Optimizing Information Security IS 301

Upload: mferraz

Post on 14-Jul-2015


Page 1: Ferraz Itp368 Optmizing Information Security

Optimizing Information Security

IS 301


Mark Ferraz

SolutionsMark

Houston, TX

www.solutionsmark.com

President, SolutionsMark. Mark is a Senior Information Architect and Developer specializing in Information Management, Collaboration Tools, and Knowledge Management systems for medium to large enterprises. Mark has over ten years of experience designing, managing, and implementing complex technology projects involving application implementation, supporting infrastructure, custom development, and integration. Most recently Mark has been working with the team at Chevron as the Technical Development Lead for one of the largest SharePoint deployments to date.


Tom Wisnowski

Microsoft

Phoenix, AR

www.microsoft.com

Tom Wisnowski is a senior consultant with Microsoft Consulting Services specializing in Enterprise Architecture and Strategy, Information Worker Solutions, BI and analysis solutions, Enterprise Application Integration and Custom Application Development. Tom has utilized his range of expertise on numerous enterprise engagements during his 10-year career in IT and continues to play pivotal roles in solution delivery, including architect, strategist, team lead and technology specialist. Tom is a Microsoft Certified Solution Developer, Microsoft Certified System Engineer, Microsoft Certified Database Administrator and holds a Bachelor's degree in computer science.


Session Discussion

What is Information Security

Clarity on how information security relates to SharePoint implementation

Direction on when and which elements of SharePoint help you secure information appropriately

Confidence to direct and implement SharePoint Security


Confidentiality

Value

Industrially sensitive

Proprietary

Concerns a matter of security

Risk

Private

Shared with the expectation of privacy or confidentiality

Losing Control of Information can be disastrous!

The information must be managed and secured commensurate to its Risk and Value.


Information Classification

Schema

2. Public

3. Internal

4. Confidential

5. Secret

Considerations: Storage, Transmission, Disposal


Information Classification

All information has an owner

All information is classified as confidential by default

Owner Responsibilities:

Updating the classification

Declaring who is allowed access to the information

Securing the information, or seeing that it is properly secured by the administrator


Best Practices

Design

Look to existing standards within your organization or the marketplace

Keep it simple (classification and implementation)

Implementation

Use site content types and site columns at the root of each site collection to implement information classification

Could be duplicated automatically using features
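
An added example, not from the original deck: one way to create the classification site column and a content type that carries it at the root web of a site collection, using the SharePoint server object model from PowerShell. It assumes SharePoint 2010 or later (for `Get-SPSite`); the site URL, column name, group name and content type name are placeholders.

```powershell
# Added example; URL, column, group and content type names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl    = 'http://sharepoint.example.com/sites/finance'   # placeholder
$columnName = 'InformationClassification'   # no spaces, so display and internal name match
$groupName  = 'Information Security'
$levels     = 'Public', 'Internal', 'Confidential', 'Secret'  # schema from the slide

$site = Get-SPSite $siteUrl
try {
    $root = $site.RootWeb   # site columns defined here are available to every subsite

    # Create the required Choice column once; a rerun leaves an existing column alone.
    if (-not $root.Fields.ContainsField($columnName)) {
        $internalName = $root.Fields.Add($columnName,
            [Microsoft.SharePoint.SPFieldType]::Choice, $true)
        $newField = $root.Fields.GetFieldByInternalName($internalName)
        $levels | ForEach-Object { $newField.Choices.Add($_) | Out-Null }
        $newField.DefaultValue = 'Confidential'   # "classified as confidential by default"
        $newField.Group = $groupName
        $newField.Update()
    }
    $field = $root.Fields.GetFieldByInternalName($columnName)

    # Content type derived from Document that carries the classification column.
    $ctName = 'Classified Document'
    if ($null -eq $root.ContentTypes[$ctName]) {
        $parent = $root.AvailableContentTypes['Document']
        $ct = New-Object Microsoft.SharePoint.SPContentType($parent, $root.ContentTypes, $ctName)
        $ct.Group = $groupName
        $ct = $root.ContentTypes.Add($ct)
        $ct.FieldLinks.Add((New-Object Microsoft.SharePoint.SPFieldLink($field)))
        $ct.Update($true)   # push the change to any child content types
    }
}
finally {
    $site.Dispose()   # also releases the RootWeb obtained from it
}
```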


Content Type


Site Column


User Created Library


Information Classification in Action


Integrity

Proper information integrity involves ensuring that data cannot be added, deleted, or changed without proper authorization.

The enforcement of integrity within information systems is generally provided via access control and permissions.


SharePoint Groups vs Active Directory Groups

The Million Dollar Question


SharePoint Groups vs Active Directory Groups

SharePoint Groups

Native to SharePoint and set up within a site

Membership can be displayed and/or managed

Will not scale across site collections

Active Directory Groups

Provide additional manageability and scalability

Membership cannot be displayed and/or managed

Restricts specific functionality

IT DEPENDS


SharePoint Groups


Default Groups


Web Application Policy


Common Audience / Usage Combinations

Usage | Audience | Security

Team Collaboration, Workspaces | Member: equal viewers/contributors | SharePoint Groups

Publishing Site | Wide: many viewers, few contributors | Active Directory Groups

Records Center | Managed: controlled, role-specific access | Both


Inheritance


Inheritance

Web Application (http://<web-application>.fabrikam.com/): Web Application Security Policy

Site Collection (/ -or- /<Site Collection>/): Top Site Security Permissions

Sub-Site (/<Sub Site>): Sub Site Security Permissions


Best Practices

Select your security approach based on: Audience, Usage

Use SharePoint Groups to control member/contributor access whenever possible

Avoid breaking inheritance

Use web application policy where appropriate
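
An added example, not from the original deck: a PowerShell audit that lists the subsites and lists in one site collection where permission inheritance has been broken, and counts the individual users granted access directly instead of through a SharePoint or Active Directory group. It assumes SharePoint 2010 or later (`Get-SPSite`, `HasUniqueRoleAssignments`); the URL and the function names are placeholders.

```powershell
# Added example; the site collection URL and function names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-Finding($Scope, $Url, $Securable) {
    # Individual accounts assigned directly (not SharePoint groups, not AD groups).
    $direct = @($Securable.RoleAssignments | Where-Object {
        $_.Member -is [Microsoft.SharePoint.SPUser] -and -not $_.Member.IsDomainGroup })
    New-Object PSObject -Property @{ Scope = $Scope; Url = $Url; DirectUsers = $direct.Count }
}

function Get-BrokenInheritance {
    param([Parameter(Mandatory = $true)][string]$SiteUrl)

    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # The root web always holds its own permissions; report only subsites.
                if (-not $web.IsRootWeb -and $web.HasUniqueRoleAssignments) {
                    New-Finding 'Web' $web.Url $web
                }
                foreach ($list in $web.Lists) {
                    if ($list.Hidden) { continue }   # skip system lists
                    if ($list.HasUniqueRoleAssignments) {
                        $url = $web.Url.TrimEnd('/') + '/' + $list.RootFolder.Url
                        New-Finding 'List' $url $list
                    }
                }
            }
            finally { $web.Dispose() }
        }
    }
    finally { $site.Dispose() }
}

Get-BrokenInheritance -SiteUrl 'http://sharepoint.example.com/sites/finance' |
    Select-Object Scope, Url, DirectUsers |
    Sort-Object Scope, Url |
    Format-Table -AutoSize
```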


Authenticity

Validity of user activity and information in the system is critical to ensuring authenticity.

Includes all information and communications into and out of the system, including both process and user identification.

Options are configured at the Farm and Web Application Level


Best Practices

Use separate service accounts for each service/application pool

Separate dedicated clearing house for external data

Use Windows Integrated Authentication for internal users and services


Thank you for attending!

Please be sure to fill out your session evaluation!


Post conference DVD with all slide decks
