Being a Microsoft Office 365 Partner am keen to follow any news concerning feature changes and updates to Office365. Microsoft announced via this blog, that Office 2013 clients’ connections to commercial Office 365 services will not be supported after October 13, 2020. After this date, ongoing investments in the Office 365 cloud services – including Exchange Online, SharePoint Online, and OneDrive for Business – will proceed based on post-Office 2013 requirements.
SharePoint User Requirements Analysis is vital; the corner stone in developing, deploying and providing a properly managed SharePoint environment.(more…)
When utilising a collaboration tool the key productivity rationale is to automate processes through the content stored within that collaboration tool. SharePoint has a number of platform flavours (on-premise, hybrid, online) and has integration points which is only limited by creativity it seems (not simply confined to Microsoft products). Therefore, it is crucial that when thinking of what workflow tool should be used to automated business process that you understand also the options, strengths, weaknesses of the various workflow options that can be utilised with SharePoint.
Having had a lot of fun trying to fathom, making mistakes along the way of course, I got together all my notes, including querying lots of knowledgeable people (thanks to you all) – and put together an article; published on Tech Net blogs and also on DOCS!
The article is quite large therefore I had it split into four parts (great idea from Charlotte C at Microsoft – thanks)
Sections in Part 1 are:
1: Introduction to the business process automated
2: What does a workflow system need to accomplish
3: Mind set of developing workflow
4: Types of workflow
5: What does the full article cover in terms of product, scope
Sections in Part 2 are:
1: Options for workflow with on-premise SharePoint
2: Options for developing custom workflows using SharePoint Designer / Microsoft Visual Studio
Sections in Part 3 are:
1: Options for workflow in SharePoint Online through Office365
2: Options for workflow in hybrid situations
3: The ‘workflow manager’
4: Publishing workflows to Azure
5: Workflow options available through third parties
6: Strengths and weaknesses of covering all options
Part four completes the article by summarising the key take-away – what tasks should be carried out concerning an approach to choosing the workflow solution that suits you and the customer
As the use of content management systems evolve with users adding more, ahem, “content”, the organizations accountable for those content systems will need to ensure that they build in people resources who can manage that content, and particularly people who can find insights in that content for the benefit of the organization.
Business intelligence requirements and implementations are growing faster than ever before, particularly due to the rise of cloud computing and more cloud services. There is now much more pressure on ensuring that customer interactions are tracked as a key aspect of business intelligence data gathering. This is one of the most critically important ways of working out the value that cloud services provide.
The blog article has been written for TechNet and is available on this link.
One of the challenges concerning those implementing Service Delivery with Office365, is building proof that Office365 complies with regulatory standards and legislation. Service Assurance in Office365 is a primary goal, and if it vital that you understand how Office365 protects your data, especially since Office365 concerns email access, team communication, collaboration, content storage and specifically content viewed and edited in a browser. Service Delivery includes Service assurance, which is an organisational primary goal, and is directly aligned to the C/I/A triad (Confidentiality, Integrity and Availability), being key aspects of information security.
Office365 contains a Service Assurance area which allows Administrators to setup and provide resources to carry out risk assessments and audits, and includes a wealth of reports covering security, and the relevant legislation and standards that Office365 adheres to. I wrote an article for TechNet Blogs which gives a great overview on how to use Office365 Service Assurance (within the Security and Compliance section) here, go check it out!
Personal data (also referred to as PII – Personal Identifiable Information) identifies an individual. In that personal data, a name by itself is not enough to identify an individual, however, a name including the address would. For example, when you are called by an operator in a call centre, you will often be asked for your name, address and date of birth. That is an example of personal data. What they do with your personal information goes into data processing, that is, to store, sort, workflow (further processing) and retain till archive (disposal) that data. The controller of that data (that is, the owner of that call centre) is responsible for ensuring that data is stored securely on their system.
