Is SharePoint Going To Die?

I get asked this question a lot, I generally suspect it is because at first glance with SharePoint it takes a fair amount of resources to run a well-architected, organized, and maintained portal for an arbitrary organization, which I think is partially accurate. However, I don’t consider that is a fault of SharePoint as a product, rather I just believe that it is collaborative software as a whole breed being introduced to virgin organizations. As the breed continues to grow and evolve, becoming more of an arm of the enterprise body, I think that is bound to become even more complex and involved, demanding more resources from the organization. Quite honestly, I would not be surprised if larger companies started to dedicate more committed personnel into their communication and collaboration initiatives by the creation of entirely new positions that are responsible for those types of tasks.

Anyways, back to the question. To be honest, it usually just isn’t that one, it is usually a twofold one.

The first question is:

1) If and when do you think SharePoint is going to die?

Shortly followed by the second:

2) What are we going to do if SharePoint dies?

My first answer is I don’t think SharePoint is going anywhere for quite some time. The reasons for this are kind of disjointed, long, and numerous, so I will keep it to what I consider being one of an important three.

I think at the current moment a lot of people are buying into SharePoint as a secondary piece of software; however it is slowly engraining itself into corporations as becoming more of an operating system or some other type of central nexus for Office clients. So whereas you say Some Portal Thing, some might say the Beginning The Web Enablement of Office. You say it’s just a floating piece of software, I say it is a platform bringing important business concepts, and important business initiatives, (i.e. we can just say simply collaboration as an example of this), to a company. I don’t consider it to simply be a tool, I believe it brings more to the table than that. It breeds ideas and concepts, it doesn’t just simply provide some piece of functionality.

Familiarity I also think is a big portion. I think that following its proper deployment, it sort of builds dependencies from users, once people really start to become intertwined in it, taking that functionality away would be nothing but detrimental to a company. While I think this is mainly because of the familiarity talked about in the above, I believe that in a lot of the ways SharePoint tends to force business process creation within a company where they might not have existed previously. Familiarity too also spawns from the administration standpoint. I mean, you get WSS with Server 2003, and you already know Server 2003, so why not expand that knowledge to engrained products?

While these are kind of abstract reasons, we can also look at it empirically as simply a sunk investment in Office, organizations already have a high familiarity and usage rate of Office versus other client office suites, and therefore it only makes sense to harness that experience against more radical technologies that improve the overall information worker experience. I mean, nuff said right?

Lastly, I think that it is becoming much easier to develop (arg) in comparison to past versions (2003 was torrential even though that was partly the fault of Visual Studio at the time). While the portability of WebParts against the new framework is consistent so movement between CMS framework assuming it is .NET would be minimal, I think that SharePoint handling a lot of the things I normally hate as a developer such as site design, etc. is kind of nice (even though I don’t think this makes up for the lack of a visual design surface in some type of IDE). Because there is some cost associated with developing against SharePoint (since you might be using SPLists for data storage etc.) and familiarity has been grown while the application is housed in the company portal, this also makes SharePoint a rather permanent addition to a company’s IT organization.

There are a bunch of other reasons, I am sure; however these were the big three that I could think of off the top of my head. I think the big thing to consider is either software dies, or it improves. The best mentality to take away from this is a platform, not typically secondary application software, tends to have a high chance of survival, meaning it tends to continue to innovate. We have seen this leaps and bounds between the versions of SharePoint.

As a side note, in my opinion it often makes sense for a lot of organizations to buy into the stack of a company as well, sometimes it is just easier and makes better business sense from an upgrade, maintenance, and support standpoint (I am not saying it is for all organizations since some seem to do fine with a combination of OpenOffice and Liferay or JBoss Portal).

Anyways, I might expand on this post later, I am tired of writing this now though.


SharePoint Intrusion Detection Policy Template

Introduction – SharePoint Intrusion Detection Policy
Intrusion detection plays an important role in implementing and enforcing a SharePoint organizational security policy. As SharePoint grows in complexity, effective security measures must evolve.
Purpose
SharePoint-aware intrusion detection provides two important functions in protecting the SharePoint environment:

