Notes from the fieldHow Carolinas HealthCare System

Governs SharePointSeptember 2016

9/17/2016 2

9/17/2016 3

9/17/2016 4

9/17/2016 5

Who am I?

• Kelly D. Jones– Carolinas HealthCare System

• SharePoint Architect & SP Team Manager– 18+ years industry experience; 10+ SharePoint

• My blog: http://www.KellyDJones.com

• Twitter: @KellyDJones

9/17/2016 6

Agenda

• Why this presentation?

• What is Carolinas HealthCare System?

• The CHS SharePoint governance story– Where we started– Where we are– Where we’re going

9/17/2016 7

Why this presentation?

• Introductions to governance tend to focus on theory:– Governance is the set of policies, roles, responsibilities, and

processes that control how an organization's business divisions and IT teams work together to achieve its goals. – MS Technet

• Need for real world examples of governance• Need for real world examples of taming the wild west– Why was governance introduced?– How was governance implemented?– What problems did governance solve?

• Is the way we govern the best? Is it all directly applicable to you? – Probably not. Pick and choose what makes sense.

9/17/2016 8

What is CHS?Carolinas HealthCare System (http://www.carolinashealthcare.org)

9/17/2016 9

CHS – Where we started (2011)

So what massive SharePoint farm was supporting CHS?

• Number of servers in farm:

• Version of SharePoint:

• 70+:

• 2000+

One. (SharePoint + SQL Server)

WSS 3.0 (“free” version of SharePoint 2007)

Web applications.1 site collection had 330+ top level sub sites

Sub sites in 70+ site collections

9/17/2016 10

CHS – Where we started (2011) cont.• SharePoint 2010 was set up as a POC

– 1 SharePoint 2010 server– 2 SQL Server 2008 servers in a cluster

• Consulting firm was engaged:– Migrate WSS to SP2010– Estimated to take six weeks

That’s me.

9/17/2016 11

Migrating to 2010 – Backing into governance

• How many sites do we have?• What functionality is in use?• What customizations have been done?• Who do we talk to about this site? Who’s the owner?

9/17/2016 12

Step 1. Take an inventory

• Created a list of all web applications, site collections, sub sites, solutions

• Sub sites– Site owners– Size: amount of data, number

of lists, number of documents– Templates used– Is anonymous enabled?

• Web applications– DNS address– User policies

• Site collections– Address– Site Collection Admins– Size

9/17/2016 13

Step 2. Store that inventory

• Output of PowerShell can be XML or CSV

• Store them in Excel or SharePoint List?– We manually imported them from Excel into an SP List– Our PowerShell eventually could populate the list directly

9/17/2016 14

Step 3. Analyze data: What we found?• Fab 40 site templates• Lots of sites with “test” as part of title or URL• Sites with anonymous access• Sites storing sensitive data• One site collection with

– 330+ top level sub sites– 2,000+ total sub sites– 2,000+ SharePoint groups

• Users built Word documents that were simply a list of links to documents stored in the same SP library (views?)

• 98% of the usage was a glorified file share

9/17/2016 15

Step 4. Technical Enforcement

• Limited site collection administrators to the central SharePoint team– Gained control of SharePoint Designer options (and disabled it)– Gained control of SC features– Gained control of branding– Gained control of auditing settings– Gained control of sandbox solutions

• Set quotas on site collections– Improved database management– Improved stability – no more SQL running out of room and

bringing farm to a halt

9/17/2016 16

Step 5. Owner Policy Changes

• Defined site owners for site collections, not subsites– Many options/decisions are at the site collection level

• Auditing• Allowing sensitive data or not

– Instantly reduced number of owners from thousands to hundreds• Identify site owners

– Found owners by looking in the “Owners” group of the root site within a site collection (aka: tag you’re it!)

• Categorized owners– Data Owners– Primary Site Owner– Secondary Site Owner

9/17/2016 17

Step 6. Site Management List

• Turned list of site collections into the “Site Management List”

• Track status of site – new, renewed, read only, archived, deleted

• New Site Request and Site Update Forms allows owners to:– Submit names of new owners– Set the data classification (sensitive or not)– Can state site no longer needed

• Renewal process– Require owners to update their site info annually

9/17/2016 18

Step 7. Information Architecture Changes

• Split up large site collection– Turned each of the 300 into separate site collections

• Consolidated from 70+ to 1 web application– Eliminated vanity URLs

• Simplified communications about SharePoint• Eliminated issues with DNS changes

– Technical issues with that many web apps– Microsoft recommends no more than 10 per farm– Microsoft suggests that if you need more than 2-4, you’re doing

it wrong

9/17/2016 19

Step 8. Standard Branding

• Reinforce CHS brand to all teammates (meeting marketing goals)

• Reminds users this is a CHS property• Eliminates garish color schemes

– Reduces non productive time spent by owners (we hope they focus on their content and not the color scheme for the site)

• Added “alert” functionality– SP team can make a message appear on any site with different

colors– Great way to notify about outages or upcoming site moves

Lesson Learned: Branding should be as “lite” touch as possible.

• Think through how you will deploy changes to all site collections.• Test your branding with all site templates.• Be ready with an alternative if the branding breaks a particular site.

