SPSRI - Sharing the Point in an A/D World
Download as PPTX, PDF1 like416 views
United Technologies Corporation implemented a new security model for their SharePoint environment after violations of export laws. They created claims-based web applications to separate users based on whether they were US persons or not, and deny access across applications. They also implemented governance policies around permissions, quotas, and third party applications. Finally, they addressed social collaboration concerns around inappropriate content and privacy when implementing My Sites and profiles.
SPSRI - Sharing the Point in an A/D World
- 1. Sharing the Point in an A/D & Commercial World Security & Governance Lessons Learned November 2013 Jared Matfess
- 2. About Me SharePoint Administrator at United Technologies Corporation 10+ years in the IT field, 0 book deals. President of the CT SharePoint User Group http://www.ctspug.org Blog: www.JaredMatfess.com Twitter: @JaredMatfess E-mail: Jared.Matfess@outlook.com 2
- 3. Agenda - Overview of United Technologies Corporation - Security Model Journey - Governance - Social 3
- 4. 4
- 5. Background Information • June 2012, United Technologies has entered into a consent agreement to settle violations of the AECA and ITAR in connection with the unauthorized export and transfer of defense articles, to include technical data, and the unauthorized provision of defense services to various countries, including proscribed destinations. • UTC developed new core focus on International Trade Compliance http://www.pmddtc.state.gov/compliance/consent_agreements/UTC.html 5
- 6. The Start to Our SharePoint Adventure 6
- 7. Beginning of our Security Model Journey • Immediate reaction was to separate users based on US Person vs NonUS Person status and not allow cross-collaboration • Anonymous “departmental” sites would be allowed but require content approval & publishing processes 7
- 8. Technical Implementation • Created web applications and set user policies that would “Deny All” to users that did not meet the container requirements. • Relied on global Active Directory Groups such as “All Domain Users”. 8
- 9. What About Claims?? • Microsoft convinced us to create claims-based Web Applications • Worked with Scot Hillier to develop a custom claims provider to augment Windows token with Active Directory attribute values. • If US Person = Yes & Work Location = US, person meets US Person claim for access to ITAR data • Leverage Claims for the Web Application “Deny All” rules Great TechNet Article (written by Scot & Ted Pattinson) http://msdn.microsoft.com/en-us/library/gg615945.aspx 9
- 10. Some gotcha’s… Deny All • Service Accounts – Farm, Backup Software, Crawl account • Support Staff - SharePoint Farm Administrators, IT Help Desk, etc User Data • Logic needs to include handling of value being NULL • Source data should be clean and complete 10
- 11. Security Model – Roles & Permissions Role Overview Permissions Site Power User Business Power User who owns the site Add/Update/Delete items but no Manage List*, Create Subsites, Groups, or Permissions capability IT Power User Non-SharePoint Team Full Control but no style sheets or theme mgmt. Contributor (No Delete) Business user Contribute but no delete items InfoPath Form Submitter Form submitter Add items Web Analytics Viewer Manager role who needs metrics View Web Analytics 11
- 12. Limitations of the Site Power User We will talk about this more later on in the presentation. 12
- 13. Site Request Process Feeds Security Model - InfoPath form captures key site metadata - Provisioning process writes data to Hidden List & Property Bag - Site requests reviewed weekly 13
- 14. Security Model - Visual Cues - Identified security model training need for end-users - Benchmarked against Microsoft Best Practice - Site Risk (High / Medium / Low) - Reviewed historical data escapes and identified “not knowing” as a reason for inappropriate files being posted on file share 14
- 15. Security Model - Visual Cues 1 2 3 1. Site Classification cue – defines what type of data is allowed or disallowed per the site request process 2. Site Information button – displays metadata about the site 3. Report Inappropriate content button – provides a list of avenues for reporting information that a user deems is inappropriate 15
- 16. Site Classification cue - Friendly cue to educate users to the classification of the site – is it locked down to US Persons only? US Export Tech Data allowed/disallowed - Delegate control placed on master page <SharePoint:DelegateControl runat="server" ControlId=“Your Control Name" AllowMultipleControls="false"/> - Displays either control based on Web Application name 16
- 17. Site Information button (Version 1) - Friendly cue to display overall information about the site – data owner, site owner, department, etc - Delegate control placed on master page <SharePoint:DelegateControl runat="server" ControlId=“Your Control Name" AllowMultipleControls="false"/> - JQuery to read from hidden list and display values in table 17
- 18. Site Information button – Lessons Learned - We liked having the site metadata available in a hidden list because: - End users wouldn’t accidentally re-classify the site - You could index the data and perform custom search queries - We discovered we needed a process to update the site metadata beyond just a Help Desk ticket - As part of site provisioning we had been writing the information to both the hidden list as well as the site collection property bag* 18
- 19. Report Inappropriate Content button Content Excluded - Popup window that provides employees options for reporting content - Delegate control placed on master page - Originated through discussions with HR about My Sites 19
- 20. The pain of “Manage Lists” Question: What is SharePoint? Short Answer: Lists & Libraries 20
- 21. Why we took it away? Content Approval Mandatory Content Types 21
- 23. Build or Buy? 1. Continue to enforce through process and delegated administration (didn’t feel like an option) 2. Build a comprehensive solution - Event receivers - Timer jobs - PowerShell Scripts 3. Purchase a third party solution 23
- 24. AvePoint – Governance Automation - Service catalog to the business - Site collection, list, & document library creation - Site metadata management - Site collection lifecycle management 24
- 25. Highlights of our solution 25
- 26. Demo 26
- 27. Governance is King Three most important decisions to make: • Permissions – what level of access will you give users? • Quotas – will you enforce quotas to corral the sprawl? • Development / 3rd Party Applications – yes/no/maybe? Blog Post by Me: http://wp.me/pj1do-5U 27
- 28. Our Governance • Permissions – lots of custom roles & permissions • Quotas • 250 MB file upload • Small / Medium / Large / Jumbo site quotas • Development / 3rd Party Applications • Dev / QA / Prod deployment cycle • Code review by 3rd party Senior Developer • Lots of politics to buy 3rd Party tools 28
- 29. Social Main areas of concern: 1) Inappropriate comments being made 2) Unprofessional profile photos being set 3) EU Privacy Laws based on employee data being stored in separate system 4) “Who can see what profile data”? 5) “We want people to agree to legal disclosure.” 29
- 30. “The Great Production Pilot” - People mostly post “can you see this” on other people’s note boards - Unprofessional photos will be set (and removed when asked) - Not enabling My Content really limits the usefulness of My Sites - Without incentive most My Sites are abandoned within the first few weeks 30
- 31. End User Licensing Agreement - Create delegate control (code that fires prior to page load) that checks user profile property - If not checked – provide popup window / If checked continue and allow the user to navigate the site collection 31
- 32. Current status - Available mostly in North America - About 2,000 users have edited their profile - Opportunities exist with the integration of Goodrich into our Enterprise - European deployment pending discussions with “Works Councils” 32
- 33. Summary - Security is always a journey – people love it when you restrict their access - Governance is important – but you need something to govern - Big companies aren’t always super social 33
- 34. Thanks for listening… Blog: www.JaredMatfess.com Twitter: @JaredMatfess E-mail: Jared.Matfess@outlook.com Connecticut SharePoint Users Group http://www.ctspug.org 34