esddc - making secured content discoverable in sharepoint
TRANSCRIPT
Jonathan RaltonBlueMetal
Making Secured Content Discoverable in SharePoint
AgendaDefining the Problem
SharePoint Search
SharePoint Security
Cryptzone Security Sheriff
Solution Overview
Wrapping Up
Questions
ME
Jonathan RaltonSenior Information Architect
• SharePoint professional/consultant since 2005
• No coding!
• Focused on document management, content management, knowledge management…
• Search & Analytics
• User Experience Design
@jonralton
blog.jonralton.net
linkedin.com/in/jonathanralton
2014
YOU
What roles are you in?
What’s your SharePoint experience?
Defining the ProblemMaking Secured Content Discoverable in SharePoint
How do you let your users discover the content that
they cannot see?
How would someone know to ask for permission to examine something
if they don't know that it exists?
“Your role is to help foster safe behaviors,
control information access, and verify
ongoing compliance…
all without hampering creativity, productivity, collaboration, or other daily activities.”
August 2016
allowing open collaboration
controlling and protecting
information
• Research Institution
• History of innovation
• Chemists
• Engineers
• Researchers file documentation
• Experiments/Discoveries
• Chemical formulas and compounds, technical designs...
• Decades of documentation
• Pre-electronic formats scanned with OCR
• Curated by technical librarians
• With prior authorization, able to search repository and view documentation
• Past documentation is searchable/viewable
• Repository either completely locked or unlocked in its entirety
nypl.org
Tristan Fewings/Getty Images
Scenario Componentry
• Restricted content which requires authorization
• Openly searchable electronic index of the content along with qualitative information
• Discovery of relevant content
• Permission request form designed to match the requester’s attributes with appropriate material
• Review and approval process
• Assignment of tailored permissions
• Access controls remain in place throughout
Case Study Platform
SharePoint does this thing called
Content Management
SharePoint SearchMaking Secured Content Discoverable in SharePoint
SharePoint Search Architecture
SharePoint Search Architecture
Security Trimming
Results returned for your search query will not include any content that you do not have permission to consume.
LIMITATION
FEATURE
SharePoint SecurityMaking Secured Content Discoverable in SharePoint
What do we have to work with?
What do we have to work with?
Farm
Web Application
Content Database
Site Collection
Site List/Library
Item
Item
Site Collection
Site List/Library Item
Site List/Library Item
Content Database
Site Collection
Site List/Library Item
Web Application
Content Database
Site Collection
Site
List/Library
Item
Item
List/Library ItemSite Collection
Site
What do we have to work with?
Tenant
Site Collection
Site List/Library
Item
Item
Site Collection
Site List/Library Item
Site List/Library Item
Site Collection
Site List/Library Item
Site Collection
Site
List/Library
Item
Item
List/Library ItemSite Collection
Site
What do we have to work with?
Site Collections
Sites
Lists/Libraries
Folders
Document Sets
Items/Documents
Inheritance
Site 1
Site 1.1Site 1.1.1
Site 1.1.2
Site 1.2 Site 1.2.1
Site 1.3
Site 2Site 2.1 Site 2.1.1
Site 2.2Site 3
Inheritance
Site
Library A
Folder
Document A1
Document A2Document
A3
Library B
Document B1
Document B2
Library C
Document C1
Document Set
Document C2
Document C3Document
C4
Site Collections
Sites
Lists/Libraries
Folders
Document Sets
Who/What/Where?
Security SheriffMaking Secured Content Discoverable in SharePoint
Knowing how SharePoint Search and SharePoint Security work…
how would we architect different content and security groupings?
Managing SharePoint Security
How are organizations securing SharePoint content?
• Juggling inherited permissions on items and folders
• Maintaining multiple user groups
• Creating unique silos for specific sharing scenarios
• Settling for undesirable results• Hard to manage and maintain
• Complicated interactions
• Frustrated users/administrators
Managing SharePoint Security
What if we could dynamically secure SharePoint content?
• The ability to handle dynamic security in real time—user context, location, etc.
• The ability to secure documents when they are relocated or extracted from SharePoint
• The ability to leverage known information about both content and users to apply security
Users in Motion
JaneManagerProject A
AdamDeveloperProject A
JoeAnalyst
Project B
Coffee Shop
Consultant
Enterprise Headquarters
Office 365 /SharePoint Online
SharePoint 2016
SharePoint 2013
Security needs to depend on content and context,
accommodating all SharePoint files in motion
Files in Motion
Implement consistent policies throughout hybrid environments
Tailor protection to the file’s location and contents
Secure SharePoint files even after they leave the premises
Example – Security Rules
1. External Contractors must never see documents classified as Internal
2. Users must have a higher security clearance than the document’s classification to gain access
3. Project documents should only ever be accessed by project team members
4. Unclassified documents are hidden to all but the creator until they have been classified
5. External Contractors must never share documents outside of the company
6. Top Secret documents may only reside in headquarters (use secure viewer when away from office)
7. Confidential documents must be encrypted and protected against copy, download, and print outside of office
Example – Employee Onsite
Diana
HeadquartersFull Clearance
Project AOffice 365 /
SharePoint Online
SharePoint 2016
∆ Top Secret - Encrypt on Download
Internal - Allow
Project A - Allow
× Project B - Deny
Confidential - Allow
Download - Allow
Sharing - Allow
Print/Copy - Allow
Example – Employee Remote
Jane
Coffee ShopFull ClearanceProject A & B
Office 365 /SharePoint Online
∆ Top Secret - Secure View Only
Internal - Allow
Project A - Allow
Project B - Allow
∆ Confidential - Encrypt
∆ Download - Encrypt
∆ Sharing - Limit
× Print/Copy - DenySharePoint 2016
Example – Contractor
Adam
External Contractor
Limited ClearanceProject A
Office 365 /SharePoint Online
SharePoint 2016
× Top Secret - Deny
× Internal - Deny
Project A - Allow
× Project B - Deny
∆ Confidential - Encrypt
∆ Download - Encrypt
∆ Sharing - Limit
× Print/Copy - Deny
Security Sheriff
What a user sees when viewing and searching for files
Whether a user can open, export,
or copy a file
What actions are enabled in the
Office 365 ribbon
If a file is encrypted when saved, copied, or
emailed
Real-time permissions determine…
If a file should be emailed
If a user must view the file securely
DEVICE TIME
CUSTOMATTRIBUTES
SECURITY CLEARANCE
LOCATIONGROUPPERMISSIONS
User Properties
CUSTOM ATTRIBUTES
DATE
SITE PERMISSIONS
AUTHOR
LOCATION
File Properties
Security Sheriff
Security Sheriff dynamically adjusts file security based on real-time comparison of user context and file content to make sure that users view, use, and share files
according to your industry and business’ regulations and policies.
