SharePoint In The Cloud: Evaluating Impact, Pros, And Cons - SharePoint Saturday Philly

SharePoint In The Cloud
Evaluating Impact, Pros, and Cons

Presented By: Richard Harbridge
#SPSPhilly @RHarbridge


Thanks To Our Sponsors!


SharePoint User Group

• SharePoint
• End Users
• Administrators
• Architects
• Developers
• IT Pros
• Meetings: 2nd Tuesday of the month, Microsoft Malvern, 5:30-8 pm

WEB: www.TriStateSharePoint.org
EMAIL: info@TriStateSharePoint.org
TWITTER: @tristateSP


SharePoint Network
• Are you an independent consultant or remote worker
who deals with SharePoint, Office or Office365?
• Do you sometimes feel cut off from the rest of the
SharePoint world?
• Do you need help with technical or business issues, or
just want the chance to socialize with others?

If so, then the SharePoint Network might be for you!
www.SharePointNetwork.org


Who am I?

Boston
Washington


Our Goal Today…

From Here To Here


What Will We Cover Today?
• Why is SharePoint in the Cloud?
• What is SharePoint in the Cloud?
• What is Office 365?
• Concerns in the Cloud?
• Evaluating Cloud Providers


Why is SharePoint
in the Cloud?


Minimal Entry Cost


Pay Per Use


Shift From CAPEX to OPEX


Providers Leverage Scale for Discounts


The Outcome
Cloud enables on-demand computing
resources to be rapidly provisioned with
minimal management effort.


What to watch out for…
While cloud is for everyone, it is not for
everything (until solutions, usage and
standards mature).


What is SharePoint
in the Cloud?


SharePoint Cloud Models
Trusted Un-trusted
All-in
Hybrid Hybrid
SharePoint 2010 Collaboration Scenarios Exchange 2010
Doc Management

Exchange 2010 Lync 2010
MySites

Lync 2010 Extranet
Extranet
Public Facing Websites Public Facing Websites

Demo/Dev/Test/Prod
Demo/Dev/Test/Prod Demo/Dev/Test

External Identity Provider Single Sign On (ADFS) External Identity Provider

Dedicated/Shared
#SPSPhilly @RHarbridge Dedicated/Shared Dedicated/Shared

SharePoint Extranet
On Premise Hosted Externally Hosted
Environment Environment
You Manage Firewall They Manage Firewall
Exceptions/Access to Exceptions (most cases fully
Environment public facing)/Access to
Environment.
You provision a new identity They provision an identity
store. You manage two store. You still may manage
identity stores. aspects of it based on
business need.
You support the environment They typically support the
infrastructure. environment infrastructure.
You plan for and invest in You pay for what you use
sizable up front costs installing under their planned structures
and configuring the (typically OPEX vs CAPEX).
environment.

Amazon and SharePoint


Azure and SharePoint


What is Office 365?
(Standard/Shared Hosting)


Getting Office 365 (or BPOS)
Dedicated Evaluation Criteria
• Do you have less than 5000 people?

Not for you. 


But You Still Want Dedicated?

• SPLA (Server Provider License
Agreement) – Means hosting
companies can offer competitive
‘dedicated’ hosting scenarios at
lower costs.

This is for you. 

Office 365 Marketing?


What does moving to Office365 mean?

• Single Architecture

• Initial deploy is still required to migrate data to Office 365
• AD clean up and network upgrade is often required
• Hybrid phasing is often prolonged period of discomfort.

• Balance between continuous innovations and minimize change
• Customer controls IT policies but not feature availability

• Understand your internal security and privacy requirements

Office 365 Feature Parity (Before 2013)

Now Available with some caveats…
• No external data search
• No rich client integration
• No profile pages
• No direct connectivity to SQL Azure without a WCF endpoint.

More Stuff Missing? (Before 2013)
• Project Server
• Power Pivot
• Secure Store Service
• Full Trust Solutions
• Not all Sandbox Solutions work? *

#SPSPhilly @RHarbridge -
* Maurice Prather
http://www.bluedoglimited.com/SharePointThoughts/ViewPost.aspx?ID=331

SharePoint Online Grows up in in the
coming release
Gest BCS
Links Translation
Improvem eDiscovery
Workflow ents
2013 Services
(Direct to
SQL Azure)
deep

exchange online, lync online &
New Cloud link

office subscription
UX app
Hybrid model
Search Power all new
Shell features Quick SkyDrive
+
Records
designed for Preview Pro

Center the Cloud
MDS PowerPiv
Quick ot /
Edit Power Mobile
View apps
Dev
OData Site Site
Project Mailbox
refiners
Online

… and more.


