Torsion Information Security Blog

Exploring the business and technical implications of information security.

Microsoft Tahoe and the Evolution of SharePoint Security

With so much change, so much growth, so many new threats – perhaps SharePoint’s security model could use a rethink.

Microsoft Tahoe – Where it all began

Back in 2000, an internal project at Microsoft called ‘Tahoe’ began publicising a new product they had been working on. Tahoe was a new technology that enabled small work teams to perform simple document sharing, collaboration and content searching through a web browser.

By the time it was released, the marketing department had come up with the name ‘SharePoint Portal Server’. The market didn’t receive the new product particularly positively!

Debra Logan, a research analyst at Gartner said, “SharePoint Portal is just document management based around one Exchange server. It is better than a shared file system, but big deal.”

Ashim Pal, programme director for analyst Meta Group, said, “It is lightweight document management for the masses. There will be a mass migration to… [another technology] in the next 24-36 months, so users should be careful not to over commit to any development around SharePoint.”

Computing Magazine UK actually used phrases like “too lightweight”, “too basic” and “will soon be redundant”!


A typical SharePoint Portal 2001 home page.

Looking at the information management powerhouse that SharePoint / Office 365 has become today, and as one of many people who have built a good career on top of it – its hard to resist a wry little smile 😉 I don’t know many people who would today describe SharePoint as “too basic”!

SharePoint Portal Server 2001 Security

The examples in Microsoft’s documentation for SharePoint Workspaces reveals the thinking at the time. This was not a technology designed for serious deployments. They really didn’t envisage more than a dozen or so people using them! It didn’t use a proper database, it didn’t support clustered server farms.

It was really just a small scale, browser-based extension for Windows Server and Exchange that let people share and search across a few documents.

With SharePoint Portal Server 2001, users could be granted one of three ‘roles’ to content in SharePoint Workspaces:

  • ‘Coordinator’ was for administrators and information owners,
  • ‘Author’ allowed the user to add and update documents, and
  • ‘Reader’ allowed read-only access through navigation or search.

Permissions to content were granted either to groups of people in Windows or Exchange, or to individual users. It was very manual and unsophisticated, but it worked.

Permissions in SharePoint Today

Fast forward to today with SharePoint 2016 and SharePoint Online / Office 365. First lets substitute a few equivalent terms:

SharePoint 2001 terminology SharePoint 2016 / Office 365 equivalent terminology
‘Workspace’ ‘Site’ / ‘Team Site’
‘Role’ ‘Group’
‘Coordinator Role’ ‘Site Owners Group’
‘Author Role’ ‘Site Contributors Group’
‘Reader Role’ ‘Site Visitors Group’

Something obvious jumps straight out. The model hasn’t changed!! In 15 years, there has been no evolution the security model at all – the concepts and basic ideas line up exactly.

Security in SharePoint is still managed in the same basic way as it was on day one: we manually compile lists of people, and grant them permissions to stuff.

  • Even though SharePoint systems have gone from dozens of users to hundreds of thousands.
  • The volumes of data have gone from a few folders to terabytes of mission-critical sensitive content.
  • The intensity, relentlessness and consequences of the security threat have gone from fairly minimal to extreme.
  • The role of SharePoint has gone from being “not much better than a file share”, to being central to the operations of millions of organisations around the world.
  • And the internet and the interconnectedness of networks became absolutely ubiquitous

Some of the most notorious information security breaches in recent years have involved information stolen from SharePoint systems. Not hacked by clever anarchists in dark rooms, but simply downloaded by disenfranchised trusted staff with access to far more information than they needed in order to do their jobs.

But still, SharePoint offers the exact same ideas for securing content as it always has!

So, in light of all this change, all this growth, all these new threats – perhaps, the security model in SharePoint could use a bit of a rethink.

We’ve outgrown it.

 

Thanks for reading!

Peter