
SharePointlandia 2013: SharePoint and Compliance

Date post: 26-Jan-2015
Upload: matthew-r-barrett
Description:
How does security compliance translate into the SharePoint world? The presentation outlines security basics, specific compliance requirements, and the real-time application of that compliance to SharePoint.
SharePoint and Compliance… Oil and Water or Milk and Cookies?
Transcript
Page 1: SharePointlandia 2013: SharePoint and Compliance

SharePoint and Compliance…

Oil and Water or Milk and Cookies?

Page 2

Agenda

o About
o Security Redux
– Permissions
– Authentication
– Content/Access Control
o Compliance
– Alphabet Soup
– The road to Compliance
– Compliance Specifics
o Review

(Slide graphic: Permissions, Security, Compliance)

Page 3

Obligatory Self Promotion

Matt Barrett, Senior Solutions Engineer - Axceler

• 6 years in security, 2 in SharePoint
• Worked on the Metasploit project
• Security Evangelist
• Compliance Expert

Twitter: @mrbarrett
LinkedIn: www.linkedin.com/mrb08

Page 4

Axceler Overview

Liberating collaboration in the social enterprise through visibility and control
• Have been delivering award-winning administration and migration software since 1994
• 3000 Customers Globally

Dramatically improve SharePoint Management
• Innovative products that improve security and scalability
• Making IT more effective and efficient and lowering the total cost of ownership

Focus on solving specific SharePoint problems
• Coach enterprises on SharePoint best practices
• Give administrators the most innovative tools available
• Deliver “best of breed” offerings

Page 5

Security Redux

How are you using SharePoint?
• Document Repo vs. Core Business
• Few select users or everybody?

What secure content do you have?
• Where is it?

(Slide tabs: Governance, Permissions)

Page 6

Security Redux

Authentication Methods
• Windows Authentication
– NTLM
– Kerberos
– Digest
– Basic
• SP Groups
• Claims
• SAML tokens
• Forms-based
– AD DS
– LDAP

(Slide tabs: Governance, Permissions)

Page 7

Security Redux

What can be secured?
• Sites
• Libraries/Lists
• Folders
• Documents/Items

(Slide tabs: Governance, Permissions)

Page 8

Security Redux

Management Challenges
• Distributed vs. Centralized

(Slide tabs: Governance, Permissions)

Page 9

Security Redux

Management Challenges
• Distributed vs. Centralized
• Whose responsibility is it?

(Slide graphic: Centralized? / Distributed?)

Page 10

Security Redux

Typical Best Practices vs. Compliance Best Practices
• Visitors
• Members
• Read only?

(Slide tabs: Security, Compliance)

Page 11

Security Redux

Typical Best Practices vs. Compliance Best Practices
• Sites, Lists, Libraries share most permissions
• Sensitive data is separated from normal data (typically this is all you need)

(Slide tabs: Security, Compliance)

Page 12

Compliance Changes Things…

Plan your work, work your plan

Page 13

Compliance – Alphabet Soup

o Sarbanes-Oxley Act (SOX Compliance)
o Healthcare Services (HIPAA)
o GLBA
o California Senate Bill No. 1386
o NERC Cyber Security Standards
o Financial Services (GLBA)
o Visa Cardholder Information Security Program
o MasterCard Site Data Protection Program
o American Express Data Security Standard

(Slide tabs: HIPAA, SOX, PCI)

Page 14

Compliance Fact Sheet

• 45 states (including CA) have some form of data breach law
• All different, but require protection of PII (Personally Identifiable Information)

(Slide tabs: HIPAA, SOX, PCI)

Page 15

What is PII?

• Full Name
• National ID number
• IP address (in some cases)
• License Plate Number
• Driver’s License Number
• Face, Fingerprints or Handwriting
• Credit Card Numbers!!
• Date of Birth
• Birthplace
• Genetic information

(Slide tabs: HIPAA, SOX, PCI)

Page 16

Where Does This Come From?

NIST (National Institute of Standards and Technology), SP800-53
• Access Enforcement
• Separation of Duties
• Least Privilege
• Limiting Remote Access
• Protecting information at rest through the use of encryption

Page 17

Breaches are Costly!

• Sony – 77 million credit numbers (April 2011), cost $171m to fix
• Fortune 50 leader in Aerospace – fined $75m for leaking helicopter part information
• Breaches are on average $6m+*

* Source: Ponemon Institute

(Slide tabs: HIPAA, SOX, PCI)

Page 18

Compliance Changes Things…

It’s far more expensive to certify than secure...
• Best Advice: Limit your scope!

Page 19

Step 1: Define Your (forced) Compliance Goals!

• Security vs. Efficiency Paradox
• Trust but Verify

(Slide graphic: Security, Efficiency, Verify)

Page 20

Step 1: Define Your Compliance Goals!

Understand your Benchmarks
• What current business processes could potentially be affected?
• Optimization ”ripples”
• Efficiency theories
• Collaboration? Is it compliant?

(Slide graphic: Benchmarks, Ripples, Compliant?)

Page 21

Step 1: Define Your Compliance Goals!

Quickest is not always best
• Take your time
• Far cheaper in the long run
• Shortcuts lead to breaches
• Breaches lead to sad

(Slide graphic: Breaches Are Sad)

Page 22

Step 2: Commit

Building from Scratch vs. Adaptation
• ”You can tailor a framework to a regulation, but you can’t tailor a regulation to a framework”

(Slide graphic: Pilot, Review, Deploy)

Page 23

Step 2: Commit

Build Your Pilot
• Separate server
• No real data
• Study!
• Gap Analysis

(Slide graphic: Dev, Staging)

Page 24

Step 2: Commit

Bring More Cooks in the Kitchen
• Legal
• Security Team
• Consultants (if necessary)

(Slide graphic: Dev, Staging)

Page 25

Step 3: Assimilate

Page 26

Step 3: Assimilate

Once You’re Sure...
• After Gap Analysis
• Dev to Staging
• Typically single-server
• Introduce Pilot Users (try to break it)
• Penetration Test
• Production

(Slide graphic: Test, Verify)

Page 27

Step 4: Maintain

Compliance one day doesn’t guarantee compliance the next...
• Monitor
– Service Packs
– User Activity
– Confirmation of Permissions
• Monitor Regulations
– They Change!

(Slide graphic: Server, SharePoint, Users)

Page 28

Step 4: Maintain

Every new element needs to be vetted
• One insecure element makes EVERYTHING insecure

(Slide graphic: Server, SharePoint, Users)
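As an added example (not from the deck and not an Axceler product), the following PowerShell script for on-premises SharePoint 2013 turns the "Confirmation of Permissions" check into something that can be run on a schedule: it walks the securable hierarchy from the earlier slides (sites, lists/libraries, folders, items) and reports every object that breaks inheritance, so a reviewer can confirm that sensitive data is still separated and that newly added elements were vetted. The site URL and report path are placeholders.

```powershell
# Added example, not from the deck: list every object in a SharePoint 2013 site collection
# that has unique (non-inherited) permissions, with the principals and roles granted.
# Assumes the on-premises SharePoint Server object model; URL and path are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "http://sharepoint.example.local/sites/finance"   # placeholder
$reportCsv = "C:\Reports\UniquePermissions.csv"                 # placeholder

function Get-UniquePermissionRecord {
    # Emits one record per role assignment when $Object does not inherit permissions.
    param($Object, [string]$Kind, [string]$Location)
    if (-not $Object.HasUniqueRoleAssignments) { return }
    foreach ($ra in $Object.RoleAssignments) {
        [pscustomobject]@{
            Kind      = $Kind
            Location  = $Location
            Principal = $ra.Member.Name                      # user, SP group or AD group
            Roles     = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ";"
        }
    }
}

$site = Get-SPSite $siteUrl
$records = foreach ($web in $site.AllWebs) {
    try {
        Get-UniquePermissionRecord -Object $web -Kind "Site" -Location $web.Url
        foreach ($list in $web.Lists) {
            if ($list.Hidden) { continue }                    # skip system lists
            $listUrl = "$($web.Url)/$($list.RootFolder.Url)"
            Get-UniquePermissionRecord -Object $list -Kind "List" -Location $listUrl
            foreach ($folder in $list.Folders) {
                Get-UniquePermissionRecord -Object $folder -Kind "Folder" -Location $folder.Url
            }
            foreach ($item in $list.Items) {
                Get-UniquePermissionRecord -Object $item -Kind "Item" -Location $item.Url
            }
        }
    } finally {
        $web.Dispose()                                        # SPWeb objects must be disposed
    }
}
$site.Dispose()

$records | Export-Csv -Path $reportCsv -NoTypeInformation
# Surface the riskiest findings for review: anything granting Full Control below site level.
$records | Where-Object { $_.Kind -ne "Site" -and $_.Roles -match "Full Control" } |
    Format-Table Kind, Location, Principal, Roles -AutoSize
```

Comparing the CSV against the previous run shows which elements were added since the last review and whether any of them broke inheritance without being vetted.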

Page 29

Compliance Generalities

Compliance follows common themes...

CIA Triad
• Confidentiality
• Integrity
• Availability

Page 30

Compliance Specifics: HIPAA

Data must always be encrypted
• In transit, at rest
• SSL

Data must never be lost
• DR Plan

Data must only be accessible by authorized personnel
• Access Control/Authentication
• User Security
• Password Policies
• New Employee Procedures

Page 31

Compliance Specifics: HIPAA

Data must never be tampered with or altered
• Audit controls/integrity
• Unauthorized modification prevention

Data should be encrypted if being stored/archived
• Transparent SQL DB encryption

Can be permanently disposed of when no longer needed
• Remember: Health records must be stored for 6 years
• Document retention policies

Page 32

Compliance Specifics: SOX

All data must be...
• Stored
• Retained
• Secured
• Audited

Proof of internal controls
• Plans
• Framework

Disclosure

Page 33

Compliance Specifics: PCI

“If it touches something that stores or processes credit cards, it falls into the compliance”
• Pen Testing
• External environment scanning
• Gap Analysis (PCI DSS)
• Document management system

Page 34

Conclusion

Compliance changes things slightly...
• Fines are off the charts
• More work
• More diligence

Page 35

Thank You!

Learn more about Axceler Solutions
• www.axceler.com
• [email protected]