Case Study: United Technologies Corporation
“10 Things we did to lock down SharePoint Collaboration”
November 2013
Jared Matfess
About Me
SharePoint Administrator at United Technologies Corporation
10+ years in the IT field, 0 book deals.
President of the CT SharePoint User Group
Twitter: @JaredMatfess
E-mail: [email protected]
Overview of United Technologies Corporation
The “10 Steps” towards more secure collaboration
Background Information
• In June 2012, United Technologies entered into a consent agreement
to settle violations of the AECA and ITAR in connection with the
unauthorized export and transfer of defense articles, to include
technical data, and the unauthorized provision of defense services to
various countries, including proscribed destinations.
• UTC developed a new core focus on International Trade Compliance
Technical Data
The federal Export Administration Regulations (“EAR”) and International
Traffic In Arms Regulations (“ITAR”) control the export of certain
commodities, software, technical data and certain other information to
foreign countries. The EAR and the ITAR can restrict the furnishing of
information, technical data and software to foreign persons, whether this
takes place abroad or in the United States.
SharePoint Security & Governance at United Technologies Corporation
The Role of Corporate
• Policies, Standards, Consulting
• Shared Services
• User Profile
• Managed Metadata
• Search*
• Hosting of cross-business unit sites
• Host of business unit homepages
The Beginning of our Security Model Journey
Step 1: User Separation by Web Application
US Persons
US/FN Nontech Data
US/FN Tech
Technical Implementation
• Created web applications and set user policies that would “Deny All” to
users that did not meet the container requirements.
• Relied on global Active Directory Groups such as “All Domain Users”
What About Claims??
• Microsoft convinced us to create claims-based Web Applications
• Worked with Scot Hillier to develop a custom claims provider to augment
Windows token with Active Directory attribute values.
If US Person = Yes & Work Location = US, person meets US Person claim for
access to ITAR data
• Leverage Claims for the Web Application “Deny All” rules
Great TechNet Article (written by Scot & Ted Pattison)
Some gotchas…
Deny All
• Service Accounts – Farm, Backup Software, Crawl account
• Support Staff - SharePoint Farm Administrators, IT Help Desk, etc
User Data
• Logic needs to include handling of value being NULL
• Source data should be clean and complete
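Added example (not from the original deck or UTC's claims provider): the US Person rule above with the NULL-handling gotcha applied, so a missing or blank attribute fails closed, plus an audit that lists service accounts a claim-based Deny All rule would lock out. Attribute and account names are hypothetical, and the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class DirectoryUser:
    # Field names are hypothetical stand-ins for the Active Directory attributes.
    account: str
    us_person: Optional[str]      # expected "Yes"/"No"; None when unset
    work_location: Optional[str]  # expected a country value such as "US"

def norm(value: Optional[str]) -> Optional[str]:
    """Collapse None, empty and whitespace-only values to None; upper-case the rest."""
    value = (value or "").strip()
    return value.upper() or None

def meets_us_person_claim(user: DirectoryUser) -> bool:
    """Fail closed: only two explicit matching values earn the claim."""
    return norm(user.us_person) == "YES" and norm(user.work_location) == "US"

def audit(users, service_accounts):
    """Bucket accounts by what a Deny All rule keyed on the claim would do to them."""
    report = {"claim": [], "denied": [], "incomplete": [], "service_at_risk": []}
    for u in users:
        if meets_us_person_claim(u):
            report["claim"].append(u.account)
        elif u.account.lower() in service_accounts:
            report["service_at_risk"].append(u.account)  # farm/crawl/backup would be locked out
        elif norm(u.us_person) is None or norm(u.work_location) is None:
            report["incomplete"].append(u.account)       # denied, and a data-quality ticket
        else:
            report["denied"].append(u.account)
    return report

# Constructed sample records, not real directory data.
SAMPLE = [
    DirectoryUser("alice", "Yes", "US"),
    DirectoryUser("bob", "Yes", "DE"),
    DirectoryUser("carol", None, "US"),
    DirectoryUser("dave", " yes ", "us"),
    DirectoryUser("erin", "", "US"),
    DirectoryUser("frank", "No", "US"),
    DirectoryUser("svc-spcrawl", None, None),
]
SERVICE_ACCOUNTS = {"svc-spfarm", "svc-spcrawl", "svc-backup"}

if __name__ == "__main__":
    for bucket, accounts in audit(SAMPLE, SERVICE_ACCOUNTS).items():
        print(f"{bucket:16} {accounts}")
```

Running the audit before the Deny All policy goes live surfaces both gotchas at once: accounts with incomplete source data and service accounts that would lose access.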
Step 2: Integrate Site Request with Security Model
- InfoPath form captures key site metadata
- Provisioning process writes data to Hidden List & Property Bag
- Site requests reviewed
ProTip: A Process Can Always be Improved
• Work with your customers to improve your process
• Groom them to be your SharePoint “Ambassadors”
Step 3: Site Classification cue
- Friendly cue to educate users to the classification of the site – is it locked
down to US Persons only? US Export Tech Data allowed/disallowed
- Delegate control placed on master page
<SharePoint:DelegateControl runat="server" ControlId="Your Control Name" AllowMultipleControls="false"/>
- Displays either control based on Web Application name
Step 4: Site Information button
- Friendly cue to display overall information about the site – data owner, site
owner, department, etc
- Delegate control placed on master page
<SharePoint:DelegateControl runat="server" ControlId="Your Control Name" AllowMultipleControls="false"/>
- jQuery to read from hidden list and display values in table
Site Information button – Lessons Learned
- We liked having the site metadata available in a hidden list because:
- End users wouldn’t accidentally re-classify the site
- You could index the data and perform custom search queries
- We discovered we needed a process to update the site metadata beyond
just a Help Desk ticket
- As part of site provisioning we had been writing the information to both the
hidden list as well as the site collection property bag*
Original Approach
Using the SharePoint CSOM API to get a Property Bag value
Jeremy Thake
Step 5: Report Inappropriate Content button
Content Excluded
- Popup window that provides employees options for reporting content
- Delegate control placed on master page
- Originated through discussions with HR about My Sites
Security Model - Visual Cues Summary
1. Site Classification cue – defines what type of data is allowed or
disallowed per the site request process
2. Site Information button – displays metadata about the site
3. Report Inappropriate content button – provides a list of avenues for
reporting information that a user deems is inappropriate
Step 6: Limitations of the Site Power User
Security Model – Roles & Permissions
- Site Power User: Business Power User who owns the site; Add/Update/Delete items but no Manage List*, Create Subsites, Groups, or Permissions capability
- IT Power User: Non-SharePoint Team; Full Control but no style sheets or theme mgmt.
- Contributor (No Delete): Business user; Contribute but no delete
- InfoPath Form Submitter: Form submitter; Add items
- Web Analytics Viewer: Manager role who needs View Web Analytics
Step 7: Forced classification for documents
Our message to the Government is: “We want users to be accountable”.
The pain of “Manage Lists”
Question: What is SharePoint?
Short Answer: Lists & Libraries
Why we took it away?
Content Approval
Mandatory Content Types
End user feedback
Step 8: Prototype & Consider Scale
- First Production Pilot consisted of a SharePoint Designer workflow that
would route all documents for initial upload & edit to an approver
- Portability proved to be a big problem
- Someone did the math for how much time people would spend approving
documents in a collaboration site
- The setup for each site collection would require a full time person doing
nothing but site collection configuration
Build or Buy?
1. Continue to enforce through process and delegated administration
(didn’t feel like an option)
2. Build a comprehensive solution
- Event receivers
- Timer jobs
- PowerShell Scripts
3. Purchase a third party solution
Decision: AvePoint Partnership
Governance Automation
- Request List Workflow
- Security Trimming based on site collection access
- Reference List Template in service
Compliance Guardian
If a user selects “Yes” for the Technical Data column, AvePoint’s
Compliance Guardian will delete the file and send a user notification.
If a user selects “I don’t know” for the Technical Data column, AvePoint’s
Compliance Guardian will quarantine the file and send a user
File Quarantine Notification
Quarantine Manager
The Quarantine Manager can be found in the Site Settings section:
Quarantine Manager
Quarantine Managers can
- Edit the properties
- Restore the file
- Permanently delete
Policy Enforcer
- Timer jobs without all the fuss
- Periodic scans/fixes
- 40 built-in rules, SDK for more!
Business use: Enable content approval on all document libraries on
“everyone” sites.
Solution Summary
List/Library creation through defined workflow (Governance Automation)
Periodic scans for compliance (Policy Enforcer)
Column Action Policies for delete or quarantine (Compliance Guardian)
Reporting on user activity (Report Center)
Scalable & Repeatable Process!
Step 9: Customized Training
- Security isn’t easy or fun, so try to make it enjoyable
- Role based training was much more effective than
“SharePoint Foundations 1”
- Lots of hand-holding in the beginning
Step 10: Make it easy where possible
Implemented auto-classification where the Jurisdiction & Classification
are set to Nontechnical when Technical Data is set to “No”
Security Model Journey Next Steps
Leverage AvePoint Policy Enforcer to check if List/Libraries have mandatory
Restore “Manage List” to Power Users
Continue to educate and grow the Power User base
Increase reporting/visibility of rejected documents
SharePoint Security is difficult but there are options
Prototype with simple solutions but always test for scale
Communication & training plans are the keys to success
Don’t be afraid of process improvement
They did name it SharePoint for a reason 
Thanks for listening…
Connecticut SharePoint Users Group