How does security compliance translate into the SharePoint world? This presentation outlines security basics, specific compliance requirements, and the real-time application of that compliance to SharePoint.
2. Agenda
o About
o Security Redux
o Permissions
o Authentication
o Content/Access Control
o Compliance
o Alphabet Soup
o The road to Compliance
o Compliance Specifics
o Review
(slide graphic: Permissions, Security, Compliance)
3. Matt Barrett
Senior Solutions Engineer - Axceler
- 6 years in security, 2 in SharePoint
- Worked on the Metasploit project
- Security Evangelist
- Compliance Expert
Twitter: @mrbarrett
LinkedIn: www.linkedin.com/mrb08
Obligatory Self Promotion
4. Axceler Overview
Liberating collaboration in the social enterprise through visibility and control
• Have been delivering award-winning administration and migration software since 1994
• 3000 Customers Globally
Dramatically improve SharePoint Management
• Innovative products that improve security and scalability
• Making IT more effective and efficient and lowering the total cost of ownership
Focus on solving specific SharePoint problems
• Coach enterprises on SharePoint best practices
• Give administrators the most innovative tools available
• Deliver “best of breed” offerings
5. Security Redux
Governance
How are you using SharePoint?
• Document Repo vs. Core Business
• Few select users or everybody?
What secure content do you have?
• Where is it?
(slide graphic: Permissions)
11. Security Redux
Security
Typical Best Practices vs. Compliance Best Practices
• Sites, Lists, Libraries share most permissions
• Sensitive data is separated from normal data (typically this is all you need)
(slide graphic: Compliance)
13. Compliance – Alphabet Soup
o Sarbanes-Oxley Act (SOX Compliance)
o Healthcare Services (HIPAA)
o GLBA
o California Senate Bill No. 1386
o NERC Cyber Security Standards
o Financial Services (GLBA)
o Visa Cardholder Information Security Program
o MasterCard Site Data Protection Program
o American Express Data Security Standard
(slide graphic: HIPAA, SOX, PCI)
14. Compliance Fact Sheet
• 45 states (including CA) have some form of data breach law
• All different, but require protection of PII (Personally Identifiable Information)
15. What is PII?
• Full Name
• National ID number
• IP address (in some cases)
• License Plate Number
• Driver’s License Number
• Face, Fingerprints or Handwriting
• Credit Card Numbers!!
• Date of Birth
• Birthplace
• Genetic information
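The governance slide asks "What secure content do you have? Where is it?" and this slide flags credit card numbers as the PII most likely to be lying around in a document repository. The following PowerShell is an added example, not code from the deck or from Axceler: it scans plain-text files for digit runs that look like card numbers and keeps only those that pass the Luhn check, so random order or phone numbers are not reported. The folder path, file extensions and sample strings are assumptions chosen for the illustration; the report masks all but the last four digits so the scan itself does not become another copy of the PII.

```powershell
# Added example (not from the deck): locate candidate payment card numbers in
# text files and confirm each with a Luhn check before reporting it (masked).

function Test-Luhn {
    param([Parameter(Mandatory)][string]$Digits)
    $sum = 0
    $double = $false
    # Walk the digits right to left, doubling every second digit
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-CardNumber {
    param([Parameter(Mandatory)][string]$Text)
    # 13 to 19 digits, optionally separated by single spaces or dashes
    $pattern = '\b(?:\d[ -]?){12,18}\d\b'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        if (Test-Luhn $digits) {
            # Report a masked value only; never write the full number to a log
            [pscustomobject]@{
                Masked = ('*' * ($digits.Length - 4)) + $digits.Substring($digits.Length - 4)
                Offset = $m.Index
            }
        }
    }
}

function Find-CardNumberInFolder {
    # Folder and extension list are assumptions; extend to exported library content as needed
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.txt,*.csv,*.log |
        ForEach-Object {
            $file = $_
            Find-CardNumber -Text (Get-Content -Raw -Path $file.FullName) |
                ForEach-Object {
                    $_ | Add-Member -NotePropertyName File -NotePropertyValue $file.FullName -PassThru
                }
        }
}

# Constructed sample: 4111 1111 1111 1111 is a well-known Luhn-valid test number;
# 1234 5678 9012 3456 fails the Luhn check and must not be reported.
$sample = "order ref 1234 5678 9012 3456`ncard on file: 4111-1111-1111-1111"
Find-CardNumber -Text $sample | Format-Table -AutoSize
```

Run `Find-CardNumberInFolder -Path 'D:\export\finance'` against a file-system export of a library to get one row per hit with the file name attached; the pattern deliberately over-matches and the Luhn check does the filtering, which is the usual trade-off when you want to find where sensitive data is rather than prove its absence.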
16. Where Does This Come From?
NIST (National Institute of Standards and Technology) SP800-53
• Access Enforcement
• Separation of Duties
• Least Privilege
• Limiting Remote Access
• Protecting information at rest through the use of encryption
17. Breaches are Costly!
• Sony – 77 million credit numbers (April 2011), cost $171m to fix
• Fortune 50 leader in Aerospace – fined $75m for leaking helicopter part information
• Breaches are on average $6m+*
* Source: Ponemon Institute
19. Step 1: Define Your (forced) Compliance Goals!
• Security vs. Efficiency Paradox
• Trust but Verify
(slide graphic: Security, Efficiency, Verify)
20. Step 1: Define Your Compliance Goals!
Understand your Benchmarks
• What current business processes could potentially be affected?
• Optimization “ripples”
• Efficiency theories
• Collaboration? Is it compliant?
(slide graphic: Benchmarks, Ripples, Compliant?)
21. Step 1: Define Your Compliance Goals!
Quickest is not always best
• Take your time
• Far cheaper in the long run
• Shortcuts lead to breaches
• Breaches lead to sad
(slide graphic: Breaches Are Sad)
26. Step 3: Assimilate
Once You’re Sure...
• After Gap Analysis
• Dev to Staging
• Typically single-server
• Introduce Pilot Users (try to break it)
• Penetration Test
• Production
(slide graphic: Test, Verify)
27. Step 4: Maintain
Compliance one day doesn’t guarantee compliance the next...
• Monitor
• Service Packs
• User Activity
• Confirmation of Permissions
• Monitor Regulations
• They Change!
(slide graphic: Server, SharePoint, Users)
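"Confirmation of Permissions" on this slide, and the "sensitive data is separated from normal data" rule on slide 11, both come down to knowing which webs and lists break permission inheritance and who holds which role on them. The PowerShell below is an added example, not code from the deck or from Axceler; it runs in the SharePoint Server Management Shell against the server object model (Get-SPSite, SPWeb.RoleAssignments and SPList.RoleAssignments) and writes a dated CSV so that each run can be compared with the previous one. The site collection URL and output path are assumptions.

```powershell
# Added example (not from the deck): report every web and list in a site
# collection that has unique permissions, with the principals and roles on
# each, so the result can be diffed against last month's run.
# Requires the SharePoint Server Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-RoleAssignmentReport {
    param([Parameter(Mandatory)][string]$SiteUrl)   # site collection URL (assumption)
    $site = Get-SPSite -Identity $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Webs that inherit from their parent add nothing new to the report
                if ($web.HasUniqueRoleAssignments) {
                    foreach ($ra in $web.RoleAssignments) {
                        [pscustomobject]@{
                            Scope     = 'Web'
                            Url       = $web.Url
                            Principal = $ra.Member.LoginName
                            Roles     = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';'
                        }
                    }
                }
                # Lists and libraries with broken inheritance are where sensitive data
                # is supposed to live; each one should be a known, approved exception
                foreach ($list in $web.Lists) {
                    if ($list.HasUniqueRoleAssignments) {
                        foreach ($ra in $list.RoleAssignments) {
                            [pscustomobject]@{
                                Scope     = 'List'
                                Url       = $web.Url + '/' + $list.RootFolder.Url
                                Principal = $ra.Member.LoginName
                                Roles     = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';'
                            }
                        }
                    }
                }
            } finally {
                $web.Dispose()
            }
        }
    } finally {
        $site.Dispose()
    }
}

$report = Get-RoleAssignmentReport -SiteUrl 'https://sharepoint.example.internal/sites/finance'
$report | Export-Csv -Path ".\permissions-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Full Control granted below the root web is the first thing to confirm with the site owner
$report | Where-Object { $_.Roles -match 'Full Control' } | Format-Table -AutoSize
```

To turn this into the monitoring the slide asks for, keep the CSVs and run `Compare-Object (Import-Csv .\permissions-<old>.csv) (Import-Csv .\permissions-<new>.csv) -Property Scope,Url,Principal,Roles` after each run; any line that appears only in the newer file is a permission change that nobody confirmed.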
30. Compliance Specifics: HIPAA
Data must always be encrypted
• In transit, at rest
• SSL
Data must never be lost
• DR Plan
Data must only be accessible by authorized personnel
• Access Control/Authentication
• User Security
• Password Policies
• New Employee Procedures
31. Compliance Specifics: HIPAA
Data must never be tampered with or altered
• Audit controls/integrity
• Unauthorized modification prevention
Data should be encrypted if being stored/archived
• Transparent SQL DB encryption
Can be permanently disposed of when no longer needed
• Remember: Health records must be stored for 6 years
• Document retention policies
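"Audit controls/integrity" only holds if auditing is actually switched on for the events that would reveal tampering, and the audit mask is set per site collection, so it drifts as new site collections are created. The check below is an added example, not code from the deck or from Axceler; it reads SPSite.Audit.AuditFlags for every site collection in a web application and reports those missing Update, Delete or SecurityChange auditing. The web application URL and the choice of those three events as the minimum are assumptions to adjust to your own policy.

```powershell
# Added example (not from the deck): list site collections whose audit settings
# do not cover the events a tamper-evidence policy needs.
# Requires the SharePoint Server Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-AuditCoverage {
    param([Parameter(Mandatory)][string]$WebAppUrl)   # web application URL (assumption)
    # Minimum event set for this check (assumption; tune to your policy)
    $required = [Microsoft.SharePoint.SPAuditMaskType]::Update -bor
                [Microsoft.SharePoint.SPAuditMaskType]::Delete -bor
                [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange
    foreach ($site in (Get-SPWebApplication -Identity $WebAppUrl).Sites) {
        try {
            $flags = $site.Audit.AuditFlags
            [pscustomobject]@{
                Url     = $site.Url
                Flags   = $flags
                # Covered only if every required bit is present in the site's mask
                Covered = (($flags -band $required) -eq $required)
            }
        } finally {
            $site.Dispose()
        }
    }
}

Get-AuditCoverage -WebAppUrl 'https://sharepoint.example.internal' |
    Where-Object { -not $_.Covered } | Format-Table -AutoSize
```

Schedule this alongside the permissions report: a site collection that shows up as not covered is one where a modification to a health record would leave no audit trail, which is exactly the gap the slide's "unauthorized modification prevention" bullet is about.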
32. Compliance Specifics: SOX
All data must be...
• Stored
• Retained
• Secured
• Audited
Proof of internal controls
• Plans
• Framework
Disclosure
33. Compliance Specifics: PCI
“if it touches something that stores or processes credit cards, it falls into the compliance”
• Pen Testing
• External environment scanning
• Gap Analysis (PCI DSS)
• Document management system