How to create a secure efficient extranet user experience

Post on 11-Nov-2014

DESCRIPTION

Jeremy Thake, SharePoint MVP and AvePoint Enterprise Architect, introduces why organizations leverage extranets, shares the common issues found in customers' extranet environments, and discusses the advantages and disadvantages of the available approaches to authentication and topology. Jeremy then illustrates the importance of instilling appropriate governance for extranets built on SharePoint so that the common issues identified are mitigated, including guidance on what processes can be put in place to ensure a better user experience.

TRANSCRIPT

1. Governing your Extranet for a better user experience
   Jeremy Thake, Enterprise Architect

2. Jeremy Thake
   • Enterprise Architect, AvePoint
   • SharePoint MVP since July 10
   • Founded SharePointDevWiki.com
   • Co-founder of NothingButSharePoint.com
   • Speaker at MS TechEd 2009/10, SPC 11
   • jeremy.thake@avepoint.com, gplus.to/jthake, @jthake, www.linkedin.com/in/jeremythake

3. Agenda
   • What is an extranet?
   • Common issues with extranets
   • Authentication sources
   • Extranet topologies
   • Enforcing processes

   2011 AvePoint, Inc. All rights reserved. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.

4. What is an Extranet?

5. What is an extranet?
   • Controlled access from external networks
   • Typically walled areas of content
   • Access by internal and external users via authentication
   • A mixture of published read-only content for reference and shared collaboration content, accessible internally and externally to the company

6. Examples
   • Software partner extranet: manuals, software, blogs, discussion forums
   • Engineering partner extranet: collaborating on documents; project plans, meeting minutes, agendas, etc.
   • Software customer extranet: portal for various systems (helpdesk, sales)

7. Common issues with Extranets

8. Onboarding
   • Creating new users
   • 1-to-1 vs. shared accounts
   • ECAL licensing

9. Managing users
   • Forgotten passwords
   • Access requests
   • Expiring accounts
   • Claims

10. Internal content
   • Content collaborated on and managed internally
   • Making published versions available securely
   • Internal users' aggregated view
   • Data sensitivity issues
   • Auditing

11. Branding & Navigation
   • Purposely looks different from internal content
   • Cross site collection navigation
   • Internal users have to look in both Intranet and Extranet

12. Authentication sources

13. Active Directory
   • Existing AD, external users in an OU alongside internal users: most organizations won't agree with this
   • Existing AD, but external users isolated in their own OU: some organizations won't like external users in the internal AD at all
   • External AD with a one-way trust: some won't like even the trust
   • Office 365 federated

14. Claims Based Auth
   • Forms Based Authentication (FBA)
   • Azure ACS (Live ID, Google, Facebook)
   • ADFS 2.0
   • Office 365 Microsoft Online ID

15. Extranet topologies

16. Edge firewall

17. Edge firewall
   Pros:
   • Simplest solution
   • Inside corporate network
   • One site for both internal/external
   Cons:
   • Security model complex
   • Sensitive docs visible
   Note: a single firewall separates the corporate network from the internet.
   http://technet.microsoft.com/en-us/library/cc263513.aspx

18. Back-to-back perimeter

19. Back-to-back perimeter
   Pros:
   • Isolated to a single farm
   • External user access is isolated to the perimeter network
   Cons:
   • Additional n/w gear required
   Note: a single firewall separates the corporate network from the internet.
   http://technet.microsoft.com/en-us/library/cc263513.aspx

20. Back-to-back perimeter with cross-farm services

21. Back-to-back perimeter with cross-farm services
   Pros:
   • Isolation from corporate network
   • Network traffic isolation
   • Prevents sensitive doc leaks
   • Shared services managed corporate
   Cons:
   • Additional SP farm required
   • Additional n/w gear required
   • Two-way trusts required for some
   • No mechanism to publish content from internal to external
   http://technet.microsoft.com/en-us/library/cc263513.aspx

22. Back-to-back perimeter with content publishing

23. Back-to-back perimeter with content publishing
   Pros:
   • Isolation from corporate network
   • Network traffic isolation
   • Prevents sensitive doc leaks
   • Shared services managed corporate
   • Ability to publish content from internal to external
   Cons:
   • Additional SP farm required
   • Additional n/w gear required
   • Two-way trusts required for some
   • Content management complex
   • No two-way content sync (read-only)
   http://technet.microsoft.com/en-us/library/cc263513.aspx

24. Split back-to-back

25. Split back-to-back or stretched farm
   Pros:
   • SQL stored in corporate n/w
   • One site for both internal/external
   Cons:
   • Domain trust required
   • Complex architecture
   • Interfarm comms in 2 n/w
   • Sensitive docs visible
   http://technet.microsoft.com/en-us/library/cc263513.aspx

26. Split back-to-back optimized for content publishing

27. Split back-to-back optimized for content publishing
   Pros:
   • SQL stored in corporate n/w
   • Ability to publish content from internal to external
   Cons:
   • Domain trust required
   • Complex architecture
   • Interfarm comms in 2 n/w
   • Content management complex
   • No two-way content sync (read-only)
   http://technet.microsoft.com/en-us/library/cc263513.aspx

28. Office 365 SharePoint Online

29. Office 365 SharePoint Online
   Pros:
   • Quick to set up
   • Provisioning users outside AD
   Cons:
   • Additional costs of subscriber model
   • Some features not available
   • No supported OOTB content publishing

30. Enforcing processes

31. New content area
   • Site collection or sub site provisioning
   • Site templates, service level agreements
   • Security model:
     • Grant users direct permissions
     • Add users to preexisting SharePoint groups
     • Add users to preexisting AD groups
     • Grant a claim direct permissions
   • Chargeback

32. Provisioning a new user
   • SharePoint requires you to create the user first:
     • Active Directory requires IT to create the user
     • OpenID sources can be created by the user
   • Once created:
     • Can authenticate
     • Request authorization (turn on Manage Access Request in Site Permissions)
   • Better approach: a request form
     • "Same as user X"
     • Tick what roles are required, or list the projects being worked on

33. Security audits
   • Viewed content: by user, by third-party organization
   • Transmittals
   • Accessible content: see what they can see
   • Out-of-the-box audit data is pruned after 60 days
   • DocAve Auditor allows retention of audit data

34. Publishing content to the Extranet
   • Content Deployment: one-way; can be set on the published flag
   • Content Deployment APIs have a history of issues
   • AvePoint Replicator allows replication of content based on business rules

35. Decommissioning a content area
   • Lifecycle of content areas: project finish; unused areas based on activity on the site
   • Records Management compliance
   • DocAve Archiver can archive site collections

36. Decommissioning a user
   • Audits on whether users are still at the company
   • Enforce that external companies notify of people leaving
   • Enforce that a report is signed each month to confirm
   • Password expiry enforces an "is alive" check (needs an add-on to enable this)

37. Q&A
   Jeremy Thake
   www.NothingButSharePoint.com, jeremy.thake@avepoint.com, gplus.to/jthake, @jthake, www.linkedin.com/in/jeremythake

38. References
   • Extranet topologies: Planning an Extranet Environment for Office SharePoint Server
   • Michael Noel's presentation (technical)
   • Dan Holme: SharePoint Governance, Part I: Architecting SharePoint for Scalability and Enforceable Governance
   • Dan Holme: SharePoint Governance, Part II: Automating SharePoint Governance and Management
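The user-decommissioning checks from slide 36 (a signed monthly partner report, password expiry as an "is alive" check, and sign-in activity) applied in one review routine. This is an added example, not code from the deck or from any AvePoint product; the partner names, logins, thresholds and the account record layout are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PASSWORD_MAX_AGE = timedelta(days=90)   # expiry doubles as the "is alive" check
INACTIVITY_LIMIT = timedelta(days=60)   # no sign-in for this long gets reviewed

@dataclass
class ExternalUser:
    login: str
    partner: str                  # external company that sponsors the account
    last_logon: Optional[date]    # None = never signed in
    password_set: date            # date of the last password change
    attested: bool                # named on the partner's signed monthly report

def review_user(u: ExternalUser, today: date, partners_reporting: set) -> tuple:
    """Apply the decommissioning checks in order; return (action, reason)."""
    # A partner that sent no signed report this month gets its accounts
    # disabled (not removed) until the report arrives.
    if u.partner not in partners_reporting:
        return "disable", f"no signed report from {u.partner} this month"
    # The partner reported but did not vouch for this person: they have left.
    if not u.attested:
        return "remove", "not on partner report; user has left the company"
    # Password expiry as the is-alive check: an abandoned account never resets.
    if today - u.password_set > PASSWORD_MAX_AGE:
        return "disable", "password expired; is-alive check failed"
    if u.last_logon is None or today - u.last_logon > INACTIVITY_LIMIT:
        return "disable", "no sign-in within the inactivity limit"
    return "keep", "active and attested"

def review(users, today, partners_reporting):
    """Run the review for every external account: login -> (action, reason)."""
    return {u.login: review_user(u, today, partners_reporting) for u in users}

# Constructed sample data (hypothetical partners and logins).
TODAY = date(2011, 10, 1)
PARTNERS_REPORTING = {"partner-a"}          # partner-b sent no report this month
SAMPLE_USERS = [
    ExternalUser("alice@partner-a", "partner-a", date(2011, 9, 20), date(2011, 8, 1), True),
    ExternalUser("bob@partner-a", "partner-a", date(2011, 9, 25), date(2011, 9, 1), False),
    ExternalUser("carol@partner-a", "partner-a", date(2011, 9, 28), date(2011, 6, 1), True),
    ExternalUser("dave@partner-b", "partner-b", date(2011, 9, 30), date(2011, 9, 1), True),
    ExternalUser("erin@partner-a", "partner-a", None, date(2011, 9, 1), True),
]

if __name__ == "__main__":
    for login, (action, reason) in review(SAMPLE_USERS, TODAY, PARTNERS_REPORTING).items():
        print(f"{action:8} {login:18} {reason}")
```

The order of the checks matters: a missing partner report must be tested before the per-user attestation flag, otherwise every account at a late-reporting partner would be removed instead of temporarily disabled.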