9/17/2016 20

Migrations, Migrations, Migrations!

• Upgrade from WSS 3.0 to SharePoint 2010– November 2011 until July 2012 (SP2010 Transition farm)

• 3 SP2010 servers + 2 node SQL cluster

– July 2012 until July 2013 (SP2010 Production farm)• 8 SP2010 servers + 2 FAST + 3 SQL (2 node cluster + AlwaysOn)

• SharePoint 2010 to SharePoint Online– CHS decided to go 100% to SharePoint Online in June 2013

• Goal is to be migrated by: 12/2013; 3/2014; 7/2014; 10/2015– Actual migration of sites: January 2015 through June 2016– Currently decommissioning SharePoint 2010 on premise

9/17/2016 22

Current Environment: Office 365• Office 365

– CHS decided to go 100% to SharePoint Online in June 2013– 40k users licensed with E3 plan

• Exchange, SharePoint, OneDrive, Yammer (Skype is on prem)

• SharePoint Online – 725 Production Site Collections– 2.9TB SharePoint; 3.7TB OneDrive– Data Storage Growth

• 20% from 2011 until 2014 (WSS 3.0 & SP2010)• 100% for 2014 (SP2010 & SharePoint Online)• 30% for 2015 (SharePoint Online only)• 260% for 2015 (SharePoint Online & OneDrive)• 165% for 2016 (SharePoint Online only)• 152% for 2016 (SharePoint Online & OneDrive)

9/17/2016 23

New Governance Goals

• Providing more information to users to increase their understanding of our policies

• Reinforce ownership at the site collection level

• Address compliance concerns about new functionality

9/17/2016 24

Governance Updates

• New issues to address– External Sharing– File synchronization– SharePoint App Store– Promoted sites on Sites page– OneDrive automatic deletion

• Opportunity to address existing issues– Site Owners don’t know what they “own”

• Many site collections versus many sub sites

9/17/2016 25

About This Site

• Everyone can view:– Who the owners are– Whether sensitive data can

be stored there– A description of the site,

reinforcing its intended purpose

– Whether external sharing or SharePoint Designer are enabled

– Link for owners to update info

9/17/2016 26

New Security Reports

• Goal is to increase accurate permissions• External Sharing Report

– List all external users– What address the invitation was sent to– What email address accepted the invitation

• Permissions Report– More easily identify people who should no longer have access– Highlight problem areas – like too many full control users

• Active Directory Group Report– If sensitive data is present, how do owners know who is in an AD

group?

9/17/2016 27

Permission Reports ReviewData Tier Classification

External Sharing Enabled? Schedule

Tier 1 Yes MonthlyTier 1 No Bi-monthly (every other month)Tier 2 Yes QuarterlyTier 2 No Six monthsTier 3 Yes AnnuallyTier 3 No Annually

9/17/2016 28

File Synchronization

• Using OneDrive for Business client users can synchronize the contents of any library to a non CHS controlled device

• Compliance Issues:– No requirement for local encryption– No requirement that the data is remotely wiped when someone

is no longer with CHS• Solution:

– Built a utility to disable file sync on each and every library in SharePoint Online and OneDrive

9/17/2016 29

• Microsoft apologized at Microsoft Ignite (May 2015)– Poor user experience (buggy) with OneDrive for Business Sync

Client– Lack of compliance controls

• Released 2nd Half of 2015:– PowerShell command to restrict sync client to work only with

computers joined to a domain

– OneDrive for Business Next Generation Sync Client• Microsoft is combining all sync clients into one code base

(OneDrive, OneDrive for Business, Mac Client)• Much better stability, recoverability, and selective sync

File Synchronization - UPDATE

Lesson Learned: Explorer View• Attractive alternative to file sync (NOT REALLY)• Only works with IE• Users can seriously mess up their sites

• “I don’t need folder”• Not changing work habits that are 20+ years old

9/17/2016 30

SharePoint Designer

• Added checkbox on site request form – owners can now ask for Designer to be enabled

• Owners will be reminded:– Designer can lead to site outages if not used correctly– Any Full Control users can use Designer– Support time may increase due to Designer issues taking longer

to troubleshoot (reverse engineer) and resolve• CHS will still require standard branding• Why allow it now?

– CHS has a pent up demand for business process automation

9/17/2016 31

Audit Logs

• CHS written utility will insure audit log configuration is consistent across all site collections

• Reports will be surfaced to site owners so they can review (along with permissions reports)

• CHS didn’t enable on all SharePoint 2010 sites due to overhead – only enabled on sensitive site collections

• Overhead is now a Microsoft concern, so auditing will be enabled

9/17/2016 32

One Last Thing• Attempting to engage our users at a higher level

– Not just break/fix– Let us help you take advantage of SharePoint

• Moving quick questions to eLearning– reduce burden on help desk

• Improving eLearning– Rebuilt site to improve usability– Added Brainstorm videos– Added tutorials to share longer answers to commonly asked

questions (some include Skype video recordings)• Taking advantage of Yammer

– Q/A, Announcements, Tips

9/17/2016 33

9/17/2016 34

Blog: http://www.kellydjones.com

Twitter mentions are appreciated: @kellydjones

Thank you!

Any Questions?