Our security department has identified some SharePoint 2010 site collections need to restrict to users of some security groups. The requirement is to restrict the users belong to some security groups to access selected site collections with sensitive information even these users have been granted the permission through individual account, any AD groups, or email list groups. There are some options and the NextLabs Entitlement Manager for SharePoint seems to be a good fit to resolve this security requirement as indicated in my previous blog.
After several weeks POC engagement with NextLabs consultants, we have completed all the test cases. The tool seems to accomplish our requirement. There are some limitations such as web service support for this product but those do not seem to be the showstoppers. Here is the summary of the key benefits, key features, key test cases with results, and key enhancements requested.
1. Key Benefits - NextLabs’ Entitlement Manager for SharePoint is a content aware Entitlement Management solution that provides the capability to authorize, classify, enforce and audit enterprise resources across Microsoft SharePoint. This solution allows large enterprises to enjoy secure internal/external collaboration while helping them achieve obligatory compliance, protecting data both on and off the SharePoint Environment. The key benefit is listed below. You could refer the previous blogon the details.
- Compliance for Obligatory Regulations
- Increases Enterprise-wide Adoption of SharePoint
- Extends and Enhances SharePoint Security
- Fast and Easy to Manage Solution
- Significantly Reduces Management Cost
- Improves Time to Value
2. Key Features - Entitlement Manager for SharePoint is the only complete solution in the industry that fulfills the four crucial processes (Authorization, Classification, Enforcement and Audit) needed for effective Entitlement Management, applying fine grained adaptive and intelligent authorization policies for a multitude of resources, accessed via any and all channels, supporting a broad range of functionality. You could refer the vendor site for the details on each feature.
- Adaptive and Intelligent Authorization Policies
- Built-In Content Aware Data Classification
- Most Comprehensive SharePoint Enforcement
- Centralized Audit Persistent Protection of Data
3. Key Test Cases with Results - NextLabs’ solutions support our compony’s goals through policy based information access controls, information distribution controls and robust audit and compliance capabilities. This Proof of Concept will focus NextLabs’ deep, rich set of tools and controls on a variety of business situations that reflect the everyday activities of compony’s users who access restricted data. Key areas addressed by the POC include the following:
- Robust policy construction through an easy-to-use graphical user interface based on XACML standards.
- Ease of integration with user information repositories for use in policy construction, including Active Directory and SharePoint.
- Ease of integration with SharePoint for rapid deployment of enforcement point with the need to develop custom code.
- Allow only approved users to access restricted data.
- Audit user activity to ensure compliance and protection of restrictive information.
Here are all passed test cases through he POC.
A. NextLabs Deployment and Integration
- Deploy Control Center, Policy Studio and Complaint Enterprise for SharePoint - This activity demonstrates NextLabs capability to support the deployment of the policy administration point (Control Center), policy decision point and policy enforcement point onto a standard compony Systems server platform (Windows 2008 R2) and SharePoint MOSS 2010 Server.
- Enroll users from Active Directory and SharePoint - This activity demonstrates NextLabs’ capability to import data from an external LDAP repository and SharePoint into Control Center and create a policy based on user identity information..
B. NextLabs Policy Management
This section demonstrates the role delegation, workflow, management, and policy auditing functionality of NextLabs’ Control Center solution.
- Role based access control - This activity demonstrates Nextlabs' ability to assign different Control Center roles based upon the user's function within compliance organization.
- Policy Workflow - This activity demonstrates Nextlabs' policy workflow that is part of the Control Center solution.
- Create restricted access policy using Policy Studio - This activity demonstrates Nextlabs' ease of use to create robust policy using customer business use cases. NextLabs' Policy Studio management that is part of the Control Center Policy Studio.
- Revision History Reporting - This activity demonstrates Nextlabs' policy revision management that is part of the Control Center solution.
- Server and Enforcer Health Status and Monitoring - This activity demonstrates Nextlabs' ability to provide server and enforcer health status, configuration and policy deployment status through the Control Center Administrator GUI.
C. NextLabs Entitlement
Only allow authorized users to access restricted information - This activity demonstrated NextLabs ability to deny access to restricted document libraries or list libraries to certain users even if they are authorized access to those libraries/lists by SharePoint. In this cases it is determined based on restricted AD group definition. We have tested the following scenarios.
- Explore view
- Microsoft Outlook
- Microsoft SharePoint Designer
- RSS feeds
- Search security trimming
The following several test cases failed but there are not blockers at this point. You could refer to my previous blogs on the issues.
- SOAP access
- REST access
- API access - Any server API does bot apply security policy
- SharePoint calendar through Outlook security support - this does not seems to be protected
- Customized WCF web services not inside SharePoint not supported
D. NextLabs Compliance Reporting
Compliance Auditing and Reporting - This activity will demonstrate NextLabs’ robust reporting features for generating activity and audit reports for compliance.
4. Key Enhancements Requested and Roadmap - The enhancements we requested at this point are around features, performance, and maintainability. Here is the summary.
- FAST search security trimming support - May be included in Q3 2013 depends whether Microsoft provides ISecurity API
- SOAP web services security support - Planed in Q4 2012
- REST web services security support - Planed in Q4 2012
- SharePoint Calendar through Outlook security support - Need to esculate to vendor
- Performance improvement to select users from policy controller - Planed in Q4 2012
In summary, although there are some issues on NextLabs SharePoint entitlement manager product, it does seem to satisfy our current SharePoint deny access security requirement. We are working with security team to see whether we should move forward implementing this in our environment.
We have more findings such as secure site collection and block users using properties.