SharePoint and Compliance…Oil and Water or Milk and Cookies?
Agenda
o About
o Security Redux
  o Permissions
  o Authentication
  o Content/Access Control
o Compliance
  o Alphabet Soup
  o The road to Compliance
  o Compliance Specifics
o Review
Obligatory Self Promotion
Matt Barrett, Senior Solutions Engineer - Axceler
- 6 years in security, 2 in SharePoint
- Worked on the Metasploit project
- Security Evangelist
- Compliance Expert
Twitter: @mrbarrett
LinkedIn: www.linkedin.com/mrb08
Axceler Overview
Liberating collaboration in the social enterprise through visibility and control
• Have been delivering award-winning administration and migration software since 1994
• 3000 Customers Globally
Dramatically improve SharePoint Management
• Innovative products that improve security and scalability
• Making IT more effective and efficient and lowering the total cost of ownership
Focus on solving specific SharePoint problems
• Coach enterprises on SharePoint best practices
• Give administrators the most innovative tools available
• Deliver "best of breed" offerings
Security Redux: Governance
How are you using SharePoint?
• Document Repo vs. Core Business
• Few select users or everybody?
What secure content do you have?
• Where is it?
Security Redux: Governance
Authentication Methods
• Windows Authentication
  – NTLM
  – Kerberos
  – Digest
  – Basic
• SP Groups (note: SharePoint groups are an authorization construct layered on top of whichever authentication method is in use, not an authentication method themselves)
• Claims
  – SAML tokens
  – Forms-based
    – AD DS
    – LDAP
Security Redux: Governance
What can be secured?
• Sites
• Libraries/Lists
• Folders
• Documents/Items
Security Redux: Governance
Management Challenges
• Distributed vs. Centralized
• Whose responsibility is it?
Security Redux: Security vs. Compliance
Typical Best Practices vs. Compliance Best Practices
• Visitors
• Members
• Read only?
• Sites, Lists, Libraries share most permissions
• Sensitive data is separated from normal data (typically this is all you need)
Compliance Changes Things…
Plan your work, work your plan
Compliance – Alphabet Soup (HIPAA, SOX, PCI)
o Sarbanes-Oxley Act (SOX Compliance)
o Healthcare Services (HIPAA)
o Financial Services (GLBA)
o California Senate Bill No. 1386
o NERC Cyber Security Standards
o Visa Cardholder Information Security Program
o MasterCard Site Data Protection Program
o American Express Data Security Standard
Compliance Fact Sheet (HIPAA, SOX, PCI)
• 45 states (including CA) have some form of data breach law
• All different, but all require protection of PII (Personally Identifiable Information)
What is PII?
• Full Name
• National ID number
• IP address (in some cases)
• License Plate Number
• Driver's License Number
• Face, Fingerprints or Handwriting
• Credit Card Numbers!!
• Date of Birth
• Birthplace
• Genetic information
Where Does This Come From? NIST SP 800-53
NIST (National Institute of Standards and Technology) SP 800-53 security controls:
• Access Enforcement (AC-3)
• Separation of Duties (AC-5)
• Least Privilege (AC-6)
• Limiting Remote Access (AC-17)
• Protecting information at rest through the use of encryption (SC-28)
Breaches are Costly! (HIPAA, SOX, PCI)
• Sony – 77 million customer accounts exposed (April 2011), estimated cost $171m to fix
• Fortune 50 leader in Aerospace – fined $75m for leaking helicopter part information
• Breaches cost on average $6m+ (Source: Ponemon Institute)
Compliance Changes Things…
It's far more expensive to certify than to secure...
• Best Advice: Limit your scope!
Step 1: Define Your (forced) Compliance Goals!
• Security vs. Efficiency Paradox
• Trust but Verify
Step 1: Define Your Compliance Goals!
Understand your Benchmarks
• What current business processes could potentially be affected?
• Optimization "ripples"
• Efficiency theories
• Collaboration? Is it compliant?
Step 1: Define Your Compliance Goals!
Quickest is not always best
• Take your time
• Far cheaper in the long run
• Shortcuts lead to breaches
• Breaches lead to sad
Step 2: Commit (Pilot, Review, Deploy)
Building from Scratch vs. Adaptation
• "You can tailor a framework to a regulation, but you can't tailor a regulation to a framework"
Step 2: Commit (Dev, Staging)
Build Your Pilot
• Separate server
• No real data
• Study!
• Gap Analysis
Step 2: Commit (Dev, Staging)
Bring More Cooks into the Kitchen
• Legal
• Security Team
• Consultants (if necessary)
Step 3: Assimilate (Test, Verify)
Once You're Sure...
• After Gap Analysis
• Dev to Staging
• Typically single-server
• Introduce Pilot Users (try to break it)
• Penetration Test
• Production
Step 4: Maintain (Server, SharePoint, Users)
Compliance one day doesn't guarantee compliance the next...
• Monitor
  – Service Packs
  – User Activity
  – Confirmation of Permissions
• Monitor Regulations
  – They Change!
Step 4: Maintain (Server, SharePoint, Users)
Every new element needs to be vetted
• One insecure element makes EVERYTHING insecure
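The "What can be secured?" slide lists the objects that can carry their own permissions (sites, lists/libraries, folders, items), and the Maintain step asks for periodic "Confirmation of Permissions". The script below is an added example for that confirmation step; it is not from the deck or from Axceler's products. It walks every site collection, records each securable object that breaks permission inheritance, and writes a CSV that can be diffed against the last approved baseline. It assumes SharePoint Server on-premises with the SharePoint Management Shell (the Microsoft.SharePoint.PowerShell snap-in and server object model); the output path is an assumption.

```powershell
# Added example (not deck or vendor code): inventory every SharePoint securable
# object with unique (non-inherited) role assignments for periodic permission review.
# Assumes SharePoint Server on-premises; run from the SharePoint Management Shell
# as a farm administrator. The report path below is an assumption.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$report = New-Object System.Collections.Generic.List[object]

# Record one row per role assignment on an object that breaks inheritance.
function Add-ScopeEntries {
    param($Securable, [string]$Url, [string]$Kind)
    foreach ($ra in $Securable.RoleAssignments) {
        $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';'
        $report.Add([pscustomobject]@{
            Kind      = $Kind
            Url       = $Url
            Principal = $ra.Member.Name
            IsGroup   = ($ra.Member -is [Microsoft.SharePoint.SPGroup])
            Roles     = $roles
        })
    }
}

foreach ($site in Get-SPSite -Limit All) {
    foreach ($web in $site.AllWebs) {
        if ($web.HasUniqueRoleAssignments) {
            Add-ScopeEntries -Securable $web -Url $web.Url -Kind 'Web'
        }
        foreach ($list in $web.Lists) {
            if ($list.Hidden) { continue }
            if ($list.HasUniqueRoleAssignments) {
                Add-ScopeEntries -Securable $list -Url ($web.Url + '/' + $list.RootFolder.Url) -Kind 'List'
            }
            # Folder- and item-level breaks are the ones that drift quietly, so
            # enumerate every item (folders included) and check each one.
            $query = New-Object Microsoft.SharePoint.SPQuery
            $query.ViewAttributes = 'Scope="RecursiveAll"'
            foreach ($item in $list.GetItems($query)) {
                if ($item.HasUniqueRoleAssignments) {
                    Add-ScopeEntries -Securable $item -Url ($web.Url + '/' + $item.Url) -Kind 'Item'
                }
            }
        }
        $web.Dispose()
    }
    $site.Dispose()
}

$report | Export-Csv -Path 'C:\Reports\sp-unique-permissions.csv' -NoTypeInformation

# Review queue: rights granted directly to individual users instead of groups,
# and any Full Control grant, are the entries most worth a second look.
$report | Where-Object { -not $_.IsGroup -or $_.Roles -match 'Full Control' } |
    Sort-Object Kind, Url | Format-Table -AutoSize
```

Run it on the same schedule as the service-pack and user-activity reviews, keep the CSV from the last approved run, and compare; a new row is a permission break that has not yet been vetted, which is exactly the "every new element" the slide warns about. Enumerating every item in every list is expensive on large farms, so scope the `Get-SPSite` call to the web applications that hold regulated data if the full walk takes too long.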
Compliance Generalities
Compliance follows common themes... the CIA Triad
• Confidentiality
• Integrity
• Availability
Compliance Specifics: HIPAA
Data must always be encrypted
• In transit, at rest
• SSL/TLS for data in transit
Data must never be lost
• DR Plan
Data must only be accessible by authorized personnel
• Access Control/Authentication
• User Security
• Password Policies
• New Employee Procedures
Compliance Specifics: HIPAA
Data must never be tampered with or altered
• Audit controls/integrity
• Unauthorized modification prevention
Data should be encrypted if being stored/archived
• Transparent SQL DB encryption
Data can be permanently disposed of when no longer needed
• Remember: Health records must be stored for 6 years
• Document retention policies
Compliance Specifics: SOX
All data must be...
• Stored
• Retained
• Secured
• Audited
Proof of internal controls
• Plans
• Framework
• Disclosure
Compliance Specifics: PCI
"If it touches something that stores or processes credit cards, it falls into the compliance scope"
• Pen Testing
• External environment scanning
• Gap Analysis (PCI DSS)
• Document management system
Conclusion
Compliance changes things slightly...
• Fines are off the charts
• More work
• More diligence
Thank You!
Learn more about Axceler Solutions
• www.axceler.com
• Matthew.email@example.com