Thankfully, the Information Systems Audit and Control Association (ISACA) has developed a comprehensive standard called COBIT (Control Objectives for Information and Related Technology). This standard outlines best practices and guidance for implementing a controls and governance environment. It contains four domains:
* Plan and organize
* Acquire and implement
* Deliver and support
* Monitor and evaluate
It aligns with COSO, ITIL, BiSL, ISO 27000, CMMI, TOGAF and PMBOK.
In COBIT, controls must address the physical layer (the data center, facilities, and the network), the logical layer (operating systems and applications), and the data layer (databases and other data sources / repositories).
Also consider that your auditors, both internal and external, can be your friends (no really … it makes their lives easier too): consult them before selecting a platform or making other choices, to help ensure your rationale and controls pass muster. It is much easier and less costly to make the right choices during design and/or before a purchase than after the fact.
SharePoint Platform-Agnostic Control Options
Before we discuss platform-specific considerations, let’s look at control features available in SharePoint regardless of platform (please note that, depending on the platform, they may be included in the offering or they may need to be installed and configured).
Encrypted Web Traffic
This is available when leveraging Transport Layer Security (TLS, the successor to SSL). Traffic is encrypted while in transit over the network.
Access Control
This relates to the ability to grant authenticated users access to the resources they require, and only those. These controls can be applied to web applications, site collections, sub-sites, lists, libraries, and even folders and items (which is rarely advisable, because item-level permissions are hard to review and maintain).
Depending on the complexity of your security setup, we recommend purchasing and using a third-party access management tool. Available tools include Sharegate Security, Metalogix ControlPoint, DocAve, and many others.
Information Rights Management
Available “out-of-the-box” with Office 365, and requiring a separate installation and licenses when using Azure and on-premises environments, this feature protects your documents wherever they go. It provides “at rest” encryption, that is, encryption of stored data. It is available to users in Outlook, Word, Excel, PowerPoint and Windows Explorer. Information Rights Management restricts actions based on policy, such as opening documents by unauthorized users, sending documents via email, and copying and printing documents.
Data Loss Prevention
Data Loss Prevention provides “transmission control”. The control, which leverages SharePoint search, analyzes content against policies derived from one or more laws or regulations to determine whether it contains sensitive information. When a sensitive document or piece of information is identified, it takes action to prevent the sensitive document from leaving the organization. For example, if the applied policy checks for credit card numbers or social security numbers, the affected documents would be protected. Actions are configurable and can range from a warning to lockdown. Pre-developed policies addressing various laws (e.g. GLBA) are available.
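To make the mechanism concrete, here is an added, self-contained illustration of the kind of content classification a DLP policy performs: it detects the two data types the paragraph names (credit card numbers and US social security numbers), discards lookalike digit runs with a validity check so that a phone number or a mistyped number does not trigger the control, and maps the confirmed findings to a configurable action. This is example code written for this page; it is not Microsoft’s DLP implementation, and the policy names, the “warn”/“block” action names, the thresholds and the sample documents are all constructed.

```python
"""Minimal DLP-style content classifier (constructed example, not a product implementation)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_valid(ssn: str) -> bool:
    """Structural SSN rules: area 000, 666 and 9xx, group 00 and serial 0000 are never issued."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


@dataclass(frozen=True)
class Policy:
    name: str                        # constructed policy name
    pattern: re.Pattern              # cheap pre-filter
    validator: Callable[[str], bool]  # confirms a match is plausible
    action: str                      # "warn" or "block" (constructed action names)
    threshold: int = 1               # confirmed matches needed before the action fires


POLICIES = [
    # 13 to 16 digits, optionally separated by spaces or dashes, confirmed by Luhn
    Policy("PCI-DSS credit card", re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
           lambda m: luhn_valid(re.sub(r"[ -]", "", m)), "block"),
    Policy("US SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_valid, "warn"),
]


def mask(value: str) -> str:
    """Keep only the last four characters so a finding can be logged without re-exposing the data."""
    return "*" * (len(value) - 4) + value[-4:]


def classify(text: str, policies=POLICIES) -> Dict[str, List[str]]:
    """Return {policy name: [masked confirmed matches]} for one document."""
    findings: Dict[str, List[str]] = {}
    for p in policies:
        hits = [m.group(0) for m in p.pattern.finditer(text) if p.validator(m.group(0))]
        if hits:
            findings[p.name] = [mask(h) for h in hits]
    return findings


def decide(text: str, policies=POLICIES) -> str:
    """Most severe action among policies whose threshold is reached: block > warn > allow."""
    findings = classify(text, policies)
    severity = {"allow": 0, "warn": 1, "block": 2}
    result = "allow"
    for p in policies:
        if len(findings.get(p.name, [])) >= p.threshold and severity[p.action] > severity[result]:
            result = p.action
    return result


# Constructed sample documents; the card number is the well-known test value 4111 1111 1111 1111.
SAMPLE_DOCS = {
    "expense_report.docx": "Paid with card 4111 1111 1111 1111 on 2016-03-01.",
    "phone_list.txt": "Reception: 555-0100, fax 555-0199, ref 4111 1111 1111 1112.",
    "hr_form.pdf": "Employee SSN 123-45-6789; test record 000-45-6789.",
}

if __name__ == "__main__":
    for name, body in SAMPLE_DOCS.items():
        print(f"{name}: {decide(body)} {classify(body)}")
```

The validators are what keep the control usable: the reference number in `phone_list.txt` has the shape of a card number but fails the Luhn check, and the second SSN-shaped value in `hr_form.pdf` uses an area number that is never issued, so neither produces a finding. Real policies also add evidence counts and proximity keywords (“account”, “SSN”) before escalating from a warning to a block, which is what the `threshold` field stands in for here.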
Office 365 / SharePoint Online
Office 365 provides customers with Exchange Online, SharePoint Online (including OneDrive for Business), and Lync Online. Office 365 (as well as Azure) is hosted in Microsoft’s Cloud Infrastructure and Operations (MCIO) data centers. Azure provides supporting services for Office 365 applications, including authentication, virtual server hosting and system data storage.
Authentication (verification that users are who they claim to be) to SharePoint Online is facilitated via Active Directory (AD) Directory Sync or AD FS. Other authentication providers, such as Forms-Based Authentication, are also permissible. The selection of authentication providers is based on the subscriber’s needs or preferences and can be set up differently for separate site collections.
IRM and DLP are available, but only in the E3, E4, and E5 service offerings of Office 365.
SharePoint Online provides clients with “Host-Named Site Collections” (HNSC) in a multi-tenant environment managed by Microsoft. Supporting SharePoint application services are configured to help ensure complete isolation of tenants. Other tenants are set up so that they can never see the subscriber’s data or customer-specific configuration settings.
Key control features include extensive controls over physical and logical access to data centers, networks, applications, and data. Access to customer data is granted on a least-privilege basis only via a lockbox process, which requires specific authorization for work that exposes customer data. Support engineers use multi-factor authentication (something you have and something you know … e.g. a phone-based security token and a password).
Change management controls and other controls supporting the regulations applicable to your control environment have been implemented. For a more comprehensive discussion of Office 365 controls, please reference the Office 365 white paper “Security and Compliance”.
Third-Party Audit Reports
Third-party audit reports supporting a number of the IT controls mentioned earlier are provided (to paying subscribers only) for MCIO, Azure, and Office 365. Subscribers are not permitted to reveal the test results of the reports to others. Audit reports include the AICPA’s Statement on Standards for Attestation Engagements (SSAE) 16 SOC 1 and SOC 2 Type II reports. Type II reports not only provide an audit of the control design, but also test the controls to verify compliance with the control procedures. The tested areas include controls supporting:
1. General Information
2. Information Security
3. Organization of Information Security
4. Asset Management
5. Human Resources Security
6. Physical and Environmental Security
7. Communications and Operations Management
8. Access Control
9. Information Systems Acquisition, Development, and Maintenance
10. Information Security Incident Management
11. Business Continuity Management
12. Risk Management
Advantages:
* Redundant data centers and other redundancy controls, which can be extremely expensive to implement, are in place
* Third-party auditor reports are available addressing your regulatory requirements and much more
* Farm setup and administration activities are not required, reducing the staff or consultants / contractors needed to support your environment
* 99.9% uptime service level
Disadvantages:
* Limited control over SharePoint configuration, timer jobs, and other “backend” resources
* Limited control over prioritization of customer service requests when needed
* Limited ability to deploy custom code
* Difficulty integrating with your legacy systems
Microsoft Azure
Microsoft’s Azure Cloud & Computing Services essentially provide a highly secured and (if purchased) redundant cloud-based data center offering. Virtual servers, based on Microsoft’s Hyper-V, can be provisioned to meet your needs. Costs are based on server size and CPU utilization per hour. As noted in the Office 365 discussion, Azure is hosted in MCIO data centers. Both Azure and MCIO provide third-party audit reports to customers, which can be accessed from the Trust Center.
Access to Azure-hosted systems requires at least one VPN connection to Azure.
(Figure: Gartner’s Magic Quadrant)
Advantages:
* Data center operations costs are greatly reduced
* SharePoint can be implemented and administered based on your requirements
* Integration with other systems and deployment of custom solutions is less restrictive
Disadvantages:
* Compliance with regulations affecting your servers and SharePoint is your responsibility
* Depending on your setup, the connection to Azure may become a single point of failure
* SharePoint, server and other connectivity to Azure are your responsibility, likely requiring additional staff / consultants
* Audit costs may increase due to additional audit requirements
SharePoint 2013 “On Premises”
When building out a SharePoint environment on premises, the security and control structure of this environment is entirely in Legacy Trust’s hands. Key controls supporting all layers of this environment will need to be considered. For example, to incorporate full availability, all parts of the environment should be redundant. This includes dual servers for SharePoint’s web front ends, redundant databases, load balancing between the servers, etc.
Also, strong general IT controls, including physical and logical access controls, change controls at all layers (e.g. operating system, networks, hardware, SharePoint, etc.) aligning with COBIT (see the references section) or other recognized standards will need to be put in place.
To provide full redundancy, failover capabilities to another data center should also be considered. To help ensure system changes are tested before deployment, a complete test environment should be available. Depending on Legacy Trust’s existing data center and related controls over physical and logical access, change controls, and existing availability controls, this may be a manageable or very complicated endeavor.
Advantages:
* SharePoint can be fully customized to suit your needs
* Integration with other systems, especially those residing in the same data center(s), is less complicated when compared with the other options
Disadvantages:
* The costs associated with setting up a fully redundant data center can be significant, including hardware, operating and staffing costs
* Costs of any required regulatory audits are fully borne by you. Depending on the governing bodies, multiple audits per year could be required