Data Breaches and Implementing Proactive Security Policies – Office 365 & Azure
Data Breaches and Implementing Proactive Security Policies – Office 365 & Azure Considerations
Over the past few, there have been some very high profile instances of data breaches in environments of all types. The NSA IT Administrator Edward Snowden, who accessed and shared classified NSA data, has been the most widely publicized incident around this and there has been an added push to mitigate future data breaches and examine how these types of incidences actually occurred.
Do you or the assigned person within your organization have reporting capabilities regarding user access and security levels? What about the ability to view “approved” security levels or have an available feature that sends out an alert if an unapproved security level is applied to an individual? Being more vigilant around securing your organization’s data should be one of the leading drivers of your SharePoint and overall IT roadmap as many organizations have become complacent in this area.
In many cases, an organizations records “retention schedule” would provide you insights into what content is sensitive, proprietary, or regulated and how can it be identified. The issue here is that 30-40% of organizations throughout the globe do not have an “approved retention schedule” or are in the process of developing one. EPC Group has been deeply involved in working with organizations legal and compliance departments around the development of their “retention schedule” and it is not easy or sexy task to accomplish.
In many cases it comes down to the content owner or even power users who understands what type of content exists within their “area” or “department” and it is not formally documented. EPC Group has recently been involved in several SharePoint 2007 and SharePoint 2010 to SharePoint 2013 upgrades \ migrations where governance was not previously enforced and content sprawl within document libraries in multiple and in many cases very similar sites exist.
Note: EPC Group’s Hybrid Cloud Advisory Practice was created out of these very needs for organization’s to get real-world and best practices guidance tailored to their exact needs and business vertical.
Highly Publicized Data Breaches & Questions Being Posed
Because of some of these more highly publicized cases of data breaches and extremely sensitive information being exposed, six of the world’s top government security agencies, as detailed in the image below, have published their own recommendations regarding “Cloud Security Recommendations” to assist organizations by providing “lessons learned” around some of the growing threats that they have been addressing.
What Are Your Organization’s Compliance Policies?
Protection of your organization’s intellectual property as well as the ability to adhere to regulations and laws such as PHI, PII, FISMA and HIPAA must be a top requirement and an inherit ability of any architecture considerationfor SharePoint 2013.
As a baseline, how do you currently protect sensitive and the very important data that exists in your enterprise?
It is also important when developing compliance policies you are actively looking for ways to reduce any exposure risks that may exist.
Depending on the size of your of our organization you may have designated resources around litigation,eDiscovery, and maintaining your currently “compliance status” but small to mid-sized business will more than likely have resources that were “many different hats” and SharePoint Server 2013 will provide you with many industry leading capabilities to manage compliance.
It is also important to ask questions of your organization such as:
- How does your organization quickly find information?
- How does your organization ensure policy consistency?
- How does your organization scale the compliance solution to the enterprise?
- What is the current strategy on cost control and information management or compliance?
Understanding the Implications of International Law and Your Organization’s Data
For the past six or seven years, there has been a growing and very public backlash against laws in the US and those laws that govern US-based data centers such as the Patriot Act.
The US is not alone as there are similar laws in numerous countries that have been much less publicized but when implementing a global SharePoint 2013 implementation where data centers around the world are in scope, it is very important to understand how this may affect your deployment.
For many years, countries such as Germany and others in the EU have enacted very strict privacy laws that ban information from being published or readily available in not only public information and search platforms but in private and company owned systems.
SharePoint’s My Site functionality is a good example here as EPC Group has had to develop and apply features to some of our clients in these areas that block some personal fields from “People Search” such as a person’s manager, their home or cell numbers, as well as many variations of this.
Many large Fortune 1000 US organizations have a stance around being English-only and have successfully been able to avoid some of these regional specific implications but this is heating up again and becoming an area of concern that should be discussed within your organization’s IT departments as well as legal and compliance to ensure your following certain protocols and county-specific laws as there can be daily fines levied against companies as well as temporary “freezes” placed on data or system access.
Microsoft has been proactive around many regulatory issues both in the United States and in the EU in obtaining certifications and approvals in areas such as the EU Safe Harbor Certification, HIPAA, FERPA, SAS 70, and ISO 27001 to name a few.
This will undoubtedly grow or continue to be updated so it is very important that you or a designated individual with your organization monitor updates from Microsoft as well as other cloud-providers should you have global offices that may be affected and governed by specific laws.
