SharePoint gods peek into colleagues' info – poll
Security is for other people
SharePoint admins are abusing their privileged status to sneak a peek at restricted documents, according to a poll that shows consistent abuse of security in Microsoft's business collaboration server.
A third of IT administrators said that they, or somebody they know with admin rights, have read documents hosted in Microsoft's collaboration server that they were not meant to read.
The most popular documents eyeballed were those containing details of fellow employees (34 per cent), followed by salary information (23 per cent), while 30 per cent said "other".
Ironically, the poll found the jury almost evenly split on whether the authors of documents could themselves be trusted to control the security settings on their own work.
IT admins are firmly in control of setting access rights within SharePoint: 69 per cent set the permission levels that determine who reads what, by individual or by group.
The data comes from a Cryptzone SharePoint security survey of 100 individuals running or using SharePoint systems, which has just been released. Respondents worked for a range of companies of varying size.
The poll reveals a consistently healthy disregard for the security supposedly afforded to company documents by SharePoint. Forty-five per cent of respondents said they'd copied sensitive information to the drive of a local PC or to a USB stick; 43 per cent did it because of the need to work from home; while 55 per cent said they'd done it because the docs were needed by somebody who didn't have access to SharePoint.
Ninety-two per cent of admins said they realised their actions made the material less secure, while 30 per cent said they weren't bothered because taking the information had helped them get their job done.
You can download a copy of the report here (warning: PDF). ®
Lack of security
I'm a contractor at a large UK-based company. They have recently migrated/merged several document management systems into SharePoint. It seems that the default level of security is "Off". If I do a SharePoint search for "Contractor Rates" the first hit is a spreadsheet telling me all of the contractor agency rates within the company - pleasantly surprised to find my agency on a very small margin.
...because at every opportunity to optimise or implement something sensibly, the developers of Sharepoint decided to do something stupid. Often very stupid.
There's a reason why they can't get it to run at a decent speed - because it's Sharepoint. Even given a quad core "application" server with 16GB of RAM and a separate 8 core database server, gigabit links and following the MS "Best Practices" the thing still sucks. It's not that the components aren't operating fast enough - the metrics on the DB performance will show very low latency, the IIS configuration will show the thing running very efficiently as well. Combine the two with Sharepoint and some form of space-time-continuum problem happens and you'll swear that somebody's replaced one or both of the component servers with a 286 PC with 4MB RAM.
All this is before the brain dead "security topology" comes into play, which is marginally more on the topic of the original article. Normal Windows FS (NTFS) security is nutty enough, and somehow rather than improve on this the Sharepoint developers managed to produce a scheme that was even worse. No wonder that there are so many security issues with Sharepoint such as the one the article highlights - give users an inkling of control over security and you'll spend days unpicking the mess. If the SP admins attempt to administrate security themselves then without very careful planning the workload typically becomes astronomical and to help with this they'll often take shortcuts - the hint here is to delegate SP access to AD groups and prohibit any and all individual rights changes.
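The two comments above describe the same failure from opposite ends: a search surfacing a spreadsheet that was effectively readable by everyone, and permission sprawl from per-user grants that the commenter says should be replaced by AD group membership. The script below is an added example for finding both conditions in an on-premises farm; it is not code from the article, the report or either commenter. It assumes SharePoint Server 2010/2013 with the Microsoft.SharePoint.PowerShell snap-in, a farm administrator running it on a SharePoint server, a placeholder site URL, and the default login-name formats for "Everyone" and "Authenticated Users" (the claims encoding c:0(.s|true and the classic NT AUTHORITY name), all of which are assumptions.

```powershell
# Added permission-audit example (not the article's or the commenters' code).
# Assumes: SharePoint Server 2010/2013 server object model, run on a farm
# server as a farm administrator. $SiteUrl is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl = 'http://intranet.example.com/sites/finance'   # placeholder URL

# Principals that amount to "security Off" for a document. The login-name
# fragments below are assumed from the default classic and claims formats.
$BroadPrincipals = @('NT AUTHORITY\authenticated users', 'c:0(.s|true', 'Everyone')

function Test-BroadPrincipal([Microsoft.SharePoint.SPPrincipal]$Principal) {
    foreach ($fragment in $BroadPrincipals) {
        if ($Principal.LoginName -like "*$fragment*") { return $true }
    }
    return $false
}

# Emit one finding per role assignment on a securable object (web, list or
# item) that is either an individual user account or a broad principal.
# Assignments whose only role is "Limited Access" are skipped: SharePoint
# adds those automatically when a deeper object is shared, and they grant
# no content access on their own.
function Get-RiskyAssignment($Securable, [string]$Scope) {
    foreach ($ra in $Securable.RoleAssignments) {
        $member = $ra.Member
        $roles  = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        if ($roles.Count -eq 1 -and $roles[0] -eq 'Limited Access') { continue }

        # SPUser covers both people and domain groups; IsDomainGroup tells them apart.
        $isUser  = ($member -is [Microsoft.SharePoint.SPUser]) -and (-not $member.IsDomainGroup)
        $isBroad = Test-BroadPrincipal $member
        if (-not ($isUser -or $isBroad)) { continue }

        $problem = if ($isBroad) { 'Broad access' } else { 'Individual user grant' }
        [pscustomobject]@{
            Scope     = $Scope
            Principal = $member.LoginName
            Roles     = ($roles -join ',')
            Problem   = $problem
        }
    }
}

# Walk every web, list and item in the site collection, but only inspect
# objects that break permission inheritance; inherited ones repeat their parent.
function Get-SharePointPermissionFindings([string]$Url) {
    $site = Get-SPSite $Url
    try {
        foreach ($web in $site.AllWebs) {
            try {
                if ($web.HasUniqueRoleAssignments) {
                    Get-RiskyAssignment $web "Web: $($web.Url)"
                }
                foreach ($list in $web.Lists) {
                    if ($list.HasUniqueRoleAssignments) {
                        Get-RiskyAssignment $list "List: $($list.RootFolder.ServerRelativeUrl)"
                    }
                    # Item-level breaks are where permission sprawl usually hides.
                    # Enumerating every item is slow on large lists; scope the
                    # run to document libraries of interest if needed.
                    foreach ($item in $list.Items) {
                        if ($item.HasUniqueRoleAssignments) {
                            Get-RiskyAssignment $item "Item: $($item.Url)"
                        }
                    }
                }
            } finally {
                $web.Dispose()
            }
        }
    } finally {
        $site.Dispose()
    }
}

Get-SharePointPermissionFindings $SiteUrl |
    Sort-Object Problem, Scope |
    Format-Table -AutoSize
```

The script only reports. Remediation, in line with the commenter's advice, is to remove each "Individual user grant" and put the person into an AD group that already holds the role, and to remove each "Broad access" grant unless the content really is meant for the whole company; re-run afterwards to confirm the findings list is empty. Search hits like the contractor-rates spreadsheet come from the crawler honouring exactly these permissions, so a library that shows up as broadly readable here will show up in everyone's search results too.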
That's because it's held in SharePoint