General Business Secure Information Sharing in SharePoint 2010 Antonio Maio Senior Product Manager, Titus Inc.

General Business Agenda Sharing Information vs. Securing Information Information Security Risks in SharePoint 1.Uploading to the Wrong Location Where do I put this?! 2.Sensitive Content What’s that?! 3.Unauthorized Editing and Data LossWiki-what?! Security Strategies to deal with them Real World Experiences Checklist/Considerations: Secure Information Sharing Strategy 2

General Business Sharing Information vs. Security Information Balancing Information Sharing & Security is Challenging for Everyone Militaries and Governments Working to Achieve This… Relates Directly to National Security Ex. Recommendation from the 9/11 Commission to U.S. Government (Rec. #34, page /11 Commission Report) 3 Corporations and Business Working to Achieve This… Relates to Business Productivity

General Business Information Security Risks in SharePoint SharePoint is not Insecure As the amount of content in SharePoint grows… Management Consistency Take advantage of SharePoint 2010 Security Features Use 3 rd Party Security Add-On’s 4

General Business Information Security Risk #1 –Upload Content Users Uploading Content to Incorrect Libraries “Where do I put this thing?” Users don’t know where to upload documents Multiple document libraries look like the correct location Correct location is buried under sites and sub-sites User doesn’t care or is inexperienced Result Inherited Permissions from the site or library – Incorrectly Set Sensitive content ends up available to the masses For regulated industries, this can be a major issue – Ex. ITAR 5

General Business Security Strategy – Content Organizer Content Organizer in SharePoint 2010 Automatically route documents to the correct libraries and folders Documents can come from… Save As to library from within Office app Upload to library or to ‘Drop Off Library’ Automatically added to library via Web Service Send To within SharePoint Limit the number of items in a document library or folder 6

General Business Security Strategy – Content Organizer 7 Select Site Settings, then click Manage Site Features

General Business Security Strategy – Content Organizer 8 Activate Content Organizer

General Business Security Strategy – Content Organizer 9 Configure Settings and Rules… separately Things to do first: Create libraries and folders that you want documents to be routed to Content types must be associated with documents that are to be routed

General Business Security Strategy – Content Organizer 10 Content Organizer Settings Redirect Users to the Drop Off Library Sending to Another Site Folder Partitioning Duplicate Submissions Preserve Context Rule Managers Submission Points

General Business Security Strategy – Content Organizer 11 Content Organizer Rules Name Status & Priority Content Type Conditions Target Location

General Business Security Strategy – Using the Content Organizer 12 Using the Drop Off Library…

General Business Information Security Risk #2 – Sensitive Content Sensitive Content in SharePoint is fine… with proper controls Uploading Sensitive Content Can Violate Corporate Policy or Compliance Standards PCI DSS, HIPAA, ITAR, SEC Disclosure Rules Users Unaware of what Information is Sensitive and How to Handle It Easy to Upload to Wrong Library Easy to download a document, change it, re-upload 13

General Business Security Strategy – Classification & Visual Security Labels Classify Documents with Metadata Native SharePoint columns and metadata Managed metadata keeps metadata values standard and consistent Automatically Apply Visual Markings based on Metadata Raise Awareness within the organization What information is sensitive How should sensitive information be handled Educate users on information security policy 14

General Business Security Strategy – Classification & Visual Security Labels Classify Documents with Metadata Columns 15

General Business Security Strategy – Classification & Visual Security Labels Classify Documents with Metadata Columns 16

General Business Security Strategy – Classification & Visual Security Labels Managed Metadata Service – Term Store Management 17

General Business Security Strategy – Classification & Visual Security Labels Manage Metadata Terms Centrally for the Site Collection 18

General Business Security Strategy – Classification & Visual Security Labels Militaries and Governments take this very seriously Have had classification standards for decades Distinguish between Classified and Unclassified Information Defense & Aerospace have Serious Challenges with Regulations Strict compliance standards to follow Commercial Enterprises are starting to take this seriously Recent data breaches – they now see the risks and the costs Documents, s & SharePoint 19

General Business Security Strategy – Classification & Visual Security Labels Ex. ITT Faces $100 Million Fine for ITAR Violations 20

General Business Security Strategy – Classification & Visual Security Labels Seek out 3 rd Party Tools Headers & Footers Watermarks Time and date stamping Upon upload and bulk marking Consider file formats: MS Office and PDF documents 21 Raising Awareness and Educating Users about Sensitive Documents

General Business Security Strategy – Classification & Visual Security Labels SharePoint Security Goes Part of the Way Metadata Columns Managed Metadata Service Develop Yourself or Seek out 3 rd Party Tools to Complete the Solution Classify your documents with Metadata Apply Visual Markings to Documents Automate to Ensure Consistency Ensure Changes in Policy are Applied Across the Org 22

General Business Information Security Risk #3 – Unauthorized Editing/Data Loss Unauthorized Editing of Documents Easy to download a document, change it, re-upload it SharePoint Versioning helps - admins and content owners need to know to revert back to a previous version Data Loss Sensitive Information Incorrectly Inheriting Permissions from Parent Library or Folders Data exposed to incorrect groups/teams internally Data sent outside the organization 23

General Business Security Strategy – PDFs & Visual Markings on Download Unauthorized Editing - Automatically Convert to PDF SharePoint 2010 has some native capabilities Word Automation Services can convert MS Word docs Code must be written Consider all document types in play MS Excel, PowerPoint, Visio, etc… Should be automatic – convert and re-convert Keep PDFs up to date Choose from Numerous 3 rd Party Tools 24

General Business Consider 3 rd Party tools that mark PDF files upon Download 25 Current User Date and Timestamp Security Strategy – Classification & Visual Security Labels

General Business Data Loss – 2 kinds of Leaks Inadvertent Disclosure (accidental) Unauthorized Disclosure (Intentional) Use Inheritance, Permissions and Metadata Sensitive content incorrectly inheriting permissions from parent library or folders Important to understand how inheritance and permissions work 26 Security Strategy – Item-Level Permissions

General Business Security Strategies – Inheritance & Permissions Inheritance Permissions established for the “parent” level in a site will replicate to its children Example: give a user ‘full control’ permission to a site gives the user “full control” to every library & list in the site Permissions can also be granted at levels: Sub-site List/Library Item 27

General Business Security Strategies - Inheritance & Permissions Inheritance can be broken and unique permissions granted to “Child” items Once broken, any changes at the parent level will no longer propagate to the child items Permission inheritance must be broken from the parent level before custom permissions can be applied 28

General Business Security Strategies - Inheritance & Permissions Permissions management and inheritance is very flexible Its also very manual …and very difficult to scale as SharePoint repositories grow 29

General Business Security Strategies – Item-Level Permissions Use Item-Level Permissions for Sensitive Content Use where appropriate Be aware of SharePoint limitations – performance can be impacted If possible, Automate Item-Level Permissions Ensures permissions continue to be set as content grows Ensures permissions are set consistently across the entire SharePoint deployment 30

General Business Secure Information Sharing Strategy - Considerations Goal: Balance Sharing and Securing Information Checklist of Security Concerns to consider Administrative Access to Content Control Uploading Know what kind of information you have Classify Content with Metadata Raise Awareness about sensitive info with Visual Markings Use PDFs where necessary to avoid Unauthorized Editing 31

General Business Secure Information Sharing Strategy - Checklist Checklist of Security Concerns to consider Inheritance & Item-level Permissions for Sensitive Content Automate as much Security as you can Data Retention and Regular Auditing 32

General Business 33 Antonio Maio Senior Product Manager, Titus Inc.