I remember vividly when I received several a phone call from IT and business stakeholders one evening from a client of EPC Group that had regional offices in relatively small country in Africa and because of recent laws there as well as the regime change that had recently taken affect in that country, the government had seized their servers and temporarily shut down all internet access and the ability for them to access their data.
This client is a household name in the oil and gas area throughout many areas of the world but this counties government was not impressed and did not care about even the day-to-day drilling and oil production taking place and production ground to a screeching halt.
The total cost of this shutdown was estimated by this client on day 2 of this incident to be in the ballpark of 6 million dollars per day and they had to get this resolved one way or another.
In a nutshell, this country had recently passed a law stating that all data that is accessed by a computer system in their country in relation to Oil Well data had to actually reside or be stored within the country’s borders.
The incident started when a local government official performed an audit on the this company in performing a set of random searches in SharePoint 2007 that returned results about some Oil Well specification that were nearby but were stored in a SharePoint department \ team site in London.
This issues was ultimately resolved within 7 days and is obviously extremely unique and bordering on the bizarre, but I remember it vividly as I do not think I slept for more than 5 hours that entire week. It is pretty clear that a “data loss” type issue here with a 6 million dollar a day price tag and severe impact on the business, this had to be resolved and done so “yesterday.”
There have been a handful of other incidents like this I have personally seen or been engaged by a client to assist in resolving has led to some of my more cautious or sometimes “dooms day” like questions at times during road mapping and architectural design session for some of EPC Group’s global clients.
I think it is worth mentioning in this overall architectural roadmap planning and discussion topics as you must plan for and have contingency plans around data protection, data loss, and data spillage areas in a your organization’s environments and when engaging on a deployment in the cloud where sensitive data exists you may not have the access 24/7 to immediately act on an issue so further investigating cloud-providers service level agreements (SLAs) and policies around these types of issues much be discussed, documented, and fully disclosed.
I have had some issues with cloud-provider representatives not knowing the answers to these questions, which in some cases is understandable due to the possible role they have at the provider, but any cloud provider you select should be able to quickly direct you to contacts that handle these issues as well as to very granular documentation regarding how these issues are dealt with and what you can expect from them.
It has been frustrating to view some of the SLAs and granular information provided by some providers as they provide sometimes vague responses but be sure you dig very deep here when planning for your infrastructure and hold these providers accountable to provide you with specifics to your questions before procuring their services.
These type of topics will continue to mature over time and cloud providers will eventual all have representatives or technical teams up-to-speed on these granular issues but I am concerned about “data spillage” issues within cloud providers that can have extremely sensitive data be mistakenly made available to users or other even search engines and the nightly “content source crawl” results where this data must be identified, cleansed, and the issue solved right away.
I have a concern about companies who are not at all at fault but somehow their SharePoint or Office 365 search results, or even custom .NET application(s) running on an AWS platform, start returning results with content you have never seen before and have no idea where its source is and due to this data spillage your environment is taken down temporarily by either the provider or even a government agency made aware of this sensitive data breach.
Reviewing Your Organization’s Current Disaster Recovery or Business Continuity Plan
It is key to consider the differences in your organization’s current disaster recovery or business continuity plan versus that of a cloud-based and possibly service provider led disaster recovery related plan to following the following:
- Environment and Security Governance
- SharePoint Disaster Recovery Governance
- Defining SharePoint SLAs
- Cloud Mapping
- Network Mapping
- Enable Protection
- Recovery Plans
- Planned failover
- Unplanned failover
The environment you select to deploy your organization’s SharePoint 2013 environment on in your 24-36 month SharePoint roadmap, and governance strategy, (i.e. Azure, AWS, On-Prem, etc.) must take all of these issues into consideration into account as sometimes the “Pros” outweigh the “Cons” but other times the “Cons”, although mathematically slim in possibility, would so outweigh the “Pros” that the risk of downtime may not even be something the organization would consider.
EPC Group’s Nationally Recognized Practice Areas
EPC Group leading SharePoint, Office 365, Infrastructure Design and Business Intelligence Practice areas continue to lead the way in providing our clients with the most up-to-date and relevant information that is tailored to their individual business and functional needs.
Additional “From the Consulting Trenches” strategies and methodologies are covered in EPC Group’s new book, “SharePoint 2013 Field Guide: Advice from the Consulting Trenches” covering not only SharePoint 2013, Office 365 and SharePoint Online but Information Management, ECM\RM and overall compliance strategies in this ever changing world of “Hybrid IT.”