Sunday, June 28, 2015

Analyze loopholes in SharePoint Security Framework

Annotated References
Dokic, D., Zrakic, M. D., Bogdanovic, Z., & Labus, A. (2015). Application of SharePoint Portal Technologies in public enterprises. Revija za univerzalno odli─Źnost [Journal of Universal Excellence], 4(1), A11-A25. Retrieved from http://www.fos.unm.si/media/pdf/RUO/2015-4-1/Application_of_sharepoint_portal_technologies_in_public_enterprises.pdf
This paper deals with application of portal technologies for enhanced content management, document management, and collaboration within public enterprises. The goal is to achieve efficient exchange of information on all hierarchical levels, as well as mechanisms of reporting and performance measurements, such as business intelligence and key performance indicators, taking into account concepts of scalability, availability, ubiquity and pervasiveness. A case study of application within the public enterprise Post of Serbia is used to achieve the goal. The results of analysis show that application of Information and Communication Technologies (ICT) necessarily leads to transformation of business processes that are based on flow of paper documents. In addition, application of ICT leads to standardization, changes in organization structure, and change management.

 SharePoint as an ICT needs major organizational level contribution from participants and there is no unified approach available as of date, which could be implemented to streamline process, in order for a smooth transition. When it comes to surface that this transformation is way too expensive than expected and relatively unsecure, generally it’s too late. There should be a formal study published, to identify these risk factors.

Jali, M. Z., Furnell, S. M., & Dowland, P. S. (2010). Assessing image-based authentication techniques in a web-based environment. Information Management & Computer Security, 18(1), 43-53. doi:10.1108/09685221011035250
The authors analyzed usability of two image-based authentication methods when used in the web-based environment - clicking secret points within a single image (click-based) and remembering a set of images in the correct sequence (choice-based). For direct comparison of usability same set of forty participants (thirty-three males and seven females) were given paper and web based tasks and based on user feedback, these two techniques were evaluated. The results suggest that click based authentication is more secure and choice-based authentication has better scores in terms of usability. Although participants rated the choice-based method as weak, it was still their preferred alternative for replacing passwords. This result suggests that participants preferred "convenience", albeit with an awareness of the "security" risks.

With SharePoint 2013 claim based authentication, it might be possible to insert multiple security layers enveloped under same set of services. Username and password combination along with click-based/choice-based user verification is something we need today. It’s worth a million dollar to conduct usability & technical feasibility study of suggested approach.

Nastase, P., & Eni, L. C. (2015). Developing an online collaborative system within the domain of financial auditing. Amfiteatru Economic, 17(39), 823-835. Retrieved from http://econpapers.repec.org/article/aesamfeco/v_3a39_3ay_3a2015_3ai_3a17_3ap_3a823.htm
The paper discusses technical design for online availability of audit records using SharePoint. The online audit records here means information required by both financial auditors and the employees of the Chamber of Financial Auditors of Romania. This technical design evaluation involved feasibility study and later implementation using Microsoft SQL Server 2008 R2, SharePoint Server 2010, SharePoint Designer 2010 and various implementation features: external content types, external lists, business data web parts etc. Two research methods highlighted in this paper are: the first one is empiric, based on formulating a questionnaire and the interpretation of the results, while the second is the analysis of the implementation process by using a step-by-step approach. The online audit database stores information about the results of previous audits, the opinions issued as result of audits, the results of online electronic inspections, audit firms, audited entities, risks identified etc. The conclusion was that the online database, which is updated through Internet, is feasible to implement in SharePoint, for multiple audit stakeholders including financial auditors who can sell their financial audit services benefiting from the transparency that the system provides.


This article, even though elaborates well the technical design and feasibility of SharePoint and related tools for reporting purposes and signifies use cases where business connectivity services may be leveraged. One of the most important concerns is untouched here: dynamic nature of reports (if required) based on business rules for multiple users using same platform. This must be addressed in a separate paper, considering the fact that when a solution is implemented it must cater future needs and at the same time this flexibility should not open new security loopholes.

No comments:

Post a Comment