Our security department has identified some SharePoint 2010 site collections that need to be restricted from the members of certain security groups. The requirement is that users who belong to those security groups must be denied access to selected site collections holding sensitive information, even if they have been granted permission through an individual account, an AD group, or an email distribution group. There are several options, and the NextLabs Entitlement Manager for SharePoint seemed a good fit for this security requirement, as indicated in my previous blog.
After a POC engagement of several weeks with NextLabs consultants, we have completed all the test cases. The tool appears to meet our requirement. There are some limitations, such as the lack of web service support in this product, but they do not seem to be showstoppers. Here is a summary of the key benefits, key features, key test cases with results, and key enhancements requested.
1. Key Benefits - NextLabs describes Entitlement Manager for SharePoint as a content-aware entitlement management solution that provides the capability to authorize, classify, enforce and audit access to enterprise resources across Microsoft SharePoint. It allows large enterprises to collaborate securely, internally and externally, while helping them meet regulatory compliance obligations and protecting data both on and off the SharePoint environment. The key benefits are listed below; you can refer to the previous blog for the details.
- Compliance for Obligatory Regulations
- Increases Enterprise-wide Adoption of SharePoint
- Extends and Enhances SharePoint Security
- Fast and Easy to Manage Solution
- Significantly Reduces Management Cost
- Improves Time to Value
2. Key Features - The vendor positions Entitlement Manager for SharePoint as the only complete solution in the industry that covers the four processes (Authorization, Classification, Enforcement and Audit) needed for effective entitlement management, applying fine-grained, adaptive authorization policies to a wide range of resources accessed through any channel. You can refer to the vendor site for the details of each feature.
- Adaptive and Intelligent Authorization Policies
- Built-In Content Aware Data Classification
- Most Comprehensive SharePoint Enforcement
- Centralized Audit Persistent Protection of Data
3. Key Test Cases with Results - NextLabs' solutions support our company's goals through policy-based information access controls, information distribution controls, and robust audit and compliance capabilities. This Proof of Concept focused NextLabs' set of tools and controls on a variety of business situations that reflect the everyday activities of company users who access restricted data. Key areas addressed by the POC include the following:
- Robust policy construction through an easy-to-use graphical user interface based on XACML standards.
- Ease of integration with user information repositories for use in policy construction, including Active Directory and SharePoint.
- Ease of integration with SharePoint for rapid deployment of the enforcement point without the need to develop custom code.
- Allow only approved users to access restricted data.
- Audit user activity to ensure compliance and protection of restricted information.
Here are all the test cases that passed in the POC.
A. NextLabs Deployment and Integration
- Deploy Control Center, Policy Studio and Compliant Enterprise for SharePoint - This activity demonstrates NextLabs' capability to deploy the policy administration point (Control Center), policy decision point and policy enforcement point onto a standard company server platform (Windows Server 2008 R2) and SharePoint Server 2010.
- Enroll users from Active Directory and SharePoint - This activity demonstrates NextLabs' capability to import data from an external LDAP repository and from SharePoint into Control Center and create a policy based on user identity information.
B. NextLabs Policy
Management
This section demonstrates the role delegation, workflow, management, and policy auditing functionality of NextLabs' Control Center solution.
- Role based access control - This activity demonstrates NextLabs' ability to assign different Control Center roles based on the user's function within the compliance organization.
- Policy Workflow - This activity demonstrates the policy workflow that is part of the Control Center solution.
- Create restricted access policy using Policy Studio - This activity demonstrates the ease of creating robust policy from customer business use cases in Policy Studio, the policy authoring tool that is part of Control Center.
- Revision History Reporting - This activity demonstrates the policy revision management that is part of the Control Center solution.
- Server and Enforcer Health Status and Monitoring - This activity demonstrates NextLabs' ability to report server and enforcer health status, configuration and policy deployment status through the Control Center administrator GUI.
C. NextLabs
Entitlement
Only allow authorized users to access restricted information - This activity demonstrated NextLabs' ability to deny certain users access to restricted document libraries or lists even if SharePoint itself grants them access to those libraries/lists. In this case the decision is based on membership in a restricted AD group. We tested the following access channels.
- Browser
- Explorer view
- Microsoft Outlook
- Microsoft SharePoint Designer
- UNC
- WebDAV
- RSS feeds
- Search security trimming
The following test cases failed, but they are not blockers at this point. You can refer to my previous blogs on the issues.
- SOAP access
- REST access
- API access - the server object model does not apply the security policy
- SharePoint calendar through Outlook - this does not seem to be protected
- Custom WCF web services hosted outside SharePoint are not supported
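The deny requirement above only matters where SharePoint's own permission model would otherwise let a restricted user in, so before relying on the enforcement point it is worth measuring that exposure per site collection. The script below is an added example written for this post; it is not part of the NextLabs product or of the POC test cases. It runs in the SharePoint 2010 Management Shell on a farm server that also has the ActiveDirectory module, expands the restricted AD group recursively, and reports every account SharePoint would admit to each web, whether granted directly, through a SharePoint group, or through an AD group nested somewhere under a SharePoint grant. The group name and site URLs are placeholders.

```powershell
# Added example (not from the original post or the NextLabs product):
# list accounts that SharePoint itself admits to a site collection even
# though they belong to a restricted AD group. Run in an elevated
# SharePoint 2010 Management Shell on a server that has RSAT installed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$RestrictedGroup = 'SP-Restricted-Users'                 # placeholder AD group
$SiteUrls        = @('http://intranet/sites/finance',    # placeholder URLs
                     'http://intranet/sites/legal')

# Reduce a SharePoint login ("DOMAIN\user" or claims "i:0#.w|DOMAIN\user")
# to a lower-case sAMAccountName so it can be compared with AD output.
function Get-SamAccountName([string]$LoginName) {
    $name = $LoginName.Split('|')[-1]   # drop a claims prefix, if any
    $name = $name.Split('\')[-1]        # drop the domain
    return $name.ToLowerInvariant()
}

# Recursive expansion of an AD group into user sAMAccountNames. Yields an
# empty set for principals that are not AD groups (NT AUTHORITY\..., etc.).
function Get-UserMembers([string]$GroupName) {
    $set = New-Object 'System.Collections.Generic.HashSet[string]'
    try {
        Get-ADGroupMember -Identity $GroupName -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { [void]$set.Add($_.SamAccountName.ToLowerInvariant()) }
    } catch { }
    return ,$set   # leading comma keeps PowerShell from unrolling the set
}

$restricted = Get-UserMembers $RestrictedGroup
$view       = [Microsoft.SharePoint.SPBasePermissions]::ViewListItems

$findings = foreach ($url in $SiteUrls) {
    $site = Get-SPSite -Identity $url -ErrorAction Stop
    try {
        foreach ($web in $site.AllWebs) {
            try {
                foreach ($principal in $web.SiteUsers) {
                    if ($principal.IsDomainGroup) {
                        # Access granted to an AD group: restricted users nested
                        # inside it reach the web without ever being listed directly.
                        $members = Get-UserMembers (Get-SamAccountName $principal.LoginName)
                        $members.IntersectWith($restricted)
                        foreach ($sam in $members) {
                            [pscustomobject]@{ Web = $web.Url; User = $sam
                                               GrantedVia = "AD group $($principal.LoginName)" }
                        }
                    } elseif ($restricted.Contains((Get-SamAccountName $principal.LoginName)) -and
                              $web.DoesUserHavePermissions($principal.LoginName, $view)) {
                        # Direct grant or membership in one or more SharePoint groups.
                        $spGroups = ($principal.Groups | ForEach-Object { $_.Name }) -join ';'
                        [pscustomobject]@{ Web = $web.Url; User = $principal.LoginName
                                           GrantedVia = $(if ($spGroups) { "SP groups $spGroups" } else { 'direct' }) }
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

$findings | Sort-Object Web, User | Format-Table -AutoSize
```

Two caveats. The script reports what SharePoint's own ACLs allow; it says nothing about the entitlement manager's decision, so a restricted user listed here is exactly the case the POC policy is meant to deny, and the same user should be re-checked through each channel after the policy is deployed. It also checks only the web object model, so it cannot tell you whether SOAP, REST or direct API callers bypass the enforcement point, which is the gap the failed test cases above describe.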
D. NextLabs Compliance Reporting
Compliance Auditing and Reporting - This activity demonstrated NextLabs' reporting features for generating activity and audit reports for compliance.
4. Key Enhancements Requested and Roadmap - The enhancements we requested at this point concern features, performance, and maintainability. Here is the summary.
- FAST search security trimming support - May be included in Q3 2013, depending on whether Microsoft provides an ISecurity API
- SOAP web services security support - Planned for Q4 2012
- REST web services security support - Planned for Q4 2012
- SharePoint calendar through Outlook security support - Needs to be escalated to the vendor
- Performance improvement when selecting users from the policy controller - Planned for Q4 2012
In summary, although there are some issues with the NextLabs SharePoint Entitlement Manager product, it does seem to satisfy our current SharePoint deny-access security requirement. We are working with the security team to decide whether to move forward with implementing it in our environment.
We have more findings, such as securing a site collection and blocking users based on properties, to cover later.