least help to improve security in SharePoint environments.