Sharing the Point in an A/D & Commercial World Security & Governance Lessons Learned November 2013 Jared Matfess

SPSRI - Sharing the Point in an A/D World


Page 1: SPSRI - Sharing the Point in an A/D  World

Sharing the Point in an A/D & Commercial World Security & Governance Lessons Learned

November 2013

Jared Matfess

Page 2: SPSRI - Sharing the Point in an A/D  World

About Me

SharePoint Administrator at United Technologies Corporation

10+ years in the IT field, 0 book deals.

President of the CT SharePoint User Group: http://www.ctspug.org

Blog: www.JaredMatfess.com

Twitter: @JaredMatfess

E-mail: [email protected]

Page 3: SPSRI - Sharing the Point in an A/D World

Agenda

- Overview of United Technologies Corporation

- Security Model Journey

- Governance

- Social

Page 4: SPSRI - Sharing the Point in an A/D World

Page 5: SPSRI - Sharing the Point in an A/D World

Background Information

• In June 2012, United Technologies entered into a consent agreement to settle violations of the AECA (Arms Export Control Act) and ITAR (International Traffic in Arms Regulations) in connection with the unauthorized export and transfer of defense articles, including technical data, and the unauthorized provision of defense services to various countries, including proscribed destinations.

• UTC developed a new core focus on International Trade Compliance

http://www.pmddtc.state.gov/compliance/consent_agreements/UTC.html

Page 6: SPSRI - Sharing the Point in an A/D World

The Start to Our SharePoint Adventure

Page 7: SPSRI - Sharing the Point in an A/D World

• The immediate reaction was to separate users based on US Person vs. Non-US Person status and not allow cross-collaboration

• Anonymous “departmental” sites would be allowed but require content approval & publishing processes

Beginning of our Security Model Journey

Page 8: SPSRI - Sharing the Point in an A/D World

Technical Implementation

• Created web applications and set user policies that would “Deny All” to users that did not meet the container requirements.

• Relied on global Active Directory Groups such as “All Domain Users”.

Page 9: SPSRI - Sharing the Point in an A/D World

What About Claims??

• Microsoft convinced us to create claims-based Web Applications

• Worked with Scot Hillier to develop a custom claims provider to augment Windows token with Active Directory attribute values.

• If US Person = Yes and Work Location = US, the user receives the US Person claim that grants access to ITAR data

• Leverage Claims for the Web Application “Deny All” rules

Great TechNet article (written by Scot & Ted Pattison): http://msdn.microsoft.com/en-us/library/gg615945.aspx

Page 10: SPSRI - Sharing the Point in an A/D World

Some gotchas…

Deny All

• Service Accounts – Farm, Backup Software, Crawl account

• Support Staff - SharePoint Farm Administrators, IT Help Desk, etc

User Data

• Claim logic needs to handle the attribute value being NULL

• Source data should be clean and complete
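The two slides above describe a rule (US Person = Yes and Work Location = US grants the US Person claim) and the two ways it bites in practice: attribute values that are NULL, and service or support accounts that a "Deny All" web application policy locks out. The following is an added Python model of that logic, not the deck's custom claims provider (a real SharePoint claims provider is a C# class deriving from SPClaimProvider and runs inside the farm). The attribute names, the claim type URI, the account names and the sample users are all assumptions constructed for the example.

```python
"""Simplified model of the US Person claim augmentation and the web
application "Deny All" policy described in the deck (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed claim type URI for the augmented "US Person" claim.
US_PERSON_CLAIM = "http://schemas.example.com/claims/usperson"


@dataclass(frozen=True)
class DirectoryUser:
    """Attribute values read from Active Directory; None models NULL."""
    account: str
    us_person: Optional[str]       # e.g. "Yes", "No" or None
    work_location: Optional[str]   # e.g. "US", "UK" or None


def augment_claims(user: DirectoryUser) -> frozenset:
    """Claims to add to the user's Windows token.

    Rule from the deck: US Person = Yes AND Work Location = US.
    A NULL (None) in either attribute fails closed: the claim is
    withheld instead of being treated as a match or raising an
    exception that would break sign-in for everyone.
    """
    if user.us_person is None or user.work_location is None:
        return frozenset()
    is_us_person = user.us_person.strip().lower() == "yes"
    in_us = user.work_location.strip().upper() == "US"
    return frozenset({US_PERSON_CLAIM}) if (is_us_person and in_us) else frozenset()


@dataclass(frozen=True)
class WebAppPolicy:
    """A web application's user policy: "Deny All" unless the required
    claim is present, plus explicit exemptions for the farm, crawl,
    backup and support accounts listed on the gotchas slide."""
    name: str
    required_claim: Optional[str]                  # None = no claim requirement
    exempt_accounts: frozenset = field(default_factory=frozenset)


def is_allowed(policy: WebAppPolicy, user: DirectoryUser) -> bool:
    """Authorization decision for one user against one web application."""
    if user.account.lower() in {a.lower() for a in policy.exempt_accounts}:
        return True   # service/support accounts would otherwise be denied
    if policy.required_claim is None:
        return True   # commercial container: open to all domain users
    return policy.required_claim in augment_claims(user)


# Constructed sample data (assumed names, not from the deck).
ITAR_APP = WebAppPolicy(
    name="itar-collab",
    required_claim=US_PERSON_CLAIM,
    exempt_accounts=frozenset({r"CORP\sp_farm", r"CORP\sp_crawl", r"CORP\sp_backup"}),
)
COMMERCIAL_APP = WebAppPolicy(name="commercial-collab", required_claim=None)

SAMPLE_USERS = {
    "alice": DirectoryUser(r"CORP\alice", "Yes", "US"),    # meets both conditions
    "bob":   DirectoryUser(r"CORP\bob", "Yes", "UK"),      # US person working abroad
    "carol": DirectoryUser(r"CORP\carol", None, "US"),     # HR attribute never populated
    "crawl": DirectoryUser(r"CORP\sp_crawl", None, None),  # service account, no HR data
}


def access_matrix() -> dict:
    """Map each sample user to (allowed on ITAR app, allowed on commercial app)."""
    return {
        name: (is_allowed(ITAR_APP, u), is_allowed(COMMERCIAL_APP, u))
        for name, u in SAMPLE_USERS.items()
    }


if __name__ == "__main__":
    for name, (itar, commercial) in access_matrix().items():
        print(f"{name:6s} ITAR={'allow' if itar else 'deny':5s} "
              f"commercial={'allow' if commercial else 'deny'}")
```

The crawl account illustrates why the exemption list matters: with no HR attributes it can never earn the claim, so without an explicit exemption the Deny All policy silently empties the search index for the ITAR container. Carol shows the NULL case: a missing attribute is treated as "not a US Person", which is the safe default for export-controlled data.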

Page 11: SPSRI - Sharing the Point in an A/D World

Security Model – Roles & Permissions

Role | Overview | Permissions
-----------------------------
Site Power User | Business Power User who owns the site | Add/Update/Delete items but no Manage List*, Create Subsites, Groups, or Permissions capability
IT Power User | Non-SharePoint Team | Full Control but no style sheets or theme mgmt.
Contributor (No Delete) | Business user | Contribute but no delete items
InfoPath Form Submitter | Form submitter | Add items
Web Analytics Viewer | Manager role who needs metrics | View Web Analytics

Page 12: SPSRI - Sharing the Point in an A/D World

Limitations of the Site Power User

We will talk about this more later on in the presentation.

Page 13: SPSRI - Sharing the Point in an A/D World

Site Request Process Feeds Security Model

- InfoPath form captures key site metadata

- Provisioning process writes data to Hidden List & Property Bag

- Site requests reviewed weekly

Page 14: SPSRI - Sharing the Point in an A/D World

Security Model - Visual Cues

- Identified security model training need for end-users

- Benchmarked against Microsoft best practice: site risk (High / Medium / Low)

- Reviewed historical data escapes and identified “not knowing” as a reason for inappropriate files being posted on file shares

Page 15: SPSRI - Sharing the Point in an A/D World

Security Model - Visual Cues

1. Site Classification cue – defines what type of data is allowed or disallowed per the site request process

2. Site Information button – displays metadata about the site

3. Report Inappropriate Content button – provides a list of avenues for reporting information that a user deems inappropriate

Page 16: SPSRI - Sharing the Point in an A/D World

Site Classification cue

- Friendly cue to educate users about the classification of the site: is it locked down to US Persons only? Is US export tech data allowed or disallowed?

- Delegate control placed on the master page:
<SharePoint:DelegateControl runat="server" ControlId="Your Control Name" AllowMultipleControls="false" />

- Displays one control or the other based on the Web Application name

Page 17: SPSRI - Sharing the Point in an A/D World

Site Information button (Version 1)

- Friendly cue to display overall information about the site – data owner, site owner, department, etc.

- Delegate control placed on the master page:
<SharePoint:DelegateControl runat="server" ControlId="Your Control Name" AllowMultipleControls="false" />

- jQuery reads from the hidden list and displays the values in a table

Page 18: SPSRI - Sharing the Point in an A/D World

Site Information button – Lessons Learned

- We liked having the site metadata available in a hidden list because:
  - End users wouldn’t accidentally re-classify the site
  - You could index the data and perform custom search queries

- We discovered we needed a process to update the site metadata beyond just a Help Desk ticket

- As part of site provisioning we had been writing the information to both the hidden list as well as the site collection property bag*
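The site request, provisioning, classification cue and site information slides describe one data flow: the request form captures site metadata, provisioning writes it to both a hidden list and the site collection property bag, and the master page cues render from that data and the web application the site lives in. The lesson learned is that two copies need an update process or they drift apart. The following is an added Python model of that flow, not the deck's SharePoint implementation (which used a hidden SPList, SPWeb.AllProperties, a delegate control and jQuery). The field names, web application names, cue wording and the validation rule that rejects export tech data outside the US-Person container are assumptions constructed for the example.

```python
"""Model of the site-provisioning metadata flow described in the deck
(added example): dual write, classification cue, and drift detection."""
from dataclasses import dataclass, asdict
from typing import Dict, List


@dataclass(frozen=True)
class SiteRequest:
    url: str
    web_application: str            # the "container" the site is provisioned into
    data_owner: str
    site_owner: str
    department: str
    export_tech_data_allowed: bool  # captured on the request form


class MetadataStore:
    """Stand-in for either the hidden list or the property bag."""
    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}

    def write(self, url: str, record: dict) -> None:
        self.records[url] = dict(record)   # copy, so the two stores never alias


# Assumed mapping from web application name to the cue text shown to users.
CUE_BY_WEB_APP = {
    "itar-collab": "US Persons only",
    "commercial-collab": "All employees (US and non-US)",
}
# Assumed: only this container's Deny All policy restricts access to US Persons.
TECH_DATA_CONTAINERS = {"itar-collab"}


def validate(req: SiteRequest) -> List[str]:
    """Return the reasons a request must be rejected (empty list = OK).

    Fails closed: an unknown container gets no cue and is rejected, and
    export tech data is only accepted where the container restricts
    access to US Persons."""
    problems = []
    if req.web_application not in CUE_BY_WEB_APP:
        problems.append(f"unknown web application {req.web_application!r}")
    if req.export_tech_data_allowed and req.web_application not in TECH_DATA_CONTAINERS:
        problems.append("export tech data requested outside a US-Person-restricted container")
    return problems


def provision(req: SiteRequest, hidden_list: MetadataStore,
              property_bag: MetadataStore) -> dict:
    """Write the request metadata to both stores (the deck's dual write)."""
    problems = validate(req)
    if problems:
        raise ValueError("; ".join(problems))
    record = asdict(req)
    hidden_list.write(req.url, record)
    property_bag.write(req.url, record)
    return record


def classification_cue(record: dict) -> str:
    """Text the site classification delegate control would display."""
    container = CUE_BY_WEB_APP[record["web_application"]]
    tech = ("US export tech data ALLOWED" if record["export_tech_data_allowed"]
            else "US export tech data NOT allowed")
    return f"{container} | {tech}"


def find_drift(hidden_list: MetadataStore, property_bag: MetadataStore) -> List[str]:
    """URLs whose two copies of the metadata disagree.

    This is the lessons-learned case: once a help desk ticket updates one
    store and not the other, the cue and the search index stop agreeing."""
    urls = set(hidden_list.records) | set(property_bag.records)
    return sorted(u for u in urls
                  if hidden_list.records.get(u) != property_bag.records.get(u))


if __name__ == "__main__":
    hidden, bag = MetadataStore(), MetadataStore()
    # Constructed sample request.
    req = SiteRequest("https://itar-collab.example/sites/wing", "itar-collab",
                      "D. Owner", "S. Owner", "Engineering", True)
    rec = provision(req, hidden, bag)
    print(classification_cue(rec))
    bag.records[req.url]["site_owner"] = "Someone Else"   # simulate a one-sided update
    print("drifted:", find_drift(hidden, bag))
```

Running find_drift on a schedule (or after every metadata change) is the cheap way to turn the "we needed an update process" lesson into a check: any URL it reports is a site whose classification cue, site information popup and search results may be telling users different things.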

Page 19: SPSRI - Sharing the Point in an A/D World

Report Inappropriate Content button

- Popup window that provides employees options for reporting content

- Delegate control placed on master page

- Originated through discussions with HR about My Sites

Page 20: SPSRI - Sharing the Point in an A/D World

The pain of “Manage Lists”

Question: What is SharePoint?

Short Answer: Lists & Libraries

Page 21: SPSRI - Sharing the Point in an A/D World

Why we took it away

Content Approval

Mandatory Content Types

Page 22: SPSRI - Sharing the Point in an A/D World

End user feedback

Page 23: SPSRI - Sharing the Point in an A/D World

Build or Buy?

1. Continue to enforce through process and delegated administration (didn’t feel like an option)

2. Build a comprehensive solution
   - Event receivers
   - Timer jobs
   - PowerShell scripts

3. Purchase a third party solution

Page 24: SPSRI - Sharing the Point in an A/D World

AvePoint – Governance Automation

- Service catalog to the business
  - Site collection, list, & document library creation
  - Site metadata management
  - Site collection lifecycle management

Page 25: SPSRI - Sharing the Point in an A/D World

Highlights of our solution

AvePoint Compliance Guardian:

Rules engine for taking action on document classification.

AvePoint’s DocAve Policy Enforcer:

Enforcement engine to clean up legacy sites as well as ensure delegated administration adheres to policies.

AvePoint’s DocAve Governance Automation:

Allows end users to create lists/libraries without Manage List capability through automated workflow process.

Page 26: SPSRI - Sharing the Point in an A/D World

Demo

Page 27: SPSRI - Sharing the Point in an A/D World

Governance is King

Three most important decisions to make:

• Permissions – what level of access will you give users?

• Quotas – will you enforce quotas to corral the sprawl?

• Development / 3rd Party Applications – yes/no/maybe?

Blog Post by Me: http://wp.me/pj1do-5U

Page 28: SPSRI - Sharing the Point in an A/D World

Our Governance

• Permissions – lots of custom roles & permissions

• Quotas
  • 250 MB file upload limit
  • Small / Medium / Large / Jumbo site quotas

• Development / 3rd Party Applications
  • Dev / QA / Prod deployment cycle
  • Code review by 3rd party Senior Developer
  • Lots of politics to buy 3rd Party tools

Page 29: SPSRI - Sharing the Point in an A/D World

Social

Main areas of concern:

1) Inappropriate comments being made

2) Unprofessional profile photos being set

3) EU privacy laws, since employee data is being stored in a separate system

4) “Who can see what profile data”?

5) “We want people to agree to legal disclosure.”

Page 30: SPSRI - Sharing the Point in an A/D World

“The Great Production Pilot”

- People mostly post “can you see this” on other people’s note boards

- Unprofessional photos will be set (and removed when asked)

- Not enabling My Content really limits the usefulness of My Sites

- Without incentive most My Sites are abandoned within the first few weeks

Page 31: SPSRI - Sharing the Point in an A/D World

End User Licensing Agreement

- Create a delegate control (code that fires prior to page load) that checks a user profile property

- If the property is not set, show a popup window; if it is set, continue and allow the user to navigate the site collection

Page 32: SPSRI - Sharing the Point in an A/D World

Current status

- Available mostly in North America

- About 2,000 users have edited their profile

- Opportunities exist with the integration of Goodrich into our Enterprise

- European deployment pending discussions with “Works Councils”

Page 33: SPSRI - Sharing the Point in an A/D World

Summary

- Security is always a journey – people love it when you restrict their access

- Governance is important – but you need something to govern

- Big companies aren’t always super social

Page 34: SPSRI - Sharing the Point in an A/D World

Thanks for listening…

Blog: www.JaredMatfess.com

Twitter: @JaredMatfess

E-mail: [email protected]

Connecticut SharePoint Users Group: http://www.ctspug.org

Page 35: SPSRI - Sharing the Point in an A/D  World

Thanks to our sponsors! And you.

Page 36: SPSRI - Sharing the Point in an A/D  World

One final note

• Fill out your evaluation form & turn it in for the big raffle (tablet)

• SharePint next door (American) at 5:30pm

• Don’t forget WaterFire downtown tonight!