So What is Still Different in 2013?
SharePoint Online Feature Availability -
http://technet.microsoft.com/en-
SharePoint Online us/library/jj819267.aspx SharePoint 2013

Analytics,
BI Excel Services, Power View, PowerPivot
PerformancePoint
Deep refinement,
Search People/Expertise, hover card, enterprise search
enhance relevancy

Developer Cloud app model, Sandbox, CSOM, BCS Full-trust code, BCS+

Admin Tenant-level, PowerShell, IRM, Recycle Bin Central Administration

Cross-site scripting,
Internet Public Website, Design Manager, apps/store
content by search
eDiscovery, Records Center, Site Mailbox, Mobile, Newsfeed, Follow, #, @
ECM / Social
dot dot dot


Hybrid Co-Existence
Scenario Works Out of Box?
SharePoint: Search Yes (Federated)
SharePoint: BCS Yes (WCF Effort Required, No
Profiles and BCS Search)
SharePoint: Other Services No (Though Guidance Coming)
(MMS, Workflow etc)
Exchange Integration Limited (eDiscovery, Site
Mailboxes, Task Synch – Read
Documentation)
Lync Integration Yes (Presence etc)


Configuration Overview (High Level)
Office 365

Reverse Proxy and
Certificate Auth

UAG

Dirsync

MSOL Tools
Identity Provider Dirsync and Tools Servers

2013 MSOL Tools
ADFS Servers
Config Secure Store oAuth Trust
SharePoint Servers

Licensing Matters


Licensing Summary
Name Price (Per User/Month) Details
P – Professional $6.00
and Small Biz P = Limited toLync, SharePoint, Office users.
Exchange,
Apps less than 50 Web
E1 – Enterprise $8.00 Exchange, Lync, SharePoint, Yammer Ent
E2 – Enterprise $14.00 E1 + Office Web Apps
E3 – Enterprise $20.00 E2 + Office Pro Plus, BCS, Excel Services,
InfoPath Services, Visio Services, & Access
Services
E4 – Enterprise $22.00 E3 + Voice Capabilities (VOIP Stuff)
K1 – Kiosk Worker $4.00 Exchange, SharePoint, Office Web Apps
(View Only)
K2 – Kiosk Worker $8.00 Exchange, SharePoint, Office Web Apps

E/K - You can split your users (for cost savings).

Choosing Enterprise

Only Enterprise has SSL (Both have it on sign in process.)

Quick Example
100 Users… Business Wants…
• SharePoint 2010 Enterprise
E3 - $20 per user per month… • Lync 2010
• Exchange 2010
$24,000.00 per year… • Office 2010 Professional

Office 365 E3 Over 3 Years On Premises On Prem Costs (2010):
Year 1 $24,000.00 Year 1 $88,708.00 • $3,500.00 in Services
(Installation/Config)
Year 2 $24,000.00 Year 2 $0.00 • $6,000.00 - Two Servers
Year 3 $24,000.00 Year 3 $0.00 • $79,208.00 – Licensing
Total $72,000.00 Total $88,708.00
Quick Total: $88,708.00
At +4 years = more expensive. Big investment?
Consistent cost? More features/flexibility.
*This is meant as only a simplified example scenario

What About SharePoint Standalone?
Office 365 offers two Standalone plans for SharePoint.

$4.00

$8.00
SP Online P1 Over 3 Years SP Standard On Premises On Prem Costs (2010):
Year 1 $4,800.00 Year 1 $30,849.00 • $2,000.00 in Services
• $6,000.00 - Two Servers
Year 2 $4,800.00 Year 2 $0.00 • $22,849.00 – Max Licensing
Year 3 $4,800.00 Year 3 $0.00
Total $14,400.00
#SPSPhilly @RHarbridge Total $30,849.00 100 Users…

External Users Subscription Licenses
SharePoint Online Partner Access License
The first 10,000 PAL licenses are free. Beyond this there are
negotiated prices/sometimes exceptions are made, etc.

