Category Archives: Cloud

Putability – More thoughts on Office 365 for collaboration

My thinking has evolved a little further with regards to using Office 365 collaboration since my last blog. This is driven by some further investigation into the recent upgrades to Office 365 Groups and Microsoft Teams.

As mentioned before, these are somewhat interchangeable in terms of their intended purpose and both have a proper SharePoint team site on the back end which extends their capability into being actively useful. For those that remember Windows SharePoint Services (WSS) or the more recent SharePoint Foundation, Groups and Teams essentially are the modern successor. The most immediate difference between them is that Groups are email-centric while Microsoft Teams is (Skype) chat-centric; however, there are some different components presented in each. Stand-alone, they are great for very lightweight intranets and team collaboration; combined with other parts of Office 365 they offered the ability to build out midrange digital workspaces. They fill a very useful role for unmanaged or lightly managed collaboration, though some organisations will choose OneDrive for Business for their unmanaged collaboration needs, leaving Groups and Teams for lightly managed role.

When it comes to OneDrive for Business, we propose a Best Practice folder structure to that consists of:

  • Private
  • Shared with Team (<owner name>)
  • Shared with Everyone (<owner name>)
  • Shared Externally

We also commonly recommend a mechanism for managing organisational Office templates using OneDrive for Business, where we add the Custom Office Templates folder to our OneDrive for Business and point the Office clients at that.

OneDrive structure

Then there is Yammer… This also can store and share documents and allow a form of collaboration around them. Using Yammer in this way never felt very natural to us, but it was part of the original design of the product before Microsoft acquired it, and it may well suit some organisations. However, by embedding Yammer within a SharePoint page in an intranet, it becomes particularly useful for wrapping a shared conversation around a document, or conversely adding documents to a shared conversation.

The trouble with all this is that users are uncertain about where to store information. It’s a problem we’ve talked about before; with the excellent search now available across Office 365 through SharePoint and Delve – combined with an effective metadata strategy – the problem of ‘Findability’ is largely addressed. Unfortunately, ‘Putability’ – knowing where to store your content -remains a challenge.

 

The lovely people at Tata Steel have put a lot of thought into this which aligns closely with our thinking and so I share this extended version of their decision tree with their permission:

Putability

As you can see, it’s fairly complex and this reflects the complex nature of the content that we expect people to deal with on a day-to-day basis. It is, however, fairly easily explained as follows:

  1. Keep your own stuff in OneDrive and if you need to, share it with your team unless you have a team site or group for that
  2. Team and project content should go into the relevant intranet team site, or a Microsoft Team or Office 365 Group if it doesn’t have sophisticated processes wrapped around it
  3. If it doesn’t need collaboration, then publish it to an intranet publishing area such as the HR site or a Document Centre
  4. If you need to shared externally and consider a dedicated extranet, though OneDrive for Business could be used for non-sensitive content
  5. Anything which isn’t reliant on storing the document could be done using Yammer or email

 

There is no harm in embedding the above in a governance or user guide which is actively shared with your users. The better they understand where to put their content the easier it will be to find things later and much easier to keep everything managed.

Leave a comment

Filed under Cloud, Content management, Intranet, Office 365

Extending the perimeter – thoughts on establishing Collaboration in cloud vs on-premise

Understanding the file sharing collaborative products available from Microsoft

We tend to split file sharing and collaboration into 2 categories, real-time and non-real-time.

Microsoft’s core real-time tool is a Lync which is available both online and on premise. Lync users are able to is to message each other, people’s availability via real-time presence linked to their Exchange Server calendar and elevate discussions from text to voice over IP with supporting video and/or screen sharing. Lync is a great tool for meetings, team briefings and small groups working together on activities in real-time.

For off-line use the traditional way would be to store documents on file servers and, due to limitation of file servers, distribute documents and other content that needs to be worked on or approved via email. The new approach utilises a combination of SharePoint and OneDrive for Business (which actually also uses SharePoint under the hood). SharePoint allows Microsoft Office documents and other types of file to be stored in libraries and worked on by multiple users at the same time. Some key features include genuine multi-author editing in many cases (up to 16 authors can have the same Word document open for editing simultaneously); support for sophisticated metadata including document status (e.g. draft, awaiting review, published, expired); version control and approvals; the ability to send a link to the document via email without sending the whole document. Collaboration extends to other kinds of content, such as lists of information rather than documents, and can include other things such as shared calendars, tasks and more.

Generally, SharePoint is used for formal corporate collaboration, internal processes and team collaboration. It is possible to include an extranet solution within SharePoint to allow collaboration with people outside the organisation. Recommended best practice is for this to be a separate set of sites within a separate site collection. For this to work with an on premise SharePoint farm there needs to be a route to the SharePoint environment from the Internet through the organisation’s firewalls.

