Antonio Maio
Protiviti, Senior SharePoint Architect & Senior Manager
Microsoft SharePoint Server MVP
Best Practices for Security and Governance in SharePoint 2013
Email: [email protected]
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE® 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.
• 2,500+ professionals
• 1,000+ clients
• 70+ offices
• Over 20 countries in the Americas, Europe and Asia-Pacific
Protiviti is one of the fastest growing consulting firms worldwide. Our revenues have increased from US $15 million in 2002, to US $423.8 million in 2011.
What do we know about Security and Governance?
• Security is critical in government and military deployments
• It’s a critical consideration in business
• Requires good planning
• Requires good awareness of SharePoint capabilities
• Requires knowledge of what SharePoint cannot do
• Yet… Security and Governance are still often an afterthought for many deployments
Information Governance
• Governance means setting out the structures, people, policies, procedures and controls implemented to manage information and support an organization's immediate and future requirements:
– Regulatory
– Legal
– Risk
– Administrative
– Environmental
– Operational
Governance and SharePoint
• SharePoint is a platform which offers services to your organization’s users
• Governance for the SharePoint platform means:
– Managing existing services in a predictable way
– Deploying new services in a predictable way
– Providing a clear set of guidelines for usage and administration
• Achieve strong governance for SharePoint:
1. Develop a Governance Plan
– Cross-functional: identifies ownership for business and technical teams
– Covers regulatory, risk, legal, administrative, environmental and organizational needs
2. Establish a Governance Team
– Include stakeholders from across the organization
SharePoint Deployment
• Plan your deployments and the user accounts they need
• Use least-privileged accounts
• Review the SharePoint deployment guide before you install
• SharePoint is a web application built on top of SQL Server
– Best practice: use specific user accounts for specific purposes, each with the least privileges it needs
• Benefits: separation of concerns
– Multiple points of redundancy
– Targeted auditing of account usage
– Minimizes the damage a single compromised account can do
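As an added example (not from the deck), a farm-admin PowerShell check for the account separation the slide recommends: it lists which account the farm and every application pool run as, flags accounts reused for several purposes, and flags any that sit in the server's local Administrators group. It assumes a SharePoint 2013 server with the Microsoft.SharePoint.PowerShell snap-in.

```powershell
# Added example, not the deck's own code: audit SharePoint service accounts for least privilege.
# Assumes a farm-administrator shell on a SharePoint 2013 server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$usage = @{}   # account name -> roles it is used for (keys are case-insensitive)
function Add-Usage([string]$account, [string]$role) {
    if (-not $usage.ContainsKey($account)) { $usage[$account] = @() }
    $usage[$account] += $role
}

# Every identity the farm runs under: farm (timer) account, web app pools, service app pools.
Add-Usage (Get-SPFarm).DefaultServiceAccount.Username 'Farm account (timer service)'
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Add-Usage $wa.ApplicationPool.Username "Web app pool: $($wa.DisplayName)"
}
foreach ($pool in Get-SPServiceApplicationPool) {
    Add-Usage $pool.ProcessAccountName "Service app pool: $($pool.Name)"
}

# Members of the local Administrators group, read via ADSI so it also works on Server 2008 R2/2012.
$group = [ADSI]'WinNT://./Administrators,group'
$localAdmins = @($group.psbase.Invoke('Members')) |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }

foreach ($account in $usage.Keys) {
    $sam = $account.Split('\')[-1]   # drop DOMAIN\ so it compares with the local-group member names
    [pscustomobject]@{
        Account     = $account
        UsedFor     = ($usage[$account] -join '; ')
        ReusedRoles = ($usage[$account].Count -gt 1)          # one account, several purposes
        LocalAdmin  = [bool]($localAdmins -contains $sam)     # service accounts should not be
    }
}
```

Any row with ReusedRoles or LocalAdmin set to True is a candidate for a dedicated managed account.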
Authentication
• Determine that users are who they say they are (via login)
• Configured on each web app
• Multiple authentication methods per web app
• SharePoint 2010 options
– Classic Mode Authentication (Integrated Auth, NTLM, Kerberos)
– Claims Based Authentication
– Forms Based Authentication is available through Claims Based Authentication
– Authentication mode can only be chosen in the UI when the web app is created
– Converting a non-claims based web app to claims requires PowerShell
• SharePoint 2013 options
– Claims Based Authentication is the default
– Classic Mode is deprecated; its configuration UI has been removed
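As an added example (not from the deck), PowerShell that first reports each web application's authentication mode per zone and then performs the classic-to-claims conversion the slide says needs PowerShell, using the SharePoint 2013 Convert-SPWebApplication cmdlet. The web app URL is a placeholder.

```powershell
# Added example, not the deck's own code. Assumes a farm-administrator shell on SharePoint 2013.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# One row per web app and zone: claims vs classic, Kerberos vs NTLM, anonymous access, providers.
function Get-AuthReport {
    foreach ($wa in Get-SPWebApplication) {
        foreach ($zone in $wa.IisSettings.Keys) {
            $iis = $wa.IisSettings[$zone]
            [pscustomobject]@{
                WebApp    = $wa.DisplayName
                Zone      = $zone
                Claims    = $wa.UseClaimsAuthentication      # $false = classic mode (deprecated)
                Kerberos  = -not $iis.DisableKerberos        # $false means Windows auth falls back to NTLM
                Anonymous = $iis.AllowAnonymous
                Providers = (@($iis.ClaimsAuthenticationProviders) |
                             ForEach-Object { $_.DisplayName }) -join ', '
            }
        }
    }
}

Get-AuthReport | Format-Table -AutoSize

# Convert a remaining classic-mode web app. The change is one-way; -RetainPermissions rewrites the
# existing Windows permissions as the matching claims identities so users keep their access.
$wa = Get-SPWebApplication 'http://intranet.contoso.local'    # placeholder URL
if (-not $wa.UseClaimsAuthentication) {
    Convert-SPWebApplication -Identity $wa -To Claims -RetainPermissions -Force
}
```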
Authorization
• Determine whether users have access to specific information objects and which level of access they are granted
• Accomplished through permissions in SharePoint
– Allow you to secure any information object or container
– Apply to items, documents, folders, lists, libraries and sites
– Do not apply to individual column field values
• Assigning permissions includes
– The information object or container in question
– The user, group or claim that is granted access
– The permission level we are granting as part of that access
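As an added example (not from the deck), a PowerShell report that walks a site collection and prints every place where inheritance is broken as the three parts of an assignment the slide lists: the object, the principal, and the permission level. It assumes a farm-admin shell; the site collection URL is a placeholder.

```powershell
# Added example, not the deck's own code: inventory unique permission assignments in a site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Works for webs, lists and items alike: they all derive from SPSecurableObject.
function Get-UniqueAssignments([Microsoft.SharePoint.SPSecurableObject]$obj, [string]$label) {
    if (-not $obj.HasUniqueRoleAssignments) { return }   # inherits from its parent: nothing to report
    foreach ($ra in $obj.RoleAssignments) {
        [pscustomobject]@{
            Object    = $label
            Principal = $ra.Member.Name                    # user, SharePoint group or claim
            Levels    = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

$site = Get-SPSite 'http://intranet.contoso.local'   # placeholder URL
try {
    foreach ($web in $site.AllWebs) {
        Get-UniqueAssignments $web "Web: $($web.Url)"
        foreach ($list in $web.Lists) {
            Get-UniqueAssignments $list "List: $($web.Url)/$($list.Title)"
            # Item-level breaks are the easiest to lose track of, so include them too.
            foreach ($item in ($list.Items | Where-Object { $_.HasUniqueRoleAssignments })) {
                Get-UniqueAssignments $item "Item: $($item.Url)"
            }
        }
        $web.Dispose()
    }
} finally {
    $site.Dispose()
}
```

Pipe the output to Export-Csv to hand the governance team a reviewable list of who can reach what.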
Standardized Metadata
• Implement standardized metadata fields across libraries/lists
– Library or list level
– Site column level
– Managed Metadata Service (across a site collection or the farm)
• Ensure users add metadata when adding/editing information (mandatory fields)
• Be aware of situations where SharePoint doesn’t request metadata (multi-file upload, Explorer view)
• Keep it simple: limit sensitivity classification to 3 or 4 labels
– Public, Confidential, Restricted, Highly Restricted
– Low Business Impact, Moderate Business Impact, High Business Impact
– Unclassified, Confidential, Secret, Top Secret
• Educate, Educate, Educate: What does each label mean/impact?
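As an added example (not from the deck), PowerShell that creates the four-label sensitivity classification as a required site column, attaches it to a library, and then reports documents that have no label, which is what happens after multi-file upload or Explorer view, where no metadata prompt appears. The site URL, the column name Sensitivity and the library title Documents are placeholders.

```powershell
# Added example, not the deck's own code. Assumes a farm-administrator shell on SharePoint 2013.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web = Get-SPWeb 'http://intranet.contoso.local'   # placeholder URL
try {
    # 1. Site column with exactly four labels, required on every item that uses it.
    if (-not $web.Fields.ContainsField('Sensitivity')) {
        $internal = $web.Fields.Add('Sensitivity', [Microsoft.SharePoint.SPFieldType]::Choice, $true)
        $field = [Microsoft.SharePoint.SPFieldChoice]$web.Fields.GetFieldByInternalName($internal)
        $field.Choices.Clear()
        'Public', 'Confidential', 'Restricted', 'Highly Restricted' | ForEach-Object { $field.Choices.Add($_) }
        $field.DefaultValue = ''     # no default, so a label is a conscious choice rather than a click-through
        $field.Update($true)         # push the definition to lists already using the column
    }

    # 2. Attach the column to a library. Existing documents are not back-filled.
    $lib = $web.Lists['Documents']   # placeholder library title
    if (-not $lib.Fields.ContainsField('Sensitivity')) {
        $lib.Fields.Add($web.Fields['Sensitivity'])
        $lib.Update()
    }

    # 3. Find documents that bypassed the mandatory field (bulk upload, Explorer view, pre-existing files).
    $lib.Items | Where-Object { [string]::IsNullOrEmpty($_['Sensitivity']) } |
        ForEach-Object { [pscustomobject]@{ File = $_.Url; ModifiedBy = $_['Editor'] } }
} finally {
    $web.Dispose()
}
```

Documents left unlabeled stay checked out as "Missing required properties" only when uploaded through the browser; the report in step 3 is what catches the rest.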
Recap
• Develop a SharePoint Governance Plan with key stakeholders
• Ignorance is not bliss… it’s problematic!
• Understand the type of information you have
• Develop an information architecture
• Understand the risks to that information: accidental, insider and external threats
• Use metadata to identify sensitivity
• Educate end users on the significance of sensitivities; make them part of the solution
• Deploy SharePoint with appropriate least-privileged accounts
• Determine your authentication and authorization needs
• Understand how permissions work
• Plan for how permissions are given and managed
• Understand SharePoint security features
– Others: Web App Policies, Anonymous Users, Information Rights Management, Privileged Users, Event Auditing