Friday, October 02, 2015
Should a Business Extranet Application Run on a Cloud Service?
by Jeff Cate
(Aside: our definition of a business extranet application is an application designed for secure, private collaboration between a business and a business partner such as a customer, vendor, etc. On-premises SharePoint has long been an excellent and popular platform for this type of application when it is securely published to the Internet using Forms-based Authentication (FBA).)
Of course, when we get asked this question, the cloud service most people have in mind is Office 365. Nevertheless, our response is the same regardless of which cloud service an on-premises solution is being compared to. The answer would be roughly the same for Dropbox, Box, Salesforce, etc.
Here is how we respond when this question comes up about a SharePoint on-premises extranet with our ExCM add-on versus an Office 365 extranet:
Microsoft is certainly working hard to make Office 365 the way people will want to go in the future for both intranets and extranets. However, there are currently quite a few features that a SharePoint on-premises with ExCM solution offers that are not yet available in Office 365's external sharing feature set. We do not have an exhaustive list prepared, but we do have a blog post that goes through a few of the most important ones:
With that said, we also think that Microsoft is devoting developers to add a lot of extranet-specific features to Office 365 that will eventually close the gap between it and SharePoint on-premises with ExCM.
So, when that day comes, why would anyone want to use SharePoint on-premises with ExCM for their extranet solution when they can just sign-up for an Office 365 subscription and use the external-sharing feature?
Here are some things we think are worth considering that will always give an on-premises SharePoint extranet distinct advantages over Office 365 external sharing:
1. Office 365 customers will never have the degree of control over external user accounts that they have with SharePoint on-premises and ExCM.
With SharePoint on-premises and ExCM, the customer completely owns and controls the external user account directory (the on-premises extranet directory, stored in a SQL Server database). That means that if you never want an external user to have access to any of your content again, you can guarantee it by simply removing their account from the directory (using the ExCM interface, of course). One click and the external user can no longer log in to anything on your extranet. One caveat a practitioner should keep in mind: removing the account blocks new logins, but a browser session that has already authenticated holds its FBA session cookie until that token expires, so keep the token lifetime for the extranet web application short.
With Office 365, Microsoft owns and controls the external user account directory. That directory is Azure AD, shared by every Office 365 tenant and holding millions of user accounts, and the identity an external user signs in with (a Microsoft account or another organization's Azure AD account) lives outside your tenant. The fact that all user accounts (internal and external) are stored in Azure AD is a double-edged sword, in our opinion. It is both good and bad in an extranet scenario.
Once a user has an Azure AD record (either because they are an Office 365 subscriber or because they previously accepted an external sharing invitation from another Office 365 subscriber), you cannot delete or disable that record. Yes, you can "un-share" your content with that external user, but that presumes you can find everything you previously shared with them and then undo the sharing.
We don't know how well the Office 365 features currently help you with the "un-share" scenario, but it is certainly not as easy or sure-fire as with SharePoint on-premises and ExCM, where you can simply remove the external user's account from the directory and prevent them from ever logging in to your extranet again. (A tenant administrator can remove an external user from the tenant's external-user list with the SharePoint Online Management Shell, which revokes that user's access to the tenant, but the identity itself persists and can be invited again.)
Microsoft will never be able to allow the ExCM approach with Office 365, because the external user's Azure AD account is likely used for many different purposes within the Microsoft ecosystem besides your company's sharing with it.
So, remember: with an on-premises SharePoint FBA extranet, your company owns the external user account store; with Office 365, your company has no control over the external identity itself, only over what that identity is allowed to reach in your tenant.
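To make the "un-share" discussion above concrete, here is the tenant-side revocation that Office 365 does offer, as an added example written for this edit; it is not code from the original post, from ExCM, or from Microsoft's documentation. It assumes the SharePoint Online Management Shell module is installed and that the account connecting is a SharePoint administrator; the tenant admin URL and the partner's e-mail address are hypothetical placeholders.

```powershell
# Added example (not from the original post). Assumes the SharePoint Online
# Management Shell (Connect-SPOService, Get-SPOExternalUser,
# Remove-SPOExternalUser) and a SharePoint admin account.
$AdminUrl    = "https://contoso-admin.sharepoint.com"   # hypothetical tenant
$PartnerMail = "jane@partner.example"                    # hypothetical external user

Connect-SPOService -Url $AdminUrl

# Page through the tenant's external-user list. The cmdlet returns at most
# 50 entries per call, so keep requesting pages until one comes back short.
$external = @()
$pos = 0
do {
    $page = @(Get-SPOExternalUser -Position $pos -PageSize 50)
    $external += $page
    $pos += 50
} while ($page.Count -eq 50)

# Audit view: who was invited, by whom, when, and which account they
# actually accepted the invitation with (AcceptedAs can differ from Email).
$external |
    Select-Object DisplayName, Email, AcceptedAs, InvitedBy, WhenCreated |
    Sort-Object WhenCreated -Descending |
    Format-Table -AutoSize

# Revoke one partner. Remove-SPOExternalUser removes the entry from the
# tenant's external-user list, which blocks that user's access across the
# tenant; it does not delete or disable their underlying Microsoft account
# or Azure AD identity, and they can be re-invited later.
$target = $external | Where-Object { $_.Email -eq $PartnerMail }
if ($target) {
    Remove-SPOExternalUser -UniqueIDs @($target.UniqueId) -Confirm:$false
} else {
    Write-Warning "No external user with address $PartnerMail in this tenant"
}
```

Run the audit section on its own first; the `AcceptedAs` column is the one to watch, since it shows the identity that actually holds access rather than the address that was invited.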
2. With Office 365 as your extranet platform you are introducing a third party (Microsoft, in this case) into the business process of sharing confidential content with your business partners. With SharePoint on-premises and ExCM, it is guaranteed to be just you and your business partner, always. A third party is never involved in any way, because the whole system runs in your data center under your total control.
We would make the case that extranet content is usually even more sensitive, and has higher security requirements, than intranet content. Many of our ExCM customers use it to share sensitive, private information with their customers. For example, many law firms use ExCM to share legal documents with clients. By using SharePoint on-premises and ExCM, it should be 100% clear to both the client and the law firm that the shared content is kept completely private between the two parties, because the law firm controls every aspect of the system and the data.
Microsoft has said that it has implemented air-tight controls in Office 365 so that no Microsoft employee could ever see or alter a subscriber's content. Let's assume that is right and that it is 100% air-tight. There are still plenty of other ways data or content could be breached. What if a breach occurs? Now the law firm has to explain to its client that the content they were sharing is actually maintained somewhere in Microsoft's vast network of data centers, that the law firm does not have absolute, total control over it, and that the third party has given assurances that there is no way it could ever breach the data itself. Nevertheless, somehow a breach has occurred.
Will the client believe this about the cloud service provider (Microsoft)? Even if they do, how will it make the law firm look to the client? Will the client believe that the law firm did everything it possibly could to protect the confidential content? If I were the client, I would probably be thinking, "Why didn't the firm take Microsoft out of the equation in the first place and just host this confidential content on-premises instead of in Office 365? It's not like the firm doesn't have enough money to host it themselves!" If I were the client, I might start thinking about moving my legal business to another firm.
So, back to the question in the title: should you run your company's extranet application on a cloud service such as Office 365 rather than on-premises with SharePoint and ExCM? Maybe, but you and your company should first think hard about the long-term business implications of the control you will be giving up. You should ask, "If there is a data breach, how will our business partners react when they find out that the confidential content they have been sharing with us is actually maintained in a third party's system?" Do we want to risk the business relationship when we could host the extranet application on-premises with excellent administrative features and usability?