SP Online Over 3 Years SP On Premises
Year 1 $0.00 Year 1 $0.00 (2013)
Year 2 $0.00 Year 2 $0.00
Year 3 $0.00 Year 3 $0.00
Total $0.00 Total $0.00


Understand Additional Costs
Coming soon – Small Business Coming soon – Midmarket Coming soon – Enterprise
Item In-Market - Enterprise
1-50 users 1-250 users 1-500,000+ users

Base tenancy storage allocation 10 GB 10GB 10GB 10GB
Storage per Standard E & P (allocated
to tenant pool) 500 MB/user 500MB/user 500MB/user 500MB/user
SkyDrive Pro
(does not contribute to overall pool) 500 MB/user 7 GB 7 GB 7 GB
Storage per Kiosk Worker 0 0 0 0
Storage per External User 0 0 0 0
Site Collection storage quotas Up to 100 GB Up to 100 GB Up to 100 GB Up to 100 GB
Total max storage per tenant Up to 25 TB Up to 35GB Up to 1.25 TB Up to 25TB
Maximum file upload size 250MB Designing for 2GB Designing for 2GB Designing for 2GB
Site collections (total #)* 300 1 20 3,000
Additional storage $2.50
(per GB per month) $0.20/GB/month $0.20/GB/month $0.20/GB/month
0.20/GB/month*

*Price lowered in the second service update of Office 365 SharePoint Online.


The Outcome
We barely scratched the surface with
SharePoint in the Cloud but have already
seen many ‘trade off’ decision points we
should be aware of.


Without careful planning cloud
providers can cause considerable cost
due to new challenges such as migration
and identity federation.


Concerns
In The Cloud


BPOS to Office 365?
Microsoft is responsible for any changes that happen in its
1. Customers will not have to migratedata; data.
datacenters. Customers will not have to migrate any any
however, customers will be responsible for making sure that
2. client software is have SharePoint 2010
their You need to compliant with the system
requirements. See Office 365 system requirements
compatible client software/systems.
download.microsoft.com/download/A/6/4/A6479925-C7D2-
4C4C-A21B-48BCCF8887A9/FAQ_EN_101010.docx.
3. You have to train users on
the new 2010 interface.
Customers will also be responsible for end-user training and
configuring any new features and capabilities that will be
delivered by Office 365.

http://www.microsoft.com/online/transition-center.aspx

Office 365 – 2013 Upgrade


Identity Options in the Cloud


Unique Development Challenges

How do you deploy a site
structure to #Office365?
• Limited/No PowerShell
• No Console Apps
• No Content Database Copy

Site Templates and Migration
Tools Could Work…

Search Challenges (Before 2013)
No search usage statistics?

Remember!
We
.

A Few Problems After 2013…


Cost Modeling


Security
Can be an issue, but most of the time is not.

The real issue is lack of standards and accountability…

If it’s a bigger and more respectable hosting provider
expect a better level of accountability and security
planning/activity.


Security Program

“We ended up with around 800 preventive, detective and
corrective controls that were physical, administrative and
technical. Then we took the defense-in-depth approach
and put the controls throughout the stack.”
- John Howie, Microsoft

Privacy Program


What is more reliable?


What is the Offline Story?


Service Level Agreements


Support Is Important
As an example Microsoft provides 24/7 support.
Google also provides 24/7 support.

However Google Apps has a rule where only system critical events
that affect more than 50% of users can use their phone support.

Don’t forget that with all cloud based providers – you are also adding
another layer between IT and the business users.

Example Issue:
Can a you put a stop to a providers maintenance schedule so that a
#SPSPhilly @RHarbridge finish a critical deliverable without interruption?
business team can

Termination/Suspension of Service


Other Issues?
• Since the startup costs are lower organizations
can run the risk of not doing enough planning.

• Migrating content can be
extremely difficult depending
on what options are provided
by the ‘cloud provider’.


On Integration


LAN vs WAN


The Outcome
Offloading some management activities
to another provider results in additional
planning and consideration.


Challenges and concerns are different
for every cloud provider.


