Case Study: United Technologies Corporation
10 Things we did to lock down SharePoint Collaboration
November 2013
Jared Matfess

Thank you sponsors!
About Me
- SharePoint Administrator at United Technologies Corporation
- 10+ years in the IT field, 0 book deals.
- President of the CT SharePoint User Group
- Blog:

Agenda
- Overview of United Technologies Corporation
- The 10 Steps towards more secure collaboration

Background Information
In June 2012, United Technologies entered into a consent agreement to settle violations of the AECA and ITAR in connection with the unauthorized export and transfer of defense articles, to include technical data, and the unauthorized provision of defense services to various countries, including proscribed destinations.
UTC developed a new core focus on International Trade Compliance.

SharePoint Security & Governance at United Technologies Corporation

Technical Data
The federal Export Administration Regulations (EAR) and International Traffic In Arms Regulations (ITAR) control the export of certain commodities, software, technical data and certain other information to foreign countries. The EAR and the ITAR can restrict the furnishing of information, technical data and software to foreign persons, whether this takes place abroad or in the United States.

The Role of Corporate
- Policies, Standards, Consulting
- Shared Services: User Profile, Managed Metadata, Search*
- Hosting of cross-business unit sites
- Host of business unit homepages

The Beginning of our Security Model Journey

Step 1: User Separation by Web Application
Collaboration Farm:
- US Persons Only
- US/FN Non-tech Data
- US/FN Tech Data

Technical Implementation
- Created web applications and set user policies that would Deny All to users that did not meet the container requirements.
- Relied on global Active Directory Groups such as All Domain Users

What About Claims??
- Microsoft convinced us to create claims-based Web Applications
- Worked with Scot Hillier to develop a custom claims provider to augment the Windows token with Active Directory attribute values
- If US Person = Yes & Work Location = US, person meets US Person claim for access to ITAR data
- Leverage Claims for the Web Application Deny All rules
- Great TechNet Article (written by Scot & Ted Pattison)

Some gotchas…
Deny All
- Service Accounts: Farm, Backup Software, Crawl account
- Support Staff: SharePoint Farm Administrators, IT Help Desk, etc.
User Data
- Logic needs to include handling of value being NULL
- Source data should be clean and complete

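The claim rule and the NULL-handling gotcha above, as an added example that is not part of the original slides or of UTC's claims provider: a fail-closed check in Python over constructed directory records. The attribute keys (`usPerson`, `workLocation`), the service account names, and the choice to exempt those accounts from Deny All are assumptions made for illustration.

```python
# Added example: fail-closed evaluation of the US Person claim.
# Attribute keys, account names and sample records are constructed, not UTC's.
from dataclasses import dataclass
from typing import Optional

# Accounts that must not be caught by the Deny All policy (hypothetical names).
EXEMPT_ACCOUNTS = {"svc-spfarm", "svc-backup", "svc-crawl"}


def _norm(value: Optional[str]) -> Optional[str]:
    """Trim and upper-case an attribute; NULL, empty and blank all become None."""
    if value is None:
        return None
    value = value.strip().upper()
    return value or None


@dataclass
class Decision:
    account: str
    us_person_claim: bool  # True only when both attributes positively match
    deny: bool             # True when the Deny All policy applies
    reason: str


def evaluate(account: str, attrs: dict) -> Decision:
    if account.lower() in EXEMPT_ACCOUNTS:
        return Decision(account, False, False, "exempt service account")
    us_person = _norm(attrs.get("usPerson"))
    location = _norm(attrs.get("workLocation"))
    if us_person is None or location is None:
        # Missing source data never grants the claim; flag it for cleanup.
        return Decision(account, False, True, "incomplete source data")
    if us_person == "YES" and location == "US":
        return Decision(account, True, False, "meets US Person claim")
    return Decision(account, False, True, "does not meet US Person claim")


def data_quality_report(directory: dict) -> list:
    """Accounts denied only because their attributes are NULL or blank."""
    return sorted(a for a, attrs in directory.items()
                  if evaluate(a, attrs).reason == "incomplete source data")


# Constructed sample directory records.
SAMPLE = {
    "alice": {"usPerson": "Yes", "workLocation": "US"},
    "bob": {"usPerson": "Yes", "workLocation": None},
    "carol": {"usPerson": " yes ", "workLocation": "us"},
    "dave": {"usPerson": "No", "workLocation": "US"},
    "erin": {"workLocation": "US"},
    "svc-crawl": {},
}
```

Running `data_quality_report(SAMPLE)` lists the accounts whose access depends on fixing the source data rather than on their actual status.
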
Step 2: Integrate Site Request with Security Model
- InfoPath form captures key site metadata
- Provisioning process writes data to Hidden List & Property Bag
- Site requests reviewed weekly

ProTip: A Process Can Always be Improved
- Work with your customers to improve your process
- Groom them to be your SharePoint Ambassadors

Step 3: Site Classification cue
- Friendly cue to educate users to the classification of the site – is it locked down to US Persons only? US Export Tech Data allowed/disallowed
- Delegate control placed on master page
- Displays either control based on Web Application name

Step 4: Site Information button
- Friendly cue to display overall information about the site – data owner, site owner, department, etc.
- Delegate control placed on master page
- jQuery to read from hidden list and display values in table

Site Information button – Lessons Learned
- We liked having the site metadata available in a hidden list because:
  - End users wouldn't accidentally re-classify the site
  - You could index the data and perform custom search queries
- We discovered we needed a process to update the site metadata beyond just a Help Desk ticket
- As part of site provisioning we had been writing the information to both the hidden list as well as the site collection property bag*

Original Approach
Using the SharePoint CSOM API to get a Property Bag value (Jeremy Thake)

Step 5: Report Inappropriate Content button
- Popup window that provides employees options for reporting content
- Delegate control placed on master page
- Originated through discussions with HR about My Sites
[Content Excluded]

Security Model - Visual Cues Summary
1. Site Classification cue – defines what type of data is allowed or disallowed per the site request process
2. Site Information button – displays metadata about the site
3. Report Inappropriate Content button – provides a list of avenues for reporting information that a user deems inappropriate

Step 6: Limitations of the Site Power User

Security Model – Roles & Permissions
Role | Overview | Permissions
Site Power User | Business Power User who owns the site | Add/Update/Delete items but no Manage List*, Create Subsites, Groups, or Permissions capability
IT Power User | Non-SharePoint Team | Full Control but no style sheets or theme mgmt.
Contributor (No Delete) | Business user | Contribute but no delete items
InfoPath Form Submitter | Form submitter | Add items
Web Analytics Viewer | Manager role who needs metrics | View Web Analytics

Step 7: Forced classification for documents
Our message to the Government is: We want users to be accountable.

The pain of Manage Lists
Question: What is SharePoint?
Short Answer: Lists & Libraries

Why we took it away?
- Content Approval
- Mandatory Content Types

End user feedback

Step 8 – Prototype & Consider Scale
- First Production Pilot consisted of a SharePoint Designer workflow that would route all documents for initial upload & edit to an approver
- Portability proved to be a big problem
- Someone did the math for how much time people would spend approving documents in a collaboration site
- The setup for each site collection would require a full-time person doing nothing but site collection configuration

Build or Buy?
1. Continue to enforce through process and delegated administration (didn't feel like an option)
2. Build a comprehensive solution
   - Event receivers
   - Timer jobs
   - PowerShell Scripts
3. Purchase a third party solution

Decision: AvePoint Partnership

Governance Automation
- Request List Workflow
- Security Trimming based on site collection access
- Reference List Template in service

Compliance Guardian
- If a user selects "Yes" for the Technical Data column, AvePoint's Compliance Guardian will delete the file and send a user notification.
- If a user selects "I don't know" for the Technical Data column, AvePoint's Compliance Guardian will quarantine the file and send a user notification.

File Quarantine Notification

Quarantine Manager
The Quarantine Manager can be found in the Site Settings section.
Quarantine Managers can:
- Edit the properties
- Restore the file
- Permanently delete

Policy Enforcer
- Timer jobs without all the fuss
- Periodic scans/fixes
- 40 built-in rules, SDK for more!
Business use: Enable content approval on all document libraries on everyone sites.

Solution Summary
- List/Library creation through defined workflow (Governance Automation)
- Periodic scans for compliance (Policy Enforcer)
- Column Action Policies for delete or quarantine (Compliance Guardian)
- Reporting on user activity (Report Center)
Scalable & Repeatable Process!

Step 9: Customized Training
- Security isn't easy or fun, so try to make it enjoyable
- Role based training was much more effective than SharePoint Foundations 1
- Lots of hand-holding in the beginning

Step 10: Make it easy where possible
Implemented auto-classification where the Jurisdiction & Classification are set to "Nontechnical" when Technical Data is set to "No"

Security Model Journey Next Steps
- Leverage AvePoint Policy Enforcer to check if List/Libraries have mandatory columns
- Restore Manage List to Power Users
- Continue to educate and grow the Power User base
- Increase reporting/visibility of rejected documents

Summary
- SharePoint Security is difficult but there are options
- Prototype with simple solutions but always test for scale
- Communication & training plans are the keys to success
- Don't be afraid of process improvement
- They did name it SharePoint for a reason

Thanks for listening…
Blog:
Connecticut SharePoint Users Group