The risk of customizing SharePoint

300,000 organizations world-wide customize SharePoint to make the platform an even better fit for their needs. What they don’t realize is that customizations can leak their confidential data. But does that mean you should stop customizing SharePoint altogether?

SharePoint, for everything

Over the years Microsoft SharePoint became known as the organizational Swiss Army knife. Organizations use SharePoint for virtually everything. Project teams use SharePoint to collaborate. Marketing and communication departments build highly branded portals where they share the latest corporate news and announcements. Organizations use SharePoint as an application platform to host business-critical solutions. The list goes on and on.

And while SharePoint offers rich capabilities out of the box, it is by customizing it that organizations truly benefit from SharePoint’s full potential.

A brief history of customizing SharePoint

Originally SharePoint was a server product that organizations hosted on their own premises. Only later, with the announcement of BPOS and subsequently Office 365, could customers subscribe to SharePoint hosted by Microsoft.

When organizations hosted SharePoint themselves, they could deploy customizations directly to their servers. This is not an option in the cloud. In Office 365, multiple organizations share the same SharePoint servers. If one of them deployed assemblies to a server, those assemblies could degrade performance for other customers and potentially even access their confidential data. This is not acceptable.

At the same time, JavaScript became more powerful. Microsoft supported this shift by providing APIs that developers and power users could use to communicate with SharePoint and interact with its data. It was no longer necessary to deploy customizations to SharePoint servers. Using JavaScript, anyone who could edit a page could customize SharePoint for their organization.

Not surprisingly, building customizations using JavaScript became very popular among SharePoint users all over the world. With hundreds of thousands of free, ready-to-use libraries available on the internet, developers and power users today can deliver very compelling solutions in a matter of minutes. And they can do it without involving the IT organization at all.

However, what they don’t realize is that using JavaScript in SharePoint exposes their environment – and therefore their data – to severe risks.

The risk of JavaScript customizations

Using SharePoint’s powerful APIs, developers can do everything from retrieving data stored in lists to searching for confidential documents and downloading them in full. It is also possible to change user permissions through the SharePoint APIs, giving all employees access to confidential data in the organization.

SharePoint customizations built using JavaScript run unrestricted under the identity of the current user. Whatever the current user can do, these scripts can do, too. When an administrator or the CEO visits a page, scripts on that page can access all the confidential data stored in SharePoint on their behalf and freely send it to third-party services on the internet.

The risk is real! There is not a single organization out there that uses SharePoint and doesn’t load jQuery or other scripts hosted on the internet. In many cases, they have no idea what is inside the scripts they load on their corporate pages, or who has access to update those scripts. The hundreds of thousands of dollars spent on security are pointless because of this. A convenient weather widget, a live traffic report or a fancy organization chart web part can, without any effort, bypass all advanced security, multi-factor authentication, enterprise-grade firewalls and threat detection systems and leak confidential data, just like that.

Trust, but verify

Organizations using SharePoint should acknowledge the fact that their confidential data is at risk. Every SharePoint tenant is customized. If you think yours isn’t, you might simply not know about it. Remember, anyone who can edit a page can add a piece of JavaScript from the internet.

Through its recent investments in SharePoint customization capabilities, Microsoft is giving control back to administrators. Still, as long as organizations don’t review the scripts they use in their solutions, they could be leaking confidential information without even knowing it.
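A practical first step in that review is simply knowing which scripts a page loads and from where. The following is an added example, not code from the original article or from Rencore’s products: it inventories the `<script src>` references in a page’s HTML and flags externally hosted scripts that are not pinned with an integrity hash. The page HTML, the tenant host `contoso.sharepoint.com`, the CDN hosts and the `sha384-PLACEHOLDER` value are all constructed for the example.

```javascript
// Added example (not from the original article or Rencore's products).
// Inventories <script src="..."> references on a SharePoint page so externally
// hosted scripts can be reviewed. Runs in Node without a DOM; the sample page,
// hosts and integrity value below are constructed placeholders.

// Pull every <script ...> tag with a src attribute out of raw page HTML.
function extractScripts(html) {
  const tagRe = /<script\b([^>]*)>/gi;
  const found = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script: nothing external to classify
    found.push({ src: src[1], hasIntegrity: /\bintegrity\s*=/i.test(attrs) });
  }
  return found;
}

// Classify each script by host. pageOrigin resolves relative and
// protocol-relative srcs; trustedHosts are the hosts the tenant controls.
function auditScriptSources(html, pageOrigin, trustedHosts) {
  const trusted = new Set(trustedHosts.map((h) => h.toLowerCase()));
  return extractScripts(html).map((s) => {
    const host = new URL(s.src, pageOrigin).host.toLowerCase();
    const external = !trusted.has(host);
    return {
      src: s.src,
      host,
      external,
      // Whoever controls an external host can change the script at any time;
      // without an integrity hash the page loads the new version silently.
      needsReview: external && !s.hasIntegrity,
    };
  });
}

// Constructed sample page: one tenant-local script, one jQuery build loaded
// from a public CDN, one third-party widget pinned with an integrity hash.
const SAMPLE_PAGE = `
<script src="/_layouts/15/init.js"></script>
<script src="//code.jquery.com/jquery-3.3.1.min.js"></script>
<script src="https://cdn.example.net/weather-widget.js" integrity="sha384-PLACEHOLDER"></script>
<script>var pageContext = {};</script>
`;

const report = auditScriptSources(SAMPLE_PAGE, "https://contoso.sharepoint.com/sites/hr/", ["contoso.sharepoint.com"]);
for (const r of report) {
  console.log(`${r.needsReview ? "REVIEW " : "ok     "} ${r.host.padEnd(26)} ${r.src}`);
}
```

Anything flagged REVIEW is a script whose content and update rights lie outside the tenant; that is the list to start reviewing.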

Regaining control over the security of your confidential data stored in SharePoint is a tedious process, but you can’t afford not to do it. The reputation of your organization and its success are at stake. The longer you wait, the bigger the risk.

Rencore’s Governance and Risk Prevention solutions help you minimize risks by continuously analyzing and monitoring your customizations. Find out how to take back control of your organization’s customizations today!


About the author

Waldek is a Microsoft Office Development MVP and Product Owner Customization Governance at Rencore. He reinforces our product development, adding loads of business experience from working as a SharePoint consultant for more than 10 years. Waldek is passionate about what he does and shares his enthusiasm through his blog and as a regular speaker at conferences and community events all over Europe. Recently, Waldek joined the SharePoint Patterns and Practices (PnP) Core Team to help developers make better use of the SharePoint and Office 365 platforms.