So far in this series you’ve received some excellent tips from our team of experts on successfully rolling out SharePoint 2016. If you haven’t had the chance, I recommend taking a look at the rest of the series, which covers everything from strategies for deploying hybrid to the best tips for migration and adoption. Today we’re going to make sure you’re up to speed on how to deal with SharePoint 2016 data protection in your rollout, including a quick rundown of what Microsoft is doing for Data Loss Prevention (DLP) in SharePoint 2016.
Pre-Migration Planning: Data Inventories
When we’re gearing up for a migration, it’s pretty common to put on our engineering hats and start looking at the migration in terms of speeds and feeds: How fast can we move our data and how quickly can we get users trained on the new features? We’ve mentioned this before, but you can’t simply bulldoze your data to a new environment and hope that your SharePoint 2016 will be a great success! You can inventory your data before or after you migrate, but either way this step will be crucial to success for the following reasons:
- Determining what you own dictates how much “hybrid” you use in your SharePoint 2016 rollout. For instance, a migration of ITAR or export regulated data might slow down or prevent your rollout of hybrid search connectors or Delve in 2016.
- Identifying the types of data you own and regulations that govern them will help you create a stronger SharePoint 2016 information architecture. Segregation of data by policy with well-defined governance rules will help you create the right containers with the right security in our destination.
While you might not feel that understanding the data is your responsibility in this migration, there are plenty of reasons to plan for this step during your migration. Here in the US, you might be looking at SEC, ITAR, EAR, HIPAA, or any number of regulations that directly influence how you handle SharePoint and its governance controls. Marie Penot recently posted an insightful article on the General Data Protection Regulation (GDPR) in Europe, which reminds us that even if a small portion of our business happens in Europe – we’re accountable for the data we own! Even outside of regulations, privacy professionals agree that nearly 30% of breaches are caused by mishandling of data at rest in systems like SharePoint.
Migrations are a great time to start thinking about the data that we have. Gartner makes a great case:
“For organizations with large, chaotic SharePoint environments (which is the majority of the clients Gartner speaks to about migration), the largest part of the migration effort consists of activities that aren’t strictly due to the migration. […] Content cleanup includes reorganizing content, adding better metadata, improving the information architecture (for example, straightening out the navigation structure), applying consistent templates, and removing ROT (redundant, outdated or trivial content). […] Process cleanup includes revisiting SharePoint governance — implementing processes for requesting new sites, improving reporting procedures and implementing a formal help desk. These are all time-consuming tasks that organizations contemplate as part of (or better yet, before) a migration to get a fresh start with some better habits and decrease the amount of junk moved to the new environment.”
How Microsoft Helps: Creating a Sensitive Data Inventory
Microsoft’s new DLP features in SharePoint 2016 are born from this need to understand the data you have. Integrated into the new eDiscovery center in SharePoint 2016 is the ability to generate DLP queries based on pre-configured policies that map to common laws and regulations. If you’re interested in understanding what data you have as it pertains to the GDPR) financial regulations, or even HR and payroll data – this is the place you want to start! The current preview has several policies configured for the most popular regulations, but it’s very likely we’ll see some of the Office 365 policies moved to SharePoint 2016 before release.
It’s important to note that you should run this search with an account that has read-only access to all data in the defined SharePoint scope. The requirements line up with your typical eDiscovery query since you’re respecting the security trimming built into SharePoint search. It’s not common to have a business user with that level of access, so run these first as a site collection admin and look to share the results with privacy officers or business users to help clean up their data following the migration.
Cleaning Your Environment: Reporting You Can Use
The results that SharePoint 2016 provides out of the box can be a little tough to stomach for most privacy officers and business users. What you’re after is essentially a heat map of sensitive data, broken up by site or by group, to give you a target you can clean up. AvePoint Compliance Guardian can help take what is ordinarily a list of potential violations and turn it into something actionable.
The heat map specifically targets violations that have been identified and plots them by farm so CPOs can identify the largest areas of risk. The data can also be divided up according to access policies so individual business units can manage their own risk corresponding to their sites.
You can also run pre-migration scans against a variety of sources, even if you’re looking at SharePoint Server 2016 to aid you in consolidating information from file shares or other legacy systems.