Locate and classify all data on-premises and in the cloud, encrypt or quarantine
when required, and report status to stakeholders.
Trusted users can collaborate on any device and in any location, knowing that all data is secure, even when it
leaves the company.
Classification CollaborationPolicies and permissions are managed
by admins who know the policies, users and data, thereby reducing cost and
frustration.
Administration
Solution OverviewMaking Secured Content Discoverable in SharePoint
Solution Overview
Goals
• Expose for consumption the right content to the right people based on prior authorizations
• Expose for discovery all of the content to everyone so that they may request authorization(s)
Hurdles
• OOTB SharePoint Search behavior
• OOTB SharePoint security model
Solution Componentry
Security Sheriff
• Column Mappings
• User Properties
• Dynamic Access Rules• What can they access?
• How long can they access it for?
Custom Development
• Service Account executes search query ‘elevated privileges’
• UX components
• Requesting permission form and workflow
Rights Management Services
• Encrypted
• Protection against copy/paste
• Selective protection for print
SharePoint
• Security Rules configuration list• Approvals
• Expirations
• Metadata on documents
• Continuous Crawl
Scenario Componentry
• Restricted content which requires authorization
• Openly searchable electronic index of the content along with qualitative information
• Discovery of relevant content
• Permission request form designed to match the requester’s attributes with appropriate material
• Review and approval process
• Assignment of tailored permissions
• Access controls remain in place throughout
By leveraging SharePoint’s native capabilities and augmenting with available technologies
(and a tiny bit of fanciness)…
The right people get access to the right contentat the right time.
Wrapping UpMaking Secured Content Discoverable in SharePoint
Hidden content can become discoverable…
while remaining secure.
This not the only way to approach this
problem, and this solution may not be
appropriate for every organization.
Key Takeaways
SharePoint Search out of the box will only deliver results to you for
which you already have permission to view.
Combining dynamic security and search augmentation
is a great answer to the problem.
Key Motivators
Content is arguably more secure when it is selectively exposed
for discovery.
People are less frustrated when they can be pre-approved to view
new content based on their role/domain, etc.
There is a big difference between exposing content for discovery and
exposing content for potential exploitation.
You’d better get it right the first time.
allowing open collaboration
controlling and protecting
information
@jonralton
blog.jonralton.net
bluemetal.com
cryptzone.com
cryptzone.com/products/security-sheriff
QuestionsMaking Secured Content Discoverable in SharePoint
Additional InformationMaking Secured Content Discoverable in SharePoint
Modern technology, craftsman quality.
We’re an interactive design and technology architecture firm matching the most experienced
consultants in the industry to the most challenging business and technical problems facing
our clients. Founded August 2010, and as of October 2015, we are an Insight company.
About BlueMetal
7 | YEARS IN OPERATION
5 | LOCATIONS
6 | SERVICE AREAS
4 | INDUSTRY SPECIALIZATIONS
Proud Global Microsoft Partner of the Year
Winner – Microsoft Global Mobile App Development Partner of the Year Award, 2017Winner – Microsoft Global IoT Partner of the Year Award, 2016
Finalist – Microsoft Intelligent Systems Partner of the Year Award, 2015Finalist – Microsoft Collaboration and Content Partner of the Year Award, 2015
Trusted Advisor of Trusted Brands
Modern Technology, Craftsman Quality
Intelligent Customer
Applications
Modern Workforce
Applications
Real-Time Business
RETHINKING HOW COMPANIES CONNECT WITH THEIR
CUSTOMERS
FRICTION-FREE TOOLS TO MAXIMIZE EMPLOYEE EFFECTIVENESS
DIGITAL TRANSFORMATION DRIVEN BY INFORMATION
About Cryptzone
PRODUCTSACCOLADES
Secure Access
AppGate ®
The Software-Defined Perimeter Company• Over 100 Employees• Over 450 Customers • Worldwide HQ in Boston, USA
− Additional offices in the UK, Sweden and Australia
Recognized by Gartner and Forrester as one of the key players in the SDP
market
HIGHLIGHTS
Data Security
Web Compliance