IT Security is a top of mind issue these days. Be it questions about what the NSA might be doing with our private communications, or concerns about the recent hacking and data theft reported by retailers like Target and Neiman Marcus, everyone feels a bit safer when we know that our data is secure. This applies to our personal data, of course, but it also applies in the work we do as SharePoint Consultants in Atlanta and beyond. So let’s take a look at methods you can use to make your SharePoint environment more secure.
A solid solution for a publicly facing online system is to employ a two-step (or multi-step) authentication to the sign in procedure. As it sounds, it adds an additional step or steps to see if the user really is who they claim to be. Beyond the standard username/password combo, it might also include a secure IT Key Fob (Simi-random number generator), an SMS text message, security questions with specific answers, or a verification email with system generated verification links.
The pro to this is that it can certainly enhance security – much the way a dead-bolt can enhance the security of a standard door lock mechanism. The con is that many of your users hate these extra steps because all they really want to do is log in and get access to what they need. We all hate delays and stumbling blocks – even when it means better security.
The fact of the matter is that for most of the IT space, these extra steps are a necessary evil. As we’ve seen with Target’s security breach, there is a big PR disaster waiting for any company that doesn’t embrace best security practices. This is why we see companies like Amazon, Facebook, Dropbox, Paypal and more relying on multi-step security. You might be able to gain basic access to an Amazon account which will allow you to view customized buying suggestions, but if you try to access your account information from an unknown computer, you will likely need to provide additional credentials to view that more privileged information.
Now we know why we may have to deal with two-step security, which begs the question of how to implement it in SharePoint. At present, SharePoint 2013 doesn’t provide this functionality natively, but it is possible to build such by leveraging the web services so tightly connected to SharePoint. It is beyond the scope of this post to detail how to do that, but we can give you a general idea of where and how to start.
Use Windows Azure
SharePoint 2013 can be hosted on Microsoft’s Windows Azure infrastructure. Windows Azure provides a two-step authentication method which is tied to active directory. This is as close as SharePoint Developers can come to an approved methodology of implementing this type of authentication, at least at present. However this is going to be best implemented with Windows Azure being a part of the development from the beginning. It can be very challenging to work this in otherwise.
Custom Claims Provider
This method is more time-intensive for the developer, but it can also be more customizable, so you’ll need to judge if that aspect is worth the extra work. Essentially you’ll need to connect to a claims provider for the authentication, and then once SharePoint is connected to the claims provider, the claims provider could require additional authentication of the user before opening things to them. It can be seen as an outer locked door that lets you into an apartment building, but you’ll need a second set of keys to get into any specific apartment.
Again, we need to emphasize – this method means more work for the developer.
Third Party Tools
When faced with a problem that isn’t included in the box, you can count on an enterprising person or company to develop a solution. Such is the case with two-step security. The fine folks over at Comodo have produced such a product, The Comodo Two Factor Authentication Solution. It isn’t for us to endorse their solutions, but we are simply pointing to it as an example of what you try if you don’t have the cycles to develop your own unique system.
So what do you think? Have your clients embraced security over ease of access? What solutions have you tried to balance security with simplicity? Let us know in the comments section below.