Out-of-the-Box Compliance and Auditing in SP2013 On-Prem and Online
Christian Buckley
CMO at Beezy + Office 365 MVP
Beezy is the premier enterprise collaboration solution for Microsoft Office 365 and SharePoint, extending the feature set and improving the user experience for on-premises, cloud, and hybrid deployments. We are on a mission to transform the way people work, and to help employees be more connected, innovative, and happy. Learn more at www.beezy.net or @FollowBeezy on Twitter.
What we’ll cover…
01 | Common SP Management Concerns
02 | A Changing Admin Interface
03 | Basic Admin Capabilities
04 | Solving Common Problems
05 | Making the Cloud Transition
Setting Expectations
• Geared toward new Admins, PMs and BAs
• Walkthrough of the new SharePoint Online admin console
• Comparisons between SPO and Central Admin
• An outline of the top 5 management concerns in SharePoint on prem, and how to resolve them in SPO
• Best practices to help you make the cloud transition
01 | Common SP Management Concerns
The evolution of SharePoint management
SharePoint Growth & Evolution
[Chart labels: SharePoint Releases, Metadata, Content]
More infrastructure options
Many “flavors” of cloud
Private Cloud
• Infrastructure maintained solely for customer
• On premises or off
• Managed by the customer, or by a 3rd party hoster
Hybrid Cloud
• Multiple infrastructure options
• Components both on premises and off premises
• Management spread between customer and 3rd party hosters
Public Cloud
• Infrastructure shared by multiple customers
• Off premises
• Managed by 3rd party on behalf of customers
http://social.technet.microsoft.com/wiki/contents/articles/4633.what-is-infrastructure-as-a-service.aspx
Build vs. Buy
[Matrix axes: Build, Buy; In House, Out Source]
Partner Hosted Private Cloud
• Dedicated environment
• Externally hosted
• Externally or internally managed
• Internally designed
Self Hosted Private Cloud
• Dedicated environment
• Internally hosted
• Internally managed
• Internally designed
Shared or Dedicated Public Cloud
• Shared or dedicated environment
• Externally hosted
• Externally managed
• Externally designed
Public Dedicated Cloud
• Partially or fully dedicated
• Externally hosted
• Externally or internally managed
• Minimal customization
Traditional on premises
http://social.technet.microsoft.com/wiki/contents/articles/4633.what-is-infrastructure-as-a-service.aspx
Understanding service delivery roles
[Diagram layers: Infrastructure, Platform, Software]
[Diagram roles: Service Delivery; Financial Management; Demand Management; Business Relationship Management; Service Catalog Management; Service Lifecycle Management; Service Level Management; Continuity & Availability Management; Capacity Management; Information Security Management; Operations Management]
What are the 5 most common SharePoint management concerns?
1. Defining (and communicating) policies and procedures
2. Failure to implement any kind of permissions best practices
3. Failure to regularly audit access to content and sites
4. Failure to monitor changes to security settings
5. Failure to empower users and admins
Technical Governance Means…
• Logins work
• Data is secure
• Systems perform well
• Metadata applied
• End users can quickly find their content
• Storage is optimized
• Content lifecycles in place, regularly reviewed
• Legal and regulatory requirements being met
Management Readiness
• How important is governance in your organization today?
• Do you know who is getting access to what information?
• Do you know who has access, or who has accessed your environments and content?
• Do you have specific compliance requirements or regulations that you must meet?
• If there was a security breach, who would be held responsible?
• Do you regularly run audits on usage, security, or permissions?
• How do you respond to compliance requirements for audits?
• What does your governance process look like today?
Summary
• A move to the cloud could change the way your SharePoint environment operates, and how much control you have as an administrator
• A very different admin experience means re-learning how to solve some of the most common SharePoint issues
02 | A Changing Admin Interface
How to manage within SharePoint On-premises
Out of the Box Admin Toolkit
The Usual Three Suspects
• Permissions Management
• Reporting & Insight – e.g. usage, growth
• Responding to Audit requests
• Clean-up of sites and content
Managing Permissions
• Farm Admin is Site Collection Admin
• AD v SP Groups
• Broken Inheritance
• Direct Permissions
• Misuse of “Authenticated Users”
• Anonymous Access
Auditing Usage in SharePoint
• Beware of the large log file
• Beware of the “disappearing” log file
• Reactive v Proactive
• Be prepared for lots of mouse clicks
• Brush up on your Excel skills
• Brush up on your SSRS skills
User Activity - Popular Items
Simple. One SharePoint Site.
Not so Simple. More than One Site?
The Out of the Box Tools
The Security and Compliance Gap
• 36 percent of SharePoint users are breaching security policies - CMSWire
• A survey revealed that 79 percent of the respondents said that they stored sensitive or confidential information on the SharePoint platform - CMSWire
• Only 18 percent of enterprises use technical controls to prevent access to sensitive information. Most — 73 percent — rely on written policies or informal understandings with their workforce - CMSWire
• “60% of organizations have yet to bring SharePoint into line with existing data compliance policies.” – AIIM
• Two-thirds of SharePoint-using companies in a recent survey have admitted to having ‘no active security policy’ in place - Emedia
The SharePoint Governance Gap
[Chart: 67% view SharePoint Governance as critical; 26% have a well defined strategy]
- Redmond Magazine Survey, 2013
The End Result?
Managing SharePoint Online
Impacts of Office 365
• In some ways, it simplifies Governance
• SharePoint and Exchange are primarily affected
• Biggest impact Office 365 has is on sizing limits
• Data sprawl must be watched more carefully in Office 365 to avoid hitting capacity limits
Tactical Team Responsibilities
• Operations team impacts:
  • Nightly backups
  • DBA role largely eliminated
  • Active Directory role could change
  • No equipment to support
• Support team impacts:
  • Service Level Agreements
• Development team impacts:
  • No more full-trust code
Management Shell
• SharePoint Online Management Shell is a Windows PowerShell module that you can use to efficiently manage SharePoint Online users, sites, site collections, and organizations
• You can find a list of available cmdlets here (TechNet): https://technet.microsoft.com/en-us/library/fp161388(v=office.15).aspx
Simple mode Admin experience
• When you’re in Simple mode in the SharePoint Online admin center, the left-hand navigation shows only site collections, user profiles, and settings.
Advanced mode
Streamlined Admin tasks
• Easier to add users, auto assign available licenses, reset passwords, and manually set passwords (instead of auto generated)
Summary
• Roles and tools have dramatically changed
• Farm-level administration is gone, and the UI has been streamlined for common tasks
03 | Basic Admin Capabilities
Microsoft System Center 2012 R2
• Microsoft System Center is an integrated management platform that helps you manage data center, client devices, and hybrid cloud IT environments.
• Using this tool gives you access to the status of your subscribed services, active and resolved service incidents, and your Message Center communications.
• System Center supports alerts that are generated when a specific condition, such as a service incident in a subscribed service, occurs.
• You can configure these alerts so they trigger email notifications, keeping you in the loop on the status of your environment.
Office 365 Service Communications API
• The Office 365 Service Communications API enables you to access Office 365 service communications the way you want.
• This API gives you the ability to create or connect your tools to Office 365 service communications, potentially simplifying how you monitor your environment.
• The Service Communications API enables you to monitor the following in your environment:
  • Real-time service health. New and ongoing service incidents and ongoing maintenance events that impact you can be queried for status updates.
  • Message Center communications. Find Message Center communications that are applicable to your Office 365 environment.
  • Planned maintenance notification. Advanced notification of planned maintenance enables you to develop appropriate communications and operational strategies for your organization.
• The Service Communications API also supports admins who manage Office 365 environments on behalf of others, for example, partners.
Partner Perspective
• Microsoft provides management tools and a dashboard, referred to as the Partner Admin Center, specifically for partners that maintain Office 365 environments for their customers.
• This tool supersedes an Office 365 admin center that didn't consolidate all of a partner's customers and was more focused on selling new or additional services.
• The new partner admin center has five main functions:
  • To provide a Microsoft service-outage notification service to keep partners a step ahead of customers.
  • To provide a view into a customer's Office 365 service health status and details.
  • To provide a federated view of all of the partner’s customers for which it has delegated admin privileges.
  • To enable a partner to create, edit and view service requests on behalf of customers.
  • To allow a partner to perform administrative tasks on behalf of customers.
Partner Perspective
• A client management tab shows all of a partner's customers along with any alerts next to each customer's name about their service health.
• Drilling into the service health tab for each customer shows a granular list of the services a customer uses.
• Each service has a green checkmark for the day if all is well, or one of a number of symbols if all isn't well. Trouble signals include service interruption, service degradation, restoring service, extended recovery, investigating, service restored or additional information.
O365 Message Center
• Remember to check the Message Center regularly to stay in the loop and up to date with what is going on in your Office 365 environment.
• Notifications on any potential issues with your environment, changes to your service, and other communications from Microsoft will come through the Message Center.
Control top navigation
External collaboration settings
• Office 365 provides a single console from which you can manage external collaboration.
• By enabling these settings, you can give your users the ability to share access to their SharePoint sites and documents and Exchange calendars, so they can collaborate more easily with people in external organizations.
• By enabling the Lync collaboration setting, you can give your users the ability to communicate with people outside of your organization.
Boundaries and Limitations
Find the boundaries and limitations based on your Office 365 plan:
• Storage per user (contributes to total storage base of tenant)
• Additional storage (per GB per month); no minimum purchase
• Storage base per tenant
• Site collection storage limit
• Site collections (#) per tenant
• Sub-sites
• Personal site storage
• Public Website storage default
• File upload limit
• File attachment size limit
• Sync limits
• Maximum number of users per tenant
• Number of external user invitees
Managing your App catalog
• The app catalog is how you make apps available to your organization.
• It’s a SharePoint library that contains all of the apps you have for your org.
• The Office clients point to this library, so if you want to give your users access to a new app for Office, just add the manifest file to the library, and the app will automatically show up.
• Also true for SharePoint apps. Just add the app package to the library and it will appear for everyone.
• Since the app catalog is a SharePoint library you can easily manage who gets access to what app, and quickly make updates when needed.
Security, compliance, and privacy
• With Office 365, Microsoft thinks about security, compliance, and privacy as having two equally important dimensions:
  • Service-level capabilities that include technical features, operational procedures, and policies that are enabled by default for customers using the service.
  • Customer controls that include features that enable businesses to customize the Office 365 environment based on the specific needs of their organization.
• See the Office 365 Trust Center (http://trust.office365.com) information portal for more information
Searching for Sensitive Data
• Data Loss Prevention (DLP) for SharePoint Online and OneDrive for Business is now built into your existing Enterprise Search. It allows you to search for sensitive content in your existing eDiscovery Center.
• Search on 51 built-in sensitive information types across both SharePoint Online and OneDrive for Business.
• Export the results or download a copy of the query results, or save the query so that you can conduct in-depth research on the query results. Once saved, you can inspect the documents, check for false positives, and further hone or expand the query if needed. Document location is included, as well as the original file structure from SharePoint, so that all paths are preserved in the downloaded copy.
• Use DLP in SharePoint Online to identify sensitive data stored on sites (TechNet): https://technet.microsoft.com/library/dn798914.aspx
Creating information management policies
• Create a policy to use on multiple content types within a site collection.
• Create a policy for a site content type.
• Create a policy for a list or library. (location-based retention policy)
Audit log events
• Opened and downloaded documents, viewed items in lists, or viewed item properties (This event is not available for SharePoint Online sites)
• Edited items
• Checked out and checked in items
• Items that have been moved and copied to another location in the site collection
• Deleted and restored items
• Changes to content types and columns
• Search queries
• Changes to user accounts and permissions
• Changed audit settings and deleted audit log events
• Workflow events
• Custom events
Available audit reports
• Content modifications. Reports changes to content, such as modifying, deleting, and checking documents in and out.
• Content type and list modifications. Reports additions, edits, and deletions to content types.
• Content viewing. Reports users who have viewed content on a site. In SharePoint Online, this report will be blank as these events are not captured during auditing.
• Deletion. Reports what content has been deleted.
• Run a custom report. You can specify the filters for a custom report, such as limiting the report to a specific set of events, to items in a particular list, to a particular date range, or to events performed by particular users.
• Expiration and Disposition. Reports all events related to how content is removed when it expires.
• Policy modifications. Reports on events that change the information management policies on the site collection.
• Auditing settings. Reports changes to the auditing settings.
• Security settings. Reports changes to security settings, such as user/group events, and role and rights events.
Summary
• The administration experience in SharePoint Online has been dramatically streamlined
• Customers should map their existing management practices and governance policies and procedures to the new admin experience, and mitigate any changes/reductions in capability
04 | Solving Common Problems
How can I solve the 5 most common SharePoint management concerns?
1. Defining (and communicating) policies and procedures
• Always start with non-technical elements
• Develop a security policy
• Implement a training plan for end users
• Develop a strategy for ensuring users know what content is confidential
2. Failure to implement any kind of permissions best practices
• Apply permissions using Least Privileged principles
• Don’t give users Direct Access
• Embrace SharePoint Groups and/or Active Directory Groups
• Ensure Appropriate Use of the Authenticated Users Group
• Clean up Orphan Users
• Use Broken Inheritance Responsibly
• Revoke permissions quickly
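The permissions checklist above can be turned into a repeatable review. The following is an added example, not part of the original deck: it runs the checks over a constructed permissions export whose column names, site paths and CONTOSO accounts are assumptions made for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample export, one row per permission assignment. The column
# names and values are assumptions for this example, not a SharePoint format.
SAMPLE_EXPORT = """scope_url,inherits_parent,principal,principal_type,permission_level,account_status
/sites/finance,no,Finance Owners,SharePointGroup,Full Control,active
/sites/finance,no,Finance Members,SharePointGroup,Contribute,active
/sites/finance/Payroll,no,CONTOSO\\jsmith,User,Full Control,active
/sites/finance/Payroll,no,NT AUTHORITY\\Authenticated Users,ADGroup,Contribute,active
/sites/finance/Reports,yes,Finance Members,SharePointGroup,Contribute,active
/sites/finance/Archive,no,CONTOSO\\olduser,User,Read,disabled
"""

BROAD_PRINCIPALS = {"nt authority\\authenticated users", "everyone"}
READ_ONLY_LEVELS = {"read", "view only"}


def audit_permissions(export_text):
    """Return sorted (scope_url, principal, finding) tuples for review."""
    findings = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        scope, principal = row["scope_url"], row["principal"]
        level = row["permission_level"].strip().lower()
        if row["inherits_parent"].strip().lower() == "yes":
            continue  # managed at the parent scope, so it is reported there
        # Assumes site roots look like /sites/<name>; anything deeper with
        # unique permissions is a broken-inheritance scope someone must own.
        if scope.count("/") > 2:
            findings.add((scope, "*", "broken-inheritance"))
        if row["principal_type"] == "User":
            findings.add((scope, principal, "direct-permission"))
            if level == "full control":
                findings.add((scope, principal, "excess-privilege"))
        if principal.lower() in BROAD_PRINCIPALS and level not in READ_ONLY_LEVELS:
            findings.add((scope, principal, "broad-group-write"))
        if row["account_status"].strip().lower() != "active":
            findings.add((scope, principal, "orphan-user"))
    return sorted(findings)


def summarize(findings):
    """Count findings per category so owners can prioritise clean-up."""
    return dict(Counter(kind for _, _, kind in findings))


if __name__ == "__main__":
    results = audit_permissions(SAMPLE_EXPORT)
    for scope, principal, kind in results:
        print(f"{kind:20} {scope:26} {principal}")
    print(summarize(results))
```
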
3. Failure to regularly audit access to content and sites
• Are we adhering to Compliance or Governance requirements?
• Who has been accessing specific content?
• How often are specific sites being accessed?
• What features of SharePoint are being used?
• Are we managing the volume of log data?
4. Failure to monitor changes to security settings
• SharePoint security requirements change over time
• Ensure users are continuing to adhere to security policies
• Prevent users from causing havoc
• We need to plan how we will stay on top of changes
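One way to stay on top of security-setting changes is to filter an audit log export for the permission and audit-setting events listed earlier. This is an added example, not part of the original deck: the CSV layout, dates and CONTOSO accounts are constructed assumptions, and the event names are values of the SPAuditEventType enumeration in the SharePoint server object model.

```python
import csv
import io
from collections import Counter

# Constructed audit export. The column layout is an assumption for this
# example; the event names are values of the SPAuditEventType enumeration.
SAMPLE_AUDIT = """occurred_utc,user,event,location
2015-03-02T09:14:00,CONTOSO\\asmith,Update,/sites/hr/Policies/leave.docx
2015-03-02T09:20:00,CONTOSO\\bjones,SecRoleBindBreakInherit,/sites/hr/Salaries
2015-03-02T09:21:00,CONTOSO\\bjones,SecRoleBindUpdate,/sites/hr/Salaries
2015-03-02T09:25:00,CONTOSO\\bjones,SecGroupMemberAdd,/sites/hr
2015-03-02T23:40:00,CONTOSO\\cadmin,AuditMaskChange,/sites/hr
2015-03-02T23:42:00,CONTOSO\\cadmin,EventsDeleted,/sites/hr
2015-03-03T08:00:00,CONTOSO\\asmith,CheckOut,/sites/hr/Policies/leave.docx
"""

# Events that change who can do what (user/group, role and rights events).
PERMISSION_EVENTS = {
    "SecGroupCreate", "SecGroupDelete", "SecGroupMemberAdd", "SecGroupMemberDel",
    "SecRoleDefCreate", "SecRoleDefDelete", "SecRoleDefModify",
    "SecRoleDefBreakInherit", "SecRoleBindUpdate", "SecRoleBindInherit",
    "SecRoleBindBreakInherit",
}
# Events that weaken the audit trail itself.
AUDIT_TAMPER_EVENTS = {"AuditMaskChange", "EventsDeleted"}


def security_changes(audit_text):
    """Return security-relevant rows, each tagged with a severity."""
    alerts = []
    for row in csv.DictReader(io.StringIO(audit_text)):
        event = row["event"].strip()
        if event in AUDIT_TAMPER_EVENTS:
            severity = "high"      # audit settings changed or entries deleted
        elif event in PERMISSION_EVENTS:
            severity = "review"    # access rights changed
        else:
            continue               # content activity, not a security change
        alerts.append({"when": row["occurred_utc"], "user": row["user"],
                       "event": event, "location": row["location"],
                       "severity": severity})
    return alerts


def changes_per_user(alerts):
    """Count security changes per account to spot unusual activity."""
    return Counter(alert["user"] for alert in alerts)


def newly_unique_scopes(alerts):
    """Locations where permission inheritance was broken in this export."""
    return sorted({a["location"] for a in alerts
                   if a["event"] == "SecRoleBindBreakInherit"})


if __name__ == "__main__":
    found = security_changes(SAMPLE_AUDIT)
    for a in found:
        print(a["severity"], a["when"], a["user"], a["event"], a["location"])
    print(dict(changes_per_user(found)), newly_unique_scopes(found))
```
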
5. Failure to empower users and admins
• Find your responsible business content owners
• Enable and Equip them to manage access to their content
• Ensure management access is limited to those with appropriate permissions
• Segment your administration responsibilities – Power Users, business owners
Summary
• How you accomplish the most common admin tasks in SharePoint has changed in SPO
• Admins should run through common tasks, identify where there may be functional/procedural gaps, and mitigate within planning
05 | Making the Cloud Transition
Module Overview
• Adjusting to Office 365 updates
• ‘Big Picture’ of management considerations
• What governance should look like
Preparing for the inevitable transition toward the cloud
Keeping up to date with the Office 365 Roadmap
Adjusting to Office 365 Updates
• No access to Correlation errors or backend.
• No ability to troubleshoot. If you receive an error, the logs don’t provide much help because it can take Microsoft days or weeks to come back with a correlation ID, if they do at all.
• The continual updates to the site can also cause strange errors. For example, for a couple of weeks you couldn’t save a template of a site. This was caused by some code changes the developers had made on the server which obviously needed to be rolled back or fixed, but requires the entire O365 environment to be hot-fixed.
Adjusting to Office 365 Updates
• You may have to use different management tools.
• Moving to Office 365 means giving up some level of control. For example, you won't have any control over the patch management process, software upgrades, and other similar administrative tasks.
Management considerations for hybrid
Location / facilities
• On Premises: Need space and maintenance planning
• Cloud: Most likely provided
• Hybrid: Need space and maintenance planning
Software licenses and support
• On Premises: Licensing costs, but also upgrades and ongoing support
• Cloud: Included in vendor-hosted solutions
• Hybrid: Licensing costs, but also upgrades and ongoing support
Hardware and maintenance
• On Premises: Need to purchase, support and maintain, and upgrade as platform matures
• Cloud: Included in vendor-hosted solutions
• Hybrid: Need to purchase, support and maintain, and upgrade as platform matures
Onsite support, personnel skills
• On Premises: Administrative, developer, and end user skills and training
• Cloud: Still requires administrative and possibly dev skills, end user training
• Hybrid: Administrative, developer, and end user skills and training
Level of customization
• On Premises: Full control
• Cloud: Limited to none in SaaS, some control over PaaS, full control over IaaS
• Hybrid: Limited ability to integrate depending on SaaS, PaaS, or IaaS
Governance, auditing, security, compliance
• On Premises: Many limitations OTB, but very robust tools from partners
• Cloud: Limited
• Hybrid: Very complex across on prem and cloud components, very manual
Disaster Recovery and Business Continuity
• On Premises: Needs to be planned, limited features OTB
• Cloud: Defined in SLAs
• Hybrid: Very complex across on prem and cloud components, very manual
Upgrades and migration
• On Premises: Some OTB capabilities, 3rd party for tighter control and predictability
• Cloud: Microsoft recommends 3rd party tools
• Hybrid: Some OTB capabilities, 3rd party for tighter control and predictability
Identify requirements
Map requirements to SharePoint functionality
Make the difficult decisions
Ongoing operations management
Business Need Service
Planning Best Practices
Best Practices
• Focus on the user experience
• Make governance a priority
• Know your KPIs and legal/regulatory constraints
• First define what policies, procedures, and metrics are needed to manage your environment, and then look at what is possible across your various tools and platforms
• Clarify and document your permissions, information architecture, templates, content types, taxonomy -- and ownership of each
Summary
• Moving to the cloud is more than moving content
• Think of how your SharePoint Online administration fits into the Office 365 management continuum
• Governance is critical to the long-term success of your environment, and spans more than just SharePoint
Christian Buckley
Chief Marketing Officer and Office 365 MVP
[email protected]
@buckleyplanet
/IN/ChristianBuckley
Thank you!