
Wednesday, May 4, 2016

The Future of SharePoint Security and Governance

May the 4th Be With You

Today is typically set aside to celebrate Star Wars movies and culture that many of us have enjoyed for years.  I'm hoping to take in one of the Star Wars movies with my family this evening, once the kids finish their homework of course.

In other important news...
Today Microsoft announced the general availability of SharePoint Server 2016!

Microsoft also announced major new directions that we're going to see for SharePoint over the coming year! People who read my ramblings know that I focus much of my work on security, so I'd like to share some of the security-related capabilities that are included in Microsoft's roadmap for SharePoint. Microsoft has also reaffirmed their commitment to security, privacy and compliance with some significant new capabilities in their roadmap.

Dynamic Conditional Access Policies

One major new feature we're going to see is dynamic conditional access policies that administrators can define, allowing them to control the content that users can access based on the user's identity, the application or device they're using, and their network location.

Administrators will be able to effectively prevent users from accessing high-security files in SharePoint from a mobile device or home network that the organization doesn't control, while still allowing the same user to access those files from a corporate laptop.

Microsoft Windows Server 2012 has had a comparable capability for years in Dynamic Access Control (DAC), where you define policies based on attributes of a user's identity (e.g. security clearance) and metadata associated with a document (e.g. its classification) and have those policies automatically enforced on Windows file servers. It typically required use of the Windows File Classification Infrastructure (FCI). Some third-party security tools have also layered these types of security policies on top of on-premises SharePoint deployments in the past.

From a security perspective, it will be fantastic to see this or a similar capability finally making its way to SharePoint.

Site Classification

In an update later this year, customers will be able to classify SharePoint sites so that security policies are scoped and enforced on all content in the site. When creating a new site, whether a team site or a publishing site, you'll be able to select the classification of the site. A site's classification is typically related to the sensitivity of the content you plan to store or present within the site, and by default it will be displayed right below the site's name. This will really help users to understand when they are accessing sites with sensitive corporate data.

This feature sounds simple, but it's extremely significant because it allows customers to identify where sensitive data exists in their environment. Identifying where sensitive data lives is traditionally the first battle you fight when trying to protect your sensitive corporate data. This is a great advancement in improving the governance of our SharePoint environments.
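To make the two ideas above concrete, here is a small policy evaluator, added as an illustration and not Microsoft's implementation: an access request carries the user's clearance attribute, whether the device is corporate-managed, the network location, and the classification label of the site being opened; policies are scoped by classification, so a rule written for "Confidential" also covers "Highly Confidential" sites. The clearance scale, the policy shape and the sample requests are all constructed for the example.

```python
"""Toy evaluator for dynamic conditional access policies scoped by site
classification. Constructed illustration, not Microsoft's code."""
from dataclasses import dataclass
from typing import List, Tuple

# Ordered sensitivity scale (constructed); higher index = more sensitive.
LEVELS = ["Public", "Internal", "Confidential", "Highly Confidential"]


@dataclass(frozen=True)
class AccessRequest:
    user: str
    clearance: str            # identity attribute, e.g. from the directory
    device_managed: bool      # True for a corporate-managed device
    network: str              # "corporate" or "external"
    site_classification: str  # the label shown under the site name


@dataclass(frozen=True)
class Policy:
    name: str
    applies_from: str                     # minimum site classification in scope
    require_managed_device: bool = False
    require_corporate_network: bool = False


def level(label: str) -> int:
    """Position of a classification label on the sensitivity scale."""
    return LEVELS.index(label)


def evaluate(req: AccessRequest, policies: List[Policy]) -> Tuple[bool, List[str]]:
    """Decide a request. Deny-overrides: every in-scope rule must pass, and
    the user's clearance must be at or above the site's classification."""
    reasons: List[str] = []
    if level(req.clearance) < level(req.site_classification):
        reasons.append(f"clearance {req.clearance} below {req.site_classification}")
    for p in policies:
        if level(req.site_classification) < level(p.applies_from):
            continue  # site is less sensitive than the rule's scope
        if p.require_managed_device and not req.device_managed:
            reasons.append(f"{p.name}: unmanaged device")
        if p.require_corporate_network and req.network != "corporate":
            reasons.append(f"{p.name}: network is {req.network}")
    return (not reasons, reasons)


# Constructed policy set: Confidential needs a managed device; Highly
# Confidential additionally needs the corporate network.
POLICIES = [
    Policy("managed-device-for-confidential", "Confidential", require_managed_device=True),
    Policy("corp-network-for-highly-confidential", "Highly Confidential",
           require_corporate_network=True),
]

if __name__ == "__main__":
    home = AccessRequest("alice", "Highly Confidential", False, "external", "Highly Confidential")
    print(evaluate(home, POLICIES))  # denied: unmanaged device and external network
```

Because rules are keyed on the site classification rather than on individual libraries, classifying the site once is what lets the same policy follow every document stored in it.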

Hybrid SharePoint Insights - Hybrid Activity Monitoring and Reporting

Between the fall of 2015 and early 2016, Microsoft released the activity monitoring and reporting features within SharePoint Online and OneDrive for Business. This is a great capability for either monitoring user activity within your tenant, or performing forensic analysis into data breaches. I wrote an article about this capability here: Securing Office 365 with Activity Monitoring.

By the end of 2016, Microsoft will release a preview of Hybrid SharePoint Insights, which will aggregate data from both your on-premises SharePoint 2016 environment and your SharePoint Online/OneDrive for Business tenant. This will allow you to monitor and report on user activity from both your on-premises and Office 365 environments through one easy-to-use interface.

Bring Your Own Encryption Keys

We've heard over the last year about how Microsoft encrypts all content stored within SharePoint Online and OneDrive for Business with a complex system that partitions data, uniquely encrypts each partition with a different key, randomly distributes and stores those encrypted partitions in Azure Storage Blobs, encrypts the keys themselves and stores those in a master key store, and rotates all keys every 24 hours. I've written about this myself here: How Does Microsoft Protect Our Data in Office 365. This is already happening in Office 365 and it's completely transparent to customers.

What's new is that later this year customers will be able to bring their own encryption keys to further lock down their data, preventing even Microsoft technical staff running the Office 365 service from accessing your data. These continued efforts help protect our data and our privacy.
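The key hierarchy described above is what makes "bring your own key" meaningful: partitions are encrypted under their own data keys, those data keys are wrapped by a master key, and rotation only re-wraps the small keys rather than re-encrypting the stored blobs. The block below is an added, constructed model of that arrangement and is not Microsoft's code; it uses an HMAC-SHA256 keystream as a stand-in for a real cipher so that it runs on the Python standard library, and the partition size is deliberately tiny for readability.

```python
"""Constructed model of envelope encryption with per-partition data keys, a
master (customer-held) key and master-key rotation. Not Microsoft's code; the
HMAC-based keystream is a toy stand-in for a real cipher."""
import hashlib
import hmac
import secrets
from typing import List, Tuple

PARTITION = 16  # bytes per partition; tiny on purpose for the example


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


Blob = Tuple[bytes, bytes]        # (nonce, ciphertext of one partition)
WrappedKey = Tuple[bytes, bytes]  # (nonce, data key encrypted under master key)


def encrypt_document(plaintext: bytes, master_key: bytes) -> Tuple[List[Blob], List[WrappedKey]]:
    """Split into partitions, give each a fresh data key, wrap each data key."""
    blobs, wrapped = [], []
    for off in range(0, len(plaintext), PARTITION):
        dek = secrets.token_bytes(32)              # unique key per partition
        nonce = secrets.token_bytes(16)
        blobs.append((nonce, keystream_xor(dek, nonce, plaintext[off:off + PARTITION])))
        wrap_nonce = secrets.token_bytes(16)
        wrapped.append((wrap_nonce, keystream_xor(master_key, wrap_nonce, dek)))
    return blobs, wrapped


def decrypt_document(blobs: List[Blob], wrapped: List[WrappedKey], master_key: bytes) -> bytes:
    """Unwrap each data key with the master key, then decrypt its partition.
    Without the master key the data keys, and hence the content, are unreadable."""
    out = b""
    for (nonce, ct), (wrap_nonce, wdek) in zip(blobs, wrapped):
        dek = keystream_xor(master_key, wrap_nonce, wdek)
        out += keystream_xor(dek, nonce, ct)
    return out


def rotate_master_key(wrapped: List[WrappedKey], old_master: bytes, new_master: bytes) -> List[WrappedKey]:
    """Re-wrap the data keys under a new master key. The stored partitions
    are never touched, which is what makes frequent rotation cheap."""
    rewrapped = []
    for wrap_nonce, wdek in wrapped:
        dek = keystream_xor(old_master, wrap_nonce, wdek)
        new_nonce = secrets.token_bytes(16)
        rewrapped.append((new_nonce, keystream_xor(new_master, new_nonce, dek)))
    return rewrapped


if __name__ == "__main__":
    customer_key = secrets.token_bytes(32)  # held by the customer under BYOK
    blobs, keys = encrypt_document(b"Project Falcon budget: confidential draft v3", customer_key)
    print(len(blobs), "partitions;", decrypt_document(blobs, keys, customer_key))
```

Under BYOK the master key in this model is the one the customer controls: whoever operates the storage holds the blobs and the wrapped keys but cannot unwrap them, and revoking or rotating the customer key invalidates every wrapped data key at once.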

Data Loss Prevention Improvements

I recently gave a webinar on the new SharePoint 2016 data loss prevention feature which can be found here: Data Loss Prevention in SharePoint 2016. Later this year you will be able to apply data loss prevention policies down to the site level. Today you can only apply those policies at the site collection level. This will allow us to be more specific about where data loss prevention policies are applied and which content they cover.

External Sharing Improvements

In Office 365, you can now whitelist and blacklist specific domains for external sharing. As well, later this year we'll be able to set an expiry period for external sharing, so content is only shared externally for a specific period of time.
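The domain allow/block lists and the sharing expiry period combine into a small decision that is worth seeing end to end, including the edge case of subdomains: "mail.partner.example" should match an allowed "partner.example", but "notpartner.example" should not. The block below is an added example, not Microsoft's implementation, and its policy, recipients and dates are constructed.

```python
"""Constructed model of external-sharing governance: an allow list and a
block list of recipient domains plus an expiry period on external shares.
Not Microsoft's implementation."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class SharingPolicy:
    allowed_domains: FrozenSet[str] = frozenset()  # if non-empty, only these may receive shares
    blocked_domains: FrozenSet[str] = frozenset()  # always refused, even if also allowed
    expiry_days: Optional[int] = None               # None means shares never expire


def domain_of(email: str) -> str:
    """Recipient domain, lower-cased so matching is case-insensitive."""
    return email.rsplit("@", 1)[-1].lower()


def domain_matches(domain: str, rule: str) -> bool:
    """Exact match or a proper subdomain; 'notpartner.example' must not match
    'partner.example', so compare on a dot boundary rather than a raw suffix."""
    rule = rule.lower()
    return domain == rule or domain.endswith("." + rule)


def may_share_with(email: str, policy: SharingPolicy) -> bool:
    """Block list overrides allow list; an empty allow list means any domain."""
    d = domain_of(email)
    if any(domain_matches(d, r) for r in policy.blocked_domains):
        return False
    if policy.allowed_domains and not any(domain_matches(d, r) for r in policy.allowed_domains):
        return False
    return True


def share_is_live(created: date, today: date, policy: SharingPolicy) -> bool:
    """A share stays live strictly before created + expiry_days."""
    if policy.expiry_days is None:
        return True
    return today < created + timedelta(days=policy.expiry_days)


def shares_to_revoke(shares: List[Dict], policy: SharingPolicy, today: date) -> List[Dict]:
    """Review job: return existing shares that violate the domain rules or have
    passed their expiry, so an administrator can revoke them."""
    return [s for s in shares
            if not may_share_with(s["recipient"], policy)
            or not share_is_live(s["created"], today, policy)]


# Constructed sample policy and shares for the example
POLICY = SharingPolicy(allowed_domains=frozenset({"partner.example"}),
                       blocked_domains=frozenset({"mail.partner.example"}),
                       expiry_days=30)
SHARES = [
    {"recipient": "bob@partner.example", "created": date(2016, 5, 4)},
    {"recipient": "eve@notpartner.example", "created": date(2016, 5, 4)},
    {"recipient": "old@partner.example", "created": date(2016, 1, 10)},
    {"recipient": "x@mail.partner.example", "created": date(2016, 5, 4)},
]

if __name__ == "__main__":
    for s in shares_to_revoke(SHARES, POLICY, date(2016, 5, 4)):
        print("revoke:", s["recipient"])
```

Applying the block list before the allow list gives deny-overrides semantics, and running the review over existing shares is how an expiry setting introduced later catches content that was shared before the setting existed.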

Other Exciting Additions - New Mobile Experience, Team Sites...

There are many other welcome new additions planned over the coming year, including a new SharePoint Mobile app experience that lets users easily access news from across the company, the sites that people use and access most, quick links to important pages, and a list of their coworkers or those they collaborate with most. This new app apparently uses Microsoft's investments in machine learning and the Office Graph to help surface the most relevant content and people for you, and present that ahead of less relevant information. This sounds a lot like a mobile version of Delve, doesn't it?! The new mobile app will be available towards the end of June 2016 for iOS, with Android and Windows versions coming later this year. The OneDrive mobile app will also be getting enhancements through machine learning to provide users with suggestions of useful content through both OneDrive for Business and SharePoint.

As well, team sites will get a new home page which gives users a quick look at the team sites they are part of, along with updates that have recently been made to those sites. The idea here is that users can more quickly get to the work and sites that are most relevant to them at that moment.

There are tons of other exciting updates... within Office 365, we hear that SharePoint team sites will be coming together with Office 365 groups as well: whenever a new Office 365 group is created, a new team site will be created too. As a result, you'll be able to share team sites within Office 365 groups with external users through the Office 365 external sharing feature. This is a nice addition, but it can create some security issues as well if you don't have appropriate governance in place.

We will likely see these updates come out through Microsoft's new SharePoint 2016 Feature Packs planned over the next year.

May the 4th be with you!

1 comment:

  1. Antonio, your insights into the latest SharePoint developments are fascinating. It's great to see how technology continues to evolve. By the way, are there any assignment services or resources you recommend for staying up-to-date with these industry advancements and implementing them effectively in businesses?