Upload
ronitraje
View
216
Download
0
Embed Size (px)
Citation preview
8/10/2019 Sps Albany Matfess
1/42
Case Study: United Technologies Corporation10 Things we did to lock down SharePoint Collaboration
November 2013
Jared Matfess
8/10/2019 Sps Albany Matfess
2/42
Thank you sponsors!
8/10/2019 Sps Albany Matfess
3/42
About Me
SharePoint Administrator at United Technologies Corporation
10+ years in the IT field, 0 book deals.
President of the CT SharePoint User Group
http://www.ctspug.org
Blog: www.JaredMatfess.com
Twitter: @JaredMatfess
E-mail: [email protected]
3
http://www.ctspug.org/http://www.jaredmatfess.com/mailto:[email protected]:[email protected]://www.jaredmatfess.com/http://www.ctspug.org/8/10/2019 Sps Albany Matfess
4/42
Agenda
- Overview of United Technologies Corporation
- The 10 Steps towards more secure collaboration
4
8/10/2019 Sps Albany Matfess
5/42
5
8/10/2019 Sps Albany Matfess
6/42
6
Background Information
June 2012, United Technologies has entered into a consent agreement
to settle violations of the AECA and ITAR in connection with the
unauthorized export and transfer of defense articles, to include
technical data, and the unauthorized provision of defense services to
various countries, including proscribed destinations.
UTC developed new core focus on International Trade Compliance
http://www.pmddtc.state.gov/compliance/consent_agreements/UTC.html
8/10/2019 Sps Albany Matfess
7/42
SharePoint Security & Governance at United Technologies Corporation
7
Technical Data
The federal Export Administration Regulations (EAR) and International
Traffic In Arms Regulations (ITAR) control the export of certain
commodities, software, technical data and certain other information to
foreign countries. The EAR and the ITAR can restrict the furnishing of
information, technical data and software to foreign persons, whether this
takes place abroad or in the United States.
8/10/2019 Sps Albany Matfess
8/42
SharePoint Security & Governance at United Technologies Corporation8
The Role of Corporate
Policies, Standards, Consulting
Shared Services
User Profile
Managed Metadata
Search*
Hosting of cross-business unit sites
Host of business unit homepages
8/10/2019 Sps Albany Matfess
9/42
SharePoint Security & Governance at United Technologies Corporation9
The Beginning of our Security Model Journey
8/10/2019 Sps Albany Matfess
10/42
SharePoint Security & Governance at United Technologies Corporation10
Step 1: User Separation by Web Application
Collaboration
Farm
US Persons
Only
US/FN Non-
tech Data
US/FN Tech
Data
8/10/2019 Sps Albany Matfess
11/42
11
Technical Implementation
Created web applications and set user policies that would Deny All to
users that did not meet the container requirements.
Relied on global Active Directory Groups such as All Domain Users
8/10/2019 Sps Albany Matfess
12/42
12
What About Claims??
Microsoft convinced us to create claims-based Web Applications
Worked with Scot Hillier to develop a custom claims provider to augment
Windows token with Active Directory attribute values. If US Person = Yes & Work Location = US, person meets US Person claim for
access to ITAR data
Leverage Claims for the Web Application Deny All rules
Great TechNet Article (written by Scot & Ted Pattinson)
http://msdn.microsoft.com/en-us/library/gg615945.aspx
http://msdn.microsoft.com/en-us/library/gg615945.aspxhttp://msdn.microsoft.com/en-us/library/gg615945.aspxhttp://msdn.microsoft.com/en-us/library/gg615945.aspxhttp://msdn.microsoft.com/en-us/library/gg615945.aspxhttp://msdn.microsoft.com/en-us/library/gg615945.aspx8/10/2019 Sps Albany Matfess
13/42
13
Some gotchas
Deny All
Service AccountsFarm, Backup Software, Crawl account
Support Staff - SharePoint Farm Administrators, IT Help Desk, etc
User Data
Logic needs to include handling of value being NULL
Source data should be clean and complete
8/10/2019 Sps Albany Matfess
14/42
14
Step 2: Integrate Site Request with Security Model
- InfoPath form captures key
site metadata
- Provisioning process
writes data to Hidden List& Property Bag
- Site requests reviewed
weekly
8/10/2019 Sps Albany Matfess
15/42
SharePoint Security & Governance at United Technologies Corporation15
ProTip: A Process Can Always be Improved
Work with your customers to improve your process
Groom them to be your SharePoint Ambassadors
8/10/2019 Sps Albany Matfess
16/42
16
Step 3: Site Classification cue
- Friendly cue to educate users to the classification of the siteis it locked
down to US Persons only? US Export Tech Data allowed/disallowed
- Delegate control placed on master page
8/10/2019 Sps Albany Matfess
17/42
17
Step 4: Site Information button
- Friendly cue to display overall information about the sitedata owner, site
owner, department, etc
- Delegate control placed on master page
8/10/2019 Sps Albany Matfess
18/42
18
Site Information buttonLessons Learned
- We liked having the site metadata available in a hidden list because:
- End users wouldnt accidentally re-classify the site
- You could index the data and perform custom search queries
- We discovered we needed a process to update the site metadata beyond
just a Help Desk ticket
- As part of site provisioning we had been writing the information to both the
hidden list as well as the site collection property bag*
8/10/2019 Sps Albany Matfess
19/42
SharePoint Security & Governance at United Technologies Corporation19
http://goo.gl/emfLVi
Original Approach
Using the SharePoint CSOM API to get a Property Bag value
Jeremy Thake
8/10/2019 Sps Albany Matfess
20/42
20
Step 5: Report Inappropriate Content button
- Popup window that provides employees options for reporting content
- Delegate control placed on master page
- Originated through discussions with HR about My Sites
Content Exc luded
8/10/2019 Sps Albany Matfess
21/42
21
Security Model - Visual Cues Summary
1. Site Classification cuedefines what type of data is allowed or
disallowed per the site request process
2. Site Information buttondisplays metadata about the site
3. Report Inappropriate content buttonprovides a list of avenues forreporting information that a user deems is inappropriate
1
2 3
8/10/2019 Sps Albany Matfess
22/42
22
Step 6: Limitations of the Site Power User
8/10/2019 Sps Albany Matfess
23/42
23
Security ModelRoles & Permissions
Role Overview Permissions
Site Power User Business Power User who
owns the site
Add/Update/Delete items
but no Manage List*,
Create Subsites, Groups, or
Permissions capability
IT Power User Non-SharePoint Team Full Control but no stylesheets or theme mgmt.
