
ESDDC - Making Secured Content Discoverable in SharePoint

Date post: 23-Jan-2018
Upload: jonathan-ralton
Transcript
Page 1: ESDDC - Making Secured Content Discoverable in SharePoint
Page 2: ESDDC - Making Secured Content Discoverable in SharePoint

Jonathan Ralton

BlueMetal

Making Secured Content Discoverable in SharePoint

Page 3: ESDDC - Making Secured Content Discoverable in SharePoint

Agenda

Defining the Problem

SharePoint Search

SharePoint Security

Cryptzone Security Sheriff

Solution Overview

Wrapping Up

Questions

Page 4: ESDDC - Making Secured Content Discoverable in SharePoint

ME

Page 5: ESDDC - Making Secured Content Discoverable in SharePoint

Jonathan Ralton

Senior Information Architect

• SharePoint professional/consultant since 2005

• No coding!

• Focused on document management, content management, knowledge management…

• Search & Analytics

• User Experience Design

@jonralton

blog.jonralton.net

linkedin.com/in/jonathanralton

2014

Page 6: ESDDC - Making Secured Content Discoverable in SharePoint

YOU

Page 7: ESDDC - Making Secured Content Discoverable in SharePoint

What roles are you in?

What’s your SharePoint experience?

Page 8: ESDDC - Making Secured Content Discoverable in SharePoint

Defining the Problem

Making Secured Content Discoverable in SharePoint

Page 9: ESDDC - Making Secured Content Discoverable in SharePoint

How do you let your users discover the content that they cannot see?

Page 10: ESDDC - Making Secured Content Discoverable in SharePoint

How would someone know to ask for permission to examine something if they don't know that it exists?

Page 11: ESDDC - Making Secured Content Discoverable in SharePoint

“Your role is to help foster safe behaviors, control information access, and verify ongoing compliance… all without hampering creativity, productivity, collaboration, or other daily activities.”

August 2016

Page 12: ESDDC - Making Secured Content Discoverable in SharePoint

allowing open collaboration

controlling and protecting information

Page 13: ESDDC - Making Secured Content Discoverable in SharePoint

• Research Institution

• History of innovation

Page 14: ESDDC - Making Secured Content Discoverable in SharePoint

• Chemists

• Engineers

Page 15: ESDDC - Making Secured Content Discoverable in SharePoint

• Researchers file documentation

• Experiments/Discoveries

• Chemical formulas and compounds, technical designs...

Page 16: ESDDC - Making Secured Content Discoverable in SharePoint

• Decades of documentation

• Pre-electronic formats scanned with OCR

Page 17: ESDDC - Making Secured Content Discoverable in SharePoint

• Curated by technical librarians

• With prior authorization, able to search repository and view documentation

Page 18: ESDDC - Making Secured Content Discoverable in SharePoint

• Past documentation is searchable/viewable

• Repository either completely locked or unlocked in its entirety

Page 19: ESDDC - Making Secured Content Discoverable in SharePoint
Page 20: ESDDC - Making Secured Content Discoverable in SharePoint

nypl.org

Page 21: ESDDC - Making Secured Content Discoverable in SharePoint
Page 22: ESDDC - Making Secured Content Discoverable in SharePoint
Page 23: ESDDC - Making Secured Content Discoverable in SharePoint

Tristan Fewings/Getty Images

Page 24: ESDDC - Making Secured Content Discoverable in SharePoint
Page 25: ESDDC - Making Secured Content Discoverable in SharePoint
Page 26: ESDDC - Making Secured Content Discoverable in SharePoint
Page 27: ESDDC - Making Secured Content Discoverable in SharePoint

Scenario Componentry

• Restricted content which requires authorization

• Openly searchable electronic index of the content along with qualitative information

• Discovery of relevant content

• Permission request form designed to match the requester’s attributes with appropriate material

• Review and approval process

• Assignment of tailored permissions

• Access controls remain in place throughout

Page 28: ESDDC - Making Secured Content Discoverable in SharePoint

Case Study Platform

SharePoint does this thing called

Content Management

Page 29: ESDDC - Making Secured Content Discoverable in SharePoint

SharePoint Search

Making Secured Content Discoverable in SharePoint

Page 30: ESDDC - Making Secured Content Discoverable in SharePoint
Page 31: ESDDC - Making Secured Content Discoverable in SharePoint
Page 32: ESDDC - Making Secured Content Discoverable in SharePoint
Page 33: ESDDC - Making Secured Content Discoverable in SharePoint

SharePoint Search Architecture

Page 34: ESDDC - Making Secured Content Discoverable in SharePoint

SharePoint Search Architecture

Page 35: ESDDC - Making Secured Content Discoverable in SharePoint

Security Trimming

Results returned for your search query will not include any content that you do not have permission to consume.

Page 36: ESDDC - Making Secured Content Discoverable in SharePoint

LIMITATION

FEATURE

Page 37: ESDDC - Making Secured Content Discoverable in SharePoint

SharePoint Security

Making Secured Content Discoverable in SharePoint

Page 38: ESDDC - Making Secured Content Discoverable in SharePoint
Page 39: ESDDC - Making Secured Content Discoverable in SharePoint

What do we have to work with?

Page 40: ESDDC - Making Secured Content Discoverable in SharePoint

What do we have to work with?

[Diagram] Farm > Web Application > Content Database > Site Collection > Site > List/Library > Item

Page 41: ESDDC - Making Secured Content Discoverable in SharePoint

What do we have to work with?

[Diagram] Tenant > Site Collection > Site > List/Library > Item

Page 42: ESDDC - Making Secured Content Discoverable in SharePoint

What do we have to work with?

Site Collections

Sites

Lists/Libraries

Folders

Document Sets

Items/Documents

Page 43: ESDDC - Making Secured Content Discoverable in SharePoint

Inheritance

• Site 1
  • Site 1.1
    • Site 1.1.1
    • Site 1.1.2
  • Site 1.2
    • Site 1.2.1
  • Site 1.3
• Site 2
  • Site 2.1
    • Site 2.1.1
  • Site 2.2
• Site 3

Page 44: ESDDC - Making Secured Content Discoverable in SharePoint

Inheritance

Site

Library A

Folder

Document A1

Document A2

Document A3

Library B

Document B1

Document B2

Library C

Document C1

Document Set

Document C2

Document C3

Document C4

Page 45: ESDDC - Making Secured Content Discoverable in SharePoint

Site Collections

Sites

Lists/Libraries

Folders

Document Sets

Who/What/Where?

Page 46: ESDDC - Making Secured Content Discoverable in SharePoint

Security Sheriff

Making Secured Content Discoverable in SharePoint

Page 47: ESDDC - Making Secured Content Discoverable in SharePoint

Knowing how SharePoint Search and SharePoint Security work…

Page 48: ESDDC - Making Secured Content Discoverable in SharePoint

how would we architect different content and security groupings?

Page 49: ESDDC - Making Secured Content Discoverable in SharePoint

Managing SharePoint Security

How are organizations securing SharePoint content?

• Juggling inherited permissions on items and folders

• Maintaining multiple user groups

• Creating unique silos for specific sharing scenarios

• Settling for undesirable results

• Hard to manage and maintain

• Complicated interactions

• Frustrated users/administrators

Page 50: ESDDC - Making Secured Content Discoverable in SharePoint

Managing SharePoint Security

What if we could dynamically secure SharePoint content?

• The ability to handle dynamic security in real time—user context, location, etc.

• The ability to secure documents when they are relocated or extracted from SharePoint

• The ability to leverage known information about both content and users to apply security

Page 51: ESDDC - Making Secured Content Discoverable in SharePoint

Users in Motion

Jane: Manager, Project A

Adam: Developer, Project A

Joe: Analyst, Project B

Coffee Shop

Consultant

Enterprise Headquarters

Office 365 / SharePoint Online

SharePoint 2016

SharePoint 2013

Page 52: ESDDC - Making Secured Content Discoverable in SharePoint

Security needs to depend on content and context, accommodating all SharePoint files in motion

Files in Motion

Implement consistent policies throughout hybrid environments

Tailor protection to the file’s location and contents

Secure SharePoint files even after they leave the premises

Page 53: ESDDC - Making Secured Content Discoverable in SharePoint

Example – Security Rules

1. External Contractors must never see documents classified as Internal

2. Users must have a higher security clearance than the document’s classification to gain access

3. Project documents should only ever be accessed by project team members

4. Unclassified documents are hidden from all but the creator until they have been classified

5. External Contractors must never share documents outside of the company

6. Top Secret documents may only reside in headquarters (use secure viewer when away from office)

7. Confidential documents must be encrypted and protected against copy, download, and print outside of office

Page 54: ESDDC - Making Secured Content Discoverable in SharePoint

Example – Employee Onsite

Diana: Headquarters, Full Clearance, Project A

Office 365 / SharePoint Online

SharePoint 2016

∆ Top Secret - Encrypt on Download

Internal - Allow

Project A - Allow

× Project B - Deny

Confidential - Allow

Download - Allow

Sharing - Allow

Print/Copy - Allow

Page 55: ESDDC - Making Secured Content Discoverable in SharePoint

Example – Employee Remote

Jane: Coffee Shop, Full Clearance, Project A & B

Office 365 / SharePoint Online

∆ Top Secret - Secure View Only

Internal - Allow

Project A - Allow

Project B - Allow

∆ Confidential - Encrypt

∆ Download - Encrypt

∆ Sharing - Limit

× Print/Copy - Deny

SharePoint 2016

Page 56: ESDDC - Making Secured Content Discoverable in SharePoint

Example – Contractor

Adam: External Contractor, Limited Clearance, Project A

Office 365 / SharePoint Online

SharePoint 2016

× Top Secret - Deny

× Internal - Deny

Project A - Allow

× Project B - Deny

∆ Confidential - Encrypt

∆ Download - Encrypt

∆ Sharing - Limit

× Print/Copy - Deny

Page 57: ESDDC - Making Secured Content Discoverable in SharePoint

Security Sheriff

Real-time permissions determine…

• What a user sees when viewing and searching for files

• Whether a user can open, export, or copy a file

• What actions are enabled in the Office 365 ribbon

• If a file is encrypted when saved, copied, or emailed

• If a file should be emailed

• If a user must view the file securely

User Properties: Device, Time, Custom Attributes, Security Clearance, Location, Group Permissions

File Properties: Custom Attributes, Date, Site Permissions, Author, Location

Page 58: ESDDC - Making Secured Content Discoverable in SharePoint

Security Sheriff

Security Sheriff dynamically adjusts file security based on real-time comparison of user context and file content to make sure that users view, use, and share files according to your industry and business’ regulations and policies.

Classification

Locate and classify all data on-premises and in the cloud, encrypt or quarantine when required, and report status to stakeholders.

Collaboration

Trusted users can collaborate on any device and in any location, knowing that all data is secure, even when it leaves the company.

Administration

Policies and permissions are managed by admins who know the policies, users and data, thereby reducing cost and frustration.

Page 59: ESDDC - Making Secured Content Discoverable in SharePoint
Page 60: ESDDC - Making Secured Content Discoverable in SharePoint
Page 61: ESDDC - Making Secured Content Discoverable in SharePoint
Page 62: ESDDC - Making Secured Content Discoverable in SharePoint
Page 63: ESDDC - Making Secured Content Discoverable in SharePoint
Page 64: ESDDC - Making Secured Content Discoverable in SharePoint
Page 65: ESDDC - Making Secured Content Discoverable in SharePoint

Solution Overview

Making Secured Content Discoverable in SharePoint

Page 66: ESDDC - Making Secured Content Discoverable in SharePoint

Solution Overview

Goals

• Expose for consumption the right content to the right people based on prior authorizations

• Expose for discovery all of the content to everyone so that they may request authorization(s)

Hurdles

• OOTB SharePoint Search behavior

• OOTB SharePoint security model

Page 67: ESDDC - Making Secured Content Discoverable in SharePoint

Solution Componentry

Page 68: ESDDC - Making Secured Content Discoverable in SharePoint

Security Sheriff

• Column Mappings

• User Properties

• Dynamic Access Rules

  • What can they access?

  • How long can they access it for?

Page 69: ESDDC - Making Secured Content Discoverable in SharePoint

Custom Development

• Service account executes the search query with ‘elevated privileges’

• UX components

• Requesting permission form and workflow
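
The elevated-query pattern on this slide, sketched as an added Python example (it is not code from the talk or from Security Sheriff). The index contents, field names, group names and the `discoverable` flag are constructed assumptions; the point shown is that the elevated path matches on and returns only allowlisted metadata for callers who cannot open an item.

```python
# Added illustration; index contents, field names and group names are constructed.
DISCOVERY_FIELDS = ("title", "abstract", "classification")  # safe to show to anyone

INDEX = [
    {"id": 1, "title": "Polymer coating trial 1987", "abstract": "Summary of adhesion tests",
     "classification": "Confidential", "body": "compound X-17 ratio 3:1",
     "acl": {"materials-team"}, "discoverable": True},
    {"id": 2, "title": "Cafeteria menu", "abstract": "Weekly menu",
     "classification": "Internal", "body": "soup and polymer-free salad",
     "acl": {"everyone"}, "discoverable": True},
    {"id": 3, "title": "Polymer acquisition memo", "abstract": "Board-only memo",
     "classification": "Top Secret", "body": "target company name",
     "acl": {"board"}, "discoverable": False},
]

def _matches(term, item, fields):
    term = term.lower()
    return any(term in str(item[f]).lower() for f in fields)

def trimmed_search(groups, term):
    """Out-of-the-box behaviour: only items the caller may open are returned."""
    return [i for i in INDEX
            if i["acl"] & groups and _matches(term, i, DISCOVERY_FIELDS + ("body",))]

def discovery_search(groups, term):
    """Elevated query run by a service account on the caller's behalf."""
    results = []
    for item in INDEX:
        stub = {"id": item["id"], **{f: item[f] for f in DISCOVERY_FIELDS}}
        if item["acl"] & groups:
            if _matches(term, item, DISCOVERY_FIELDS + ("body",)):
                results.append({**stub, "can_open": True})
        elif item["discoverable"] and _matches(term, item, DISCOVERY_FIELDS):
            # Unauthorized caller: match on and return allowlisted metadata only,
            # so the body can neither be read nor probed through search terms.
            results.append({**stub, "can_open": False, "request_access": True})
    return results
```

Items flagged `request_access` are the ones that would feed the permission request form and workflow; the access controls on the item itself are never changed by the search.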

Page 70: ESDDC - Making Secured Content Discoverable in SharePoint

Rights Management Services

• Encrypted

• Protection against copy/paste

• Selective protection for print

Page 71: ESDDC - Making Secured Content Discoverable in SharePoint

SharePoint

• Security Rules configuration list

• Approvals

• Expirations

• Metadata on documents

• Continuous Crawl

Page 72: ESDDC - Making Secured Content Discoverable in SharePoint

Scenario Componentry

• Restricted content which requires authorization

• Openly searchable electronic index of the content along with qualitative information

• Discovery of relevant content

• Permission request form designed to match the requester’s attributes with appropriate material

• Review and approval process

• Assignment of tailored permissions

• Access controls remain in place throughout

Page 73: ESDDC - Making Secured Content Discoverable in SharePoint

By leveraging SharePoint’s native capabilities and augmenting with available technologies (and a tiny bit of fanciness)…

Page 74: ESDDC - Making Secured Content Discoverable in SharePoint

The right people get access to the right content at the right time.

Page 75: ESDDC - Making Secured Content Discoverable in SharePoint

Wrapping Up

Making Secured Content Discoverable in SharePoint

Page 76: ESDDC - Making Secured Content Discoverable in SharePoint

Hidden content can become discoverable… while remaining secure.

Page 77: ESDDC - Making Secured Content Discoverable in SharePoint

This is not the only way to approach this problem, and this solution may not be appropriate for every organization.

Page 78: ESDDC - Making Secured Content Discoverable in SharePoint

Key Takeaways

Out of the box, SharePoint Search will only deliver results that you already have permission to view.

Combining dynamic security and search augmentation is a great answer to the problem.

Page 79: ESDDC - Making Secured Content Discoverable in SharePoint

Key Motivators

Content is arguably more secure when it is selectively exposed for discovery.

People are less frustrated when they can be pre-approved to view new content based on their role/domain, etc.

Page 80: ESDDC - Making Secured Content Discoverable in SharePoint

There is a big difference between exposing content for discovery and exposing content for potential exploitation.

You’d better get it right the first time.

Page 81: ESDDC - Making Secured Content Discoverable in SharePoint

allowing open collaboration

controlling and protecting information

Page 83: ESDDC - Making Secured Content Discoverable in SharePoint

Questions

Making Secured Content Discoverable in SharePoint

Page 84: ESDDC - Making Secured Content Discoverable in SharePoint
Page 85: ESDDC - Making Secured Content Discoverable in SharePoint

Additional Information

Making Secured Content Discoverable in SharePoint

Page 86: ESDDC - Making Secured Content Discoverable in SharePoint

Modern technology, craftsman quality.

We’re an interactive design and technology architecture firm matching the most experienced consultants in the industry to the most challenging business and technical problems facing our clients. Founded August 2010, and as of October 2015, we are an Insight company.

About BlueMetal

7 | YEARS IN OPERATION

5 | LOCATIONS

6 | SERVICE AREAS

4 | INDUSTRY SPECIALIZATIONS

Page 87: ESDDC - Making Secured Content Discoverable in SharePoint

Proud Global Microsoft Partner of the Year

Winner – Microsoft Global Mobile App Development Partner of the Year Award, 2017

Winner – Microsoft Global IoT Partner of the Year Award, 2016

Finalist – Microsoft Intelligent Systems Partner of the Year Award, 2015

Finalist – Microsoft Collaboration and Content Partner of the Year Award, 2015

Page 88: ESDDC - Making Secured Content Discoverable in SharePoint

Trusted Advisor of Trusted Brands

Page 89: ESDDC - Making Secured Content Discoverable in SharePoint

Modern Technology, Craftsman Quality

Intelligent Customer Applications: Rethinking how companies connect with their customers

Modern Workforce Applications: Friction-free tools to maximize employee effectiveness

Real-Time Business: Digital transformation driven by information

Page 90: ESDDC - Making Secured Content Discoverable in SharePoint

About Cryptzone

The Software-Defined Perimeter Company

HIGHLIGHTS

• Over 100 Employees

• Over 450 Customers

• Worldwide HQ in Boston, USA

− Additional offices in the UK, Sweden and Australia

ACCOLADES

Recognized by Gartner and Forrester as one of the key players in the SDP market

PRODUCTS

Secure Access: AppGate ®

Data Security

Web Compliance