  • Feedback: Information as to the effectiveness of the IDS and associated components. If a robust and effective IDS is in place, the lack of detected intrusions is an indication that other defenses are working.
  • Trigger: a mechanism that determines when to activate planned responses to an intrusion incident.
Audience
The [Organization] SharePoint Intrusion Detection Policy applies to all individuals that are responsible for the installation of new SharePoint resources, the operations of existing SharePoint resources, and individuals charged with SharePoint resources security.
SharePoint Intrusion Detection Policy
  • Operating system, user accounting, and application software audit logging processes should be enabled on all host and server systems for internal customers.
  • Alarm and IDS alert functions of backbone firewalls and other network perimeter access control systems must be enabled, and monitored by the SharePoint administrator.
  • Audit logging of any firewalls and other network perimeter access control that may lead or display business data from the SharePoint environment must be enabled.
  • Audit logs from the perimeter access control systems must be monitored/reviewed daily by the SharePoint administrator.
  • System integrity checks of the firewalls and other network perimeter access control systems must be performed on a routine basis.
  • Audit logs for servers and hosts on the internal, protected network must be reviewed on a weekly basis. The SharePoint administrator will furnish any audit logs as requested by [Organization] management.
  • Host-based intrusion tools will be checked on a routine basis.
  • All trouble reports should be reviewed for symptoms that might indicate intrusive activity.
  • All suspected and/or confirmed instances of successful and/or attempted intrusions into the SharePoint environment must be immediately reported according to the Incident Management Policy.
  • Users shall be trained to report any anomalies in system performance and signs of wrongdoing to the [Organization] Help Desk.
SharePoint Intrusion Detection Policy Supporting Information
  • Any and all [Organization] SharePoint security controls must not be bypassed or disabled.
  • All [Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
  • The integrity of [Organization] SharePoint software, utilities, operating systems, networks, and respective data files are the responsibility of the server custodian department. Data for test and research purposes must be de-personalized prior to release to testers unless each individual involved in the testing has authorized access to the SharePoint data.
  • [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
  • All [Organization] departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure, or loss of the data within the [Organization] SharePoint environment for which they are responsible and ensure, through the use of monitoring mechanisms, that [Organization] is protected from damage, monetary or otherwise. SharePoint owners and server custodian departments must have appropriate backup and contingency plans for disaster recovery based on risk assessment and business requirements.
Disciplinary Actions
Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges and to civil and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

SharePoint Server Hardening Policy Template

Introduction – SharePoint Server Hardening Policy
SharePoint servers are depended upon to deliver business data in a secure, reliable fashion. There must be assurance that data integrity, confidentiality and availability are maintained. One of the required steps to attain this assurance is to ensure that the SharePoint servers are installed and maintained in a manner that prevents unauthorized access, unauthorized use, and disruptions in service.
Purpose
The purpose of the [Organization] SharePoint Server Hardening Policy is to describe the requirements for installing a new SharePoint server (whether front-end web, job, index, or database) in a secure fashion and maintaining the security integrity of the existing SharePoint servers and application software, both standard as well as purchased components.
Audience
The [Organization] Server Hardening Policy applies to all individuals that are responsible for the installation of new SharePoint property, the operations of existing SharePoint property, and individuals charged with SharePoint security.
SharePoint Server Hardening Policy
  • A server must not be connected to the [Organization] network until it is in a [Organization] accredited secure state and the network connection is approved by [Organization].
  • The SharePoint Server Hardening Procedure provides the detailed information required to harden a SharePoint server and must be implemented for [Organization] accreditation. Some of the general steps included in the SharePoint Server Hardening Procedure include:
    • Installing the Windows server operating system from an [Organization] approved source
    • Applying Microsoft SharePoint and other relevant supplied patches, service packs, and hotfixes
    • Removing unnecessary software, system services, and drivers
    • Setting security parameters, file protections and enabling audit logging
    • Disabling or changing the password of default accounts
  • [Organization] will monitor security issues, both internal to [Organization] and externally, and will manage the release of security patches on behalf of [Organization].
  • [Organization] SharePoint administrators will test security patches against [Organization] core resources before release where practical.
  • [Organization] may make hardware resources available for testing security patches in the case of special SharePoint applications and updates.
  • Security patches must be implemented within the specified timeframe of notification from [Organization].
SharePoint Server Hardening Policy Supporting Information
  • All SharePoint software programs, SharePoint applications, Web Part / Application source code, Web Part / Application object code, documentation and general operational data shall be guarded and protected as if it were [Organization] property.
  • The department which requests and authorizes a SharePoint application (the site / application owner) must take the appropriate steps to ensure the integrity and security of all SharePoint Web Parts and application logic, as well as data files created by, or acquired for, SharePoint applications. To ensure a proper segregation of duties, owner responsibilities cannot be delegated to the SharePoint server custodian.
  • The [Organization] SharePoint network is owned and controlled by [Organization]. Approval must be obtained from [Organization] before connecting a device that does not comply with published guidelines to the network. [Organization] reserves the right to remove any network device that does not comply with standards or is not considered to be adequately secure.
  • [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
  • All [Organization] departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure, or loss of the data within the [Organization] SharePoint environment for which they are responsible and ensure, through the use of monitoring mechanisms, that [Organization] is protected from damage, monetary or otherwise. SharePoint owners and server custodian departments must have appropriate backup and contingency plans for disaster recovery based on risk assessment and business requirements.
Disciplinary Actions
Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges and to civil and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)