Information Governance for Microsoft SharePoint - White Paper
Protecting data, streamlining compliance, gaining visibility, and managing information life cycle.


Introduction

“If not stored, protected, harnessed and metered effectively, information is wasted, weakens in value, or can pose many risks. Information governance has become a business imperative, and company leaders’ ability to apply equal rigor to managing all components of information across the business information supply chain will affect business performance, partners and prospects.”[1]
Toby Bell, Debra Logan, and Ted Friedman, Analysts, Gartner, Inc.

Get Ready for SharePoint

Ease of use, simple administration, and powerful collaboration capabilities have driven rapid adoption of Microsoft SharePoint. Companies find that once they make SharePoint available, the number of Sites grows quickly. Many companies report having more SharePoint Sites than employees. The explosive nature of SharePoint can catch Data Owners and Information Managers off guard, especially when it comes to ensuring that sensitive information is protected and use of SharePoint supports company goals. SharePoint was designed to operate as an “adhocracy,”[2] empowering the end user by focusing on collaboration, innovation, and results. This is fine until you start to use SharePoint to manage sensitive intellectual property, automate regulated business processes, or manage corporate records.

Some common challenges include:
• Protecting intellectual property (IP) managed in SharePoint
• Sharing sensitive information externally with customers and partners
• Controlling access across SharePoint sites to support company policy or regulatory requirements
• Detecting and preventing SharePoint from being used as an alternative to company-mandated systems or other “official” applications
• Auditing thousands of independent sites for compliance
• Ensuring that information managed in SharePoint is subject to records management

Balancing Ad-Hoc Collaboration and Governance

Given these challenges, one can understand why some would want to clamp down on SharePoint use by setting up bureaucratic hurdles to its adoption. However, when governance is applied with a heavy hand companies sacrifice the innovation, creativity, and efficiency that SharePoint’s ad-hoc model promotes. Striking the right balance between ad-hoc collaboration and governance is the key.

Applying a Proactive Approach to Reduce SharePoint Costs

The groundswell around SharePoint is reminiscent of earlier game-changing technologies such as e-mail, public instant messaging, and mobile devices. As we have seen in the past, once these technologies were widely deployed it became extremely costly to govern them. For example, after 15 years of corporate e-mail many companies are still wrestling with e-mail governance even after having purchased and deployed multiple products such as e-mail security gateways, e-mail compliance, e-mail discovery, and e-mail surveillance products on top of their e-mail infrastructure. Taking a reactive approach to e-mail governance was a costly strategy. To avoid the same mistake leaders need to apply a proactive approach to SharePoint governance, which can be more easily deployed at lower cost while the SharePoint infrastructure is relatively new.

1. “Key Issues for Establishing Information Governance Policies, Processes and Organization” by Gartner, Inc., Toby Bell, Debra Logan, Ted Friedman. February 29, 2008
2. Adhocracy refers to “any form of organization that cuts across normal bureaucratic lines to capture opportunities, solve problems, and get results.” Robert H. Waterman, Jr. in Adhocracy (ISBN 0-393-31084-1)
Information Governance Objectives

Information Governance is the set of policies and procedures that ensure that corporate information is protected, being used effectively, and being handled in compliance with company or regulatory requirements. The four most common Information Governance objectives for SharePoint deployments include:

Policy-Driven Authorization to Applications and Data (Entitlements)

Each SharePoint site is an administration island. This makes it impossible to implement company-, division-, or organization-level authorization decisions. We need policy that can apply across sites and servers to address cases where access needs to be tightly controlled to ensure compliance and confidentiality, or to avoid conflict of interest.

Protection for Intellectual Property

More and more company IP is being managed in SharePoint, including design documents, sales tools, technical documentation, pricing, marketing plans, budgets, company strategy, and even customer data. While SharePoint provides permissions and information policies, the use of these is at the discretion of end users or individual site administrators, and they do not consistently protect the sensitive data once the user has accessed it or downloaded it from the server. To protect IP we want the ability to:
• Prevent leakage of IP beyond people that “need to know”
• Limit the access of external partners, customers, or contractors who collaborate via SharePoint
• Prevent data loss caused by inappropriate handling of IP, such as copying to unencrypted laptops or USB drives, uploading to public websites, or accidentally distributing (by e-mail, IM, FTP, etc.) to outsiders

Case Study: Intellectual Property Protection for SharePoint

An engineer downloads a highly confidential CAD drawing to her desktop for review. She inadvertently copies the drawing to a public file server, exposing the IP to everyone in the company. Another employee takes the file from the public share and sends it to a friend who works for a competitor. With the Solution, the downloaded document maintains its access control so even users with access to the public share cannot access the file. Policy can also be used to prevent use of external e-mail, IM, USB, and other distribution channels.

Reduced Cost of SharePoint Audits

As the amount of data managed in SharePoint increases, so does the requirement to audit SharePoint for Sarbanes-Oxley, PCI, legal inquiry, or other compliance requirements. Even if the company has a policy of not using SharePoint for regulated business processes, there are no effective controls to prevent users from using SharePoint as an alternative to official systems or applications. To reduce the cost of audits, we look to:
• Prevent the use of SharePoint for specified regulated processes or data
• Centralize the administration of access rights to streamline audit reporting
• Audit end-user activity to provide evidence of effective controls or investigate incidents
Visibility and Management of Information Lifecycle

SharePoint has historically been used as a collaboration system, rather than a system of record. With Microsoft Office SharePoint Server (MOSS) 2007, Microsoft added functionality to allow SharePoint to address enterprise content management requirements, extending its relevance across the information lifecycle from conception, to work in progress, to record management. However, these improvements did not include centralized audit and reporting functionality. Moreover, we need additional visibility into the information lifecycle activity and the ability to change entitlements based on lifecycle state.

Case Study: Lifecycle Management

A company uses SharePoint to manage its sales proposal process. SharePoint is used both to collaborate on the development of proposals and to manage finalized proposal documents. With the current tools, the VP of Sales has no visibility into this process and is concerned that Sales Proposal documents are not being managed properly as corporate records. With the Solution, the VP of Sales can view reports that detail how many proposals are initiated, created, and finalized in SharePoint, and by whom. She can also set policy to ensure that complete proposals are subject to company records management procedures.

SharePoint Information Governance Solution

A Comprehensive Solution

The Compliant Enterprise Information Governance Solution for Microsoft SharePoint consists of four applications that extend Microsoft SharePoint Services or Microsoft Office SharePoint Server (MOSS) to help companies achieve their Information Governance objectives. The four applications include:

Entitlement Management

Centrally-managed, policy-based access control across SharePoint sites and servers enhances the native security model of SharePoint, by enabling fine-grained authorization to both SharePoint applications and data. For example, the use of SharePoint administrative applications for changing permissions, roles, or groups, or access to individual documents or list items, can be controlled based on column values.

Case Study: SharePoint Entitlements

A SharePoint Administrator in IT provisions a departmental site for the Engineering organization and assigns a Site Administrator. Months later, there are 150 individual sub-sites, each with their own administrator and permission settings. When an employee transfers out of the engineering department there is no simple way to revoke his access to engineering data. With the Solution, a company policy limiting access to Engineering employees can be created at the top-level site regardless of what individual site administrators do. Access can be automatically taken away when an employee changes roles or departments. In addition, any changes to access permissions performed by site administrators are logged for audit purposes.
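To make the Entitlements case study concrete, here is an added example of a small attribute-based policy decision point with XACML-style deny-overrides combining. It is my own illustration, not NextLabs, Compliant Enterprise or SharePoint code. A central rule set is evaluated before the site's own permissions, so a company-level rule for the Engineering site collection applies to every sub-site regardless of local grants, a transfer out of Engineering revokes access as soon as the directory attribute changes, a list column value gates downloads of individual items, and every decision is written to an audit log. The attribute names (department, project, roles), the Classification and Project columns and the site paths are assumptions made up for the example.

```python
"""Minimal attribute-based policy decision point (PDP) with XACML-style
deny-overrides combining.  Illustrative code only: not NextLabs, Compliant
Enterprise or SharePoint code.  Attribute names, column names and site paths
are assumptions constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    user: Dict[str, object]      # subject attributes drawn from the directory
    resource: Dict[str, object]  # site path plus the item's list columns
    action: str                  # e.g. "read", "download", "change_permissions"


@dataclass
class Rule:
    name: str
    applies: Callable[[Request], bool]  # target predicate over the request
    effect: str                         # "Permit" or "Deny"


class PolicyDecisionPoint:
    """Evaluates the central rules first; only when none applies does the
    site's own permission setting (what a site administrator granted) count."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.audit_log: List[Dict[str, object]] = []

    def decide(self, req: Request, local_site_permits: bool) -> str:
        hits = [r for r in self.rules if r.applies(req)]
        denies = [r.name for r in hits if r.effect == "Deny"]
        permits = [r.name for r in hits if r.effect == "Permit"]
        if denies:                      # deny-overrides: a single Deny wins
            decision, basis = "Deny", denies
        elif permits:
            decision, basis = "Permit", permits
        else:                           # NotApplicable: defer to the site ACL
            decision = "Permit" if local_site_permits else "Deny"
            basis = ["local site permissions"]
        # Every decision is recorded centrally so auditors can see who touched
        # what and which policy decided it.
        self.audit_log.append({
            "user": req.user["id"], "action": req.action,
            "resource": req.resource["path"], "decision": decision,
            "basis": basis,
        })
        return decision


def under_site(req: Request, prefix: str) -> bool:
    return str(req.resource["path"]).startswith(prefix)


# Central policy set, constructed for the example.
RULES = [
    # Company-level rule: only Engineering staff may touch anything below the
    # Engineering site collection, whatever individual sub-site admins grant.
    Rule("engineering_staff_only",
         lambda r: under_site(r, "/sites/engineering/")
         and r.user.get("department") != "Engineering",
         "Deny"),
    # Column-driven rule: a Confidential item may only be downloaded by a
    # user whose project attribute matches the item's Project column.
    Rule("confidential_needs_project_match",
         lambda r: r.action == "download"
         and r.resource.get("Classification") == "Confidential"
         and r.resource.get("Project") != r.user.get("project"),
         "Deny"),
    # Only the site owner role may change permissions (the attempt is logged).
    Rule("permission_changes_by_owner_only",
         lambda r: r.action == "change_permissions"
         and "site_owner" not in r.user.get("roles", ()),
         "Deny"),
]


def transfer_scenario() -> Tuple[str, str]:
    """The case study above: a sub-site admin granted Alice access and never
    revoked it; the central rule denies her once her department attribute
    changes, with no per-site cleanup needed."""
    pdp = PolicyDecisionPoint(RULES)
    doc = {"path": "/sites/engineering/sub-12/specs.docx", "Classification": "Internal"}
    alice = {"id": "alice", "department": "Engineering", "project": "Falcon", "roles": ()}
    before = pdp.decide(Request(alice, doc, "read"), local_site_permits=True)
    alice_after = dict(alice, department="Sales")      # HR updates the directory
    after = pdp.decide(Request(alice_after, doc, "read"), local_site_permits=True)
    return before, after


def column_scenario() -> Tuple[str, str]:
    """Access to individual items decided by a list column value."""
    pdp = PolicyDecisionPoint(RULES)
    bob = {"id": "bob", "department": "Engineering", "project": "Falcon", "roles": ()}
    own = {"path": "/sites/engineering/sub-3/falcon.cad", "Classification": "Confidential", "Project": "Falcon"}
    other = {"path": "/sites/engineering/sub-3/eagle.cad", "Classification": "Confidential", "Project": "Eagle"}
    return (pdp.decide(Request(bob, own, "download"), True),
            pdp.decide(Request(bob, other, "download"), True))


if __name__ == "__main__":
    print(transfer_scenario(), column_scenario())   # ('Permit', 'Deny') ('Permit', 'Deny')
```

The point of the ordering is that the central rules are consulted before any local grant, so a sub-site administrator can widen access only within what company policy already allows, and a directory change alone is enough to pull access back everywhere.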
Intellectual Property Protection

Consistent protection of IP managed in SharePoint on both the server and client limits access to IP based on organization, team, or project association and prevents loss or leakage of IP over e-mail, IM, duplication, FTP, removable media, and other channels.

SharePoint Audit

Automated audit of user activity and prebuilt reports provide insight into policy violations, user activity, and access rights, and reduce the effort associated with internal or external audit for compliance.

Case Study: SharePoint Audit

A Financial Accountant creates a SharePoint site to manage financial spreadsheets used for period end reporting. As the site Administrator he grants access to other members of Finance. Over time team members change roles, in some cases creating violations of Segregation of Duty requirements. Auditors demand evidence of changes to access permissions and spreadsheet activity. With the Solution, policy can be used to control access to the site based on role, rather than requiring a site administrator to make manual changes. All access changes and spreadsheet activity are recorded and reports are automatically generated for Auditors.

Information Lifecycle Policy

Reporting and policy-driven controls provide visibility and management of the SharePoint information lifecycle, and let you view information lifecycle activity by department or business process and apply the appropriate controls to data based on its lifecycle state. This application integrates with SharePoint record management functionality to ensure proper information management.

Four Applications on One Enterprise Platform

All applications are delivered by Compliant Enterprise, allowing companies to deploy either a single solution or all four on one platform. Because the applications are delivered on Compliant Enterprise, customers can also leverage other Compliant Enterprise solutions for file servers or custom applications on servers and clients.
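The SharePoint Audit case study above asks for two things: evidence of permission changes and spreadsheet activity, and detection of Segregation of Duty violations that creep in as people change roles. The following added example, which is not code from NextLabs or the product described here, replays a constructed permission-change and access log to find users who came to hold conflicting roles on the same site and to list the activity that took place while they did. The CSV layout, the role names (preparer, approver) and the conflict pair are assumptions made for the example.

```python
"""Segregation-of-duty (SoD) check over a permission-change and activity log.
Example code only, not NextLabs or SharePoint code; the log format, role
names and conflict pairs below are constructed for the illustration."""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed audit log, oldest event first.  event is one of
# grant / revoke (permission changes) or access (spreadsheet activity).
AUDIT_LOG = """\
ts,event,site,user,role,item,actor
2012-01-03T09:00Z,grant,/sites/finance/close,carol,preparer,,admin_dan
2012-01-03T09:01Z,grant,/sites/finance/close,erin,approver,,admin_dan
2012-02-14T10:30Z,access,/sites/finance/close,carol,,journal_q1.xlsx,carol
2012-03-01T08:15Z,grant,/sites/finance/close,carol,approver,,admin_dan
2012-03-02T11:45Z,access,/sites/finance/close,carol,,journal_q1.xlsx,carol
2012-03-20T16:00Z,revoke,/sites/finance/close,erin,approver,,admin_dan
"""

# Role pairs one person must never hold at the same time on the same site.
SOD_CONFLICTS = {frozenset({"preparer", "approver"})}


def parse_log(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def replay_roles(events: List[Dict[str, str]]) -> Tuple[Dict[Tuple[str, str], Set[str]], List[Dict[str, object]]]:
    """Replay grants and revokes to get the current roles per (site, user),
    recording the moment a user first holds a conflicting pair."""
    roles: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    violations: List[Dict[str, object]] = []
    for e in events:
        key = (e["site"], e["user"])
        if e["event"] == "grant":
            roles[key].add(e["role"])
            for pair in SOD_CONFLICTS:
                if pair <= roles[key]:
                    violations.append({"ts": e["ts"], "site": e["site"], "user": e["user"],
                                       "roles": sorted(pair), "granted_by": e["actor"]})
        elif e["event"] == "revoke":
            roles[key].discard(e["role"])
    return roles, violations


def access_while_conflicted(events, violations) -> List[Dict[str, str]]:
    """Spreadsheet activity by a user after she came to hold conflicting
    roles: the evidence auditors ask for.  Timestamps are ISO-8601 with a
    fixed layout, so string comparison orders them correctly."""
    flagged = []
    for e in events:
        if e["event"] != "access":
            continue
        for v in violations:
            if v["user"] == e["user"] and v["site"] == e["site"] and e["ts"] >= v["ts"]:
                flagged.append({"ts": e["ts"], "user": e["user"], "item": e["item"]})
    return flagged


def sod_report(text: str = AUDIT_LOG) -> Dict[str, object]:
    """The report an auditor would receive: current rights, SoD violations
    with who granted them, activity during the violation window, and a
    count of permission changes on the site."""
    events = parse_log(text)
    roles, violations = replay_roles(events)
    return {
        "current_roles": {f"{site}:{user}": sorted(r) for (site, user), r in roles.items()},
        "violations": violations,
        "accesses_while_conflicted": access_while_conflicted(events, violations),
        "permission_changes": sum(1 for e in events if e["event"] in ("grant", "revoke")),
    }


if __name__ == "__main__":
    for key, value in sod_report().items():
        print(key, value)
```

Replaying the change log rather than inspecting the current permission set is what surfaces the window between the conflicting grant and any later cleanup; a point-in-time snapshot would miss a violation that had already been revoked, and so would the activity that happened during it.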
Compliant Enterprise is an extensible Enterprise Entitlement Management system, built on the OASIS eXtensible Access Control Markup Language (XACML) standard, which allows enterprises to configure, administer, enforce, review, and audit fine-grained access policies and authorizations across applications. Compliant Enterprise is the only Entitlement Management system that supports fine-grained policy decisions and enforcement on servers, desktops, laptops, and mobile devices, both online and offline.

Solution Components

Server and Client Side Policy Enforcement

SharePoint Server Policy Adapter

The Adapter integrates natively with SharePoint Services or MOSS 2007 to enforce fine-grained authorization policy across all SharePoint objects, including site collections, sites and sub-sites, lists, document libraries, list items, documents, announcements, calendars, tasks, and more.
SharePoint Entitlement Client

Optional client software enforces policy and tracks activity on SharePoint data after it is downloaded from the server. The same policy in effect on the server is applied to SharePoint data on desktops and laptops, even when disconnected from the network. The Entitlement Client works with NextLabs Enterprise DLP to prevent data loss over e-mail, IM, USB, web upload, or other channels. The approach eliminates the deployment and management complexity of SharePoint information policies since it does not require additional encryption key management infrastructure.

Figure: Server and Client Side Policy Enforcement

Out of the Box Reporting

SharePoint Information Governance Reporting Module

A pre-built set of reports designed to provide Data Owners or Information Managers visibility and audit for SharePoint. The module provides prebuilt charting and reporting to show information lifecycle activity by site, organization, department, business process, resource, or user. Audit is simplified with policy reports that summarize policy violations and access rights.

Report Server

Report Server provides a central repository for enterprise-wide SharePoint auditing. All activities logged by the Policy Enforcement software are collected in a central data warehouse to provide a single comprehensive source for investigation and analysis.

Reporter

The Web-based reporting application enables analysts to generate charts and reports showing SharePoint access rights, access attempts, authorization decisions, end-user activity, and trend analysis.

Standards Based Policy Management

Policy Studio

Policy Studio is a graphical application for SharePoint policy management across sites and servers. It is an easy-to-use, drag-and-drop policy management tool for editing, deploying, and managing policies. Policy Studio speeds up policy development and increases productivity.

Figure: SharePoint Information Governance Reporting
Central Policy Server

The XACML-based Policy Server is an open, standards-based policy repository and management server that centralizes SharePoint governance policy and system management as the policy administration point (PAP). It is built with a scalable distributed architecture that easily integrates into existing IT infrastructure, including Active Directory and SharePoint for discovery.

Distributed Policy Controller

The Policy Controller is a distributed, cross-platform policy decision point (PDP) that provides real-time policy evaluation on servers and endpoints. The distributed architecture of the Policy Controller and the optimized deployment technology make Compliant Enterprise the most scalable entitlement management system available, with support for hundreds of thousands of enforcement points.

Solution Benefits

By adopting the Information Governance for SharePoint applications, companies can achieve balance between ad-hoc collaboration and governance. Some of the benefits provided by the solution include:
• Centralized entitlement management that ensures consistent authorization to SharePoint applications and data aligned with company policy
• Reduced risk of intellectual property disclosure caused by external data leaks or internal confidentiality breaches
• Visibility into information lifecycle activity that enables information to be properly controlled from its inception to its end-of-life
• Reduced cost of audit and quick response to legal inquiries across SharePoint servers
• More rapid deployment of SharePoint, by eliminating governance and compliance hurdles

Learn More

We invite you to learn more about SharePoint Information Governance solutions:
• View our online demonstration of the solution at:
• Participate in the SharePoint Information Risk Assessment Program at:
• Request an evaluation session with our team at:

Our team of SharePoint Information Governance experts will help you to evaluate your needs, clarify key objectives, and recommend the fastest path towards meeting your solution requirements. Or call us at 650-577-9101 for more information.
ABOUT NEXTLABS

NextLabs®, Inc. is the leading provider of policy-driven information risk management software for Global 5000 enterprises. Our software offers a cohesive solution for improving compliance and mitigating information risk by preventing internal and external data loss, eliminating conflict-of-interest activity, and ensuring proper access to applications and data. Our flagship products, Enterprise DLP™ and Compliant Enterprise®, combine identity-driven policy with fine-grained access control and data loss prevention technology to protect data and enforce entitlements. By reducing the risk of data loss and unauthorized access to applications and data, organizations can ensure public confidence, demonstrate compliance, and maintain competitive advantage. NextLabs’ partnerships with industry leaders such as IBM, SAP, Microsoft, Adobe, and PTC bring to market industry-focused solutions that combine industry best practices with turnkey applications, to meet customers’ governance, risk, and compliance requirements. NextLabs is a Microsoft Gold Certified Partner. NextLabs maintains a growing portfolio of twenty-five pending patents covering four core areas: fine-grained and contextual access control, user and workflow remediation, real-time policy enforcement, and the implementation and deployment of extensible and universal policies.

NextLabs, Inc.
2 Waters Park Drive, Suite 250
San Mateo, CA 94403 USA
650-577-9101

© 2012 NextLabs, Inc. All Rights reserved. THE INFORMATION CONTAINED IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY EXPRESS REPRESENTATIONS OR WARRANTIES. IN ADDITION, NEXTLABS, INC. DISCLAIMS ALL IMPLIED REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS. This document contains proprietary information of NextLabs, Inc. or under license from third parties. No part of this document may be reproduced in any form or by any means or transferred to any third party without the prior written consent of NextLabs, Inc. NextLabs, Compliant Enterprise, Enterprise DLP, and ACPL are trademarks or registered trademarks of NextLabs, Inc. in the United States. All other trademarks or registered trademarks are the property of their respective owners.

2 Waters Park Drive, Suite 250  San Mateo, CA 94403 USA  t: 650-577-9101  f: 650-577-9102