Being a Microsoft Office 365 Partner, I am keen to follow any news concerning feature changes and updates to Office 365. Microsoft announced via this blog that Office 2013 clients' connections to commercial Office 365 services will not be supported after October 13, 2020. After this date, ongoing investments in the Office 365 cloud services (including Exchange Online, SharePoint Online, and OneDrive for Business) will proceed based on post-Office 2013 requirements.
Personal data (also referred to as PII, Personally Identifiable Information) is data that identifies an individual. A name by itself is not enough to identify an individual; a name together with an address would be. For example, when you are called by an operator in a call centre, you will often be asked for your name, address and date of birth. That is an example of personal data. What they do with your personal information is data processing: storing, sorting, workflow (further processing) and retention through to archive (disposal) of that data. The controller of that data (that is, the owner of that call centre) is responsible for ensuring that the data is stored securely on their system.
However, no matter how secure the system is (or, in fact, any data processing system is), social engineering attacks are a key threat vector. The weakest part of a system is the people, since they are the easiest to deceive and manipulate. One of the weakest points is impersonation attacks, where someone plays the role of a person who is likely to be trusted, and whose personal information was obtained through data processing. In other words, to get enough personal information about an individual to impersonate them, that personal information has to be obtained in the first place, and, to a large degree, 'data processing' is where that information can be obtained.
Through the data processing, there are three key elements:
- The Subject, who owns the data.
- The Controller, who is responsible for determining how the data is processed.
- The Processor, who is responsible for the data processing of the subject data.
This can be represented in virtually any process, let’s take a basic SharePoint example:
- The Subject uploads data into a SharePoint site.
- The Controller manages the site where the data is uploaded and determines how the data is processed (also known as the data owner on the site).
- The Processor holds that data from the point where it has been uploaded, to the point where the data is disposed of (this is generally some technical processes in the repository where the content has been uploaded, e.g. storage, workflow, disposition, security).
There are some assumptions to the above example in terms of the management of Personal information:
- The Subject assumes that the data being uploaded is securely managed (it can be security classified, can be readily accessed, and remain intact).
- The Controller assumes they are accountable for that data being serviced, by making sure the processor is sufficiently configured to secure that content and to mark it with an identifier of the subject. A basic example in SharePoint is that uploaded data gets marked with the name of the individual uploading it, the time when that occurred, and a recorded history of working with that data.
- The Processor assumes that it is designed in such a way that personal information is secure; that any alterations, changes, modifications, workflow is known to the subject.
A conundrum is the sheer collaboration aspect; that is, who has access to that data, and, unfortunately, that some controllers misunderstand security as being, somehow, the product. It is not. Any system can be bypassed using social engineering if that data is compromised. The personal information of the Subject can be accessed by anyone who has view access to that data. For example, in SharePoint Online, when a Subject's name is clicked in a repository, a list of other documentation recently uploaded or accessed is visible, along with a link to more information through Delve. Additionally, the Delve screen has a further link to the Subject's OneDrive, and from there visibility of the Subject's team. In terms of technology this example works slightly differently in SharePoint On-Premise; however, the outcome is the same.
The challenge is that, irrespective of the tools used to provide storage, availability and integrity of data, there needs to be some thinking about managing the security of the data as well as of personal information. Let's look at some of the requirements on those three elements:
- From the Subject, there needs to be understanding of how much information they enter about themselves using Delve (About Me, Projects, Skills and Expertise, Schools and Education, Interests and Hobbies) as this affects PII.
- From the Controller, they need to provide awareness to the subject that the data they provide is secure, and the level of accessibility to that data, and where that data is located.
- From Processing, the design of repositories needs to include the management of data storage, classification, and workflow relevant to how personal information is passed. For example, the use of a form to capture information relevant to uploaded content may require the subject to enter personal information, maybe even beyond what is already supplied in Delve. If this is the case, the Controller should make the subject aware of the kind of information gathered, what the Processing element will do with that data, and how long that data will exist in the repository. Another example is where the uploaded data includes Personal Information and, through machine learning, metadata is extracted and posted as viewable column data in a repository. And this does not stop at metadata. The very design of the code used to carry out further processing through workflow should be scrutinised, since the level of Personal Information recorded needs to meet legislation; in particular, the Data Protection Act 1998 (UK law) covers this, including sensitive personal information, which you must have the Subject's consent to process beforehand.
Managing personal information is a crucial aspect of data security; it is the key to understanding how to prevent breaches of personal data through impersonation or masquerading.
This short article is designed to get you thinking about the actual service delivery in managing personal information, not just for SharePoint (either Online or On-Premise), but beyond to the endpoints connected to it, and then even further into the roadmap surrounding Office 365. In a data processing system, the fundamental requirement is to secure the content through its lifecycle. The challenge is ensuring that the features of the tools involved are fully understood when it comes to the storage of personal information, and that security awareness, policies, and training are provided to subjects and data controllers. Legislation is important to understand in this area, and a good checklist to start from is here.
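As an added illustration (not code from the original article), the following Python check reviews metadata that an extraction or form step proposes to publish as repository columns, and withholds anything that looks like personal data unless the Subject's consent has been recorded. The column names, value patterns and sample document metadata are constructed for this example; where the consent flag is stored is a site design decision that the article does not specify.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: metadata that a hypothetical extraction step proposes to
# promote to list columns for one uploaded document. Names and values are invented.
SAMPLE_EXTRACTED = {
    "Title": "Q3 Site Audit Report",
    "Author": "Jane Example",
    "ContactEmail": "jane.example@contoso.example",
    "ContactPhone": "+44 20 7946 0000",
    "DateOfBirth": "1980-05-14",
    "Department": "Facilities",
}

# Column names the site design treats as personal data regardless of value
# (an assumed naming convention for this example).
PII_COLUMN_NAMES = {
    "author", "contactemail", "contactphone", "dateofbirth",
    "homeaddress", "nationalinsurancenumber",
}

# Value patterns that mark a column as personal data even when its name is neutral.
PII_VALUE_PATTERNS = {
    "email address": re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+"),
    "phone number": re.compile(r"\+?\d[\d\s().-]{8,}\d"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


@dataclass
class ColumnDecision:
    name: str
    is_pii: bool
    reason: str


def classify_column(name: str, value: str) -> ColumnDecision:
    """Decide whether one proposed column holds personal data.

    The column name is checked first (designated PII columns), then the value
    is matched against the patterns above so that free-text columns such as
    'Notes' are caught when someone types a phone number into them.
    """
    if name.replace(" ", "").lower() in PII_COLUMN_NAMES:
        return ColumnDecision(name, True, "column is designated personal data")
    for label, pattern in PII_VALUE_PATTERNS.items():
        if pattern.search(str(value)):
            return ColumnDecision(name, True, f"value looks like a {label}")
    return ColumnDecision(name, False, "no personal data detected")


def review_columns(extracted: Dict[str, str]) -> List[ColumnDecision]:
    """Classify every proposed column; the result is what a Controller would review."""
    return [classify_column(name, value) for name, value in extracted.items()]


def published_view(extracted: Dict[str, str], subject_consented: bool = False) -> Dict[str, str]:
    """Return only the columns safe to show in the repository view.

    PII columns are withheld unless the Subject has consented to their
    processing. The consent flag is an input here; recording it is a
    separate design decision for the site.
    """
    return {
        decision.name: extracted[decision.name]
        for decision in review_columns(extracted)
        if subject_consented or not decision.is_pii
    }


if __name__ == "__main__":
    for decision in review_columns(SAMPLE_EXTRACTED):
        print(f"{decision.name:13} pii={decision.is_pii!s:5} {decision.reason}")
    print("Published without consent:", published_view(SAMPLE_EXTRACTED))
```

The date pattern deliberately errs on the side of caution: a column such as "ReviewDate" would be withheld too, and the Controller would then add it to an allow-list rather than loosen the check. That is the scrutiny of workflow code the passage asks for, applied before metadata ever becomes a visible column.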
The key element, the Subject, can be made more aware of storing personal information in content they upload. A good article for working say through a Word document and removing personal identifiable information is here.
A distinct point to make is that Microsoft cloud applications are, by their very nature, tools used by customers to upload and transmit information through their relevant tenants. For example, whilst Azure services cover tools for system maintenance, infrastructure, security, record retention, information management and system development, there are data processing activities which the tenants manage. They are responsible for ensuring that information stored in or transmitted through the services is securely managed; at the very least, they should have carried out a security risk assessment against any data processing or controlling surrounding the management of personal information. The key thing to remember is that security is not a product: the responsibility for securing data through its processing lies with the Controller of that data, namely the tenant owner, the SharePoint site owner, and therefore the organisation responsible for providing those sites.
One of the most useful documents in my view in planning implementations of Office365 is understanding data encryption and data backup and the standards applied. Microsoft have provided audit reports covering their cloud stack (Dynamics CRM, Office365, Yammer and Azure). These SOC and ISO reports include testing and trust principles in these areas:
- Data Transmission and Encryption
- Security Development Lifecycle
- Data Replication and Data Backup
To access these reports, you will need to access the Security and Compliance area in your Office365 tenant.
As said, these cover the Microsoft Cloud Stack, however, the two key documents for Office365 are:
Office 365 ISO 27001-ISO 27018-ISO 27017 – this is an audit document confirming whether Office365 fulfils the standards and criteria against ISO 27001, 27018 and 27017.
- PII is included in Office365 because it is run over Public Cloud for multi-tenant customers.
- Cloud Security is included in Office365 because it is defined as a SaaS (Software as a Service)
- All encryption adheres to TLS requirements and hashing (specific)
Office 365 SOC 2 AT 101 Audit Report 2016 – this is an audit document looking at the controls relevant to Security, Availability, Confidentiality and Processing Integrity.
- Details on the services concerning planning, performance, SLAs, hiring process (including background checks of staff) are provided.
- Control Monitoring, Access and Identify Management, Data Transmission (encryption between Microsoft, Client and data centres) are described.
- Project requirements through to Final Approval concerning the SDLC process is described
- Availability, Data Replication and Backup is covered.
The above SOC and ISO reports are extremely useful in aiding any risk assessment that you should undertake to confirm the service assurance of Office 365 going forward. Risk assessments are not a 'one shot' task; they should be carried out on an annual basis. The Office 365 service is a rich offering of Infrastructure, Software, People, Procedures and Data. Each requires security controls and confirmation that they meet standards which can be dovetailed into your organisation. The audits go into great detail concerning the controls (especially things like Data in Transit / at Rest, SSL / TLS). A lot of questions are asked by customers concerning security controls; the video below is a good way of helping you (and your clients) understand how Microsoft ensures proactive protection, and you should definitely check out the Microsoft Trust Centre for great information concerning encryption.
A major challenge in businesses is the misconception that data is 100% secure in every part of its data processing within that business. This data processing concerns the content management lifecycle: from creation, to storage, to distribution, to workflow and eventually archive of that data. The misconception? The "Security breach? It's not going to happen to us" mentality. It is vital that there is an understanding of Information Security and Information Assurance in content management security. As an information security professional (or an Architect covering security), you should be prepared for any security breach that can affect the confidentiality, availability, and integrity of the data. Any service delivery disruption caused by a security breach is harmful to profitability, and has far-reaching consequences which could include liability, reputation and much more.
A key aspect of implementing SharePoint in an organisation is the security of content. The success of SharePoint in an organisation is due not only to how comfortable users are with using their current technology alongside SharePoint; it is also down to ensuring that users are comfortable knowing that the data they manage on their SharePoint sites is secure…
Merry Christmas Everyone!
As the seasonal period quickly approaches, the discussions concerning what happens to supporting SharePoint over the holiday either approaches, or has been covered, or even assumed. The Christmas period is of course where your SharePoint sponsors are more likely to show a little more concern than normal about how their SharePoint platforms are going to be monitored over the period.
So then, let's remind ourselves of the holiday period in question; basically, the days that will be relevant to anyone are the week of Christmas, from the 23rd through to the 28th. There are two days that are pretty much important to us in the UK over the seasonal period, especially in Scotland: Christmas Day and New Year's Day. Then there is Boxing Day, when it's likely that you would be relaxing in front of the telly, or sledging, or skiing, using that day to wind down after the Christmas Day madness. Then there are the two days after Boxing Day, the 26th and the 27th, for relaxation, relief, playing with the various presents, and getting stuck in to food 🙂
So over those two days you are likely to do one or more of the following: not be in the office, switch off the mobile, inform people you are not available.
So chances are, that on the days in question, you will be chilling out, and possibly even like me having a choice Mince pie, a Glass of port (or more – like Rum)…
But this is not about what you will be doing over those periods away from the office. It is about how you are going to support SharePoint, isn’t it?
First, let’s consider the available types of support:
- On Premise SharePoint Support / IT Support combined / Outsourced
- Off-Premise Office 365 Microsoft provisioned Support
- Third party product support
Throwing caution to the wind
My dad once said to me when I was a lot younger that in order for Santa Claus to know what present I would like, that I should write a letter, and throw it into the wind when it was blowing north, so that the letter would reach the north pole.
Of course, by doing that I eventually realized that the letter would not get there, unless my dad without me seeing ran like the clappers to retrieve the letter once I threw it out of the window.
Clearly, I was throwing caution to the wind, assuming things would happen – luckily for me, most of the times when I did throw that letter, things would work out – but only because there was a contingency – my dad, running like the clappers.
This relates, in a way, to how poorly those charged with SharePoint management judge the level of support needed to ensure the availability of SharePoint services over an important period like Christmas! Some organizations do not carry out enough preparation preceding the Christmas period to ensure adequate coverage of SharePoint support. Instead, there is a laissez-faire approach: simply throwing caution to the wind. Or, worse still, their IT support departments do not think to include SharePoint as a system that should be monitored, and do not include anyone with basic knowledge of SharePoint on the support desk.
Take this real scenario which happened a while back. Fictional company used though, however, if their now SharePoint support individuals are reading this article, they will definitely remember this event!
Five days before Christmas Day. Fabrikam has an IT Support department, and a number of individuals tasked solely with looking after SharePoint, called 'SharePoint Admins'. These SharePoint Admins look after the platform alone; there are no monitoring systems in place except for the server monitoring systems (alarm bells ringing already, no pun intended). A member of IT Support asks what the SharePoint Administrators will be doing on Christmas Day.
“We won’t be around, that’s for sure…” … “SharePoint looks after itself”, piped the SharePoint Administrators. “We will just take a peek at midday to make sure all is well”.
IT Support reports this discussion to the IT Support Manager. The IT Support Manager waves his arm saying ‘that’s not a problem, we have IT Support people on the desk who know a little of SharePoint, nothing can really go wrong’.
Over the next 4 days, no more is mentioned as the company ‘winds down’. On the 23rd of December, the CEO puts a Christmas message to the communication team who then puts the message in an announcement list on the Fabrikam SharePoint Extranet.
Christmas Day. At 9.30am that day, the CEO of the company, with his family in the Seychelles, decides to show a friend the message that was put on the SharePoint Portal on the 23rd. When attempting to display the announcement, the web page displays an error. Concerned, he raises a call into IT Support. IT Support try to get hold of the SharePoint Administrator, who has switched off his mobile because he is at the top of the hill where he lives, sledging. The CEO asks whether there is anyone else who can help, but IT Support have no knowledge of anyone and neither do they have any other contact number for the SharePoint Administrator.
The SharePoint Administrator calls in at midday to find chaos. The CEO is fuming because he has no idea whether anyone saw the announcement, and whether anyone who tried saw the error, which was embarrassing. IT Support have stated to the CEO that they do not know how to fix the problem, which is embarrassing. And, guess what: the SharePoint Administrator, who fixes the issue in minutes, finds that the rest of his day is spent rebuilding confidence with the CEO and IT Support. He is embarrassed.
That SharePoint Admin threw caution to the wind. And in doing so, assumed the following:
1: No one will care whether SharePoint is available or not
2: The SharePoint Admins do not care whether SharePoint is available or not
3: The SharePoint Admins assumed that the problem will ‘fix itself’
4: The SharePoint Admins assumed that they will eventually be told or will find out themselves that there is a problem, and that no one will moan when they do, or how long it takes to correct the problem.
5: That if a problem occurs where SharePoint is not available that there is no financial impact or otherwise
Preparing for Christmas
You must prepare your SharePoint environment to be supported over the Christmas period. This is just like preparing for Christmas itself. Doing things like putting up a Christmas tree, carefully putting up decorations without falling off ladders, writing Christmas cards, posting them, wrapping presents (carefully) without getting the sellotape stuck on the wrong part of the wrapping paper and making a mess. You put effort into doing all of that because you want to make others comfortable and yourself prepared. Therefore, there is no difference when it comes to SharePoint support.
There are nine things you could put in place so that you can ensure that SharePoint is supported over the Christmas period:
- Make it clear the days when there will be SharePoint cover over the period. When on holiday, for example, ensure that there are phone contacts and that is communicated to IT Support and your SharePoint sponsor.
- Ensure that the contact details have a backup. One number is not enough. Consider adding the home phone number or the number of the place you will be staying or visiting on the key days. Reasons for this could be bad mobile coverage, or that you could be travelling.
- Ensure that there is a remote method of you accessing the SharePoint environment. Most organisations using on-premise SharePoint have a method whereby individuals can log in over the Internet using say a Citrix / VPN / Xen Desktop etc. connection.
- Ensure that a member of the IT Support team is aware of any resolutions that can be used for 'possible issues'. For example, one issue could be how to quickly reset an application pool for a SharePoint site by going into IIS on the relevant server.
- Ensure that there is a list of the infrastructure, and details of any specific login information.
- Based on point (3) above, try to log into the SharePoint environment at least once a day to quickly check the status of the environment.
- Ensure that relevant third party information concerning their levels of support is listed and the details made known to IT Support.
- Provision monitoring systems for IT support which includes the status of key services to the SharePoint platform (on-premise).
- Provision monitoring services which includes the status of services for Office 365 Tenants
On-Premise and Off-Premise Support are not that different
At a very basic level, the provision of support for SharePoint over Christmas could be divided into two segments: the SharePoint 'supporter' and the associated services 'supporter'.
For on-premise SharePoint, the levels of support are:
1: The SharePoint ‘supporter’. The person(s) responsible for managing the products provided in SharePoint services.
2: The Associated services ‘supporter’. The person(s) responsible for providing support for the infrastructure and associated services.
The interesting aspect of Off-Premise (e.g. Office 365) Support is that there is in effect, also two levels:
1: The SharePoint ‘supporter’. The person(s) responsible for managing the products provided in the Office 365 tenant – e.g. SharePoint Team Sites and relevant products in those sites.
2: The Associated services ‘supporter’. The person(s) responsible for providing support for the Office 365 tenant.
Both of these, on-premise and Office 365, have monitoring tools. Both have the priorities and service delivery of support defined in SLAs, which are communicated to the person responsible for managing the products provided. This information is then cascaded in an understandable form to the client.
There are a huge number of monitoring tools available to on-premise SharePoint support (default and third party provisioned), which I will not go into (there are a huge number of articles that describe them). SharePoint Online now has a good amount of services and tools for monitoring. The Office 365 Admin app allows those responsible for supporting Office 365 to connect to their organization's Office 365 service status on the go. The app enables them to view service health information and maintenance status updates from their mobile device. You can also filter information by service subscription and configure app data refresh intervals.
To get the app, go here:
Office 365 also has the Office Message Centre. The Message Centre is located in the Microsoft Online Portal. The Message Centre is the central hub for communicating with you about Office 365. And in there you will find the topics including those in the Admin Task Newsletter, messages on new feature releases, and other important information. The Office Message Centre also links with the Office365 Admin app, so you can have messages concerning the state of services sent direct to your mobile device.
More information about the Office Message Centre: http://blogs.office.com/b/office365tech/default.aspx
There are also methods of logging transactional data through code. Microsoft is releasing the Office 365 Management Activity API, which gives visibility of all user and admin transactions within Office 365 through activity logs. These logs include information such as tenant, service, action, object, user, location, IP address and more.
More information about the Office 365 Management Activity API: https://blogs.office.com/2015/04/21/announcing-the-new-office-365-management-activity-api-for-security-and-compliance-monitoring/
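As an added example (not from the original article, and not Microsoft's own code), here is Python that processes audit records in the shape the Management Activity API returns for SharePoint activity. It assumes the common-schema field names (CreationTime, Operation, UserId, Workload, ClientIP, ObjectId) and a handful of SharePoint operation names such as FileDownloaded and SharingSet; the records themselves are constructed, and the app registration, subscription start and content download that precede this step are left out. It summarises activity per user and raises alerts for high-impact sharing operations and for bulk downloads, which is the kind of daily check a support desk could run over the logs.

```python
import json
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample records in the shape of Management Activity API audit
# records for SharePoint. Field names are assumed to follow the common schema;
# the users, IPs, URLs and tenant id are invented for this example.
SAMPLE_AUDIT_JSON = """
[
 {"CreationTime": "2015-12-24T09:02:11", "Id": "c1", "Operation": "FileAccessed",
  "OrganizationId": "TENANT-GUID-PLACEHOLDER", "RecordType": 6, "UserType": 0,
  "UserId": "alice@contoso.example", "Workload": "SharePoint", "ClientIP": "203.0.113.10",
  "ObjectId": "https://contoso.example/sites/hr/docs/payroll.xlsx"},
 {"CreationTime": "2015-12-24T22:40:03", "Id": "c2", "Operation": "FileDownloaded",
  "OrganizationId": "TENANT-GUID-PLACEHOLDER", "RecordType": 6, "UserType": 0,
  "UserId": "alice@contoso.example", "Workload": "SharePoint", "ClientIP": "198.51.100.7",
  "ObjectId": "https://contoso.example/sites/hr/docs/payroll.xlsx"},
 {"CreationTime": "2015-12-24T22:40:09", "Id": "c3", "Operation": "FileDownloaded",
  "OrganizationId": "TENANT-GUID-PLACEHOLDER", "RecordType": 6, "UserType": 0,
  "UserId": "alice@contoso.example", "Workload": "SharePoint", "ClientIP": "198.51.100.7",
  "ObjectId": "https://contoso.example/sites/hr/docs/contracts.docx"},
 {"CreationTime": "2015-12-24T22:40:15", "Id": "c4", "Operation": "FileDownloaded",
  "OrganizationId": "TENANT-GUID-PLACEHOLDER", "RecordType": 6, "UserType": 0,
  "UserId": "alice@contoso.example", "Workload": "SharePoint", "ClientIP": "198.51.100.7",
  "ObjectId": "https://contoso.example/sites/hr/docs/appraisals.xlsx"},
 {"CreationTime": "2015-12-25T08:15:44", "Id": "c5", "Operation": "SharingSet",
  "OrganizationId": "TENANT-GUID-PLACEHOLDER", "RecordType": 14, "UserType": 0,
  "UserId": "bob@contoso.example", "Workload": "SharePoint", "ClientIP": "203.0.113.22",
  "ObjectId": "https://contoso.example/sites/hr/docs/payroll.xlsx"},
 {"CreationTime": "2015-12-25T08:16:01", "Id": "c6", "Operation": "AnonymousLinkCreated",
  "OrganizationId": "TENANT-GUID-PLACEHOLDER", "RecordType": 14, "UserType": 0,
  "UserId": "bob@contoso.example", "Workload": "SharePoint", "ClientIP": "203.0.113.22",
  "ObjectId": "https://contoso.example/sites/hr/docs/payroll.xlsx"}
]
"""

# Operations that change who can reach content; each one is worth a look.
HIGH_IMPACT_OPERATIONS = {"SharingSet", "AnonymousLinkCreated", "FileDeleted"}
# Downloads per user in one content blob above which we flag bulk collection
# (threshold chosen for the example, not a Microsoft default).
BULK_DOWNLOAD_THRESHOLD = 3

REQUIRED_FIELDS = {"CreationTime", "Operation", "UserId", "Workload", "ClientIP", "ObjectId"}


def parse_records(raw_json: str) -> List[dict]:
    """Parse one content blob (a JSON array) and reject records missing core fields."""
    records = json.loads(raw_json)
    for record in records:
        missing = REQUIRED_FIELDS - record.keys()
        if missing:
            raise ValueError(f"record {record.get('Id')} missing fields {sorted(missing)}")
    return records


def summarise_by_user(records: List[dict]) -> Dict[str, dict]:
    """Per user: the client IPs seen, an operation count, and the objects touched."""
    summary = defaultdict(lambda: {"ips": set(), "operations": Counter(), "objects": set()})
    for record in records:
        user = summary[record["UserId"]]
        user["ips"].add(record["ClientIP"])
        user["operations"][record["Operation"]] += 1
        user["objects"].add(record["ObjectId"])
    return dict(summary)


def find_alerts(records: List[dict], download_threshold: int = BULK_DOWNLOAD_THRESHOLD) -> List[dict]:
    """Alerts a support desk should review: one per high-impact operation,
    plus one per user whose download count reaches the threshold."""
    alerts = []
    for record in records:
        if record["Operation"] in HIGH_IMPACT_OPERATIONS:
            alerts.append({"user": record["UserId"], "ip": record["ClientIP"],
                           "object": record["ObjectId"],
                           "reason": f"high-impact operation {record['Operation']}"})
    for user, stats in summarise_by_user(records).items():
        downloads = stats["operations"]["FileDownloaded"]
        if downloads >= download_threshold:
            alerts.append({"user": user, "ip": ",".join(sorted(stats["ips"])), "object": None,
                           "reason": f"{downloads} file downloads in one window"})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_records(SAMPLE_AUDIT_JSON)):
        print(f"{alert['user']:22} {alert['ip']:26} {alert['reason']}")
```

In a real deployment the blob would come from the API's content endpoint for the Audit.SharePoint content type, and the thresholds and operation list would be tuned to the tenant; the structure of the check (validate the schema, summarise per identity, alert on access changes and volume) stays the same.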
Additionally, for those who have access to Microsoft System Centre Operations Manager, there are of course services available to monitor SharePoint on-premise, and to monitor Office 365. For those who have not done this before, or need to get further information, I wrote a blog ‘Office 365 Monitoring using System Centre Operations Manager’ located here:
I hope by reading this article you have understood the importance of providing adequate and understandable SharePoint support over the Christmas period. The ability for you as a SharePoint ‘supporter’ to be forewarned of issues so that at the very least clients can be informed is vital. For on-premise, the ability to be contacted, or the ability provided to IT support to be able to deal with common issues, provides a service which in the eyes of the SharePoint sponsor is ‘good’. So I do hope that you are able to take points from this article and apply them to your SharePoint support cover proposals….
I’d like to finish up by wishing you and yours a wonderful holiday season!
I was privileged to be speaking at the Workflow for Everyone, Everywhere conference hosted by Nintex at Microsoft UK in London on Wednesday the 16th of April. I shared the stage with Pete Hampton, Productivity Specialist Sales Manager at Microsoft, Nintex and an elite team of industry experts, Microsoft SharePoint specialists and MVPs. This was a free, one-day seminar that showed how to get more out of your existing workflow investments, and showcased ways to help create integrated, on-premise and online workflow solutions.
It was a great event. Attendees found out how their industry peers have improved their businesses, got exclusive industry insight and best practices, and saw for themselves how Nintex solutions keep work flowing for users – wherever they are, however they work.
In just one day attendees learnt:
- How to create efficient processes – Find out how to automate everyday processes for rapid ROI
- How to get more from SharePoint – Get the inside scoop on how to get the most out of your SharePoint investment
- What the industry really thinks – Industry experts take on market trends, solutions, and more
- SharePoint best practices – Hear from SharePoint MVPs and specialists on how to integrate your business processes with your cloud services and beyond
- What your peers are up to – Network with your peers and hear their real-world success stories
- How to empower everyone, everywhere – Integrate and extend your business processes on-premise, in the cloud, and via mobile, and social
I conducted a session on Cloud Solution Sustainment which was my take on the current Cloud situation, its impact on the delivery process, and what IT and the Business should do to ensure that whatever cloud solution they take on follows a process of evaluation and provision.
The slide deck (in PDF format) is available here:
The ‘Prezi’ presentation is available below – Enjoy!
Hi Folks, as promised in last week's article, a quick warning that I will be drawing attention to a number of third party products which I have used with SharePoint in particular articles going forward. Before embarking on what can only be described as a wonderful adventure, I'd like to clarify why I am doing this, given that this site is devoted to SharePoint service delivery. This clarification is important because, for a long time, I have been "externally SharePoint technology agnostic", and instead user focused in terms of the actual process of service delivery (implementation, support, capability etc). That will not end, of course!
So why the third party tool mentions Geoff? Well, as a SharePoint solutions architect, I have always maintained that whilst a lot of things can be achieved using SharePoint in-built features and components, that there will be times where a third party tool, used to augment SharePoint, or to meet a specific requirement, carries more value add. There will be instances when it is either bringing in the third party tool, or instead, having to either (a) redesign the wheel (b) attempt to hack around SharePoint (c) bring in developers to code (d) inform the customer in a Star Trek Scottie style ‘It cannae be doon, capn’, or a combination of those.
Indeed, I can think of many instances where a third party product, sanctioned by the SharePoint sponsor, meets key requirements much quicker, smoother and can bring long term enhanced user adoption and therefore a greater ROI.
Note, however, that adopting third party tools is not without its pitfalls: for example, having to ensure that there is a strong relationship with the third party development team, that support is manageable, that the third party tool is scalable (or its limitations fully understood), and that the tool sits within the organizational SharePoint strategy. This is the essence of commoditization, of course: the ability for SharePoint to evolve and morph into exactly what the customer requires (if the process of doing so is defined and managed). And, given that the app model of the cloud (Office 365) brings the SharePoint community a lightning bolt of third party components, SharePoint becomes even more commoditized. Already, Microsoft Office is fully tuned into SharePoint; with the news that the Access App is now available in SharePoint Online, it is now even more important that we, as SharePoint workers, are aware of third party tools as well. This is particularly so because, as these tools gather pace, they will increase their own customer base to the point that new skillsets evolve in the marketplace and become commoditized. For example, a number of third party tool providers produce their own training courses, which become a commodity due to the size of the customer base for that tool.
Anyway, I will for now list the tools (in alphabetical order) which I will give special mentions to as they relate to areas of SharePoint service delivery. There are many others I have absolutely no doubt, but these are the ones which I particularly have experience in and therefore can write about with a little more authority:
| Tool | Vendor | Area of SharePoint service delivery |
|---|---|---|
| ControlPoint | Metalogix (was Axceler) | Administration (governance) |
| Nintex Workflow | Nintex | Workflow process automation |
| PDFShareForms | PDF Share Forms LLC | PDF forms design |
| Quick Apps for SharePoint | Quest | Rapid application development |
A gentle reminder that where the tools are discussed I will not describe what is good or bad about the tool. I am not a salesperson for any of the tools. Do not expect me to go into details of installation or configuration either. The key is to identify where I have used the tool, why, and how, including the process of how I went about provisioning the tool from a business perspective.
Providing a sustained and good SharePoint service means providing adequate SharePoint support – and that is not simply for ‘work-days’. As Christmas looms, there needs to be ample preparation done to ensure that those charged with providing SharePoint support over the period, have the necessary tools and processes in place. I penned an article for TechNet which is on the following link:
Happy Reading, and Happy Christmas and a wonderful new Year to all!
One of the most difficult areas of delivering a SharePoint solution is identifying not just who should be targeted for User Adoption but, going forward, how to sustain that User Adoption through communication. Reasons include rapid changes in business culture and direction, and changes in the technology used to communicate (e.g. business process changes from manual, to email notification, to automation, etc.). Moreover, if you have developed a customer list for Service Delivery purposes (e.g. support, user adoption, training, governance, etc.), then you will need to keep tabs on customer culture and communication technology, and apply communication tactics and strategies accordingly.