SharePoint Decision Guide – A Best Practices Roadmap and Organizational Strategy by EPC Group - Part 1

By Errin O'Connor posted 11-18-2013 14:59



This 3-part “SharePoint Decision Guide – A Best Practices Roadmap and Organizational Strategy” white paper provides you with key information and in-depth analysis that will assist your organization in developing a best practices 24-36 month SharePoint Roadmap and related implementation strategy. With SharePoint 2013’s release comes a wide array of options that have created a new architectural landscape within I.T. around on-premises implementations (i.e. private cloud) as well as hosted cloud-based (i.e. Office 365 \ SharePoint Online) deployments. There is also a very important “middle ground” that must be reviewed around SharePoint 2013’s hybrid architectural capabilities, as well as the increasing requests from the organization’s overall user base to access their information and data from a mobile or external device, all in a secure manner.

These elements are requiring organizations to implement new strategies and related policies that, in some cases, have long been debated but never officially mandated by I.T. or senior management. With all of these “moving pieces” there has never been a more important time in the past decade for the organization’s I.T. Roadmap to be communicated and enforced, to avoid extensive “content sprawl” and to keep sensitive intellectual property from being stored on systems that are not approved.

This white paper is relevant both to organizations who have SharePoint experience and existing implementations in place and to those organizations who are moving away from their existing systems and into a new SharePoint 2013 platform. The growing mobility management and BYOD questions from users continue to increase, and from my experience 60-70% of organizations may have a documented BYOD or mobility policy but no real enforcement or monitoring capabilities behind it to manage the devices in scope or approved for use by the business. There is also a new and growing “App” culture that is causing organizations to take a good look at their underlying application and custom development processes, standards, and available environments. This directly coincides with the moving pieces described above, which can make for a perfect storm of major technology decisions that need to be made and that will affect the company for at least the next 3 or 4 years. The following sections of this white paper will address these and other key and time-sensitive considerations and provide insight and strategies based on real-world experiences on hundreds of SharePoint implementations.

The Background and Basis of these Methodologies and Strategies

I think it is important to provide a quick backstory around the methodologies, strategies and thought process that went into developing this white paper. As soon as the beta version / TAP program release(s) of SharePoint 2013 were available, I started testing and looking into each architectural component of this new 5th release of SharePoint. The ironic part here is that this has been my 5th “go-around” at getting my hands on a fresh version of SharePoint to test, break, and try to figure out what the heck I was actually doing.

In mid-2000 and early 2001, I was fortunate enough, or possibly just in the right place at the right time, to receive some of the first beta “releases” of Tahoe, or what eventually was released as Microsoft SharePoint 1.0 (2001), and I have been put in a unique position to test all 5 releases of SharePoint. I have authored two previous SharePoint books on versions 2007 and 2010, both published by Microsoft Press / O’Reilly Media, that I felt were very formal, and there was a bit of a “governed” line to follow when discussing Microsoft’s technology. While testing SharePoint 2013, I very much wanted to write a new book on SharePoint 2013 but from a different perspective than I had before. After reaching out to some contacts I had met over the years at SharePoint conferences and events, I was extremely fortunate to enter into a new book development contract with Pearson Education / SAMS Publishing to write a book based on the past 14 years of being “in the trenches” with clients in trying to achieve SharePoint success from many different sides and perspectives. A major goal was to not develop a book that only covered SharePoint 2013 in an MSDN article type manner, but one drawn from past experiences working alongside and learning from very smart and driven people to overcome not only the technical challenges but also the business potholes and political landmines that can be put in your path while trying to successfully implement this technology, which usually ends up touching nearly every aspect of a business.

After 7 months of writing and 50+ SharePoint 2013 projects that my firm EPC Group has been engaged in, I completed “SharePoint 2013 Field Guide: Advice from the Consulting Trenches” from this “real world” perspective, which will be published later this year. Microsoft did throw a serious curveball at me during this process in releasing several product updates around Windows Server 2012 R2, System Center 2012 R2, Windows Intune, Office 365’s BI capabilities, new Office 365 Enterprise features, greater SkyDrive Pro capabilities, and SQL Server 2012 R2’s in-memory and online transaction processing technology coming out in SQL Server 2014. This caused some extensive updates to several chapters and hundreds of hours of additional testing and re-writes, but in looking back it has been extremely beneficial. Over the past year I have been engaged with the senior architects at EPC Group and our clients to review the impact these updates may have on the original SharePoint 2013 deployment and configuration strategy. Several update recommendations were made to organizations’ SharePoint 2013 roadmaps based on these new updates and upcoming releases, and the ROI these clients were able to achieve was substantial.

It has been invaluable for me over the years to engage with clients of all shapes and sizes and listen to their feedback and overall business goals and attempt to translate those into functional goals. There is no one “magic bullet” or step-by-step path in developing a proven SharePoint roadmap and organizational strategy, as the type of company that you work in and its culture, as well as the type of content and documents that exist, can also play major factors in the overall approach. There are some strategies, however, that are universally applicable to all SharePoint deployments and are critical, such as the implementation of a “power user” strategy as well as having a clear and defined communications and training strategy in place that will ensure the end-users do not lose faith in “storing my content in SharePoint”.

The sections below will cover multiple areas of SharePoint and provide you with the knowledge and tools as well as ensure you are asking the right questions to make the decisions that are appropriate for your organization to ensure SharePoint is a long-term success and that future phase goals are taken into consideration from the very beginning to assist in the development of a scalable, reliable, and hybrid-compatible platform.

Understanding SharePoint’s Alphabet Soup

As mentioned above, there have now been a total of 5 SharePoint version releases from Microsoft, and the following section will briefly cover each of them to set a baseline of terms and understanding of SharePoint’s version acronyms that you may encounter during the development of your organization’s SharePoint roadmap and long-term strategy. This white paper will focus on the many moving pieces of SharePoint and the “context” in which the organization will deploy them, as well as discuss a phased SharePoint 2013 deployment that takes into consideration governance, compliance, and the business and I.T. roadmap 24-36 months down the road.

SharePoint 2013 (SharePoint Server 2013, Office 365, Private vs. Public)

Microsoft SharePoint 2013 is the latest version release of SharePoint and, not surprisingly, brings more features and capabilities than ever before. Microsoft has positioned SharePoint 2013 at the very heart of its Enterprise Software strategy, and it is meant to offer organizations a centralized “ecosystem” and platform for ECM \ RM, collaboration, business intelligence (BI), social, intranet solutions and workflow that is meant to be accessible regardless of the user’s device or browser.

SharePoint 2013 can be referenced as the core technology in not only a SharePoint Server 2013 on-premises (i.e. private cloud) implementation but also Office 365 / SharePoint Online (i.e. public hosted cloud), as the underlying architecture is nearly identical. Microsoft is gravitating away from the “SharePoint Online” term and rolling it into a single reference to Office 365.

Note: There are many different terms that organizations use when they are referring to the “on-prem” or “cloud” offerings and that will be covered in detail in the section below.

Microsoft has achieved a true ECM \ RM platform that is industry leading and rivals, and in many cases overshadows, Documentum and LiveLink, and allows organizations to integrate with other line of business (LOB) systems to provide that “Enterprise Search” experience within 1 centralized location. Microsoft has also introduced the “App” terminology within SharePoint 2013, as lists and libraries as well as custom App solutions can all now be referred to as an “App”, which may confuse some project team members at first. SharePoint 2013 also natively contains Microsoft SharePoint 2010’s previously optional FAST Search capabilities with a large number of added “filtering” and tailored search criteria that make SharePoint 2013’s search much more robust than any previous SharePoint version release.

Microsoft’s acquisition of Yammer and its “social” capabilities are also a major roadmap discussion area to take into consideration in your overall planning of SharePoint 2013, as there is a new “Communities” layer in this release that your organization must review in regards to hierarchy and taxonomy planning as well as which users or groups may be associated with it.

SharePoint 2010 (SharePoint Server 2010 and SharePoint Foundation 2010)

SharePoint 2010 was released with SharePoint Server 2010, both Standard and Enterprise for the majority, as well as with the free version of SharePoint Foundation 2010. SharePoint Foundation was originally going to be named WSS 4.0 but was later changed to SharePoint Foundation 2010 as that is what it is, the “foundation” of the 2010 version release.

Organizations were drawn to SharePoint Server 2010 for not only its much improved ECM \ RM capabilities but also its more robust workflow and Microsoft Office integration capabilities. SharePoint 2010 has been highly customized by some organizations using either the dreaded SharePoint Designer 2010 or Visual Studio and “features” that could include anything from workflows to custom web parts or master pages. SharePoint 2010 contained major user interface updates such as the “Ribbon” that allowed management and layout changes to be completed in a manner that Microsoft Office 2007 users would easily understand.

SharePoint Server 2010 provided new content management features such as managed metadata, the ability to centrally define taxonomies that can be leveraged within and across farms, as well as Unique Document IDs, which provide the ability to assign a document a unique identification number that users can use to retrieve the document even after it is moved. Document Sets in SharePoint Server 2010 were a welcome feature for legal, compliance, and records managers, as they provided the ability to group multiple work items into one consolidated atomic work product.

Note: SharePoint Server 2010 does have the optional SharePoint FAST Search capabilities. The FAST Search capabilities have been added to SharePoint 2013’s native search, and now there is only 1 central search feature that includes all of these previously optional and more expensively licensed search features.

SharePoint 2007 (SharePoint Server 2007 (MOSS) and WSS 3.0)

SharePoint 2007, which is commonly referred to as either MOSS or WSS, included the Microsoft Office SharePoint Server 2007 Standard and Enterprise versions as well as the free version, Windows SharePoint Services 3.0 (WSS 3.0), which was widely adopted throughout the globe. SharePoint 2007 was a major update from SharePoint 2003, as it introduced “item level permissions” as well as the new My Site capabilities that provided users with a personal “site” to store their information. In my 2007 publication on Windows SharePoint Server 3.0 (WSS 3.0), I recall referring to the My Site capabilities as the “ of the enterprise”, which is funny as it just goes to show what poor roadmap and strategy planning can do to a software platform. Project Server 2010 also came with a tailored WSS 3.0 release that project teams used to save their project documents, which were stored on a separate site collection and content database.

SharePoint 2003 (SPS 2003 and WSS 2.0)

SharePoint 2003 was, in my opinion, the first really workable version of SharePoint, and included Microsoft SharePoint Portal Server 2003 (SPS) as well as Windows SharePoint Services 2.0 (WSS 2.0). Many deployments of SharePoint 2003 were very highly customized using Microsoft FrontPage, and this has caused a pain point for a lot of organizations as they faced a dilemma of recreating the customizations or simply migrating the content to a new and fresh installation of SharePoint 2007. Project Server 2003 also came with a tailored WSS 2.0 release that project teams used to save their project documents, which were stored on a separate site collection and content database.

SharePoint 2001 (SPS 2001 and WSS 1.0)

Microsoft SharePoint Portal Server 2001 was Microsoft’s first release of SharePoint, which came out of the project previously code-named “Tahoe,” and provided the entry of a search solution for organizations as well as a web-based collaboration capability.

To quote Microsoft, “SharePoint Portal Server 2001 integrates a flexible Web portal based on Microsoft Digital Dashboard technology, content indexing and search, document management, and a collaborative applications platform. With SharePoint Portal Server, developers with basic or advanced skills can create collaborative solutions.

For Microsoft Windows and Microsoft Office users, SharePoint Portal Server is a portal solution for users to find, share and publish information. SharePoint Portal Server brings together a single solution for corporate portals, document management, and content indexing and searching.”

Understanding On-Premises, Cloud, and Hybrid Environments in SharePoint 2013

The on-premises vs. cloud environment debate around SharePoint started several years ago and that debate became much more heated when Jared Spataro, Director of SharePoint at Microsoft, announced during a conference that SharePoint 2013 was being developed using a “Cloud First” strategy and that Office 365 customers could expect to have access to the benefits of the new release sooner than on-premises deployments.


I think this was a combination of Microsoft testing the waters to see how many organizations would opt to dive right into Office 365 while also leaving the door open so as not to alienate SharePoint’s long-term “bread and butter” on-premises deployment base, which has driven SharePoint to be the fastest growing non-Windows product in Microsoft history. Around the same time, Microsoft began referencing on-premises SharePoint deployments as “the private cloud” and off-premises environments as “the public cloud” or a variant of an external-based “cloud”, etc. You could make the argument that the reference to SharePoint 2013 being developed using a “Cloud First” strategy could fit either the “private” or “public” cloud.

It is also important to note that Microsoft will soon start to slowly move away from the “SharePoint Online” reference and primarily reference Office 365 when referring to “SharePoint Online” versions, other than those deployments that are hybrid in nature and consuming services of an on-premises “client” datacenter.


Reviewing Non-SharePoint Cloud Successes and the History Behind Recent Cloud Pushes \ Mandates


Several years ago, EPC Group was engaged with NASA around their enterprise SharePoint efforts and I had the opportunity to work closely with then NASA CIO Chris Kemp, who led an extremely successful effort around the NASA Ames “Nebula Cloud Computing Pilot”, which he spearheaded. The goal of the “Nebula Cloud Computing Pilot” project was to leverage the web as a platform and take the lead in open, transparent and participatory space exploration and government. Kemp’s Cloud efforts at NASA were simply a resounding success. I worked with Chris for several months and received some great insights into his vision of the cloud and the success that NASA was experiencing. These conversations took place between the completely separate SharePoint efforts that I and the EPC Group team were leading at NASA around planning the overall future governance and architectural strategy for SharePoint at NASA. Seeing one of the world’s largest cloud efforts at that time while working on a specific separate SharePoint initiative was an eye opener for me into how different underlying architectural platforms and systems can live in parallel to meet different functions and requirements. During the SharePoint effort at NASA, I travelled with Mr. Kemp, whose background also included being the founder of the popular, to many of NASA’s major Centers and Facilities on several road trips and mini SharePoint roadshows to help organizations understand how important governance is and the underlying architecture that should be considered. The insight I gained has been extremely valuable over the past few years as the cloud has grown, in being able to provide some very real-world examples of what should be planned for and considered for both the near and long term.

A short time after working with NASA’s CIO Chris Kemp and seeing NASA’s cloud effort firsthand, I was able to meet with Vivek Kundra, the first ever CIO of the United States, who was a presidential appointee by President Barack Obama. Mr. Kemp had actually been working with Mr. Kundra at NASA’s Ames Research Center when Kundra launched that allows federal agencies to subscribe to “cloud” IT services. Mr. Kundra saw the potential in leveraging cloud services as an alternative to physical hardware in an effort to reduce costs and the overall federal government’s infrastructure management. During his tenure as the CIO of the United States, Kundra published the “25 Point Implementation Plan to Reform Federal Information Technology Management”, which included the original “Cloud First” push for the government to achieve IT efficiency. As part of this plan, Cloud First required each government agency to identify three cloud initiatives.


I think that it is important to take some external factors into consideration when reviewing certain technology pushes or major waves, and especially those that come with a Presidential mandate. At that time, in late 2010, the US Government was recovering from the financial crisis and many of the lending and banking issues that came out of it, where cost cutting and reducing the bottom line was extremely critical. I am in no way saying that this decision around implementing an effort to cut costs and reduce the bottom line is not right or something that should not have been pursued. As a business owner myself, I am always looking at the bottom line and ensuring that there are not areas where budget is being spent that are not providing any ROI or benefits to our clients and overall organizational mission and strategy. It would be irresponsible or wasteful for anyone to not look at the bottom line or to simply allow available budget and dollars to be spent where they are not needed rather than put to use to better an organization or effort for which they are involved.


The U.S. General Services Administration (GSA) has since closed and phased it out to a “storefront” that the GSA set up for government agencies to research and purchase cloud offerings and services but the GSA launched a new site on that provides government agencies help in complying with the cloud mandates and provides templates to IT owners around Inventory, Application Mapping, Migration Planning and Migration execution strategies as well as a number of other core elements that must be followed when procuring cloud-based IT services within the Federal Government.

Recent SharePoint 2013 Cloud Activities and Launch of the Client Cloud Decision Framework


In the past 12 months, specific to SharePoint 2013, I have engaged along with my senior architecture colleagues at EPC Group with organizations who are very interested in moving to the cloud as well as those who currently do not see their organization moving to the cloud for at least the next 2 or 3 years, or until they feel it gets a little more mature. There are also organizations that we have worked closely with who do not ever see moving to the cloud and feel that there is too much risk involved with their intellectual property and handing the keys to the underlying I.T. castle off to an outside provider.


In conjunction with the feedback received from clients or potential clients in technical deep-dive meetings and roadmap development sessions from over 30 organizations with at least 1000 or more users, I launched a “Private, Public, and Hybrid” research initiative at EPC Group to help ensure that, internally, we had a mechanism and measurable framework to provide accurate and updated recommendations around the cloud and cloud computing to our clients as their “Trusted Advisor” without any influence from either service providers or the mass marketing campaigns that have seemed to flood this technology space. This internal research initiative was the largest ever conducted at EPC Group in our 14 year history and included several visits to Microsoft as well as other popular cloud providers’ data centers such as Amazon (AWS), to address a list of concerns that I and several clients had while actually being onsite and having the ability to ask questions first-hand of the operations and management teams managing the vast amount of hardware and technology around them in these centers. This research initiative led to some very lengthy white boarding sessions and technical deep dives into areas such as providers’ service level agreements (SLAs) and standard operating procedures around specific scenarios. This was extremely insightful for me while at the same time a bit sobering in seeing how fast new technologies in cloud computing are coming to market and being tested.


Based on this research initiative, EPC Group formally developed the “SharePoint 2013 P.P.H. (Private, Public, and Hybrid) Decision Framework” to assist organizations in planning their “Private”, “Public”, or “Hybrid” cloud in an unbiased manner while also presenting related “pros” and “cons” as well as the types of risks associated. One of the key areas I feel we have covered around risk and risk mitigation is gauging the impact and consequences of specific risks.

One of the major goals in the development of this framework was to ask the tough “what if” questions and throw out specific scenarios on how providers’ procedures cover them or mitigate and resolve them. For us to conduct this research and framework development initiative and dig into sometimes sensitive “standard operating procedures” or configurations, the providers we worked with understandably required us to consent to non-disclosure agreements to protect their intellectual property and any infrastructure configurations and non-published operating procedures.


Digging in and Covering SharePoint Specific Topics


There are specific requirements and pre-requisites as well as predictable and repeatable results that must be established before a consulting firm should ever throw out the term “best practice” and I believe this has been accomplished in the new framework described above meant to “demystify” the cloud.

The following image details an example of a hybrid SharePoint 2013 environment that includes both on-premises (Dev, QA, and Prod) as well as cloud-based services including Windows Azure.


I think a common misconception exists that SharePoint consulting firms have a vested interest in advising an organization to implement SharePoint 2013 on-premises rather than investigating the additional options involved in a possible cloud-based or hybrid-based environment. There is no getting around the fact that a successful SharePoint implementation is driven by key principles and best practices, and this applies regardless of where the actual deployment is applied. Over the past 2 years I have found that there are, in many cases, more technical requirements, requiring senior or expert-level (SME) external resources, for an organization to properly implement a secured cloud environment housing the data of an enterprise SharePoint 2013 deployment.

It is important that you and your organization make these very important decisions around SharePoint’s architecture and your longer-term roadmap based on actual requirements and the corresponding ability of the specific on-premises, cloud, or hybrid offering to meet those requirements, as your business’s critical systems as well as the intellectual property at the very core of an organization’s existence are at stake.

I do think that some cloud providers are prematurely pushing or possibly over-marketing the jump into a cloud that is really not enterprise ready, as many questions remain improperly addressed around legal, regulatory, data spillage, data breach, and the related list of concerns that will be discussed in the section below. Also, to preface the following statement with complete and full disclosure that I am neither a Democrat nor a Republican, I do believe the Obama Administration was very premature in their edict for all US Government agency projects to follow a “Cloud First” policy. There have been immense struggles experienced around enterprise content management (ECM) / records management (RM) initiatives, as well as other cancelled SharePoint initiatives that were previously going to move forward within an existing on-premises virtualized environment, as IT management was, in many cases, wary and unsure of the governing policies or rules they must follow in deploying possibly sensitive or secured content to a cloud outside their firewall and outside their direct reach of control.

Like any new major architectural or computing innovation that comes to market, there is going to be a marketing “hype cycle”, and in reading the detailed estimates put out by major IT analysts, their firms and IT publications across the globe, organizations were obviously providing initial feedback and communications in regards to their near-term and aggressive interest in the cloud. I believe there was also a much different “wildcard” factor involved in the initial aggressive analyst reports of companies’ push towards the cloud and then the prevailing and much lower number of actual cloud migrations that had been completed.


I believe that the “wildcard” that may have skewed the initial cloud migration analyst reports was driven in part by organizational leadership’s requirements to cut costs and the many mentions of these “Cloud First” recommendations announced by major software companies and state and government agencies. The other factor I think caused many companies to put a hold on their cloud migration plans were some of these regulatory, intellectual property, and security related concerns that were realized and warranted more research before authorizing the actual migration effort.

During several SharePoint 2013 initiatives I have been involved in over the past year, the security and privacy laws of European countries (EU) as well as PHI, PII, and HIPAA have been identified as a major milestone or “risk” item on many SharePoint 2013 project plans. The following chart references Office 365 offerings as well as the due diligence that Microsoft has completed to ensure that data is protected and the underlying systems meet certain regulatory requirements. EPC Group has conducted additional in-depth analysis on data security and the information architecture required by several of our clients around issues such as Safe Harbor, FISMA and HIPAA, and the image below expands on some of these specific laws and regulations:

The following diagram details the location of many of Microsoft’s data centers for additional insight in planning any globally dispersed SharePoint environments and related location-based procurement needs:



Three Major Types of Cloud Services

It is important to understand the different options available around hosting as well as the underlying options provided. There are three common cloud offerings that currently exist, as detailed below:


  • SaaS (Software-as-a-Service) involves the of application software such as Office 365. Software as a service has been a very popular on-demand software delivery mechanism, typically delivered via web browser and other optional plug-ins.

  • PaaS (Platform-as-a-Service) encompasses all the development, service hosting and service management environments needed to operate an application that uses on-demand compute and storage capacity and network bandwidth. These PaaS offerings also provide for the database and related services to be managed by the provider. Windows Azure and SQL Azure are great examples of PaaS.

  • IaaS (Infrastructure-as-a-Service) provides raw compute and storage capacity with management tools available to be controlled by the client. Microsoft’s System Center suite, which is run on the Hyper-V Cloud server environment within a Microsoft datacenter, is a perfect example of IaaS. Certain configurations of Windows Azure are also sometimes referred to as IaaS.



The SaaS model has been popular for many years and is typically straightforward or well understood. The PaaS and IaaS offerings have more recently started to compete with each other in some areas, based on the options selected from the provider. The following diagram details the three different major offerings as well as examples of some popular industry solutions offered within each:


Microsoft’s Windows Azure services are housed in Microsoft facilities with underlying SQL Server databases for data storage. There are some additional options outside of SQL Server, but for this whitepaper and SharePoint discussion I will focus on the SQL Server offerings. Microsoft SQL Azure is the official name of the underlying database platform, and Azure also integrates with Active Directory so that you are able, in most cases, to integrate \ federate, etc. with your organization’s existing AD platform and management tools like Microsoft System Center.

Windows Azure allows for the development of custom applications to build on the cloud’s Office 365 and SharePoint offerings as well as the ability to develop “hybrid apps” that could be used for a private App Store for your organization that may exist on premises as well as in the cloud.

These custom Apps are built in ASP.NET or other leading development technologies and are able to authenticate, as mentioned above, by using Active Directory or what Azure’s platform terminology refers to as OAuth 2.0.

If your organization is planning to develop on-premises as well as cloud or hybrid Apps, you should become very familiar with the OAuth 2.0 authorization framework as detailed in the image below:

IaaS High-level Principles

1.   Perception of infinite capacity

2.   Perception of continuous availability

3.   Drive predictability

4.   Take a Service Provider’s approach to delivering infrastructure

5.   Resiliency over redundancy mindset

6.   Minimize human involvement

7.   Optimize resource usage

8.   Incentivise desired resource consumption behavior



What Are Your Organization’s Compliance Policies?


Protection of your organization’s intellectual property, as well as the ability to adhere to regulations and laws such as PHI, PII, FISMA and HIPAA, must be a top requirement and an inherent capability of any architecture under consideration for SharePoint 2013. As a baseline, how do you currently protect the sensitive and very important data that exists in your enterprise?

It is also important that when developing compliance policies you are actively looking for ways to reduce any exposure risks that may exist.


Depending on the size of your organization you may have designated resources around litigation, eDiscovery, and maintaining your current “compliance status,” but small to mid-sized businesses will more than likely have resources that “wear many different hats.” SharePoint Server 2013 will provide you with many industry-leading capabilities to manage compliance. It is also important to ask questions of your organization such as:


·         How does your organization quickly find information?

·         How does your organization ensure policy consistency?

·         How does your organization scale the compliance solution to the enterprise?

·         What is the current strategy on cost control and information management or compliance?

Instances of Data Breaches and Implementing Proactive Security Policies

Over the past year, there have been some very high profile instances of data breaches in environments of all types. The IT administrator Edward Snowden, who accessed and shared classified NSA data, has been the most widely publicized incident of this, and there has been an added push to mitigate future data breaches and examine how these types of incidents actually occurred. Many leading CIOs have stated that securing your organization’s platform or system isn’t enough anymore, as security must be enforced, monitored, and documented. Do you or the assigned person within your organization have reporting capabilities regarding user access and security levels? What about the ability to view “approved” security levels, or a feature that sends an alert if an unapproved security level is applied, even if the person who created or applied it has the appropriate “Admin” rights? Are we getting too paranoid? The answer to that is no; organizations have simply become more complacent.
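As an added example that is not part of this white paper, the following PowerShell script (SharePoint Server 2013 Management Shell, run by a farm administrator) implements the kind of reporting the questions above describe: it compares every site’s role assignments to an approved baseline and flags anything outside it, including a “Full Control” grant to a principal not on the approved list. The approved permission levels, the approved Full Control principals and the report path are assumptions to be replaced with your own governance values.

```powershell
# Added example (not from the white paper): audit SharePoint Server 2013 role
# assignments against an approved baseline of permission levels.
# Run from the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed baseline values: permission levels approved for end users, and the
# only principals allowed to hold Full Control. "Limited Access" is granted
# automatically by SharePoint, so it is treated as approved.
$ApprovedLevels      = @('Read', 'Contribute', 'Edit', 'Limited Access')
$ApprovedFullControl = @('System Account', 'SharePoint Farm Admins')   # assumed names
$ReportPath          = 'C:\Audit\UnapprovedPermissions.csv'            # assumed path

$findings = foreach ($site in Get-SPSite -Limit All) {
    foreach ($web in $site.AllWebs) {
        # Only webs that broke inheritance carry their own assignments.
        # (Lists and libraries with unique permissions are out of scope here.)
        if ($web.HasUniqueRoleAssignments) {
            foreach ($ra in $web.RoleAssignments) {
                foreach ($rd in $ra.RoleDefinitionBindings) {
                    $fullControlOk = ($rd.Name -eq 'Full Control') -and
                                     ($ApprovedFullControl -contains $ra.Member.Name)
                    if (($ApprovedLevels -notcontains $rd.Name) -and -not $fullControlOk) {
                        [pscustomobject]@{
                            Web       = $web.Url
                            Principal = $ra.Member.Name
                            Level     = $rd.Name
                            Checked   = Get-Date
                        }
                    }
                }
            }
        }
        $web.Dispose()
    }
    $site.Dispose()
}

# Hand the findings to the compliance owner and raise an alert when any exist;
# scheduling this script nightly gives the "unapproved security level" alert
# the text asks for, regardless of who applied the permission.
if ($findings) {
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Warning ("{0} unapproved permission assignment(s) found; see {1}" -f @($findings).Count, $ReportPath)
} else {
    Write-Host 'No unapproved permission assignments found.'
}
```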

In many cases, an organization’s records “retention schedule” would provide you with insight into what content is sensitive, proprietary, or regulated and how it can be identified. The issue here is that 30-40% of organizations throughout the globe do not have an “approved retention schedule” or are still in the process of developing one. I have personally been involved in working with organizations’ legal and compliance departments around the development of a “retention schedule,” and it is not an easy or sexy task to accomplish.

In many cases it comes down to the content owners or even power users who understand what type of content exists within their “area” or “department,” and it is not formally documented. I have recently been involved in several SharePoint 2007 to SharePoint 2013 upgrades \ migrations where governance was not enforced and content sprawl existed within document libraries across multiple, and in many cases very similar, sites.

Because of some of these more highly publicized cases of data breaches and extremely sensitive information being exposed, 6 of the world’s top government security agencies, as detailed in the image below, have published their recommendations regarding “Cloud Security and Recommendations” to assist organizations by providing them with “lessons learned” and some of the growing threats that they have been addressing.


Understanding the Implications of International Law and Your Organization’s Data

For the past 6 or 7 years, there has been a growing and very public backlash against laws in the US, such as the Patriot Act, that govern US-based data centers. The US is not alone, as there are similar laws in numerous countries that have been much less publicized, but when implementing a global SharePoint 2013 deployment where data centers around the world are in scope, it is very important to understand how this may affect your deployment.


For many years, countries such as Germany and others in the EU have enacted very strict privacy laws that ban personal information from being published or readily available, not only in public information and search platforms but in private and company-owned systems. SharePoint’s My Site functionality is a good example here, as EPC Group has had to develop and apply features for some of our clients in these regions that block certain personal fields from “People Search,” such as a person’s manager and their home or cell numbers, as well as many variations of this.


Many large Fortune 1000 US organizations have taken a stance of being English-only and have successfully been able to avoid some of these region-specific implications, but this is heating up again and becoming an area of concern that should be discussed within your organization’s IT department as well as with legal and compliance to ensure you are following certain protocols and country-specific laws, as there can be daily fines levied against companies as well as temporary “freezes” placed on data or system access.

Microsoft has been proactive around many regulatory issues both in the United States and in the EU, obtaining certifications and approvals in areas such as the EU Safe Harbor Certification, HIPAA, FERPA, SAS 70, and ISO 27001, to name a few. This list will undoubtedly grow or continue to be updated, so it is very important that you or a designated individual within your organization monitor updates from Microsoft as well as other cloud providers should you have global offices that may be affected and governed by specific laws.


I remember vividly when I received several phone calls from IT and business stakeholders one evening from a client of EPC Group that had regional offices in a relatively small country in Africa, and because of recent laws there as well as the regime change that had recently taken effect in that country, the government had seized their servers and temporarily shut down all internet access and their ability to access their data. This client is a household name in the oil and gas area throughout many areas of the world, but this country’s government was not impressed and did not care about even the day-to-day drilling and oil production taking place, and production ground to a screeching halt. The total cost of this shutdown was estimated by this client on day 2 of this incident to be in the ballpark of 6 million dollars per day, and they had to get this resolved one way or another. In a nutshell, this country had recently passed a law stating that all data accessed by a computer system in their country in relation to oil well data had to actually reside or be stored within the country’s borders. The incident started when a local government official performed an audit on this company by running a set of random searches in SharePoint 2007 that returned results about some oil well specifications that were nearby but were stored in a SharePoint department \ team site in London.


This issue was ultimately resolved within 7 days and is obviously extremely unique and bordering on the bizarre, but I remember it vividly as I do not think I slept for more than 5 hours that entire week. It is pretty clear that a “data loss” type issue with a 6 million dollar a day price tag and severe impact on the business had to be resolved, and done so “yesterday.” A handful of other incidents like this that I have personally seen, or been engaged by a client to assist in resolving, have led to some of my more cautious or sometimes “dooms day” like questions at times during road mapping and architectural design sessions for some of EPC Group’s global clients. I think it is worth mentioning in this overall architectural roadmap planning and discussion, as you must plan for and have contingency plans around data protection, data loss, and data spillage in your organization’s environments. When engaging on a deployment in the cloud where sensitive data exists, you may not have 24/7 access to immediately act on an issue, so the cloud provider’s service level agreements (SLAs) and policies around these types of issues must be further investigated, discussed, documented, and fully disclosed.


I have had some issues with cloud-provider representatives not knowing the answers to these questions, which in some cases is understandable due to the role they may have at the provider, but any cloud provider you select should be able to quickly direct you to contacts that handle these issues as well as to very granular documentation regarding how these issues are dealt with and what you can expect from them. It has been frustrating to view some of the SLAs and granular information provided by some providers, as they sometimes give vague responses, so be sure you dig very deep here when planning for your infrastructure and hold these providers accountable to provide you with specific answers to your questions before procuring their services.


Lastly, this specific topic is one that is going to mature over time, and cloud providers will eventually all have representatives or contacts \ documentation on these granular issues, but I am concerned about “data spillage” issues within cloud providers where extremely sensitive data can mistakenly be made available to other users or even search engines through the nightly “content source crawl” results; this data must be identified, cleansed, and the issue solved right away. I have a concern about companies who are not at all at fault but whose SharePoint or Office 365 search results somehow start returning content they have never seen before and have no idea where its source is, and due to this data spillage their environment is taken down temporarily by either the provider or even a government agency made aware of this sensitive data breach.


Note: It is key to consider the differences in your organization’s current disaster recovery or business continuity plan versus that of a cloud-based and possibly service provider led disaster recovery related plan as shown below:

The environment you select to deploy your organization’s SharePoint 2013 environment on in your 24-36 month SharePoint roadmap must take all of these issues into account, as sometimes the “Pros” outweigh the “Cons,” but other times the “Cons,” although mathematically slim in possibility, would so outweigh the “Pros” that the risk of downtime may not even be something the organization would consider.
