Ferraz Itp368 Optmizing Information Security


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Ferraz Itp368 Optmizing Information Security

    1. 1. Optimizing Information Security IS 301
    2. 2. Mark Ferraz <ul><ul><li>SolutionsMark </li></ul></ul><ul><ul><li>Houston, TX </li></ul></ul><ul><ul><li>www.solutionsmark.com mark@solutionsmark.com </li></ul></ul><ul><ul><li>President, SolutionsMark. Mark is an Senior Information Architect and Developer specializing in Information Management, Collaboration Tools, and Knowledge Management systems for medium to large enterprises. Mark has over ten years of experience designing, managing, and implementing complex technology projects involving application implementation, supporting infrastructure, custom development, and integration. Most recently Mark has been working with the team at Chevron as the Technical Development Lead for one of the largest SharePoint deployments to date. </li></ul></ul>
    3. 3. Tom Wisnowski <ul><ul><li>Microsoft </li></ul></ul><ul><ul><li>Phoenix, AR </li></ul></ul><ul><ul><li>www.microsoft.com [email_address] </li></ul></ul><ul><ul><li>Tom Wisnowski is a senior consultant with Microsoft Consulting Services specializing in Enterprise Architecture and Strategy, Information Worker Solutions, BI and analysis solutions, Enterprise Application Integration and Custom Application Development. Tom has utilized his range of expertise on numerous enterprise engagements during his 10 year career in IT and continues to play pivotal roles in solution delivery including architect, strategist, team lead and technology specialist. Tom is a Microsoft Certified Solution Developer, Microsoft Certified System Engineer, Microsoft Certified Database Administrator and holds a Bachelor's degree in computer science. </li></ul></ul>
    4. 4. Session Discussion <ul><li>What is Information Security </li></ul><ul><li>Clarity on how information security relates to SharePoint implementation </li></ul><ul><li>Direction when and what elements of SharePoint help you Secure information appropriately </li></ul><ul><li>Confidence to direct and implement SharePoint Security </li></ul>
    5. 5. *
    6. 7. Confidentiality <ul><li>Value </li></ul><ul><li>Industrially sensitive </li></ul><ul><li>Proprietary </li></ul><ul><li>Concerns matter of security </li></ul><ul><li>Risk </li></ul><ul><li>Private </li></ul><ul><li>Shared with the expectation of privacy or confidentiality </li></ul>Losing Control of Information can be disastrous! The information must be managed and secured commensurate to its Risk and Value. *
    7. 8. Information Classification <ul><li>Schema </li></ul><ul><li>Public </li></ul><ul><li>Internal </li></ul><ul><li>Confidential </li></ul><ul><li>Secret </li></ul><ul><ul><li>Considerations </li></ul></ul><ul><ul><li>Storage </li></ul></ul><ul><ul><li>Transmission </li></ul></ul><ul><ul><li>Disposal </li></ul></ul>Definition here
    8. 9. Information Classification <ul><li>All information has an owner </li></ul><ul><li>All information is classified as confidential by default </li></ul><ul><li>Owner Responsibilities: </li></ul><ul><ul><li>Updating the classification </li></ul></ul><ul><ul><li>Declaring who is allowed access to the information </li></ul></ul><ul><ul><li>Securing the information, or for seeing that it is properly secured by the administrator </li></ul></ul>
    9. 10. Best Practices <ul><li>Design </li></ul><ul><ul><li>Look to existing standards within your organization or the marketplace </li></ul></ul><ul><ul><li>Keep it simple (classification and implementation) </li></ul></ul><ul><li>Implementation </li></ul><ul><ul><li>Use site content types and site columns at the root of each site collection to implement information classification </li></ul></ul><ul><ul><li>Could be duplicated automatically using features </li></ul></ul>
    10. 11. Content Type
    11. 12. Site Column
    12. 13. User Created Library
    13. 14. <ul><li>Information Classification in Action </li></ul>
    14. 16. Integrity <ul><li>Proper information integrity involves ensuring that data cannot be added, deleted, or changed without proper authorization. </li></ul><ul><li>The enforcement of integrity within information systems is generally provided via access control and permissions. </li></ul>
    15. 17. SharePoint Groups vs Active Directory Groups The Million Dollar Question
    16. 18. SharePoint Groups vs Active Directory Groups <ul><li>SharePoint Groups </li></ul><ul><li>Native to SharePoint and setup within a site </li></ul><ul><li>Membership can be displayed and/or managed </li></ul><ul><li>Will not scale across site collections </li></ul><ul><li>Active Directory Groups </li></ul><ul><li>Provide additional manageability and scalability </li></ul><ul><li>Membership cannot be displayed and/or managed </li></ul><ul><li>Restricts specific functionality </li></ul>IT DEPENDS
    17. 19. SharePoint Groups
    18. 20. Default Groups
    19. 21. Web Application Policy
    20. 22. Common Audience / Usage Combinations Usage Audience Security Team Collaboration Workspaces Member Equal viewers/contributors SharePoint Groups Publishing Site Wide Many viewers, few contributors Active Directory Groups Records Center Managed Controlled, role-specific access Both
    21. 23. Inheritance
    22. 24. Inheritance Web Application Http://<web-application.fabrikam.com/ Web Application Security Policy Site Collection / -or- /<Site Collection>/ Top Site Security Permissions Sub-Site /<Sub Site> Sub Site Security Permissions
    23. 25. Best Practices <ul><li>Select your security approach based on: </li></ul><ul><ul><li>Audience </li></ul></ul><ul><ul><li>Usage </li></ul></ul><ul><li>Use SharePoint Groups to control member/contributor access when ever possible </li></ul><ul><li>Avoid break inheritance </li></ul><ul><li>Use web application policy where appropriate </li></ul>
    24. 27. Authenticity <ul><li>Validity of user activity and information in the system is critical to ensuring authenticity. </li></ul><ul><li>Includes all information and communications into and out of the system, including both process and user identification. </li></ul><ul><li>Options are configured at the Farm and Web Application Level </li></ul>
    25. 28. Best Practices <ul><li>Use separate service accounts for each service/application pool </li></ul><ul><li>Separate dedicated clearing house for external data </li></ul><ul><li>Use Windows Integrated Authentication for internal users and services </li></ul>
    26. 30. Thank you for attending! Please be sure to fill out your session evaluation!
    27. 31. Thank you for attending! Please be sure to fill out your session evaluation! <ul><li>Post conference DVD with all slide decks </li></ul>Sponsored by