Is MOSS really a secure web-ready CMS?

Saturday, June 6th, 2009

While I’ve not been doing a massive amount of SharePoint development in recent months, my company has decided to focus the internal technology team on a sizable web-site project. Since “time to market” was a key factor, it seemed sensible to pick an off-the-shelf content management system to drive the site. Initially we began evaluating enterprise solutions. MOSS had been selected as the CMS of choice due to a suggested perception that it was a secure and tested product.

In the Intranet world, there is some truth in the statement that SharePoint provides good security. On a company network, you can authenticate logins through a number of methods (Kerberous, LDAP) browsing the web for MOSS security brings all manner of techniques for securing SharePoint behind the firewall. However, on the web we are pretty much forced into using form based authentication in conjunction with the DotNet membership API, as with any other (DotNet) CMS. Sure, we also have the groups/roles/user permissions architecture coupled with the audience targeting on page content and the security that you get with the search engine – but we can find that out of the box on more web targeted products. The licensing required to put SharePoint on the web as a CMS is costly, and as a CMS the interface is often arguably less intuitive than the competition.

Don’t get me wrong. Exposing SharePoint over the web to leverage line of business data can be extremely useful. But for typical CMS needs, we wondered what MOSS really brought to the table. On paper it didn’t seem like enough to justify the huge time costs involved in adapting it to meet our requirements. We began evaluating it against the likes of sitecore, community server, DotNetNuke and many other leaner web-ready products and found ourselves settling on a middle-weight platform that matched our functional requirements very closely. The jury is still out on MOSS as a super secure platform for CMS, maybe you have a different oppinion?

I think the EMS/CMS Worlds are closing fast. SharePoint 2010 is touted to include vastly improved social networking solutions. I wonder what kind of security implications this relationship between behind the firewall data and the company Internet offering will have? Even in a form content staging/workflow environment will employees be able to handle the sheer power of drag-and-dropping data from the Intranet to the corporate web-site?

Tags: Security
Posted in Uncategorized | No Comments »