Case Study: United Technologies Corporation
“10 Things we did to lock down SharePoint Collaboration”
November 2013
Jared Matfess
Thank you sponsors!
About Me
SharePoint Administrator at United Technologies Corporation
10+ years in the IT field, 0 book deals.
President of the CT SharePoint User Group: http://www.ctspug.org
Blog: www.JaredMatfess.com
Twitter: @JaredMatfess
E-mail: [email protected]
Agenda
- Overview of United Technologies Corporation
- The “10 Steps” towards more secure collaboration
Background Information
• In June 2012, United Technologies entered into a consent agreement to settle violations of the AECA and ITAR in connection with the unauthorized export and transfer of defense articles, including technical data, and the unauthorized provision of defense services to various countries, including proscribed destinations.
• UTC developed new core focus on International Trade Compliance
http://www.pmddtc.state.gov/compliance/consent_agreements/UTC.html
SharePoint Security & Governance at United Technologies Corporation
Technical Data
The federal Export Administration Regulations (“EAR”) and International Traffic In Arms Regulations (“ITAR”) control the export of certain commodities, software, technical data and certain other information to foreign countries. The EAR and the ITAR can restrict the furnishing of information, technical data and software to foreign persons, whether this takes place abroad or in the United States.
The Role of Corporate
• Policies, Standards, Consulting
• Shared Services
  • User Profile
  • Managed Metadata
  • Search*
• Hosting of cross-business unit sites
• Host of business unit homepages
The Beginning of our Security Model Journey
Step 1: User Separation by Web Application
Collaboration Farm
- US Persons Only
- US/FN Non-tech Data
- US/FN Tech Data
Technical Implementation
• Created web applications and set user policies that would “Deny All” to users that did not meet the container requirements.
• Relied on global Active Directory Groups such as “All Domain Users”
What About Claims??
• Microsoft convinced us to create claims-based Web Applications
• Worked with Scot Hillier to develop a custom claims provider to augment Windows token with Active Directory attribute values.
• If US Person = Yes & Work Location = US, person meets US Person claim for access to ITAR data
• Leverage Claims for the Web Application “Deny All” rules
Great TechNet article (written by Scot & Ted Pattison): http://msdn.microsoft.com/en-us/library/gg615945.aspx
Some gotchas…
Deny All
• Service Accounts – Farm, Backup Software, Crawl account
• Support Staff - SharePoint Farm Administrators, IT Help Desk, etc.
User Data
• Logic needs to include handling of value being NULL
• Source data should be clean and complete
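The augmentation rule and the two “Deny All” gotchas above, modelled as an added example (not UTC’s code or the claims provider from the linked article); the AD attribute names, the claim name, the web application names and the exempt account list are assumptions, and the directory extract is constructed:

```python
"""Model of the claim augmentation rule and the "Deny All" gotchas described above.
Added example, not UTC's code. Attribute names, claim name, web application names and
exempt accounts are assumptions; the directory extract is constructed."""
from typing import Dict, List, Optional, Set

US_PERSON_CLAIM = "uspersonstatus"  # assumed name of the augmented claim

# Constructed AD extract; values may be NULL or untidy, as the "User Data" gotcha warns.
DIRECTORY: Dict[str, Dict[str, Optional[str]]] = {
    "corp\\alice": {"USPerson": "Yes", "WorkLocation": "US"},
    "corp\\bob": {"USPerson": "Yes", "WorkLocation": "FR"},
    "corp\\carol": {"USPerson": None, "WorkLocation": "US"},  # NULL attribute
    "corp\\dave": {"USPerson": " yes ", "WorkLocation": "us"},  # untrimmed, odd case
    "corp\\erin": {"USPerson": "No", "WorkLocation": "US"},
    "corp\\svc_crawl": {"USPerson": None, "WorkLocation": None},  # crawl service account
}

# Accounts a blanket "Deny All" would otherwise break (farm, backup, crawl, farm admins; assumed names).
EXEMPT_ACCOUNTS: Set[str] = {"corp\\svc_farm", "corp\\svc_backup", "corp\\svc_crawl", "corp\\sp_admins"}

# Claim each container requires. The deck does not state the "US/FN Tech Data" rule, so it is left out.
WEB_APP_REQUIRED_CLAIM: Dict[str, Optional[str]] = {
    "US Persons Only": US_PERSON_CLAIM,
    "US/FN Non-tech Data": None,  # any authenticated domain user
}

def _norm(value: Optional[str]) -> Optional[str]:
    """NULL stays NULL; otherwise trim and upper-case so 'yes' and 'Yes ' compare equal."""
    if value is None:
        return None
    return value.strip().upper() or None

def augment_claims(attrs: Dict[str, Optional[str]]) -> Set[str]:
    """Claims to add to the Windows token; a NULL or unexpected value never grants the claim."""
    if _norm(attrs.get("USPerson")) == "YES" and _norm(attrs.get("WorkLocation")) == "US":
        return {US_PERSON_CLAIM}
    return set()

def web_app_allows(web_app: str, account: str, claims: Set[str]) -> bool:
    """Web application policy: unknown container denied, exempt accounts pass, else the claim is required."""
    if web_app not in WEB_APP_REQUIRED_CLAIM:
        return False
    if account in EXEMPT_ACCOUNTS:
        return True
    required = WEB_APP_REQUIRED_CLAIM[web_app]
    return required is None or required in claims

def can_access(web_app: str, account: str) -> bool:
    """End-to-end decision for an account in the directory; unknown accounts fail closed."""
    if account not in DIRECTORY and account not in EXEMPT_ACCOUNTS:
        return False
    return web_app_allows(web_app, account, augment_claims(DIRECTORY.get(account, {})))

def incomplete_records(directory: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """Data-quality check: non-exempt accounts whose source attributes are NULL or blank."""
    return sorted(acct for acct, attrs in directory.items() if acct not in EXEMPT_ACCOUNTS
                  and any(_norm(attrs.get(k)) is None for k in ("USPerson", "WorkLocation")))
```

Running `incomplete_records` against the real extract before the policy goes live is the check behind “source data should be clean and complete”: every account it lists will be denied access to the US Persons Only container.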
Step 2: Integrate Site Request with Security Model
- InfoPath form captures key site metadata
- Provisioning process writes data to Hidden List & Property Bag
- Site requests reviewed weekly
ProTip: A Process Can Always be Improved
• Work with your customers to improve your process
• Groom them to be your SharePoint “Ambassadors”
Step 3: Site Classification cue
- Friendly cue to educate users to the classification of the site – is it locked down to US Persons only? US Export Tech Data allowed/disallowed
- Delegate control placed on master page:
```xml
<SharePoint:DelegateControl runat="server" ControlId="Your Control Name" AllowMultipleControls="false" />
```
- Displays either control based on Web Application name
Step 4: Site Information button
- Friendly cue to display overall information about the site – data owner, site owner, department, etc.
- Delegate control placed on master page:
```xml
<SharePoint:DelegateControl runat="server" ControlId="Your Control Name" AllowMultipleControls="false" />
```
- jQuery to read from the hidden list and display the values in a table
Site Information button – Lessons Learned
- We liked having the site metadata available in a hidden list because:
  - End users wouldn’t accidentally re-classify the site
  - You could index the data and perform custom search queries
- We discovered we needed a process to update the site metadata beyond just a Help Desk ticket
- As part of site provisioning we had been writing the information to both the hidden list as well as the site collection property bag*
* Original approach: “Using the SharePoint CSOM API to get a Property Bag value” by Jeremy Thake (http://goo.gl/emfLVi). Great post!
Step 5: Report Inappropriate Content button
- Popup window that provides employees options for reporting content
- Delegate control placed on master page
- Originated through discussions with HR about My Sites
Security Model - Visual Cues Summary
1. Site Classification cue – defines what type of data is allowed or disallowed per the site request process
2. Site Information button – displays metadata about the site
3. Report Inappropriate content button – provides a list of avenues for reporting information that a user deems is inappropriate
Step 6: Limitations of the Site Power User
Security Model – Roles & Permissions
| Role | Overview | Permissions |
| --- | --- | --- |
| Site Power User | Business Power User who owns the site | Add/Update/Delete items but no Manage List*, Create Subsites, Groups, or Permissions capability |
| IT Power User | Non-SharePoint Team | Full Control but no style sheets or theme mgmt. |
| Contributor (No Delete) | Business user | Contribute but no delete items |
| InfoPath Form Submitter | Form submitter | Add items |
| Web Analytics Viewer | Manager role who needs metrics | View Web Analytics |
Step 7: Forced classification for documents
Our message to the Government is: “We want users to be accountable”.
The pain of “Manage Lists”
Question: What is SharePoint?
Short Answer: Lists & Libraries
Why we took it away
- Content Approval
- Mandatory Content Types
End user feedback
Step 8 – Prototype & Consider Scale
- First Production Pilot consisted of a SharePoint Designer workflow that would route all documents for initial upload & edit to an approver
- Portability proved to be a big problem
- Someone did the math for how much time people would spend approving documents in a collaboration site
- The setup for each site collection would require a full time person doing nothing but site collection configuration
Build or Buy?
1. Continue to enforce through process and delegated administration (didn’t feel like an option)
2. Build a comprehensive solution
   - Event receivers
   - Timer jobs
   - PowerShell scripts
3. Purchase a third party solution
Decision: AvePoint Partnership
AvePoint Compliance Guardian:
Rules engine for taking action on document classification.
AvePoint’s DocAve Policy Enforcer:
Enforcement engine to clean up legacy sites as well as ensure delegated administration adheres to policies.
AvePoint’s DocAve Governance Automation:
Allows end users to create lists/libraries without Manage List capability through automated workflow process.
Governance Automation
- Request List Workflow
- Security Trimming based on site collection access
- Reference List Template in service
Compliance Guardian
- If a user selects “Yes” for the Technical Data column, AvePoint’s Compliance Guardian will delete the file and send a user notification.
- If a user selects “I don’t know” for the Technical Data column, AvePoint’s Compliance Guardian will quarantine the file and send a user notification.
File Quarantine Notification
Quarantine Manager
http://site/_layouts/CCS.QuarantineManager/QuarantineManager.aspx
The Quarantine Manager can be found in the Site Settings section.
Quarantine Manager
Quarantine Managers can:
- Edit the properties
- Restore the file
- Permanently delete
Policy Enforcer
- Timer jobs without all the fuss
- Periodic scans/fixes
- 40 built-in rules, SDK for more!
Business use: Enable content approval on all document libraries on “everyone” sites.
Solution Summary
- List/Library creation through defined workflow (Governance Automation)
- Periodic scans for compliance (Policy Enforcer)
- Column Action Policies for delete or quarantine (Compliance Guardian)
- Reporting on user activity (Report Center)
Scalable & Repeatable Process!
Step 9: Customized Training
- Security isn’t easy or fun, so try to make it enjoyable
- Role based training was much more effective than “SharePoint Foundations 1”
- Lots of hand-holding in the beginning
Step 10: Make it easy where possible
Implemented auto-classification where Jurisdiction & Classification are set to Nontechnical when Technical Data is set to “No”.
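The Technical Data column policy from the Compliance Guardian slides together with this Step 10 auto-classification, as an added example that models the rules rather than AvePoint’s product or UTC’s configuration; the column names, the quarantine store, the re-evaluation on restore and the treatment of a missing value are assumptions, and the documents are constructed:

```python
"""Model of the Technical Data column policy from the Compliance Guardian and Step 10 slides.
Added example (not AvePoint's or UTC's code): column names, action names, the quarantine store
and the treatment of a missing value are assumptions; the documents are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Document:
    name: str
    uploader: str
    columns: Dict[str, Optional[str]]

@dataclass
class Outcome:
    action: str  # "delete", "quarantine" or "auto-classified"
    notice: Optional[str] = None  # text of the user notification, when one is sent

class ColumnPolicyEngine:
    """Applies the Technical Data rule on upload/edit and holds files for the Quarantine Manager."""

    def __init__(self) -> None:
        self.quarantine: Dict[str, Document] = {}
        self.notifications: List[str] = []

    def _notify(self, doc: Document, reason: str) -> str:
        notice = f"{doc.uploader}: '{doc.name}' {reason}"
        self.notifications.append(notice)
        return notice

    def apply(self, doc: Document) -> Outcome:
        raw = doc.columns.get("Technical Data") or ""
        value = raw.replace("\u2019", "'").strip().lower()  # choice text may carry a curly apostrophe
        if value == "yes":
            # Deck rule: technical data is not permitted here, so the file is removed and the user told.
            return Outcome("delete", self._notify(doc, "was deleted: technical data is not permitted on this site"))
        if value == "no":
            # Step 10: derive the other two columns so users are not asked for what can be inferred.
            doc.columns["Jurisdiction"] = "Nontechnical"
            doc.columns["Classification"] = "Nontechnical"
            return Outcome("auto-classified")
        # "I don't know" goes to quarantine for review; a missing or invalid value is treated the same (assumption).
        self.quarantine[doc.name] = doc
        reason = ("was quarantined pending review" if value == "i don't know"
                  else "was quarantined: the Technical Data column is missing or invalid")
        return Outcome("quarantine", self._notify(doc, reason))

    # Quarantine Manager actions listed in the deck: edit the properties, restore the file, permanently delete.
    def edit_properties(self, name: str, columns: Dict[str, str]) -> None:
        self.quarantine[name].columns.update(columns)

    def restore(self, name: str) -> Outcome:
        # Assumption: a restored file is re-evaluated, so a corrected column value takes effect.
        return self.apply(self.quarantine.pop(name))

    def permanently_delete(self, name: str) -> None:
        del self.quarantine[name]
```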
Security Model Journey Next Steps
- Leverage AvePoint Policy Enforcer to check if List/Libraries have mandatory columns
- Restore “Manage List” to Power Users
- Continue to educate and grow the Power User base
- Increase reporting/visibility of rejected documents
Summary
- SharePoint Security is difficult but there are options
- Prototype with simple solutions but always test for scale
- Communication & training plans are the keys to success
- Don’t be afraid of process improvement
- They did name it SharePoint for a reason
Thanks for listening…
Blog: www.JaredMatfess.com
Twitter: @JaredMatfess
E-mail: [email protected]
Connecticut SharePoint Users Group: http://www.ctspug.org