Sps Albany Matfess

8/10/2019 Sps Albany Matfess

1/42

Case Study: United Technologies Corporation10 Things we did to lock down SharePoint Collaboration

November 2013

Jared Matfess


2/42

Thank you sponsors!


3/42

About Me

SharePoint Administrator at United Technologies Corporation

10+ years in the IT field, 0 book deals.

President of the CT SharePoint User Group

http://www.ctspug.org

Blog: www.JaredMatfess.com

Twitter: @JaredMatfess

E-mail: [email protected]

3
http://www.ctspug.org/http://www.jaredmatfess.com/mailto:[email protected]:[email protected]://www.jaredmatfess.com/http://www.ctspug.org/


4/42

Agenda

- Overview of United Technologies Corporation

- The 10 Steps towards more secure collaboration

4


5/42

5


6/42

6

Background Information

June 2012, United Technologies has entered into a consent agreement

to settle violations of the AECA and ITAR in connection with the

unauthorized export and transfer of defense articles, to include

technical data, and the unauthorized provision of defense services to

various countries, including proscribed destinations.

UTC developed new core focus on International Trade Compliance

http://www.pmddtc.state.gov/compliance/consent_agreements/UTC.html


7/42

SharePoint Security & Governance at United Technologies Corporation

7

Technical Data

The federal Export Administration Regulations (EAR) and International

Traffic In Arms Regulations (ITAR) control the export of certain

commodities, software, technical data and certain other information to

foreign countries. The EAR and the ITAR can restrict the furnishing of

information, technical data and software to foreign persons, whether this

takes place abroad or in the United States.


8/42

SharePoint Security & Governance at United Technologies Corporation8

The Role of Corporate

Policies, Standards, Consulting

Shared Services

User Profile

Managed Metadata

Search*

Hosting of cross-business unit sites

Host of business unit homepages


9/42


The Beginning of our Security Model Journey


10/42


Step 1: User Separation by Web Application

Collaboration

Farm

US Persons

Only

US/FN Non-

tech Data

US/FN Tech

Data


11/42

11

Technical Implementation

Created web applications and set user policies that would Deny All to

users that did not meet the container requirements.

Relied on global Active Directory Groups such as All Domain Users


12/42

12

What About Claims??

Microsoft convinced us to create claims-based Web Applications

Worked with Scot Hillier to develop a custom claims provider to augment

Windows token with Active Directory attribute values. If US Person = Yes & Work Location = US, person meets US Person claim for

access to ITAR data

Leverage Claims for the Web Application Deny All rules

Great TechNet Article (written by Scot & Ted Pattinson)

http://msdn.microsoft.com/en-us/library/gg615945.aspx
http://msdn.microsoft.com/en-us/library/gg615945.aspxhttp://msdn.microsoft.com/en-us/library/gg615945.aspxhttp://msdn.microsoft.com/en-us/library/gg615945.aspxhttp://msdn.microsoft.com/en-us/library/gg615945.aspxhttp://msdn.microsoft.com/en-us/library/gg615945.aspx


13/42

13

Some gotchas

Deny All

Service AccountsFarm, Backup Software, Crawl account

Support Staff - SharePoint Farm Administrators, IT Help Desk, etc

User Data

Logic needs to include handling of value being NULL

Source data should be clean and complete


14/42

14

Step 2: Integrate Site Request with Security Model

- InfoPath form captures key

site metadata

- Provisioning process

writes data to Hidden List& Property Bag

- Site requests reviewed

weekly


15/42


ProTip: A Process Can Always be Improved

Work with your customers to improve your process

Groom them to be your SharePoint Ambassadors


16/42

16

Step 3: Site Classification cue

- Friendly cue to educate users to the classification of the siteis it locked

down to US Persons only? US Export Tech Data allowed/disallowed

- Delegate control placed on master page


17/42

17

Step 4: Site Information button

- Friendly cue to display overall information about the sitedata owner, site

owner, department, etc



18/42

18

Site Information buttonLessons Learned

- We liked having the site metadata available in a hidden list because:

- End users wouldnt accidentally re-classify the site

- You could index the data and perform custom search queries

- We discovered we needed a process to update the site metadata beyond

just a Help Desk ticket

- As part of site provisioning we had been writing the information to both the

hidden list as well as the site collection property bag*


19/42


http://goo.gl/emfLVi

Original Approach

Using the SharePoint CSOM API to get a Property Bag value

Jeremy Thake


20/42

20

Step 5: Report Inappropriate Content button

- Popup window that provides employees options for reporting content


- Originated through discussions with HR about My Sites

Content Exc luded


21/42

21

Security Model - Visual Cues Summary

1. Site Classification cuedefines what type of data is allowed or

disallowed per the site request process

2. Site Information buttondisplays metadata about the site

3. Report Inappropriate content buttonprovides a list of avenues forreporting information that a user deems is inappropriate

