Top Concerns with Hybrid SharePoint: Security and Compliance

In the Hybrid SharePoint study conducted by CollabTalk and the BYU Marriott School earlier this year, the number one area of concern of customers as they began planning for their move to the cloud was security and compliance. With almost two decades of on-premises history, there are very robust and mature security, compliance, and governance solutions available – and many customers have come to rely on these products and services. Introducing the cloud may seem like an unnecessary risk to some organizations.

To ensure that security and compliance requirements are being met, experts recommend that all hybrid planning begin with a detailed, step-by-step review of governance policies and procedures, mapping out how each requirement is currently accomplished within the on-premises environment, and how each will be accomplished within the cloud environment. Additionally, organizations should consider how common measurements, reporting, and dashboards will be maintained between on-prem and cloud infrastructure.

While Microsoft is making tremendous investments into data security and compliance, organizations need to consider the entirety of their systems – of which SharePoint is just one component. Thankfully, Microsoft is not only investing in Office 365 and other solutions to ensure that they are compliant with local, regional, and international security and compliance regulations and standards, but they are also creating tools and guidelines to help customers become or remain compliant as well.

Microsoft is investing heavily in this area because they understand that to convince enterprise customers to give up real or perceived control of their data and environments, the company needs to be a leader in security and compliance.

Quick Overview: Hybrid SharePoint Security and Compliance

In this latest video with Bill Baer (@williambaer), a Senior Technical Product Manager on the SharePoint team, we discuss security and compliance within the SharePoint ecosystem, as well as Microsoft’s leadership position in the space as the company rapidly expands its data center footprint for both Office 365 and Azure.

Why is this topic important?

Security and compliance is one of the most rapidly evolving areas within collaboration. For example, in the video, Bill talks about how many organizations that do business in the European Union, or with customers there, are scrambling to understand and prepare for the General Data Protection Regulation (GDPR), which goes into effect in May 2018. Microsoft has committed to being GDPR-compliant in all of its products and services by that date – but that does not mean that by using Microsoft products and services, you will automatically be compliant yourself. Organizations need to assess their GDPR compliance across all of their systems and services, not just their SharePoint workloads.

As Bill and I discuss, Microsoft is working hard to achieve region-by-region certifications and standards, while at the same time expanding their data center footprint to reach customers in under-served areas of the world. For example, South Africa has data centers coming online in 2018 near Johannesburg and Cape Town, and with them Microsoft now needs to meet a number of regional requirements and standards, including the Protection of Personal Information (POPI) Act, which is very similar to the GDPR.

But the biggest area of concern for organizations is not whether Microsoft will be compliant with these standards, or can help them become compliant. The more serious issue is how Microsoft can help manage the security and compliance issues around the end user. In the cloud, Microsoft is able to adapt very quickly to ever-changing threats, whether intentional or unintentional, rolling out updates and improvements to customers as quickly as necessary and providing real-time protection of their data and systems. That is one of the primary benefits of the cloud model – reducing the work and cost of proactive security of your data and intellectual property.

Organizations need to understand how they are meeting their security and compliance needs today, and how Microsoft can improve on that.

Microsoft Guidance

Microsoft’s high-level guidance on the topic of security and compliance across Office 365 and hybrid environments is fairly simple: monitor and proactively manage. Along with your users, data is the lifeblood of your organization. As a result, it’s critical to lay the groundwork to lock down access, manage the content (and end user) lifecycle, and protect your system from external threats. To accomplish this, Microsoft recommends leveraging the Security & Compliance Center to:

  • Set up and monitor alerts
  • Regularly review access and usage reports
  • Use the Threat Intelligence tools to research and respond to threats
  • Filter and quarantine your organization’s email
  • Follow all of Microsoft’s recommendations, based on your license types and usage patterns
  • Leverage the new Advanced Security Management features to investigate and mitigate potential issues
  • Regularly check your Office 365 Secure Score to identify areas for improvement

With SharePoint Hybrid Auditing (currently in preview), administrators have visibility into users’ file access activities in their SharePoint 2016 on-premises farms or in their SharePoint Online sites. Additionally, users can choose to upload their SharePoint diagnostic and usage logs, and have reports generated for them in Office 365.

How AvePoint can help with compliance and security in hybrid SharePoint

This is one area where AvePoint is the clear leader. For example, AvePoint Compliance Guardian enables administrators to automatically scan and classify content based on out-of-the-box and customizable rules. If you have taken the time to run a full assessment of your SharePoint environment, identifying all of your content, third-party solutions, and infrastructure layout and components, you’re already ahead of the game. Compliance Guardian’s data classification and protection framework incorporates regulatory and organization-specific governance and compliance policies, and implements an automated approach to data discovery, tagging, and classification.

Next, you should also audit your existing security, compliance, and governance policies and other regulatory requirements, which will help you better plan for what data needs to remain on-prem, what can be archived off-site, and what can be moved to the cloud. Once you’ve identified what is running under the hood, you’ll be better prepared to build your plans for a hybrid environment.

AvePoint’s approach to security and compliance is simple: first, discover where your sensitive data lives and how it is being used on a day-to-day basis across your enterprise; second, take action based on your risk analysis by implementing controls to secure data and achieve compliance; and third, monitor and report on the actions and safeguards you’ve implemented in order to prove policy compliance.

Additional resources for Hybrid SharePoint Security and Compliance

As the world increasingly moves toward cloud-based solutions, Microsoft and its partners will continue to invest in security and compliance solutions to ensure the integrity of your data and systems. With a hybrid SharePoint environment, you will need to be more vigilant – and understand what is managed by your team, and what is managed in the cloud by Microsoft and other vendors. Here are some great resources to help you in your planning:

  • 3 Top Office 365 Management Considerations for a Hybrid Environment [Blog]
  • The Benefits of Office 365 and File Share Integration [Blog]
  • Overview of security and compliance in Office 365 [Support.Office.com]
  • Top 5 Tips for Controlling Permissions and Configuration Across Your Hybrid Office 365 Deployment [Blog]
  • Service Health and Continuity [TechNet]
  • Monitor apps for your SharePoint Online environment [Support.Office.com]
  • 3 Ways to Improve Life in the Microsoft Cloud with AvePoint Online Services [Blog]
  • Business and IT Challenges in the Cloud [Blog]
  • Talking Cloud 3: Four Viewpoints on Cloud Management [Blog]
  • Revolutionary Information Management for Changing Times [Blog]
  • Monitoring, Troubleshooting, and Optimizing SharePoint 2016 [Pluralsight course]
  • AvePoint’s Survival Guide for SharePoint: Automating SharePoint Governance [Blog]
  • Simplify Office 365 Governance Where You Work, When You Need It [Blog]
  • 10 steps to optimize SharePoint performance [NetworkWorld]
  • DocAve Governance Automation Now Supports SharePoint 2016 – and Much More [Blog]

The topic of Hybrid SharePoint security and compliance is fast-paced and continually evolving. We would love to hear your comments and concerns, so please share your feedback, and I or someone from the AvePoint team will respond.

Christian Buckley

An Office Servers and Services MVP, internationally recognized author and speaker, Christian Buckley is Founder and CEO of the community-focused CollabTalk.