Contributor (No Delete) Business user Contribute but no delete
items
InfoPath Form Submitter Form submitter Add items
Web Analytics Viewer Manager role who needsmetrics
View Web Analytics
8/10/2019 Sps Albany Matfess
24/42
24
Step 7: Forced classification for documents
Our message to the Government is: We want users to be accountable.
8/10/2019 Sps Albany Matfess
25/42
25
The pain of Manage Lists
Question: What is SharePoint?
Short Answer: Lists & Libraries
8/10/2019 Sps Albany Matfess
26/42
26
Why we took it away?
Content Approval
Mandatory Content Types
8/10/2019 Sps Albany Matfess
27/42
27
End user feedback
8/10/2019 Sps Albany Matfess
28/42
28
Step 8Prototype & Consider Scale
- First Production Pilot consisted of a SharePoint Designer workflow that
would route all documents for initial upload & edit to an approver
- Portability proved to be a big problem
- Someone did the math for how much time people would spend approvingdocuments in a collaborationsite
- The setup for each site collection would require a full time person doing
nothing but site collection configuration
8/10/2019 Sps Albany Matfess
29/42
29
Build or Buy?
1. Continue to enforce through process and delegated administration
(didnt feel like an option)
2. Build a comprehensive solution
- Event receivers
- Timer jobs
- PowerShell Scripts
3. Purchase a third party solution
8/10/2019 Sps Albany Matfess
30/42
30
Decision: AvePoint Partnership
8/10/2019 Sps Albany Matfess
31/42
31
Governance Automation
- Request List Workflow
- Security Trimming based on site collection access
- Reference List Template in service
8/10/2019 Sps Albany Matfess
32/42
32
Compliance Guardian
- If a user selects Yes for the Technical Data column, AvePoints
Compliance Guardian will delete the file and send a user notification.
- If a user selects I dont know for the Technical Data column, AvePoints
Compliance Guardian will quarantinethe file and send a user
notification.
8/10/2019 Sps Albany Matfess
33/42
33
File Quarantine Notification
8/10/2019 Sps Albany Matfess
34/42
34
Quarantine Manager
http://site/_layouts/CCS.QuarantineManager/QuarantineManager.aspx
The Quarantine Manager can be found in the Site Settings section:
8/10/2019 Sps Albany Matfess
35/42
35
Quarantine Manager
Quarantine Managers can
- Edit the properties
- Restore the file
- Permanently delete
8/10/2019 Sps Albany Matfess
36/42
SharePoint Security & Governance at United Technologies Corporation36
Policy Enforcer
- Timer jobs without all the fuss
- Periodic scans/fixes
- 40 built-in rules, SDK for more!
Business use: Enable content approval on all document libraries on
everyone sites.
8/10/2019 Sps Albany Matfess
37/42
37
Solution Summary
- List/Library creation through defined workflow (Governance Automation)
- Periodic scans for compliance (Policy Enforcer)
- Column Action Policies for delete or quarantine (Compliance Guardian)
- Reporting on user activity (Report Center)
Scalable & Repeatable Process!
8/10/2019 Sps Albany Matfess
38/42
38
Step 9: Customized Training
- Security isnt easy or fun, so try to make it enjoyable
- Role based training was much more effective than
SharePoint Foundations 1
- Lots of hand-holding in the beginning
8/10/2019 Sps Albany Matfess
39/42
39
Step 10: Make it easy where possible
Implemented auto-classification where the Jurisdiction & Classification
are set to Nontechnical when Technical Data is set to No
8/10/2019 Sps Albany Matfess
40/42
SharePoint Security & Governance at United Technologies Corporation40
Security Model Journey Next Steps
- Leverage AvePoint Policy Enforcer to check if List/Libraries have mandatory
columns
- Restore Manage List to Power Users
- Continue to educate and grow the Power User base
- Increase reporting/visibility of rejected documents
8/10/2019 Sps Albany Matfess
41/42
SharePoint Security & Governance at United Technologies Corporation41
Summary
- SharePoint Security is difficult but there are options
- Prototype with simple solutions but always test for scale
- Communication & training plans are the keys to success
- Dont be afraid of process improvement
- They did name it SharePoint for a reason
8/10/2019 Sps Albany Matfess
42/42
Thanks for listening
Blog: www.JaredMatfess.com
Twitter: @JaredMatfess
E-mail: [email protected]
Connecticut SharePoint Users Group
http://www.ctspug.org
http://www.jaredmatfess.com/mailto:[email protected]://www.ctspug.org/http://www.ctspug.org/http://www.ctspug.org/http://www.ctspug.org/http://www.ctspug.org/mailto:[email protected]://www.jaredmatfess.com/