SharePointlandia 2013: SharePoint and Compliance

645 views

Published on

How does security compliance translate into the SharePoint world? The presentation outlines security basics, specific compliance requirements, and the real-time application of that compliance to SharePoint.

Published in: Technology
  1. SharePoint and Compliance…Oil and Water or Milk and Cookies?
  2. Agenda
     • About
     • Security Redux
       – Permissions
       – Authentication
       – Content/Access Control
     • Compliance
       – Alphabet Soup
       – The road to Compliance
       – Compliance Specifics
     • Review
  3. Matt Barrett, Senior Solutions Engineer, Axceler (obligatory self promotion)
     • 6 years in security, 2 in SharePoint
     • Worked on the Metasploit project
     • Security Evangelist
     • Compliance Expert
     • Twitter: @mrbarrett
     • LinkedIn: www.linkedin.com/mrb08
  4. Axceler Overview: liberating collaboration in the social enterprise through visibility and control
     • Have been delivering award-winning administration and migration software since 1994
     • 3000 customers globally
     • Dramatically improve SharePoint management
       – Innovative products that improve security and scalability
       – Making IT more effective and efficient and lowering the total cost of ownership
     • Focus on solving specific SharePoint problems
       – Coach enterprises on SharePoint best practices
       – Give administrators the most innovative tools available
       – Deliver “best of breed” offerings
  5. Security Redux: Governance
     • How are you using SharePoint?
       – Document repository vs. core business
       – A few select users or everybody?
     • What secure content do you have?
       – Where is it?
  6. Security Redux: Authentication Methods
     • Windows Authentication
       – NTLM
       – Kerberos
       – Digest
       – Basic
     • Claims
       – SAML tokens
     • Forms-based
       – AD DS
       – LDAP
     • SP Groups (strictly an authorization construct: a SharePoint group decides what an already-authenticated identity may do, not who that identity is)
  7. Security Redux: What can be secured?
     • Sites
     • Libraries/Lists
     • Folders
     • Documents/Items
     Each of these can break permission inheritance from its parent, so every level is a place where access must be tracked.
  8. Security Redux: Management Challenges
     • Distributed vs. centralized permission management
  9. Security Redux: Management Challenges
     • Distributed vs. centralized?
     • Whose responsibility is it?
  10. Security Redux: Typical Best Practices vs. Compliance Best Practices
     • Visitors
     • Members
     • Read only?
  11. Security Redux: Typical Best Practices vs. Compliance Best Practices
     • Sites, lists and libraries share most permissions
     • Sensitive data is separated from normal data (typically this is all you need)
  12. Compliance Changes Things… Plan your work, work your plan
  13. Compliance – Alphabet Soup (this talk focuses on HIPAA, SOX and PCI)
     • Sarbanes-Oxley Act (SOX)
     • Healthcare (HIPAA)
     • Financial Services (GLBA)
     • California Senate Bill No. 1386
     • NERC Cyber Security Standards
     • Visa Cardholder Information Security Program
     • MasterCard Site Data Protection Program
     • American Express Data Security Standard
  14. Compliance Fact Sheet
     • 45 states (including CA) have some form of data breach law
     • All different, but all require protection of PII (Personally Identifiable Information)
  15. What is PII?
     • Full name
     • National ID number
     • IP address (in some cases)
     • License plate number
     • Driver’s license number
     • Face, fingerprints or handwriting
     • Credit card numbers!!
     • Date of birth
     • Birthplace
     • Genetic information
  16. Where Does This Come From? NIST (National Institute of Standards and Technology) SP 800-53
     • Access Enforcement (AC-3)
     • Separation of Duties (AC-5)
     • Least Privilege (AC-6)
     • Limiting Remote Access (AC-17)
     • Protecting information at rest through the use of encryption (SC-28)
  17. Breaches are Costly!
     • Sony – 77 million user accounts exposed (April 2011), cost $171m to fix
     • Fortune 50 leader in aerospace – fined $75m for leaking helicopter part information
     • Breaches cost on average $6m+ (source: Ponemon Institute)
  18. Compliance Changes Things… It’s far more expensive to certify than to secure...
     • Best advice: limit your scope!
  19. Step 1: Define Your (forced) Compliance Goals!
     • Security vs. efficiency paradox
     • Trust but verify
  20. Step 1: Define Your Compliance Goals! Understand your benchmarks
     • What current business processes could potentially be affected?
     • Optimization ”ripples”
     • Efficiency theories
     • Collaboration? Is it compliant?
  21. Step 1: Define Your Compliance Goals! Quickest is not always best
     • Take your time
     • Far cheaper in the long run
     • Shortcuts lead to breaches
     • Breaches lead to sad
  22. Step 2: Commit (diagram: Pilot → Review → Deploy). Building from scratch vs. adaptation
     • ”You can tailor a framework to a regulation, but you can’t tailor a regulation to a framework”
  23. Step 2: Commit. Build your pilot
     • Separate server
     • No real data
     • Study!
     • Gap analysis
  24. Step 2: Commit. Bring more cooks in the kitchen
     • Legal
     • Security team
     • Consultants (if necessary)
  25. Step 3: Assimilate
  26. Step 3: Assimilate. Once you’re sure...
     • After gap analysis
     • Dev to staging
     • Typically single-server
     • Introduce pilot users (try to break it)
     • Penetration test
     • Production
  27. Step 4: Maintain (diagram layers: Server, SharePoint, Users). Compliance one day doesn’t guarantee compliance the next...
     • Monitor
       – Service packs
       – User activity
       – Confirmation of permissions
     • Monitor regulations
       – They change!
  28. Step 4: Maintain. Every new element needs to be vetted
     • One insecure element makes EVERYTHING insecure
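“Confirmation of permissions” in Step 4 is only practical if you can enumerate where inheritance has been broken (slide 7: sites, libraries, folders, items) and who holds what there. The script below is an added example written for this page; it is not part of the deck and not an Axceler product. It walks every site collection in one web application with the SharePoint Server object model, reports each web and list that has unique role assignments, and flags any broad principal (Everyone, all authenticated users) that holds a write-capable level, which is exactly the “read only?” question from slide 10. Assumptions not taken from the slides: a SharePoint 2010/2013 on-premises farm, the SharePoint Management Shell run by a shell admin, and the placeholder values `$WebAppUrl` and `$OutCsv`.

```powershell
# Added example, not from the slides: inventory unique-permission scopes in one
# SharePoint web application and flag broad principals with write access.
# Assumptions: SharePoint Management Shell on a farm server, shell-admin rights;
# $WebAppUrl and $OutCsv are hypothetical placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl = "http://sharepoint.contoso.local"   # hypothetical web application URL
$OutCsv    = "C:\Temp\unique-permissions.csv"     # hypothetical output path

# Built-in permission levels that allow changing content; a Visitor should hold Read only.
$WriteLevels = @("Full Control", "Design", "Contribute", "Edit")

# Principals that should never hold a write level on compliance-scoped content.
# Claims-encoded forms: c:0(.s|true is Everyone, c:0!.s|windows is All Authenticated Users.
$BroadPatterns = @("Everyone", "*authenticated users*", "c:0(.s|true", "c:0!.s|windows")

function Test-BroadPrincipal {
    param([Microsoft.SharePoint.SPPrincipal]$Principal)
    $names = @($Principal.Name)
    if ($Principal -is [Microsoft.SharePoint.SPUser]) { $names += $Principal.LoginName }
    foreach ($n in $names) {
        foreach ($p in $BroadPatterns) { if ($n -like $p) { return $true } }
    }
    return $false
}

function Get-ScopeRows {
    # One row per role assignment on a securable object that has unique permissions.
    param($Securable, [string]$SiteUrl, [string]$ScopeType, [string]$ScopeUrl)
    foreach ($ra in $Securable.RoleAssignments) {
        $levels   = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        $hasWrite = (@($levels | Where-Object { $WriteLevels -contains $_ }).Count -gt 0)
        $finding  = ""
        if ($hasWrite -and (Test-BroadPrincipal $ra.Member)) { $finding = "BROAD-WRITE" }
        New-Object PSObject -Property @{
            Site      = $SiteUrl
            ScopeType = $ScopeType
            Scope     = $ScopeUrl
            Principal = $ra.Member.Name
            Levels    = ($levels -join "; ")
            Finding   = $finding
        }
    }
}

function Get-UniquePermissionReport {
    param([string]$Url)
    $rows = @()
    foreach ($site in (Get-SPSite -WebApplication $Url -Limit All)) {
        foreach ($web in $site.AllWebs) {
            # The root web of a site collection always reports unique assignments;
            # every subweb listed here has explicitly broken inheritance.
            if ($web.HasUniqueRoleAssignments) {
                $rows += Get-ScopeRows $web $site.Url "Web" $web.Url
            }
            foreach ($list in $web.Lists) {
                if ($list.HasUniqueRoleAssignments) {
                    $listUrl = $web.Url + "/" + $list.RootFolder.Url
                    $rows += Get-ScopeRows $list $site.Url "List" $listUrl
                }
            }
            $web.Dispose()   # SPWeb and SPSite hold unmanaged resources; always dispose
        }
        $site.Dispose()
    }
    return $rows
}

$report = Get-UniquePermissionReport $WebAppUrl
$report | Export-Csv -Path $OutCsv -NoTypeInformation
"Unique-permission scopes found: " + @($report | Select-Object -Property Scope -Unique).Count
$report | Where-Object { $_.Finding } | Format-Table Scope, Principal, Levels -AutoSize
```

The CSV is the artifact to keep from run to run: a diff between two runs is the “confirmation of permissions” evidence, and any new BROAD-WRITE row is a finding to chase. Folder- and item-level breaks (the last two levels on slide 7) are not walked here; extending the loop over `$list.Items` and checking `HasUniqueRoleAssignments` on each item works the same way but is expensive on large libraries, so run it only against the libraries that hold regulated data.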
  29. Compliance Generalities: the CIA triad. Compliance follows common themes...
     • Confidentiality
     • Integrity
     • Availability
  30. Compliance Specifics: HIPAA
     • Data must always be encrypted
       – In transit, at rest
       – SSL/TLS
     • Data must never be lost
       – DR plan
     • Data must only be accessible by authorized personnel
       – Access control/authentication
       – User security
       – Password policies
       – New employee procedures
  31. Compliance Specifics: HIPAA
     • Data must never be tampered with or altered
       – Audit controls/integrity
       – Unauthorized modification prevention
     • Data should be encrypted if being stored/archived
       – Transparent SQL Server database encryption (TDE) on the content databases
     • Can be permanently disposed of when no longer needed
       – Remember: HIPAA requires its required documentation to be retained for 6 years; retention periods for the medical records themselves are set by state law
       – Document retention policies
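Slide 31 names transparent SQL database encryption as the at-rest control for archived data. The following is an added example written for this page (not from the deck) showing what turning that on for one SharePoint content database actually involves, including the step most often skipped: backing up the certificate, without which an encrypted database cannot be restored anywhere else. Assumptions not taken from the slides: a SQL Server edition that supports TDE (Enterprise in the SQL 2008 R2/2012 era), `Invoke-Sqlcmd` from the SQLPS module, a sysadmin login, and hypothetical placeholder values for the instance, database, certificate name and backup path; the passwords are prompted for rather than stored in the script.

```powershell
# Added example, not from the slides: enable SQL Server Transparent Data
# Encryption (TDE) on a SharePoint content database and verify the result.
# Assumptions: TDE-capable SQL Server edition, SQLPS module, sysadmin login;
# $Instance, $ContentDb, $CertName and $BackupDir are hypothetical placeholders.
Import-Module SQLPS -DisableNameChecking

$Instance  = "SQL01\SHAREPOINT"       # hypothetical SQL instance
$ContentDb = "WSS_Content_HIPAA"      # hypothetical content database
$CertName  = "TdeCert_SharePoint"     # hypothetical certificate name
$BackupDir = "\\backup01\tde"         # hypothetical; keep it off the SQL host
$MasterKeyPw = Read-Host -Prompt "Database master key password"
$PvkPw       = Read-Host -Prompt "Certificate private-key backup password"

# Single-quoted here-string: $(name) tokens are sqlcmd variables filled in by
# Invoke-Sqlcmd -Variable, not PowerShell subexpressions. Each object is created
# only if missing, so the script is safe to re-run.
$EnableTde = @'
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$(MasterKeyPw)';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = '$(CertName)')
BEGIN
    CREATE CERTIFICATE [$(CertName)] WITH SUBJECT = 'TDE for SharePoint content databases';
    -- Without this backup an encrypted database can never be restored elsewhere.
    BACKUP CERTIFICATE [$(CertName)] TO FILE = '$(BackupDir)\$(CertName).cer'
        WITH PRIVATE KEY (FILE = '$(BackupDir)\$(CertName).pvk',
                          ENCRYPTION BY PASSWORD = '$(PvkPw)');
END;
USE [$(ContentDb)];
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE [$(CertName)];
ALTER DATABASE [$(ContentDb)] SET ENCRYPTION ON;
'@

$vars = @("MasterKeyPw=$MasterKeyPw", "PvkPw=$PvkPw", "CertName=$CertName",
          "ContentDb=$ContentDb", "BackupDir=$BackupDir")
Invoke-Sqlcmd -ServerInstance $Instance -Query $EnableTde -Variable $vars

# Verify: encryption_state 3 = encrypted (2 = background scan still running),
# and pvt_key_last_backup_date must not be NULL before the change is signed off.
$Verify = @'
SELECT d.name, d.is_encrypted, k.encryption_state, k.key_algorithm, k.key_length,
       c.name AS certificate_name, c.pvt_key_last_backup_date
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
LEFT JOIN master.sys.certificates AS c ON c.thumbprint = k.encryptor_thumbprint
WHERE d.name = '$(ContentDb)';
'@
Invoke-Sqlcmd -ServerInstance $Instance -Query $Verify -Variable "ContentDb=$ContentDb" | Format-List
```

Two caveats a practitioner should carry into the gap analysis. First, TDE protects the data and log files and their backups at rest only: any login with read rights on the database, including the SharePoint service account, still sees plaintext, so it does nothing for the access-control bullets on slide 30. Second, it does not cover content SharePoint keeps outside the database, such as Remote BLOB Storage stores or the search index files on disk, which need their own at-rest control. Back up the database master key as well (`BACKUP MASTER KEY`) and keep both passwords in the organization’s secret store, not in the script.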
  32. Compliance Specifics: SOX
     • All data must be...
       – Stored
       – Retained
       – Secured
       – Audited
     • Proof of internal controls
       – Plans
       – Framework
       – Disclosure
  33. Compliance Specifics: PCI
     “If it touches something that stores or processes credit cards, it falls into the compliance”
     • Pen testing
     • External vulnerability scanning (PCI DSS requires quarterly external scans by an Approved Scanning Vendor)
     • Gap analysis (PCI DSS)
     • Document management system
  34. Conclusion. Compliance changes things slightly...
     • Fines are off the charts
     • More work
     • More diligence
  35. Thank You! Learn more about Axceler Solutions
     • www.axceler.com
     • Matthew.barrett@axceler.com
