How to manage SharePoint security and data

SharePoint Session 1 - How to Manage Security and Data Access Across Multiple SharePoint Locations
Ron Charity • [email protected] • 416-300-6033

Posted on 25-May-2015


TRANSCRIPT

Page 1: How to manage SharePoint security and data

SharePoint Session 1 - How to Manage Security and Data Access Across Multiple SharePoint Locations

• Ron Charity
• [email protected]
• 416-300-6033

Page 2: How to manage SharePoint security and data

Read me

• Session 1 - How to Manage Security and Data Access Across Multiple SharePoint Locations
• This VTS is scheduled for September 24th.
• 45 minutes in duration
• Target Audience: This webinar is aimed at the architect, governance team, records managers and administrators of the SharePoint Service. The webinar will provide the audience with a farm architecture, SharePoint settings, recommendations for third party tools and operational activities designed to help manage security.

Page 3: How to manage SharePoint security and data

BIO

Ron Charity: A published technologist with 20+ years in infrastructure and application consulting. Experience working in the US, Canada, Australia and Europe. Has worked with SharePoint technologies since 2000. Currently he is responsible for a large global SharePoint environment consisting of several farms that service 140 countries. Plays guitar in a band, rides a Harley Nightster, owns a Superbird and enjoys travel, especially beaches.

Page 4: How to manage SharePoint security and data

Objectives

• What are you managing to?
• Who you require on the team
• Developing a master plan
• Building the case to obtain funding
• Maintaining momentum and measuring progress
• Technology, operational, policy and process
• Training and awareness programs
• Wrapping it all together with governance

Page 5: How to manage SharePoint security and data

Agenda

• Common risks
• Compliance, audits and how they help
• Security policy and control plan
• Quality assurance
• Technology
• Operational activities
• Training and awareness
• Governance
• Where to get started
• Who should be on the team

Page 6: How to manage SharePoint security and data

Before we get started…

• There are many ways to approach this topic
• Depends on your role, whether you work in a regulated industry, whether you have been audited, your level of funding…
• I will cover a top-down approach but also be specific about what you can do to help get things under control
• If you've been audited and have risks, you're in a good place, believe it or not
• If you have not been audited and/or don't have a diligent security officer and no funding…well…

Page 8: How to manage SharePoint security and data

What are you managing to?

• In a regulated industry? Finance, energy?
• Have you been audited? Self audit?
• If you have not, use the theme of de-risking
• Have a control plan
• Key areas where auditors find holes are:
– People – internal threat management
– Site security and high-risk content in sites
– Documentation, documentation etc…
– Disaster recovery, security policy and quality assurance

Page 9: How to manage SharePoint security and data

Common risks

• Site permissions are not associated with AD security – no governance
• Encryption of data (at rest and across the wire)
• Search can expose documents you didn't know were exposed
• Abandoned/unused sites, owners change
• Sheer size of environments – impossible for admins to keep up
• Architecture doesn't support data privacy or compliance

Page 11: How to manage SharePoint security and data

Security and Control Plan

• Security policy is generally owned by the security office and is product specific.
• Data classification guidelines
• A control plan is the department's plan for implementing the security controls required by the policy.
• Security policy must be a key factor in your architecture and operational activities.
• Security must sign off on your designs
• If they don't, you are open to audit risk

Page 12: How to manage SharePoint security and data

Security and Control Plan

• The policy is auditable, and you (your team) and department will be audited and measured based on it.
• As you implement your security policy and manage with a control plan, you must be documenting as well so there is traceability:
• Action plans
• QA sign-offs
• Operational transition sign-offs

Page 13: How to manage SharePoint security and data

Quality assurance

• Generally performs functional, performance and security testing
• Quality checkpoint
• QA adds structure and de-risks
• Staffed with experienced staff
• Documented process, policy and reports
• Tools for load testing
• Environments that mimic production as closely as possible

Page 14: How to manage SharePoint security and data

Data Custodians

• LOBs own the data and therefore must have a stake in the game
• Custodians must be assigned to make sure data is secure
• LOB custodians are appointed by management
• Have a clearly defined mandate and activities
• A custodian network must be established
• Ongoing mentoring and training established

Page 15: How to manage SharePoint security and data

Data Custodians

• Primary and secondary custodians in place
• Place ownership at the site collection or site level
• Succession plan must be in place as people move on
• Security control plan must enforce the need for this to motivate the business – audit fear
• Establish monitoring and internal audits to make sure they are doing their job

Page 16: How to manage SharePoint security and data

Technology

• Tools will be required to automate, report and track – manual efforts won't be effective
• You get what you pay for…
• There are a few key technologies you will require to be successful:
• Govern site provisioning
• Automated security penetration testing tools
• Automated security policy enforcement and reporting tools
• Content auditing and reporting tools

Page 17: How to manage SharePoint security and data

Technology

• Why do you need these tools?
• Automation required (manually you can't keep up)
• Enforcing settings and policy (globally)
• Reporting on content and security setting inconsistencies
• Global setting changes (fast and consistent)

• These tools must be noted in your control plan
• The reports must be generated for traceability purposes
• Used in action plans to de-risk and control

Page 18: How to manage SharePoint security and data

Technology

• Integrate your EDRM tool
• Most if not all integrate in some manner
• Provides site admins and users with a simple way to move records to the EDRM tool
• Generally the EDRM tool issues are with site provisioning, training and awareness
• Also consider using SharePoint as the EDRM, but it's not certified the last I checked

Page 19: How to manage SharePoint security and data

Technology

• There are a few key technologies you will require to be successful:
• Content auditing
• Setting audits
• Security penetration testing
• SharePoint administration tools

• For SharePoint it's all about automation and consistent repeatability
• These tools must be noted in your control plan

Page 20: How to manage SharePoint security and data

Technology

• Design based on SLA, EDRM policy, security policy, regional policy and administrative islands
• Farms can be regional, purpose built or political islands
• Network bandwidth and latency can be addressed with WAN accelerators
• Governance will help you get executive support and funding and align the stakeholders so you get action

Page 21: How to manage SharePoint security and data

Operations

• Data security activities must be practiced daily
• Activities must be assigned to named staff
• Operational activities and individual responsibilities must map to the control plan
• Schedules must be in place and communicated
• Running security penetration tests
• Site usage and content compliance tests
• Site security compliance tests
• Reports generated must be actioned and traceable
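The site security compliance tests listed above, and the permission and abandoned-site risks from the Common risks slide, can be scripted on an on-premises SharePoint Server farm. The script below is an added example, not part of the presentation; it assumes the Microsoft.SharePoint.PowerShell snap-in (the SharePoint Server object model), an output path and a 180-day "stale site" threshold chosen purely for illustration.

```powershell
# Added example: farm-wide site security compliance report (SharePoint Server, on-premises).
# Findings: permissions granted directly to users instead of AD groups, grants to broad
# audiences (Everyone / All Authenticated Users), and sites with no recent content changes.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$staleDays  = 180                                        # assumed threshold for "abandoned" sites
$reportPath = "C:\Reports\SiteSecurityCompliance.csv"    # assumed output location
# Claims-encoded logins for broad audiences in SharePoint 2013 claims mode, plus the classic-mode form.
$broadAudiences = @('c:0(.s|true', 'c:0!.s|windows', 'NT AUTHORITY\authenticated users')

$findings = foreach ($site in Get-SPSite -Limit All) {
    foreach ($web in $site.AllWebs) {
        # Only webs that broke inheritance carry their own role assignments.
        if ($web.HasUniqueRoleAssignments) {
            foreach ($ra in $web.RoleAssignments) {
                $member = $ra.Member
                # Skip SharePoint groups here; only direct user/AD-group grants are assessed.
                if ($member -isnot [Microsoft.SharePoint.SPUser]) { continue }
                $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';'
                if ($broadAudiences -contains $member.LoginName) {
                    [pscustomobject]@{ Url = $web.Url; Finding = 'BroadAudienceGrant'
                                       Principal = $member.LoginName; Roles = $roles
                                       LastModified = $web.LastItemModifiedDate }
                } elseif (-not $member.IsDomainGroup) {
                    # A named user rather than an AD security group: no governance tie-in.
                    [pscustomobject]@{ Url = $web.Url; Finding = 'DirectUserGrant'
                                       Principal = $member.LoginName; Roles = $roles
                                       LastModified = $web.LastItemModifiedDate }
                }
            }
        }
        # Abandoned/unused site candidate: nothing changed for longer than the threshold.
        if ($web.LastItemModifiedDate -lt (Get-Date).AddDays(-$staleDays)) {
            [pscustomobject]@{ Url = $web.Url; Finding = 'StaleSite'; Principal = ''
                               Roles = ''; LastModified = $web.LastItemModifiedDate }
        }
        $web.Dispose()
    }
    $site.Dispose()
}

# Persist the report for traceability, then summarise by finding type.
$findings | Export-Csv -Path $reportPath -NoTypeInformation
$findings | Group-Object Finding | Select-Object Name, Count | Format-Table -AutoSize
```

The script assesses direct role assignments only; membership of SharePoint groups is not expanded, so a second pass over group members is needed for a full picture.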

Page 22: How to manage SharePoint security and data

Operations

• Management tools can help
• Take corrective action for site:
– Usage violations
– Content violations
– Site security violations

• Logging and alerting on compliance and intrusion detection:
– Named staff
– Process for logging, escalation and actioning

Page 23: How to manage SharePoint security and data

Training and awareness

• You didn't tell me 7 times…
• Training must be ongoing and sites monitored
• Establish a mentoring network and tools such as a site
• As a colleague once said… you didn't tell me 7 times…
• There MUST be an HR-enforced training program for security specific to SharePoint

Page 25: How to manage SharePoint security and data

Governance

• Don't underestimate push back
• Expect funding and organizational resistance
• Align IT with business objectives
• Executives must have clear visibility of risks and your control plan
• Governance is a key tool that will help:
– Team awareness regarding risks
– Decision traceability
– Control plan well understood

Page 26: How to manage SharePoint security and data

Mgmt / Architects - Where do I start?

• Recently audited?
– If not, work with the administrator, security and records management to assess risks
• What resources are required to address risks?
– Is it money? Time? Executive approvals?

• How much time will it take to fix?
– Work with the architect and administrator
– Whiteboard top priorities
– Estimate resources, duration and costs
– Develop an action plan

Page 27: How to manage SharePoint security and data

Administrator - Where do I start?

• Recently audited?
– Follow recommendations in the audit
– Develop a plan with your management
– Build a case for improvements

• If not, then:
– Assess your environment and document risks
• Follow Microsoft security guides and gut instinct
– Run reports on the sites
– Work with the security and records manager
– Present risks to management and develop a plan

Page 28: How to manage SharePoint security and data

Best Practices

• Use governance
• Follow security policy
• Follow records management policy
• Design your environment based on the policy
• Be able to demonstrate you followed the policy – sign-off checkpoints
• Use third-party tools to report on SharePoint and user compliance

Page 29: How to manage SharePoint security and data

Additional Reading

• Audit manuals – ISO 17799:2005
• Records Mgmt – Contact your Records Manager
• AIIM – www.aiim.org
• CSO – http://www.csoonline.com/article/739249/5-implementation-principles-for-a-global-information-security-strategy
• SharePoint Security fundamentals – http://technet.microsoft.com/en-us/magazine/ff625837.aspx
• Plan for – http://technet.microsoft.com/en-us/library/hh377941.aspx
• AvePoint webinar – https://www.avepoint.com/on-demand-form/?url=http://www.avepoint.com/assets/movie/webinar/
• Axceler webinar – http://axceler.com/resources/webinars/

Page 30: How to manage SharePoint security and data

Q&A

• Questions?
• Ideas or suggestions you want to share?
• Text chat or contact me at:
– [email protected]
– ca.linkedin.com/in/ronjcharity/
– www.facebook.com/ron.charity