However, no matter how secure the system is, or in fact, any data processing system is, social engineering attacks is a key threat vector. The weakest part of an system is the people, since they are the easiest to deceive and manipulate. One of the weakest aspects is through impersonation attacks. Impersonation attacks are where someone plays the role of someone who is likely to be trusted (whose personal information was obtained through data processing). In other words, one of the ways to get enough personal information of an individual to impersonate is through getting their personal information in the first place, and, to a large degree, ‘data processing’ is where that information can be obtained.
Through the data processing, there are three key elements:
- The Subject, who owns the data.
- The Controller, who is responsible determining how the data is processed.
- The Processor, who is responsible for the data processing of the subject data.
This can be represented in virtually any process, let’s take a basic SharePoint example:
- The Subject uploads data into a SharePoint site.
- The Controller manages the site where the data is uploaded and determines how the data is processed (also known as a data owner on the site)
- The Processor holds that data from the point where it has been uploaded, to the point where the data is disposed of (this is generally some technical processes in the repository where the content has been uploaded, e.g. storage, workflow, disposition, security).
There are some assumptions to the above example in terms of the management of Personal information:
- The Subject assumes that the data being uploaded is securely managed (it can be security classified, can be readily accessed, and remain intact).
- The Controller assumes they are accountable to that data being serviced by making sure the processor is sufficiently set to securely that content and marked with an identifier of the subject. A basic example in SharePoint is that data uploaded gets marked with the name of the individual uploading the data, the time when that occurred and history of working with that data is recorded.
- The Processor assumes that it is designed in such a way that personal information is secure; that any alterations, changes, modifications, workflow is known to the subject.
A conundrum is the sheer collaboration aspect; that is, who has access to that data, and, unfortunately, that some controllers misunderstanding that security is somehow, the product. It is not. Any system can be bypassed using social engineering if that data is compromised. The personal information of the Subject can be accessed by anyone who has the view access to that data. For example, in the case of SharePoint Online, when a Subjects name is clicked in a repository, a list of other documentation recently uploaded / accessed is visible, along with a link to getting more information through Delve. Additionally, on the Delve screen is a further link to the Subjects’ OneDrive, and from there visibility of the Subjects’ team. In terms of technology this example works slightly different in SharePoint On-Premise, however, the outcome is the same.
The challenge is that irrespective of the tools used to provide the nature of storage, availability, integrity of data that there needs to be some thinking in managing the security of the data as well as personal information. Lets’ look at some of the requirements on those three elements:
- From the Subject, there needs to be understanding of how much information they enter about themselves using Delve (About Me, Projects, Skills and Expertise, Schools and Education, Interests and Hobbies) as this affects PII.
- From the Controller, they need to provide awareness to the subject that the data they provide is secure, and the level of accessibility to that data, and where that data is located.
- From Processing, the design of repositories needs to include the management of storage of data, classification, workflow relevant to how personal information is passed. For example, the use of a form to capture information relevant to content uploaded may require the subject to ensure personal information, maybe even beyond what is already supplied in Delve. If this is the case, the Controller should make the subject aware of the kind of information gathered, and what the Processing element will do with that data, and how long that data will exist in the repository. Another example is where the data uploaded includes Personal Information and through machine learning metadata is extracted and posted as viewable column data in a repository. And this does stop at metadata. The very design of code used to carry out further processing through workflow should be scrutinised since the level of Personal Information recorded needs to meet legislative laws; in particular, the Data Protection Act 1998 UK law covers this including sensitive personal information to which you should have the Subjects consent beforehand to process.
Managing Personal information is a crucial aspect data security; the key aspect to understanding how to prevent breaches of personal data through impersonation or masquerading.
This short article is designed to get you thinking of the actual service delivery in managing personal information not just for SharePoint (either Online or On-Premise); even beyond to endpoints connected to it; and then even beyond into the roadmap surrounding Office365. In a data processing system, the fundamental requirement is to secure the content through its lifecycle. The challenge is ensuring that the features of the tools involved are fully understood when it comes to the storage of personal information, and that security awareness, policies, and training is provided to subjects and data controllers. Legislation is important to understand in this area and a good checklist to start from is here.