Keeping Things Clean: Setting policies your users can follow
Now that you’ve identified the regulated data that might be in your environment, it’s pretty important to learn the best practices to work with it going forward – especially in a way that your users can understand! There are plenty of references you can use to help you dictate what governance controls are suggested for sensitive data by type, including our Definitive Guide on SharePoint Governance.
There are a few key controls you can start putting in place from the beginning.
Draw a clear line between sensitive data and non-sensitive data use in your environment. This one should be pretty clear, but you should be able to start mapping acceptable data to acceptable scopes. Our governance guide has more tips you can use, but to get you started, begin crafting a table:
You may not need all these columns since SharePoint generally takes a whitelisted approach to permissions, but you’ll find that use of the “share” button can generate plenty of unwanted users! Creating a blacklist gives you a good foundation for future policies, something you can implement with products like Policy Enforcer in DocAve Administrator.
How Microsoft Helps: Creating policies that track data as it is created
This is the second side of SharePoint 2016 DLP that extends capabilities from the eDiscovery center out to actual user activities. You’ll want to create a new site collection in each web application you need to control dedicated for managing these policies. To borrow an example from the table above, you’ll be creating a policy and mapping each non-finance site to check for financial data (an example of a policy violation).
Once we have our policy center, we can create a policy to dictate what happens when we find sensitive content, illustrated below:
The second step is applying these policies using the sites we’re looking to manage (such as an intranet portal, the MySites web app, or other managed paths) using the “DLP Policy Assignments for Site Collections”.
You’ll likely want to ensure that these are created during your site provisioning process to ensure proactive detection as content is being used. However, we do not recommend enabling these policies before your migration as you will likely generate plenty of alerts as you ship content to your new sites. See the sections above on running this cleanup before migration using AvePoint’s Compliance Guardian.
Once we’ve configured our policies to enable tool tips, your users are finally going to know when they’re doing something wrong before they do it (a good enough reason to start running SharePoint 2016)! Microsoft DLP introduces a great set of tips designed around educating users on what they got wrong, including this example from MSDN:
Ordering the Chaos: Creating a process for managing incidents
Once you’ve migrated your users over to SharePoint 2016 and helped them understand the policies in place, you can fully expect our users to test the boundaries they’re given!
Out of the box, SharePoint 2016 DLP gives you the ability to report incidents and generate email alerts. These can be sent to an incident management team, or a set of librarians for a group of sites (defined in the sensitive data policies when you assign them to sites). The level of detail these emails contain depends on the policies you create. In addition, you can effectively “quarantine” the file to the author and legal teams once the policy has been violated.
This still leaves something to be desired when it comes to the level of accountability required by most laws. Remember that fines for most regulations directly correspond to the amount of control you can show over sensitive data types. You’ll likely need to move from alerts only to more direct actions on the content when you see violations occurring.
AvePoint Compliance Guardian helps you go beyond these actions to:
- Redact sensitive data from the content prior to publishing on a site
- Automatically modify security settings on a document to match your regulations or ethical walls
- Quarantine files with an incident workflow to resolve these issues
- Move sensitive files to the appropriate destinations (such as from an unsecure to a secure network)
- Classify and tag data automatically as it is introduced
The last bullet is essential. SharePoint 2016 has continued to make great progress when it comes to information management policies, records management, and even metadata-driven search and navigation. Without the ability to automatically tag sensitive data, however, users will continue to struggle to find content, records managers will feel frustration in capturing data, and you’ll face many of the same struggles you’ve had in previous versions of SharePoint. This is especially true as you begin branching out from SharePoint Server 2016 to Yammer and other Office 365 components – all of which AvePoint Compliance Guardian also helps you protect.
While you use Microsoft DLP in SharePoint 2016 to begin the process of protecting and educating your users, I encourage you to try out AvePoint Compliance Guardian as part of the migration to help you along the way!
For more information on SharePoint 2016 DLP features, check out this article by Office Servers and Services MVP Steve Smith on MSDN.
If you would like additional tips to help prepare for your SharePoint 2016 migration watch our recent webinar, Start Your SharePoint 2016 Migration Today. Register now to access the on-demand recording!