Burton Group: SharePoint Identity Management and Access

Extract from Burton Group report concerning SharePoint Identity Management and Access:


The success of Microsoft SharePoint has moved it from a department or workgroup collaboration tool to a critical enterprise application. IT administrators can be frustrated when attempting to apply common access and identity management lifecycle controls to this collaboration application because of its inherent limitations. A bevy of third-party tools have emerged to fill the breach, but their usefulness may be limited due to extra cost, operational complexity, and impending enhancements to Microsoft’s core platform capability.


Popularity can be a double-edged sword. Microsoft Office SharePoint Server 2007 has experienced tremendous market acceptance as a collaboration tool across workgroups and departments both within and between enterprises. It turns out that unrestrained deployment of SharePoint is fine until it hosts regulated or sensitive content such as marketing plans, client information, classified documents, or intellectual property. IT departments are now forced to apply the usual identity and access control regimen to SharePoint implementations—not an easy task when SharePoint can be deployed with little to no IT assistance or when SharePoint lacks the inherent management tools for very large and complex deployments.

Market conditions created by SharePoint have spawned a wave of third-party tools to address various aspects of managing SharePoint access requirements. In particular, the entitlement and access management market has recognized a golden opportunity to remedy an acute IT pain point. Vendors in this market segment are developing SharePoint-specific integrations to manage access to SharePoint resources to a very granular level as well as across site collections and farms. Few of these access management vendors, other than BEA Systems (now part of Oracle) and Cisco Systems, are household names—yet. But vendors like Bayshore Networks, BiTKOO, Epok, Jericho Systems, NextLabs, Rohati Systems, and The Dot Net Factory have a very large market opportunity in front of them.

The other large-suite vendors remain mostly on the sidelines for now, leaving the lesser-known vendors to fill a market void. However, Microsoft is not standing still and is expected to announce additional enhancements that will address some of SharePoint’s shortcomings.


In June 2007, Microsoft reported that its SharePoint business unit generated more than $800 million in revenue for fiscal year 2007. A Microsoft SharePoint conference attracted more than 5,000 attendees in April 2008. It is no wonder that identity management architects and implementers are beginning to feel intense pressure to control and secure this collaboration platform. SharePoint has moved well beyond the departmental tool to become part of the critical business infrastructure for many enterprises. Acute attention to SharePoint access management is warranted when collaboration content includes sensitive or regulated data that is subject to the enterprise’s compliance regimen. Thus, SharePoint is the latest addition to the growing list of applications that IT must include in their identity management architecture and strategy.

The popularity of SharePoint is a mixed blessing, particularly for IT departments tasked with securing a burgeoning collaboration platform built on layers of Microsoft technology. In this overview, Microsoft Office SharePoint Server (MOSS) 2007 and Windows SharePoint Services (WSS) are collectively referred to as “SharePoint.” SharePoint relies heavily on the Windows Server platform for directory, Kerberos, and other infrastructure services. In addition, enterprises can choose from a growing list of third-party point solutions to shore up limitations or gaps in SharePoint. (More details about the SharePoint security model and extranet access can be found in the Collaboration and Content Strategies MBP document “SharePoint Beyond the Firewall.”)

SharePoint has reached mainstream status as a collaboration tool, but the same cannot be said when discussing SharePoint identity management and access control. Industry best practices are yet to be established for many aspects of enterprise deployment of SharePoint. For example, Microsoft recommends that enterprises place a separate SharePoint site instance in the network’s demilitarized zone (DMZ) to host content for extranet access (see Figure 4), but this deployment mode creates a data synchronization challenge between internal and external SharePoint sites and creates issues with authenticating users through the firewall unless a separate directory is also implemented in the DMZ. In addition, some third-party security providers, such as NextLabs and Rohati Systems, prefer a deployment model that doesn’t require an extra SharePoint site in the DMZ. Speaking of third-party tools, Microsoft has launched yet another cottage industry: in this case, vendors are racing to address enterprise requirements for managing access to SharePoint, but access management products in particular have limited field experience in production deployments at this time—a problem only more time and enterprise deployments will address. Even as these vendors rush to fill the gaps in SharePoint identity management and access control, Microsoft has announced or hinted at significant changes ahead for Active Directory Federation Services (ADFS), an advanced claims-based authorization model, and tighter integration of Identity Lifecycle Manager (ILM) with the Office environment.

Needless to say, it will be an interesting time for IT professionals over the next few years as they continue to wrestle with explosive growth of SharePoint sites, limited industry best practices, immature third-party tools, and shifts in Microsoft’s identity management strategy. This overview examines the current situation and provides a description of several third-party identity and access tools.

Source: http://www.burtongroup.com/Client/Research/BinaryResearch.ashx?action=PDF&cvid=1606