OneDrive for Business can be used to support collaboration with external parties or for informal collaboration activities and is a cloud solution only.

The other core collaboration technology, in our opinion, is OneNote. Our best practice recommendation is to have multiple OneNote notebooks, and to store these in SharePoint or OneDrive. We find that one notebook per collaboration site works very well and provides a real-time information capture, note taking and semi-structured knowledge capture tool.

Understanding the ease of deployment of an internal HyperV cloud based solution,

Although organisations talk about internal clouds or private clouds, the reality is that the crowd benefits don’t really manifest themselves until organisations have large farms running where the individual HyperV servers can take on or switch roles according to the load on the farm as a whole. We rarely see this for farms under about 12 servers, which is substantially more infrastructure and is required for this kind of deployment.

Nevertheless, installing SharePoint on-site requires a considerable amount of investment. Key steps are:

  • design farm architecture
  • provision Windows servers on HyperV
  • source SharePoint Server licenses
  • Install SharePoint Server on HyperV servers
  • configure SharePoint server instances, including permissions, site collections, templates etc.
  • source SharePoint Client Access Licenses and allocate

Only the last 2 items would be required using the Office 365 platform

Once installed, and on premise farm requires around 20% of an FTE to provide ongoing admin for the farm and the application.

Understating the security functionality / configurability in both the HyperV cloud solution vs Office 365 cloud options.

SharePoint security is a massive discussion in its own right. The summary version is as follows:

SharePoint maintains a sophisticated internal security model that provides granular access based on permission groups (which may be tied to or interact with Active Directory groups), supports security trimming (which prevents users seeing any content to which they have no access) and assigns different rights (such as view, edit, approve) to different roles and allows different roles to be assigned to different artefacts (sites, lists, libraries etc.) throughout the application.

Access to SharePoint is via a standard logon process. For on premise solutions this is usually based on the users Active Directory/Windows credentials, providing single sign-on. For cloud solutions there is an option to synchronise these credentials or to employ full Active Directory Federation which gives the same single sign-on option.

On premise solutions (e.g. a HyperV farm) are protected from the outside world by the organisation’s standard perimeter security, i.e. firewalls, threat protection and prevention. While this is often considered to be secure, the issue with this is that any content that needs to be accessed remotely or shared with 3rd parties have to circumvent this perimeter protection and this sharing rarely have strong governance; the extranet option referred to above requires holes to be created in the firewall etc. which can present a risk not only to the SharePoint farm and content but conceivably to other applications as well if not managed correctly.

Cloud solutions, including Office 365, generally has a much more sophisticated perimeter security solution. Furthermore the physical security of the server farm is far greater than can be easily achieved by most organisations with an on premise solution. Communication with the cloud solution is encrypted via SSL certificates (https:) and there is an option to enable encryption of the database. There is also an option to employ 2 factor authentication, which is achieved using a one-time code delivered via text message or using an authenticator app on a smart phone. We recommend using this sparingly as is option interferes with the ease of access to information for users, who will typically revert to less secure methods in response. The cloud solution includes an option to enable external sharing without compromising any of the organisations applications; Best practice still needs to be adhered to to protect the content within the SharePoint environment as noted above.

Security within the SharePoint application is, to all intents and purposes, the same whether on premise or in the cloud. In most cases an Office 365 environment is as secure as an on premise environment; while it is exposed to more potential threats from the intranet this is balanced by more sophisticated threat prevention built into the environment. In cases where the solution is only required for internal, on premise collaboration an argument could be made that an on premise solution can be made more secure; however when external sharing is required Solution has the benefit of segregating itself from other business applications, reducing the threat surface and avoiding compromise to the organisations network perimeter while enabling external collaboration and remote working.

This position is backed up by a number of security certifications for Office 365 and other cloud solutions. This includes an announcement from the EU in April 2014 that Microsoft’s cloud contracts and infrastructure comply with EU privacy laws and the UK data protection act across all of their infrastructure (data centres in the US and Singapore are treated as being within Europe for these purposes under this clarification). Details can be found here: http://blogs.microsoft.com/blog/2014/04/10/privacy-authorities-across-europe-approve-microsofts-cloud-commitments/

Organisations are wise to do appropriate diligence and research on the security capabilities of cloud offerings. However cloud services have matured over the last 5 years and the Microsoft ones are considered to be particularly strong. There are few reasons to reject cloud solutions out of hand on the basis of security; many financial institutions, multinationals and other organisations with commercially or legally sensitive information are committing their content to the cloud, with appropriate safeguards (which can include tools such as AvePoint’s compliance Guardian which can monitor what is being uploaded).

In reality most organisations employee local security and network security that is, at best, no better than cloud solutions. As ever the single greatest threat is the action of staff, and this needs to be addressed equally strongly regardless of the location of the application.

Leave a comment

Filed under Cloud, SharePoint