1

2 3


22/42

22

Step 6: Limitations of the Site Power User


23/42

23

Security ModelRoles & Permissions

Role Overview Permissions

Site Power User Business Power User who

owns the site

Add/Update/Delete items

but no Manage List*,

Create Subsites, Groups, or

Permissions capability

IT Power User Non-SharePoint Team Full Control but no stylesheets or theme mgmt.

Contributor (No Delete) Business user Contribute but no delete

items

InfoPath Form Submitter Form submitter Add items

Web Analytics Viewer Manager role who needsmetrics

View Web Analytics


24/42

24

Step 7: Forced classification for documents

Our message to the Government is: We want users to be accountable.


25/42

25

The pain of Manage Lists

Question: What is SharePoint?

Short Answer: Lists & Libraries


26/42

26

Why we took it away?

Content Approval

Mandatory Content Types


27/42

27

End user feedback


28/42

28

Step 8Prototype & Consider Scale

- First Production Pilot consisted of a SharePoint Designer workflow that

would route all documents for initial upload & edit to an approver

- Portability proved to be a big problem

- Someone did the math for how much time people would spend approvingdocuments in a collaborationsite

- The setup for each site collection would require a full time person doing

nothing but site collection configuration


29/42

29

Build or Buy?

1. Continue to enforce through process and delegated administration

(didnt feel like an option)

2. Build a comprehensive solution

- Event receivers

- Timer jobs

- PowerShell Scripts

3. Purchase a third party solution


30/42

30

Decision: AvePoint Partnership


31/42

31

Governance Automation

- Request List Workflow

- Security Trimming based on site collection access

- Reference List Template in service


32/42

32

Compliance Guardian

- If a user selects Yes for the Technical Data column, AvePoints

Compliance Guardian will delete the file and send a user notification.

- If a user selects I dont know for the Technical Data column, AvePoints

Compliance Guardian will quarantinethe file and send a user

notification.


33/42

33

File Quarantine Notification


34/42

34

Quarantine Manager

http://site/_layouts/CCS.QuarantineManager/QuarantineManager.aspx

The Quarantine Manager can be found in the Site Settings section:


35/42

35

Quarantine Manager

Quarantine Managers can

- Edit the properties

- Restore the file

- Permanently delete


36/42


Policy Enforcer

- Timer jobs without all the fuss

- Periodic scans/fixes

- 40 built-in rules, SDK for more!

Business use: Enable content approval on all document libraries on

everyone sites.


37/42

37

Solution Summary

- List/Library creation through defined workflow (Governance Automation)

- Periodic scans for compliance (Policy Enforcer)

- Column Action Policies for delete or quarantine (Compliance Guardian)

- Reporting on user activity (Report Center)

Scalable & Repeatable Process!


38/42

38

Step 9: Customized Training

- Security isnt easy or fun, so try to make it enjoyable

- Role based training was much more effective than

SharePoint Foundations 1

- Lots of hand-holding in the beginning


39/42

39

Step 10: Make it easy where possible

Implemented auto-classification where the Jurisdiction & Classification

are set to Nontechnical when Technical Data is set to No


40/42


Security Model Journey Next Steps

- Leverage AvePoint Policy Enforcer to check if List/Libraries have mandatory

columns

- Restore Manage List to Power Users

- Continue to educate and grow the Power User base

- Increase reporting/visibility of rejected documents


41/42


Summary

- SharePoint Security is difficult but there are options

- Prototype with simple solutions but always test for scale

- Communication & training plans are the keys to success

- Dont be afraid of process improvement

- They did name it SharePoint for a reason


42/42

Thanks for listening

Blog: www.JaredMatfess.com

Twitter: @JaredMatfess

E-mail: [email protected]

Connecticut SharePoint Users Group

http://www.ctspug.org
http://www.jaredmatfess.com/mailto:[email protected]://www.ctspug.org/http://www.ctspug.org/http://www.ctspug.org/http://www.ctspug.org/http://www.ctspug.org/mailto:[email protected]://www.jaredmatfess.com/

Documents

Sps Albany Matfess