1. Sharing the Point in an A/D & Commercial World
Security & Governance Lessons Learned
November 2013
Jared Matfess
2. About Me
SharePoint Administrator at United Technologies Corporation
10+ years in the IT field, 0 book deals.
President of the CT SharePoint User Group
http://www.ctspug.org
Blog: www.JaredMatfess.com
Twitter: @JaredMatfess
E-mail: Jared.Matfess@outlook.com
5. Background Information
• In June 2012, United Technologies entered into a consent agreement
to settle violations of the AECA and ITAR in connection with the
unauthorized export and transfer of defense articles, including
technical data, and the unauthorized provision of defense services to
various countries, including proscribed destinations.
• UTC developed new core focus on International Trade Compliance
http://www.pmddtc.state.gov/compliance/consent_agreements/UTC.html
7. Beginning of our Security Model Journey
• Immediate reaction was to separate users based on US Person vs Non-US Person status and not allow cross-collaboration
• Anonymous “departmental” sites would be allowed but require content
approval & publishing processes
8. Technical Implementation
• Created web applications and set user policies that would “Deny All” to
users that did not meet the container requirements.
• Relied on global Active Directory Groups such as “All Domain Users”.
9. What About Claims??
• Microsoft convinced us to create claims-based Web Applications
• Worked with Scot Hillier to develop a custom claims provider to augment
Windows token with Active Directory attribute values.
• If US Person = Yes & Work Location = US, person meets US Person claim for
access to ITAR data
• Leverage Claims for the Web Application “Deny All” rules
Great TechNet Article (written by Scot & Ted Pattison)
http://msdn.microsoft.com/en-us/library/gg615945.aspx
10. Some gotchas…
Deny All
• Service Accounts – Farm, Backup Software, Crawl account
• Support Staff - SharePoint Farm Administrators, IT Help Desk, etc.
User Data
• Logic needs to include handling of value being NULL
• Source data should be clean and complete
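The US Person rule from slide 9 combined with the NULL-handling gotcha above, as an added example that is not code from the presentation or from the custom claims provider it describes. The attribute names, the Yes/No encoding and the sample accounts are assumptions.

```csharp
using System;
using System.Collections.Generic;

// Added illustration; the value encoding and sample accounts are constructed.
enum Decision { MeetsUsPersonClaim, DoesNotMeet, UnknownDenied }

static class UsPersonRule
{
    // Normalise a directory value: null, empty and whitespace all mean "no data".
    static string Norm(string v) =>
        string.IsNullOrWhiteSpace(v) ? null : v.Trim().ToUpperInvariant();

    // Rule from the slide: US Person = Yes AND Work Location = US.
    // Missing or unrecognised values fail closed and are reported as unknown,
    // so dirty source data shows up instead of being silently compared.
    public static Decision Evaluate(string usPerson, string workLocation)
    {
        string p = Norm(usPerson), loc = Norm(workLocation);
        if (p == null || loc == null) return Decision.UnknownDenied;
        if (p != "YES" && p != "NO") return Decision.UnknownDenied; // dirty data
        return (p == "YES" && loc == "US")
            ? Decision.MeetsUsPersonClaim
            : Decision.DoesNotMeet;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed accounts: (name, US Person attribute, Work Location attribute).
        var accounts = new List<(string Name, string UsPerson, string Loc)>
        {
            ("alice",     "Yes", "US"),
            ("bob",       "Yes", "DE"),
            ("carol",     "No",  "US"),
            ("dave",      null,  "US"),  // HR feed never populated the value
            ("erin",      "Y",   "US"),  // unexpected encoding in source data
            ("svc-crawl", null,  null),  // service account with no HR record
        };
        foreach (var a in accounts)
            Console.WriteLine($"{a.Name,-10} {UsPersonRule.Evaluate(a.UsPerson, a.Loc)}");
    }
}
```

The last row shows why the crawl account is on the gotcha list: with no HR attributes it evaluates as unknown, so a “Deny All” rule catches it unless it is handled explicitly.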
11. Security Model – Roles & Permissions
Role | Overview | Permissions
Site Power User | Business Power User who owns the site | Add/Update/Delete items but no Manage List*, Create Subsites, Groups, or Permissions capability
IT Power User | Non-SharePoint Team | Full Control but no style sheets or theme mgmt.
Contributor (No Delete) | Business user | Contribute but no delete items
InfoPath Form Submitter | Form submitter | Add items
Web Analytics Viewer | Manager role who needs metrics | View Web Analytics
12. Limitations of the Site Power User
We will talk about this more later on in the presentation.
13. Site Request Process Feeds Security Model
- InfoPath form captures key
site metadata
- Provisioning process
writes data to Hidden List
& Property Bag
- Site requests reviewed
weekly
14. Security Model - Visual Cues
- Identified security model training need for end-users
- Benchmarked against Microsoft Best Practice
- Site Risk (High / Medium / Low)
- Reviewed historical data escapes and identified “not knowing” as a
reason for inappropriate files being posted on file share
15. Security Model - Visual Cues
1. Site Classification cue – defines what type of data is allowed or
disallowed per the site request process
2. Site Information button – displays metadata about the site
3. Report Inappropriate content button – provides a list of avenues for
reporting information that a user deems is inappropriate
16. Site Classification cue
- Friendly cue to educate users to the classification of the site – is it locked
down to US Persons only? US Export Tech Data allowed/disallowed
- Delegate control placed on master page
<SharePoint:DelegateControl runat="server" ControlId="Your Control Name" AllowMultipleControls="false"/>
- Displays either control based on Web Application name
17. Site Information button (Version 1)
- Friendly cue to display overall information about the site – data owner, site
owner, department, etc.
- Delegate control placed on master page
<SharePoint:DelegateControl runat="server" ControlId="Your Control Name" AllowMultipleControls="false"/>
- JQuery to read from hidden list and display values in table
18. Site Information button – Lessons Learned
- We liked having the site metadata available in a hidden list because:
- End users wouldn’t accidentally re-classify the site
- You could index the data and perform custom search queries
- We discovered we needed a process to update the site metadata beyond
just a Help Desk ticket
- As part of site provisioning we had been writing the information to both the
hidden list as well as the site collection property bag*
19. Report Inappropriate Content button
Content Excluded
- Popup window that provides employees options for reporting content
- Delegate control placed on master page
- Originated through discussions with HR about My Sites
20. The pain of “Manage Lists”
Question: What is SharePoint?
Short Answer: Lists & Libraries
21. Why we took it away?
Content Approval
Mandatory Content Types
23. Build or Buy?
1. Continue to enforce through process and delegated administration
(didn’t feel like an option)
2. Build a comprehensive solution
- Event receivers
- Timer jobs
- PowerShell Scripts
3. Purchase a third party solution
24. AvePoint – Governance Automation
- Service catalog to the business
- Site collection, list, & document library creation
- Site metadata management
- Site collection lifecycle management
27. Governance is King
Three most important decisions to make:
• Permissions – what level of access will you give users?
• Quotas – will you enforce quotas to corral the sprawl?
• Development / 3rd Party Applications – yes/no/maybe?
Blog Post by Me: http://wp.me/pj1do-5U
28. Our Governance
• Permissions – lots of custom roles & permissions
• Quotas
• 250 MB file upload
• Small / Medium / Large / Jumbo site quotas
• Development / 3rd Party Applications
• Dev / QA / Prod deployment cycle
• Code review by 3rd party Senior Developer
• Lots of politics to buy 3rd Party tools
29. Social
Main areas of concern:
1) Inappropriate comments being made
2) Unprofessional profile photos being set
3) EU Privacy Laws based on employee data being stored in separate
system
4) “Who can see what profile data”?
5) “We want people to agree to legal disclosure.”
30. “The Great Production Pilot”
- People mostly post “can you see this” on other people’s note boards
- Unprofessional photos will be set (and removed when asked)
- Not enabling My Content really limits the usefulness of My Sites
- Without incentive most My Sites are abandoned within the first few
weeks
31. End User Licensing Agreement
- Create delegate control (code that fires prior to page load) that
checks user profile property
- If not checked – provide popup window / If checked continue and
allow the user to navigate the site collection
32. Current status
- Available mostly in North America
- About 2,000 users have edited their profile
- Opportunities exist with the integration of Goodrich into our
Enterprise
- European deployment pending discussions with “Works Councils”
33. Summary
- Security is always a journey – people love it when you restrict their
access
- Governance is important – but you need something to govern
- Big companies aren’t always super social
34. Thanks for listening…
Blog: www.JaredMatfess.com
Twitter: @JaredMatfess
E-mail: Jared.Matfess@outlook.com
Connecticut SharePoint Users Group
http://www.ctspug.org
Editor's Notes
Information about UTC and the consent agreement is freely available on the Internet.
* Mention the Plumtree migration to SharePoint
Web Application security model – US only & US/FN no-tech data