Evaluating
Cloud Providers


Questions To Ask
Security
• How do I know if my cloud is secure?
• Who will have access to my sensitive data?
• Do I have full ownership of my data?
• What type of employee / contractor screening you do, before you hire
them?
• How do you detect if an application is being attacked (hacked), and
how is that reported to me and my employees?
• How do you control administrator access to the service?
• What firewalls are in place?
• What anti-virus technology is in place?
• Can I get virtual layer 2 networking and a stateful virtual firewall?
Evaluating Cloud Providers

Questions To Ask
Storage
• Where will my data be stored?
• Will my data be replicated to any other datacenters around the world (If
yes, then which ones)?
• What controls do you have in place to ensure safety for my data while it is
stored in your environment?
• Can you tell me where my data physically resides?
• Data Center Location?
• How many live copies of my data are there?
• What happens to my data if I cancel my service?


Questions To Ask
Identity & Access
• Do you offer single sign-on for your services?
• Can I get flexible role-based access control synchronized with my
enterprise directory?
• Do all of my users have to rely on solely web based tools?
• Can users work offline?
• Do you offer a way for me to run your application locally and how
quickly I can revert to the local installation?


Questions To Ask
Reliability & Support
• What is your Disaster Recovery and Business Continuity strategy?
• How do you back up data?
• What is the retention period and recovery granularity?
• Is your Cloud Computing service SAS70 compliant?
• What measures do you provide to assist compliance and minimize legal
risk?
• Who do I contact for support?
• What types of support do you offer?
• Are there additional support options available to me?


Questions To Ask
Performance
• How fast is the local network?
• What is the storage architecture?
• Usually storage will be the slowest link.
• How can I ensure global consistency across cloud service providers?
• How many locations do you have and how are they connected?
• How many IOPS can I expect at each I/O performance level?
• How does your memory access score on the STREAM benchmark?
• How does your virtualization system score on the SPECvirt benchmark?


Questions To Ask
Flexibility (Part 1)
• Am I able to load my own VMs?
• Am I able to install software?
• What virtualization technology is being used?
• Are there additional abstraction layers?
• Can I dynamically add memory and CPU to a cloud VM while it’s running?
• How can I ensure CPU and memory are guaranteed?
• What access protocols are available?
• RDP, VNC, ICA, Console, SSH…
• Over non standard ports?


Questions To Ask
• What configuration options do I have?
• Can I add memory?
• Can I add storage?
• Can I use public IPs?
• What domain name mapping options do I have?
• Can I have multiple environments per user?
• Can I archive environments?
• What supporting tools are there?
• Active directory integration
• User management

Questions To Ask
• Do you offer on-premise, web-based, or mixed environments?
• Will the solution work with what I have in place today?
• What pricing, licensing, and payment options are available to me?
• What are the client requirements?
• How often do these change?
Example: Must I upgrade my browser to take advantage of new
features?


Questions To Ask
Costs
• Can I get predictable service costs that still allow me to scale when I need
to?
• How can I get the cost benefits of multi-tenancy but still access dedicated
infrastructure when I need it?
• How do you define a processor / virtual core / Compute Unit?
• What are your SLAs and how do you compensate when it is not met?
• During maintenance windows? Planned vs surprises
• What happens when there is over subscription?
• Can I leverage my existing Agreements?


Tools You Can Use


Service Management Index
Carnegie Mellon launched an initiative for standardized risk and benefit
comparisons.

It’s called the Cloud Service Measurement Initiative Consortium (CSMIC)

Service Management Index

Cloud Sleuth Viewers

#SPSPhilly @RHarbridge Global Provider View
Cloud Performance Analyzer

Cloud Harmony Benchmarks


Consensus Assessments Initiative


The Outcome
You now have an arsenal of key
questions/tools you can use to evaluate a
cloud provider effectively.


Trust but verify. Carefully review
policies, terms, conditions, and
agreements.


