SharePointlandia 2013: SharePoint and Compliance
Uploaded by matthew-r-barrett
Transcript of SharePointlandia 2013: SharePoint and Compliance
Page 1
SharePoint and Compliance…
Oil and Water or Milk and Cookies?
Page 2
Agenda
• About
• Security Redux
  – Permissions
  – Authentication
  – Content/Access Control
• Compliance
  – Alphabet Soup
  – The road to Compliance
  – Compliance Specifics
• Review
Page 3
Obligatory Self Promotion
Matt Barrett, Senior Solutions Engineer - Axceler
• 6 years in security, 2 in SharePoint
• Worked on the Metasploit project
• Security Evangelist
• Compliance Expert
Twitter: @mrbarrett
LinkedIn: www.linkedin.com/mrb08
Page 4
Axceler Overview
Liberating collaboration in the social enterprise through visibility and control
• Delivering award-winning administration and migration software since 1994
• 3000 customers globally
Dramatically improve SharePoint management
• Innovative products that improve security and scalability
• Making IT more effective and efficient while lowering the total cost of ownership
Focus on solving specific SharePoint problems
• Coach enterprises on SharePoint best practices
• Give administrators the most innovative tools available
• Deliver "best of breed" offerings
Page 5
Security Redux: Governance and Permissions
How are you using SharePoint?
• Document repository vs. core business system
• A few select users or everybody?
What secure content do you have?
• Where is it?
Page 6
Security Redux: Governance and Permissions
Authentication Methods
• Windows Authentication
  – NTLM
  – Kerberos
  – Digest
  – Basic
• SP Groups
• Claims
  – SAML tokens
  – Forms-based
    – AD DS
    – LDAP
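The list above is only useful to an auditor once you know which of those methods each web application zone actually has switched on. The script below is an added example, not code from the deck or from Axceler: it walks every web application and zone in the farm and reports the configured providers together with the settings a compliance reviewer asks about first (TLS on the zone, Basic authentication, NTLM-only Windows authentication, anonymous access, classic rather than claims mode). It assumes it is run in the SharePoint Management Shell on a farm server with farm-admin rights; the "findings" rules are this example's own, not anything a regulation spells out.

```powershell
# Added example (not from the original deck): inventory the authentication
# configuration of every web application zone so the methods on the slide
# (NTLM/Kerberos/Basic/Digest/claims/forms) can be checked against policy.
# Assumes the SharePoint Management Shell on a farm server with farm-admin
# rights. The findings below are this example's own audit rules.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ZoneAuthReport {
    $report = @()
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        foreach ($zone in $wa.IisSettings.Keys) {
            $iis = $wa.IisSettings[$zone]
            $url = $wa.GetResponseUri($zone)

            if ($wa.UseClaimsAuthentication) {
                # One provider object per claims source (Windows, forms, trusted/SAML)
                $providers = Get-SPAuthenticationProvider -WebApplication $wa -Zone $zone |
                    ForEach-Object { $_.DisplayName }
            } else {
                $providers = @('Classic Windows')
            }

            $findings = @()
            if ($url.Scheme -ne 'https')          { $findings += 'No TLS on this zone' }
            if ($iis.UseBasicAuthentication)      { $findings += 'Basic auth enabled (password sent in the clear unless TLS)' }
            if ($iis.UseWindowsIntegratedAuthentication -and $iis.DisableKerberos) {
                $findings += 'NTLM only (Kerberos disabled)'
            }
            if ($iis.AllowAnonymous)              { $findings += 'Anonymous access allowed' }
            if (-not $wa.UseClaimsAuthentication) { $findings += 'Classic-mode authentication (no claims)' }

            $report += [PSCustomObject]@{
                WebApplication = $wa.DisplayName
                Zone           = $zone
                Url            = $url.AbsoluteUri
                Providers      = ($providers -join ', ')
                Findings       = ($findings -join '; ')
            }
        }
    }
    return $report
}

Get-ZoneAuthReport | Sort-Object WebApplication, Zone | Format-Table -AutoSize
```

A zone that shows up with "No TLS" and "Basic auth enabled" at the same time is the one to fix first: Basic sends the password base64-encoded, so without TLS it is effectively cleartext on the wire. An "NTLM only" finding is not a violation by itself, but it usually means the Kerberos SPNs were never registered, which is worth knowing before an auditor asks why delegation is not in use.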
Page 7
Security Redux: Governance and Permissions
What can be secured?
• Sites
• Libraries/Lists
• Folders
• Documents/Items
Pages 8-9
Security Redux: Governance and Permissions
Management Challenges
• Distributed vs. Centralized
• Whose responsibility is it?
Page 10
Security Redux: Security vs. Compliance
Typical Best Practices vs. Compliance Best Practices
• Visitors
• Members
• Read only?
Page 11
Security Redux: Security vs. Compliance
Typical Best Practices vs. Compliance Best Practices
• Sites, lists and libraries share most permissions
• Sensitive data is separated from normal data (typically this is all you need)
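The four securable levels on page 7, the distributed-ownership problem on pages 8-9 and the "keep sensitive data separated" rule on page 11 all come down to one question an auditor will ask: where has inheritance been broken, and who got what there? The script below is an added example, not code from the deck or from Axceler. It walks one site collection, finds every web, list, folder and item with unique permissions, and flags any of those scopes where a broad principal (Everyone, All Authenticated Users, or their claim-encoded forms) holds more than a read-level role. The site URL, the list of "broad" principals and the rule that only read roles are acceptable for them are this example's assumptions; it assumes the SharePoint Management Shell on a farm server.

```powershell
# Added example (not from the original deck): report every securable object
# in a site collection that breaks inheritance, and flag scopes that grant
# more than Read to broad principals. Assumes the SharePoint Management Shell
# on a farm server. The site URL, the principal patterns and the read-only
# role names are this example's assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Principals that effectively mean "everyone": claim-encoded and classic forms
$BroadPrincipals = @('c:0(.s|true', 'c:0!.s|windows', 'NT AUTHORITY\authenticated users', 'Everyone')
$ReadOnlyRoles   = @('Read', 'View Only', 'Limited Access', 'Restricted Read')

function Test-ScopeFindings {
    # $Securable is an SPWeb, SPList or SPListItem (all expose RoleAssignments)
    param($Securable, [string]$Url, [string]$Kind)
    $findings = @()
    foreach ($ra in $Securable.RoleAssignments) {
        $login = $ra.Member.LoginName
        $roles = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        $isBroad = $false
        foreach ($p in $BroadPrincipals) { if ($login -like "*$p*") { $isBroad = $true } }
        $tooMuch = @($roles | Where-Object { $ReadOnlyRoles -notcontains $_ })
        if ($isBroad -and $tooMuch.Count -gt 0) {
            $findings += [PSCustomObject]@{
                Kind = $Kind; Url = $Url; Principal = $login; Roles = ($tooMuch -join ', ')
            }
        }
    }
    return $findings
}

function Get-UniquePermissionReport {
    param([string]$SiteUrl)
    $results = @()
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                if ($web.HasUniqueRoleAssignments) {
                    $results += Test-ScopeFindings $web $web.Url 'Web'
                }
                foreach ($list in $web.Lists) {
                    if ($list.Hidden) { continue }
                    $listUrl = $site.MakeFullUrl($list.RootFolder.ServerRelativeUrl)
                    if ($list.HasUniqueRoleAssignments) {
                        $results += Test-ScopeFindings $list $listUrl 'List'
                    }
                    # Folder- and item-level breaks are where sensitive files usually leak.
                    # This enumerates every item, so expect it to be slow on large libraries.
                    foreach ($folder in $list.Folders) {
                        if ($folder.HasUniqueRoleAssignments) {
                            $results += Test-ScopeFindings $folder "$($web.Url)/$($folder.Url)" 'Folder'
                        }
                    }
                    foreach ($item in $list.Items) {
                        if ($item.HasUniqueRoleAssignments) {
                            $results += Test-ScopeFindings $item "$($web.Url)/$($item.Url)" 'Item'
                        }
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
    return $results
}

Get-UniquePermissionReport -SiteUrl 'https://intranet.example.com/sites/finance' | Format-Table -AutoSize
```

An empty report does not mean the site is clean; it means no broad principal has write access at a broken-inheritance scope. Inherited grants at the root web still need a separate look, and the groups that do appear (Members, Owners) need their membership confirmed, which is the "confirmation of permissions" step on the maintenance slides later in the deck.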
Page 12
Compliance Changes Things…
Plan your work, work your plan
Page 13
Compliance – Alphabet Soup
• Sarbanes-Oxley Act (SOX Compliance)
• Healthcare Services (HIPAA)
• Financial Services (GLBA)
• California Senate Bill No. 1386
• NERC Cyber Security Standards
• Visa Cardholder Information Security Program
• MasterCard Site Data Protection Program
• American Express Data Security Standard
Page 14
Compliance Fact Sheet
• 45 states (including CA) have some form of data breach law
• All different, but all require protection of PII (Personally Identifiable Information)
Page 15
What is PII?
• Full Name
• National ID number
• IP address (in some cases)
• License Plate Number
• Driver's License Number
• Face, Fingerprints or Handwriting
• Credit Card Numbers!!
• Date of Birth
• Birthplace
• Genetic information
Page 16
Where Does This Come From?
NIST (National Institute of Standards and Technology) SP 800-53
• Access Enforcement
• Separation of Duties
• Least Privilege
• Limiting Remote Access
• Protecting information at rest through the use of encryption
Page 17
Breaches are Costly!
• Sony – 77 million user accounts (April 2011), cost $171m to fix
• Fortune 50 leader in aerospace – fined $75m for leaking helicopter part information
• Breaches cost on average $6m+*
* Source: Ponemon Institute
Page 18
Compliance Changes Things…
It's far more expensive to certify than to secure...
• Best Advice: Limit your scope!
Page 19
Step 1: Define Your (forced) Compliance Goals!
• Security vs. Efficiency Paradox
• Trust but Verify
Page 20
Step 1: Define Your Compliance Goals!
Understand your benchmarks
• What current business processes could potentially be affected?
• Optimization "ripples"
• Efficiency theories
• Collaboration? Is it compliant?
Page 21
Step 1: Define Your Compliance Goals!
Breaches are sad
Quickest is not always best
• Take your time
• Far cheaper in the long run
• Shortcuts lead to breaches
• Breaches lead to sad
Page 22
Step 2: Commit (Pilot, Review, Deploy)
Building from Scratch vs. Adaptation
• "You can tailor a framework to a regulation, but you can't tailor a regulation to a framework"
Page 23
Step 2: Commit (Dev, Staging)
Build Your Pilot
• Separate server
• No real data
• Study!
• Gap Analysis
Page 24
Step 2: Commit (Dev, Staging)
Bring More Cooks into the Kitchen
• Legal
• Security Team
• Consultants (if necessary)
Pages 25-26
Step 3: Assimilate (Test, Verify)
Once You're Sure...
• After Gap Analysis
• Dev to Staging
• Typically single-server
• Introduce pilot users (try to break it)
• Penetration Test
• Production
Page 27
Step 4: Maintain (Server, SharePoint, Users)
Compliance one day doesn't guarantee compliance the next...
• Monitor
  – Service Packs
  – User Activity
  – Confirmation of Permissions
• Monitor Regulations
  – They Change!
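"User activity" and "confirmation of permissions" are checks SharePoint can feed from its own audit log, provided someone has switched it on and kept it from being trimmed before review. The script below is an added example, not code from the deck or from Axceler: it enables auditing on a site collection with a retention setting, then pulls the permission-change events (group membership, role binding and inheritance changes) from the last 30 days with the acting user resolved. It assumes the SharePoint Management Shell on a farm server; the site URL, the 30-day window and the 180-day trimming retention are this example's assumptions, not values any regulation prescribes.

```powershell
# Added example (not from the original deck): turn on SharePoint's built-in
# audit log for a site collection and list the permission-change events
# from the last N days. Assumes the SharePoint Management Shell on a farm
# server. Site URL, window and retention are this example's assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Enable-SiteAudit {
    param([string]$SiteUrl, [int]$RetentionDays = 180)
    $site = Get-SPSite $SiteUrl
    try {
        # Log security changes plus view/update/delete. "All" is noisier; pick what you can store.
        $site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange -bor
                                 [Microsoft.SharePoint.SPAuditMaskType]::View -bor
                                 [Microsoft.SharePoint.SPAuditMaskType]::Update -bor
                                 [Microsoft.SharePoint.SPAuditMaskType]::Delete
        $site.Audit.Update()
        # Keep entries long enough for review without growing the content DB forever
        $site.AuditLogTrimmingRetention = $RetentionDays
    } finally { $site.Dispose() }
}

function Get-PermissionChangeEvents {
    param([string]$SiteUrl, [int]$Days = 30)
    $site = Get-SPSite $SiteUrl
    try {
        $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
        $query.SetRangeStart((Get-Date).AddDays(-$Days))
        # Restrict to the security-related event types only
        foreach ($evt in 'SecurityGroupCreate', 'SecurityGroupDelete',
                         'SecurityGroupMemberAdd', 'SecurityGroupMemberDelete',
                         'SecurityRoleBindUpdate', 'SecurityRoleBindInherit', 'SecurityRoleBindBreakInherit',
                         'SecurityRoleDefCreate', 'SecurityRoleDefModify', 'SecurityRoleDefDelete') {
            $query.AddEventRestriction([Microsoft.SharePoint.SPAuditEventType]::$evt)
        }

        # Resolve user IDs once; the audit entry only stores the numeric ID
        $users = @{}
        foreach ($u in $site.RootWeb.SiteUsers) { $users[$u.ID] = $u.LoginName }

        foreach ($e in $site.Audit.GetEntries($query)) {
            $login = $users[$e.UserId]
            if (-not $login) { $login = "userid:$($e.UserId)" }   # system or deleted user
            [PSCustomObject]@{
                Occurred = $e.Occurred      # stored in UTC
                Event    = $e.Event
                User     = $login
                Location = $e.DocLocation
                Detail   = $e.EventData     # XML describing the change
            }
        }
    } finally { $site.Dispose() }
}

Enable-SiteAudit -SiteUrl 'https://intranet.example.com/sites/finance'
Get-PermissionChangeEvents -SiteUrl 'https://intranet.example.com/sites/finance' | Format-Table -AutoSize
```

Nothing is logged for the period before auditing was enabled, so the first run of the query will be empty; the value is in running it on a schedule and diffing against the permission inventory. The retention setting matters as much as the flags: if the log is trimmed to a week and the review cadence is a month, the evidence an auditor asks for is already gone.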
Page 28
Step 4: Maintain (Server, SharePoint, Users)
Every new element needs to be vetted
• One insecure element makes EVERYTHING insecure
Page 29
Compliance Generalities
Compliance follows common themes...
CIA Triad
• Confidentiality
• Integrity
• Availability
Page 30
Compliance Specifics: HIPAA
Data must always be encrypted
• In transit, at rest
• SSL/TLS
Data must never be lost
• DR Plan
Data must only be accessible by authorized personnel
• Access Control/Authentication
• User Security
• Password Policies
• New Employee Procedures
Page 31
Compliance Specifics: HIPAA
Data must never be tampered with or altered
• Audit controls/integrity
• Unauthorized modification prevention
Data should be encrypted if being stored/archived
• Transparent Data Encryption (TDE) on the SQL Server content databases
Can be permanently disposed of when no longer needed
• Remember: health records must be stored for 6 years
• Document retention policies
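The "transparent SQL DB encryption" bullet is SQL Server Transparent Data Encryption applied to the content databases, and it ties directly to the DR bullet on the previous slide: an encrypted content database cannot be restored anywhere the certificate has not been restored first. The script below is an added example, not code from the deck or from Axceler. It creates the master key and certificate, backs the certificate up, enables TDE on one content database, and then queries the encryption state so the result can be verified rather than assumed. It assumes the SqlServer (or older SQLPS) PowerShell module and sysadmin rights on the instance; the instance name, database name, certificate name, backup path and password prompt are this example's assumptions.

```powershell
# Added example (not from the original deck): enable SQL Server Transparent
# Data Encryption on a SharePoint content database and verify it. TDE covers
# the data and log files at rest only; it does nothing for data in transit or
# for anyone who can already query the database. Assumes the SqlServer module
# and sysadmin rights. Instance, database, certificate and path names are
# this example's assumptions.
Import-Module SqlServer -ErrorAction SilentlyContinue

function Enable-ContentDbTde {
    param(
        [string]$Instance   = 'SQL01\SHAREPOINT',
        [string]$Database   = 'WSS_Content_Finance',
        [string]$CertName   = 'SharePointTdeCert',
        [string]$CertBackup = 'D:\TDEBackup\SharePointTdeCert',
        [string]$KeyPassword
    )
    if (-not $KeyPassword) { throw 'Provide a strong password for the master key and certificate backup' }
    # Escape the password for use as a T-SQL string literal
    $pwLiteral = $KeyPassword.Replace("'", "''")

    $prep = @"
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$pwLiteral';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = '$CertName')
    CREATE CERTIFICATE [$CertName] WITH SUBJECT = 'TDE certificate for SharePoint content databases';
-- Without this backup an encrypted database cannot be restored on another instance
BACKUP CERTIFICATE [$CertName] TO FILE = '${CertBackup}.cer'
    WITH PRIVATE KEY (FILE = '${CertBackup}.pvk', ENCRYPTION BY PASSWORD = '$pwLiteral');
"@
    $encrypt = @"
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE [$CertName];
ALTER DATABASE [$Database] SET ENCRYPTION ON;
"@
    Invoke-Sqlcmd -ServerInstance $Instance -Query $prep
    Invoke-Sqlcmd -ServerInstance $Instance -Query $encrypt
}

function Get-TdeStatus {
    param([string]$Instance = 'SQL01\SHAREPOINT')
    # encryption_state: 0 none, 1 unencrypted, 2 in progress, 3 encrypted, 5 decrypting
    $q = @"
SELECT d.name, ISNULL(k.encryption_state, 0) AS encryption_state,
       k.encryptor_type, k.key_algorithm, k.key_length
FROM sys.databases d
LEFT JOIN sys.dm_database_encryption_keys k ON k.database_id = d.database_id
WHERE d.name LIKE 'WSS_Content%';
"@
    Invoke-Sqlcmd -ServerInstance $Instance -Query $q |
        Select-Object name, encryption_state, encryptor_type, key_algorithm, key_length
}

Enable-ContentDbTde -KeyPassword (Read-Host 'TDE key password')
Get-TdeStatus | Format-Table -AutoSize
```

Encryption runs in the background after SET ENCRYPTION ON, so the status query will show state 2 for a while before it reaches 3; re-run it rather than ticking the box on the first pass. Turning TDE on for any user database also encrypts tempdb, and the certificate backup files plus their password belong in the DR plan, stored apart from the database backups they unlock.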
Page 32
Compliance Specifics: SOX
All data must be...
• Stored
• Retained
• Secured
• Audited
Proof of internal controls
• Plans
• Framework
• Disclosure
Page 33
Compliance Specifics: PCI
"If it touches something that stores or processes credit cards, it falls into the compliance scope"
• Pen Testing
• External environment scanning
• Gap Analysis (PCI DSS)
• Document management system
Page 34
Conclusion
Compliance changes things slightly...
• Fines are off the charts
• More work
• More diligence