spsri - sharing the point in an a/d world
TRANSCRIPT
Sharing the Point in an A/D & Commercial World Security & Governance Lessons Learned
November 2013
Jared Matfess
About Me
SharePoint Administrator at United Technologies Corporation
10+ years in the IT field, 0 book deals.
President of the CT SharePoint User Grouphttp://www.ctspug.org
Blog: www.JaredMatfess.com
Twitter: @JaredMatfess
E-mail: [email protected]
2
Agenda
- Overview of United Technologies Corporation
- Security Model Journey
- Governance
- Social
3
4
5
Background Information
• June 2012, United Technologies has entered into a consent agreement to settle violations of the AECA and ITAR in connection with the unauthorized export and transfer of defense articles, to include technical data, and the unauthorized provision of defense services to various countries, including proscribed destinations.
• UTC developed new core focus on International Trade Compliance
http://www.pmddtc.state.gov/compliance/consent_agreements/UTC.html
6
The Start to Our SharePoint Adventure
7
• Immediate reaction was to separate users based on US Person vs Non-US Person status and not allow cross-collaboration
• Anonymous “departmental” sites would be allowed but require content approval & publishing processes
Beginning of our Security Model Journey
8
Technical Implementation
• Created web applications and set user policies that would “Deny All” to users that did not meet the container requirements.
• Relied on global Active Directory Groups such as “All Domain Users”.
9
What About Claims??
• Microsoft convinced us to create claims-based Web Applications
• Worked with Scot Hillier to develop a custom claims provider to augment Windows token with Active Directory attribute values.
• If US Person = Yes & Work Location = US, person meets US Person claim for access to ITAR data
• Leverage Claims for the Web Application “Deny All” rules
Great TechNet Article (written by Scot & Ted Pattinson)http://msdn.microsoft.com/en-us/library/gg615945.aspx
10
Some gotcha’s…
Deny All
• Service Accounts – Farm, Backup Software, Crawl account
• Support Staff - SharePoint Farm Administrators, IT Help Desk, etc
User Data
• Logic needs to include handling of value being NULL
• Source data should be clean and complete
11
Security Model – Roles & Permissions
Role Overview Permissions
Site Power User Business Power User who owns the site
Add/Update/Delete items but no Manage List*, Create Subsites, Groups, or Permissions capability
IT Power User Non-SharePoint Team Full Control but no style sheets or theme mgmt.
Contributor (No Delete) Business user Contribute but no delete items
InfoPath Form Submitter Form submitter Add items
Web Analytics Viewer Manager role who needs metrics
View Web Analytics
12
Limitations of the Site Power User
We will talk about this more later on in the presentation.
13
Site Request Process Feeds Security Model
- InfoPath form captures key site metadata
- Provisioning process writes data to Hidden List & Property Bag
- Site requests reviewed weekly
14
Security Model - Visual Cues
- Identified security model training need for end-users
- Benchmarked against Microsoft Best Practice- Site Risk (High / Medium / Low)
- Reviewed historical data escapes and identified “not knowing” as a reason for inappropriate files being posted on file share
15
Security Model - Visual Cues
1. Site Classification cue – defines what type of data is allowed or disallowed per the site request process
2. Site Information button – displays metadata about the site
3. Report Inappropriate content button – provides a list of avenues for reporting information that a user deems is inappropriate
1
2 3
16
Site Classification cue
- Friendly cue to educate users to the classification of the site – is it locked down to US Persons only? US Export Tech Data allowed/disallowed
- Delegate control placed on master page<SharePoint:DelegateControl runat="server" ControlId=“Your Control Name" AllowMultipleControls="false"/>
- Displays either control based on Web Application name
17
Site Information button (Version 1)
- Friendly cue to display overall information about the site – data owner, site owner, department, etc
- Delegate control placed on master page<SharePoint:DelegateControl runat="server" ControlId=“Your Control Name" AllowMultipleControls="false"/>
- JQuery to read from hidden list and display values in table
18
Site Information button – Lessons Learned
- We liked having the site metadata available in a hidden list because:- End users wouldn’t accidentally re-classify the site- You could index the data and perform custom search queries
- We discovered we needed a process to update the site metadata beyond just a Help Desk ticket
- As part of site provisioning we had been writing the information to both the hidden list as well as the site collection property bag*
19
Report Inappropriate Content button
- Popup window that provides employees options for reporting content
- Delegate control placed on master page
- Originated through discussions with HR about My Sites
Content Excluded
20
The pain of “Manage Lists”
Question: What is SharePoint?
Short Answer: Lists & Libraries
21
Why we took it away?
Content Approval
Mandatory Content Types
22
End user feedback
23
Build or Buy?
1. Continue to enforce through process and delegated administration (didn’t feel like an option)
2. Build a comprehensive solution- Event receivers - Timer jobs- PowerShell Scripts
3. Purchase a third party solution
24
AvePoint – Governance Automation
- Service catalog to the business- Site collection, list, & document library creation- Site metadata management- Site collection lifecycle management
25
Highlights of our solution
AvePoint Compliance Guardian:
Rules engine for taking action on document classification.
AvePoint’s DocAve Policy Enforcer:
Enforcement engine to clean up legacy sites as well as ensure delegated administration adheres to policies.
AvePoint’s DocAve Governance
Automation:
Allows end users to create lists/libraries without Manage List capability through automated workflow process.
26
Demo
27
Governance is King
Three most important decisions to make:
• Permissions – what level of access will you give users?
• Quotas – will you enforce quotas to corral the sprawl?
• Development / 3rd Party Applications – yes/no/maybe?
Blog Post by Me: http://wp.me/pj1do-5U
28
Our Governance
• Permissions – lots of custom roles & permissions
• Quotas • 250 MB file upload
• Small / Medium / Large / Jumbo site quotas
• Development / 3rd Party Applications • Dev / QA / Prod deployment cycle
• Code review by 3rd party Senior Developer
• Lots of politics to buy 3rd Party tools
29
Social
Main areas of concern:
1) Inappropriate comments being made
2) Unprofessional profile photos being set
3) EU Privacy Laws based on employee data being stored in separate system
4) “Who can see what profile data”?
5) “We want people to agree to legal disclosure.”
30
“The Great Production Pilot”
- People mostly post “can you see this” on other people’s note boards
- Unprofessional photos will be set (and removed when asked)
- Not enabling My Content really limits the usefulness of My Sites
- Without incentive most My Sites are abandoned within the first few weeks
31
End User Licensing Agreement
- Create delegate control (code that fires prior to page load) that checks user profile property
- If not checked – provide popup window / If checked continue and allow the user to navigate the site collection
32
Current status
- Available mostly in North America
- About 2,000 users have edited their profile
- Opportunities exist with the integration of Goodrich into our Enterprise
- European deployment pending discussions with “Works Councils”
33
Summary
- Security is always a journey – people love it when you restrict their access
- Governance is important – but you need something to govern
- Big companies aren’t always super social
34
Thanks for listening…
Blog: www.JaredMatfess.com
Twitter: @JaredMatfess
E-mail: [email protected]
Connecticut SharePoint Users Grouphttp://www.ctspug.org
Thanks to our sponsors! And you.
One final note
• Fill out your evaluation form & turn for the big raffle (tablet)
• SharePint next door (American) 5:30pm• Don’t forget WaterFire downtown tonight!