Thank You
Organizers, Sponsors and You for Making this Possible.
Questions? Ideas? Feedback? Contact me:
 Twitter: @RHarbridge
 Blog: http://www.RHarbridge.com
 Email: Richard@RHarbridge.com
 Resources:
700+ SharePoint IA Slides at.. PracticalIntranet.com
130+ SharePoint Standards at.. SPStandards.com
80+ Downloadable Presentations.. SlideShare.com/RHarbridge


Appendix/Resources


Main SharePoint Online marketing site:
http://sharepoint.microsoft.com/en-us/SharePoint-Online/Pages/default.aspx
Primary Office 365 marketing site:
http://www.office365.com
Trials, 100-200 level customer-facing info
Contains info about BPOS suite and SPO
30-Day trial
SharePoint Online developer resource center (MSDN):
http://go.microsoft.com/fwlink/?LinkId=203983
SharePoint Online Administration resource center (TechNet):
http://technet.microsoft.com/sharepoint/gg144571.aspx
‘Help and How-to’ for SharePoint Online (Office.com):
http://office.microsoft.com/redir/FX102052854.aspx


Microsoft Privacy Guidelines for Developing Software Products and Services
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16048

Cloud Computing Security Considerations paper (by Microsoft) can be found here:
http://go.microsoft.com/?linkid=9708479

Office 365: Addressing Cloud Computing Security Considerations
http://download.microsoft.com/download%2F2%2F2%2F0%2F220AE513-4A01-4D95-
9275-11E71215A0C2%2FCloudSecurityConsiderations_MicrosoftOffice365.pdf

Pain Point:
http://community.office365.com/en-us/f/148/t/3388.aspx


Sign Up For Office365 Developer Site (2013)
http://msdn.microsoft.com/en-us/library/fp179924%28v=office.15%29.aspx

Office and SharePoint App Development:
http://msdn.microsoft.com/en-us/library/jj220038%28v=office.15%29.aspx

Available on TechNet - http://aka.ms/oht1dx
On-premises -> SPO configuration steps
Additional details for non-SharePoint steps
Identity provider and SSO
DirSync
MSOL Sign-In Assistant
MSOL Module for Windows PowerShell


Evolution?

Elasticity is not cloud computing…

Cloud = Hosting (Not New)


Transitioning to the Cloud

•
•
•
•
•

SharePoint 2013 Features


SharePoint – Intranet - Feature Tiering


Reverse Proxy and Authentication*
When using hybrid features o365 sends requests from Office 365

sites in the cloud to your on-prem farm
You need to establish a reverse proxy for these calls to
be channeled through to secure the process
Those requests can be authenticated at the reverse UAG

proxy before they are forwarded to SharePoint
SharePoint supports using a certificate for Dirsync and Tools Servers

authenticating to the reverse proxy server when ADFS Servers

sending a request SharePoint Servers


Reverse Proxy Requirements
Office 365

A reverse proxy used for hybrid must support the
following requirements:
2 network cards - one connected to the Internet and the other to
the internal company network UAG

Route inbound SSL traffic to the on-premises SharePoint farm
without rewriting packet headers
Support SSL termination
Dirsync and Tools Servers

We currently support two reverse proxy servers:
ADFS Servers
Microsoft - Forefront Unified Access Gateway (UAG)
SharePoint Servers
F5 - Big IP
We plan to add more as they are tested for compatibility


Reverse Proxy Configuration

These are the high level steps for configuring UAG for Office 365

hybrid:
Configure the network in UAG using the Getting Started Wizard
Add an HTTPS trunk
Install an SSL certificate for the endpoint; it must: UAG

Support the names for both the public HTTPS trunk and
SharePoint site
Use 2048 bit length encryption; shorter lengths WILL NOT WORK!
Add the PFX in the UAG’s local certificate store
Publish the SharePoint site collection; use the SharePoint Server ADFS Servers

2010 Web type SharePoint Servers

See your Reverse Proxy s/w documentation for full
details


Identity Provider
Office 365

In order to have a single-sign on experience, you need
a federated identity provider like ADFS
This requires the following:
2 or more load balanced ADFS servers UAG

An SSL certificate for the ADFS site
A proxy device, like the ADFS proxy server
For details on planning and implementation options see Dirsync and Tools Servers

http://technet.microsoft.com/en-us/library/jj151794 ADFS Servers

All users must have a UPN of a registered domain (i.e. SharePoint Servers

“.local” or similar suffixes will not work)


