SharePoint Online - NYS Forum Home · 11/13/2019 · Exchange Online, SharePoint Online, OneDrive...
Confidential, Deliberative, Intra- or Inter-Agency, Non-final Communication, FOIL Exempt Draft.
SharePoint Online
DLP, IRM, SPO Groups/AD Groups, Governance, Best Practices, Information Security, Audit Logs and ShareGate
O365 CoP – November 2019
DLP – Data Loss Prevention
November 13, 2019
DLP – Data Loss Prevention ~ Overview
• Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams.
• Prevent the accidental sharing of sensitive information.
• Monitor and protect sensitive information in the desktop versions of Excel, PowerPoint, and Word.
• Help users learn how to stay compliant without interrupting their workflow.
• View DLP reports showing content that matches your agency’s DLP policies.
DLP – Data Loss Prevention Policy Templates
A preconfigured DLP policy template can help you detect specific types of sensitive information:
• U.S. Personally Identifiable Information (PII)
• Health Insurance Portability and Accountability (HIPAA)
• U.S. Financial Data
• U.S. Federal Trade Commission Consumer Rules
• U.S. Gramm-Leach-Bliley Act (GLBA)
• U.S. Patriot Act
• U.S. State Breach Notification Laws
• U.S. State Social Security Number Confidentiality Laws
DLP – Data Loss Prevention Example PII
DLP – Data Loss Prevention
Any Questions on Data Loss Prevention?
IRM – Information Rights Management
IRM – Information Rights Management ~ Overview
Information Rights Management (IRM) enables you to limit the actions that users can take on files that have been downloaded from SharePoint Online lists or libraries. IRM encrypts the downloaded files and limits the set of users and programs that are allowed to decrypt these files. IRM can also limit the rights of the users who are allowed to read files, so that they cannot take actions such as print copies of the files or copy text from them.
You can use IRM on lists or libraries to limit the dissemination of sensitive content.
How IRM can help protect content
IRM helps to protect restricted content in the following ways:
• Helps to prevent an authorized viewer from copying, modifying, printing, faxing, or copying and pasting the content for unauthorized use
• Helps to prevent an authorized viewer from copying the content by using the Print Screen feature in Microsoft Windows
• Helps to prevent an unauthorized viewer from viewing the content if it is sent in e-mail after it is downloaded from the server
• Restricts access to content to a specified period of time, after which users must confirm their credentials and download the content again
• Helps to enforce corporate policies that govern the use and dissemination of content within your organization
How IRM cannot help protect content
IRM cannot protect restricted content from the following:
• Erasure, theft, capture, or transmission by malicious programs such as Trojan horses, keystroke loggers, and certain types of spyware
• Loss or corruption because of the actions of computer viruses
• Manual copying or retyping of content from the display on a screen
• Digital or film photography of content that is displayed on a screen
• Copying through the use of third-party screen-capture programs
• Copying of content metadata (column values) through the use of third-party screen-capture programs or copy-and-paste action
How to establish IRM for a Document Library
IRM is set for the NYS SharePoint Online tenant.
Users can enforce IRM for a particular Document Library or List by performing the following. (To apply IRM to a list or library, you must have administrator permissions for that list or library.)
• Get to Site Contents
• Identify the document library or list, and select Settings by clicking the three vertical dots
• Once the settings page opens – select “Information Rights Management”
• When the “Information Rights Management Settings” page opens, select “More Options”
IRM – Information Rights Management
Any Questions on Information Rights Management?
Groups – SharePoint Online and Azure AD
Groups – SharePoint Online & Azure AD ~ Overview
From Microsoft’s Documentation:
“Office 365 Groups is the cross-application membership service in Office 365. At the basic level, an Office 365 Group is an object in Azure Active Directory with a list of members and a loose coupling to related workloads including a SharePoint team site, shared Exchange mailbox resources, Planner, Power BI and OneNote. You can add or remove people to the group just as you would any other group-based security object in Active Directory.”
Types of Groups:
• Office 365 groups are used for collaboration between users.
• Distribution groups are used for sending notifications to a group of people.
• Security groups are used for granting access to SharePoint resources.
• Mail-enabled security groups are used for granting access to SharePoint resources, and emailing notifications to those users.
• Shared mailboxes are used when multiple people need access to the same mailbox, such as a company information or support email address.
Groups – Office 365 Groups
• Office 365 groups are used for collaboration between users, both inside and outside your company. With each Office 365 group, members get a group email and shared workspace for conversations, files, and calendar events, and a Planner.
• Office 365 groups can be configured for dynamic membership in Azure Active Directory, allowing group members to be added or removed automatically based on user attributes such as department, location, title, etc. (Requires Azure AD P1 licensing.)
Groups – Distribution Groups
• Distribution groups are used for sending notifications to a group of people. A Distribution Group functions like a Distribution List.
• Distribution groups are best for situations where you need to broadcast information to a set group of people, such as "People in Swan Street" or "Everyone at ITS."
Groups – Security Groups
• Security groups are used for granting access to Office 365 resources, such as SharePoint. They can make administration easier because you need only administer the group rather than adding users to each resource individually.
• Security groups can be configured for dynamic membership in Azure Active Directory, allowing group members or devices to be added or removed automatically based on user attributes such as department, location, or title; or device attributes such as operating system version. (Note, this requires Azure AD P1 licenses for members of the SG.)
Groups – Mail-Enabled Security Groups
• Mail-enabled security groups function the same as regular security groups, except that they cannot be dynamically managed through Azure Active Directory and cannot contain devices.
• They include the ability to send mail to all the members of the group.
Groups – Shared Mailboxes
• Shared mailboxes are used when multiple people need access to the same mailbox, such as a company information or support email address, reception desk, or other function that might be shared by multiple people.
• Users with permissions to the group mailbox can send as or send on behalf of the mailbox email address if the administrator has given that user permissions to do that.
Groups – SharePoint Online & Azure AD
Any Questions on SharePoint Online or Azure AD Groups?
SharePoint Online Governance
Governance – SharePoint Online ~ Overview
SharePoint Online Governance consists of:
• A governance plan.
• Individuals tasked with ensuring that the governance plan is adhered to. The individuals form a group that creates, modifies and publishes the plan as necessary.
• Communication with users and administrators to ensure that they are aware of the plan and methods to implement the plan.
SharePoint Online Governance Plan Example
• Overview
• Site Architecture (Communication, Team, Hub)
• Security / Groups / External Sharing
• Navigation
• Site Design
• Metadata Usage
• Information Protection (DLP, IRM, Versioning, Check In/Out)
• Information Removal
• User Onboarding and Removal
• Understanding Help/Support Options
Groups – SharePoint Online Governance
Any Questions on SharePoint Online Governance?
SharePoint Online Best Practices
Best Practices – SharePoint Online
• Assign permissions using Groups – administration of permissions is greatly simplified.
• Give groups/users only the permissions that they really need.
• Consider implementing DLP and IRM for all site collections in your agency that may possibly contain sensitive information.
• Changing inheritance of a site, list, document library or page should only be done with the greatest of caution.
• Know who the site-collection admins or site owners are. Those individuals should be your first line of contact for any issues.
• Use versioning on all document libraries. There can be up to 500 versions of a document available.
Best Practices – SharePoint Online ~ Versioning
There are 3 options for document library versioning:
1. Create major versions
2. Create major and minor (draft) versions
3. No versioning – (not recommended)
With major and minor versions, draft item security permissions are provided. There are 2 options as to who can see draft versions:
1. Only users who can edit items (recommended)
2. Only users who can approve items, and the author of the item
Best Practices – SharePoint Online
Turn off sharing when a new site is created.
Best Practices – SharePoint Online
Any Questions on SharePoint Online Best Practices?
Any success stories to share regarding SPO Best Practices?
SharePoint Online Information Security
Information Security – SharePoint Online
Microsoft 365 GCC (“Best for FedRAMP moderate, supports CJIS and IRS 1075 standards and DISA Level 2 Security Requirements Guidelines.”). To learn more, see:
https://www.microsoft.com/en-US/microsoft-365/government
https://www.microsoft.com/en-us/trust-center
https://www.microsoft.com/en-us/TrustCenter/Compliance/complianceofferings
Information Security – SharePoint Online
Any Questions on SharePoint Online Information Security?
SharePoint Online Audit Logs
Audit Logs – SharePoint Online
All SharePoint Online activities are monitored via the O365 Unified Audit Log (UAL). The UAL applies to:
• Site Collections / Sites (sub-sites)
• OneDrive
• NYS SPO tenant
Microsoft documentation can be found at:
"Search the audit log in the Security & Compliance Center"
Link: https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance
The Unified Audit Log can provide:
• User activity in SharePoint Online and OneDrive for Business
• Admin activity in SharePoint Online
SharePoint Online activity should appear in the UAL within 30 minutes.
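As an added example (not part of the original deck), here is a triage pass over a CSV export of an audit log search that flags the events the best practices above single out: broken inheritance, new site collection admins and anonymous sharing links. It assumes the export carries an AuditData column holding each record as JSON; the operation names, field names and sample rows are assumptions constructed for illustration.

```python
import csv
import io
import json

# Operations tied to the practices above; names assumed from the Office 365
# audit schema, so confirm them against your own export.
WATCHED = {
    "SharingInheritanceBroken": "permission inheritance broken",
    "SiteCollectionAdminAdded": "site collection admin added",
    "AnonymousLinkCreated": "anonymous sharing link created",
}

def build_sample_export():
    """Return a constructed audit-log CSV export (not real tenant data)."""
    site = "https://example.sharepoint.com/sites/hr"
    records = [
        ("2019-11-13T14:02:11", "FileAccessed", "SharePoint", site + "/Docs/roster.xlsx"),
        ("2019-11-13T14:05:40", "SharingInheritanceBroken", "SharePoint", site + "/Docs"),
        ("2019-11-13T14:09:02", "SiteCollectionAdminAdded", "SharePoint", site),
        ("2019-11-13T13:58:30", "AnonymousLinkCreated", "OneDrive", site + "/Docs/plan.docx"),
        ("2019-11-13T14:10:00", "MailboxLogin", "Exchange", ""),
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for when, op, workload, obj in records:
        data = {"CreationTime": when, "Operation": op, "Workload": workload,
                "UserId": "user@example.gov", "ObjectId": obj}
        writer.writerow([when, data["UserId"], op, json.dumps(data)])
    # A truncated record, as seen when an export is cut off mid-row.
    writer.writerow(["2019-11-13T14:11:00", "user@example.gov", "FileAccessed", '{"Operation": "File'])
    return buf.getvalue()

def triage(csv_text):
    """Return (findings, skipped): watched SharePoint/OneDrive events, oldest first."""
    findings, skipped = [], 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            data = json.loads(row["AuditData"])
            if not isinstance(data, dict):
                raise ValueError("AuditData is not a JSON object")
        except (KeyError, TypeError, ValueError):  # JSONDecodeError is a ValueError
            skipped += 1
            continue
        if data.get("Workload") not in ("SharePoint", "OneDrive"):
            continue
        reason = WATCHED.get(data.get("Operation"))
        if reason:
            findings.append((data.get("CreationTime") or "", data.get("UserId"),
                             reason, data.get("ObjectId")))
    return sorted(findings, key=lambda f: f[0]), skipped

if __name__ == "__main__":
    for finding in triage(build_sample_export())[0]:
        print(" | ".join(str(x) for x in finding))
```

The skipped count matters as much as the findings: a non-zero value means part of the export could not be parsed and the review is incomplete.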
Audit Logs – SharePoint Online
Any Questions on SharePoint Online Audit Logs?
SharePoint Online ShareGate
ShareGate – SharePoint Online
ShareGate – SharePoint Online
Any Questions on ShareGate?