The key element, the Subject, can be made more aware of storing personal information in content they upload. A good article for working say through a Word document and removing personal identifiable information is here.
A distinct point to make is that Microsoft cloud applications are by their very nature tools used to upload and transmit information by customers through their relevant tenants. For example, whilst Azure services covers tools for system maintenance, infrastructure, security, record retention, information management, system development, there are data processing activities which the tenants manage. They must ensure that they are responsible for ensuring that information stored or transmitted through the services is securely managed, in that they at the very least should have carried out a security risk assessment against any data processing / controlling surrounding managing personal Information. The key thing to remember, is that security is not a product – the responsibility of securing data through its processing lies with the Controller of that data – the tenant owner, the SharePoint site owner, and therefore the organisation responsible for providing those sites.
One of the most useful documents in my view in planning implementations of Office365 is understanding data encryption and data backup and the standards applied. Microsoft have provided audit reports covering their cloud stack (Dynamics CRM, Office365, Yammer and Azure). These SOC and ISO reports include testing and trust principles in these areas:
- Data Transmission and Encryption
- Security Development Lifecycle
- Data Replication and Data Backup
To access these reports, you will need to access the Security and Compliance area in your Office365 tenant.
As said, these cover the Microsoft Cloud Stack, however, the two key documents for Office365 are:
Office 365 ISO 27001-ISO 27018-ISO 27017 – this is an audit document confirming whether Office365 fulfils the standards and criteria against ISO 27001, 27018 and 27017.
- PII is included in Office365 because it is run over Public Cloud for multi-tenant customers.
- Cloud Security is included in Office365 because it is defined as a SaaS (Software as a Service)
- All encryption adheres to TLS requirements and hashing (specific)
Office 365 SOC 2 AT 101 Audit Report 2016 – this is an audit document looking at the controls relevant to Security, Availability, Confidentiality and Processing Integrity.
- Details on the services concerning planning, performance, SLAs, hiring process (including background checks of staff) are provided.
- Control Monitoring, Access and Identify Management, Data Transmission (encryption between Microsoft, Client and data centres) are described.
- Project requirements through to Final Approval concerning the SDLC process is described
- Availability, Data Replication and Backup is covered.
The above SOC and ISO are extremely useful in aiding any risk assessment that you should take to confirm the service assurance of Office365 going forward. Risk assessments are not a ‘one shot’ task. They should be carried out on an annual basis. The Office365 service is a rich offering of Infrastructure, Software, People, Procedures and Data. Each requires security controls and confirmation that they meet standards which can be dovetailed into your organisation. The audits go into great detail concerning the controls (especially things like Data in Transit / Rest – SSL / TLS). A lot of questions is asked by customers concerning security controls – the video below is a good method of getting you to understand (and your clients) how Microsoft ensures proactive protection, and you should definitely check out the Microsoft Trust Centre for great information concerning encryption.
One of the biggest challenges in supporting Office365 is getting a real statement on issues that have been put by users and also those known by Microsoft.
As part of the knowledge base on this site, I’ve provided direct from Microsoft a list of the most common Office365 answers concerning Office, SharePoint, Internet Explorer, Lync and Outlook. Use the below as an indicator; select the relevant technology, and then select the PLUS (+) icon next to the statement to get more information.
A major challenge in businesses is a misconception, that data is 100% secure concerning any part of its data processing within that business. This data processing concerns the content management lifecycle; from creation, to storage, to distribution, to workflow and eventually archive of that data. The misconception? “Security Breach? Its not going to happen to us” mentality. It is vital that there is an understanding of Information security and Information Assurance in content management security. As an information security professional (or Architect covering security), you should be prepared for any aspect of secure breach can happen that can affect the confidentiality, availability, and integrity of the data. Any service delivery disruption caused by a security breach is harmful to the profitability, and has far reach consequences which could include liability, status and much more.
One of the most compelling challenges for Office 365 is centralised monitoring. Those working in the SharePoint arena will know only too well importance of monitoring and reporting across the platforms they manage. This is not simply from a technical but also from proof of service; the availability and evolution of those services.