MSOL Tools

You will need tools from MS Online (MSOL) in order to
Office 365
complete the next set of tasks:
Microsoft Online Services Sign-In Assistant
Microsoft Online Services Module for Windows
PowerShell (MSOL PS)
UAG
The Directory Synchronization Tool (dirsync)
NOTE: This cannot be installed on a domain controller
You will need to run these on a SharePoint server to Dirsync and Tools Servers

configure trust with ACS ADFS Servers

Setting up dirsync and SSO trust is typically done on its SharePoint Servers

own server


SSO with o365
Office 365

Install the MSOL PS snap-in to a local server; can be the
same server being used for dirsync
Set up a federation trust between o365 and ADFS using
MSOL PS
Use the Connect-MsolService cmdlet to authenticate and connect to o365 UAG

Use the New-MsolFederatedDomain to start the process to establish the trust
Update DNS as instructed by the cmdlet
Or alternatively: Dirsync and Tools Servers
Use the Office 365 Admin web page to create a new domain trust – follow the
instructions in the domains section ADFS Servers
Use MSOL PS to run the Convert-MsolDomainToFederated cmdlet
For more info see http://technet.microsoft.com/en- SharePoint Servers

us/library/jj151794


DirSync with o365
Office 365

UAG


• Grant accounts licenses to SharePoint, etc. ADFS Servers

• Log out then login as an Active Directory user using your Identity Provider (i.e.
SharePoint Servers
ADFS)
http://technet.microsoft.com/en-
us/library/hh967642.aspx


SharePoint Configuration Tasks

These things need to be configured in SharePoint to support
hybrid:
New SharePoint STS Token Signing Certificate
Configure a trust between SharePoint on-prem and ACS
Configure Secure Store
Configure UPA
Try out Search or BCS!


New SharePoint STS Token Signing Certificate

You need to replace the default token signing certificate for the
SharePoint STS because Access Control Service (ACS) will not trust it
You can replace it with:
A certificate issued by a public certificate authority like Verisign, GoDaddy, Thawte, etc.
– RECOMMENDED
A new self-signed certificate that you can create in the IIS Manager
Domain-issued certificates DO NOT WORK
Use the Set-SPSecurityTokenServiceConfig with the –
ImportSigningCertificate flag to change the token signing certificate


Configure Trust Between SharePoint and ACS

Previously you created a federated trust for users to sign into o365
Now you need to create an OAuth trust for applications to exchange
data between o365 and on-prem
Using MSOL PowerShell (on prem):
Create an AppPrincipal using New-MsolServicePrincipalCredential
Create a proxy to ACS using New-SPAzureAccessControlServiceApplicationProxy
Complete the trust using New-SPTrustedSecurityTokenIssuer
Complete detailed instructions are available in the documentation
described at the end of this session


Configure Secure Store
The Secure Store Service is used to create an application that stores
the certificate used to authenticate with the UAG HTTPS trunk
In o365 create a new Secure Store Service target application
Save the Target Application ID name because you will use that when
configuring a result source
In the credentials field configure it as a Certificate Password
Click the Set button for the Credentials
Browse to the certificate CER file that was used for the UAG HTTPS trunk; leave the
password fields blank
Complete detailed instructions are available in the documentation
described at the end of this session


Configure UPA
It’s critically important that you:
Have a UPA up and running
Have it populated with current data from Active Directory
We use the UPA on the local farm to determine what rights a user has –
what claims they have, what groups they belong to, etc.
With a hybrid solution, anything that you grant rights to needs to be in the
profile system
E.g., if you augment claims on-prem and use a custom claims provider to grant
rights to content using those claims, an o365 user would not see that data
because those custom claims are not added when you login to o365
More details at
http://blogs.technet.com/b/speschka/archive/2012/08/15/oauth-and-the-
rehydrated-user-in-sharepoint-2013-how-d-they-do-that-and-what-do-i-need-
to-know.aspx


BCS Hybrid Scenario


SharePoint In The Cloud: Evaluating Impact, Pros, And Cons - SharePoint Saturday Philly

More Related Content

What's hot

Similar to SharePoint In The Cloud: Evaluating Impact, Pros, And Cons - SharePoint Saturday Philly

More from Richard Harbridge

Recently uploaded

SharePoint In The Cloud: Evaluating Impact, Pros, And Cons - SharePoint Saturday Philly

Editor's Notes