Balancing information sharing with information security

In my previous blog entry I mentioned the need to balance information sharing with information security. This is a particularly hot topic for our government and military customers, where they are dealing with a number of challenges:

1) The need for improved information sharing across agencies and coalition missions
2) New internet technologies that make it easier to share information
3) A desire for more openness in government

To enable effective and secure information sharing, military organizations have historically relied on classification markings. These markings make it possible to quickly identify information sensitivity and determine proper handling. For example, a document may be marked as CONFIDENTIAL//REL TO USA, CAN, GBR. This determines who can read the document, and how it should be protected.

The same principles can be applied in SharePoint, where it's possible to add classifications using SharePoint columns and content types. (Users can also add classifications using a tool like Titus Labs Document Classification.) These classifications can be used to control document access wherever those documents reside in SharePoint.

The end result is that you can now share documents securely, and open up your SharePoint environment in ways that you might not have considered before. Here are a couple examples from conversations I've had with customers:

1) A coalition-based military organization wants to have a master SharePoint repository, with replicated sites that show only certain documents for certain users.
2) A military university wants to make documents available to its students on SharePoint, but wants to prevent non-NATO country students from accessing certain documents.

In both these cases, Titus Labs Metadata Security for SharePoint can be used to achieve the goals of the organization. Provided that the documents have metadata (such as classification), you can control access while providing enhanced information sharing for your users.

If you want to read more about using classification markings for information sharing, have a look at this white paper that I wrote.

-Lara

Feedback from the SharePoint conference

I've heard nothing but great reports from the SharePoint conference in Las Vegas. Sounds like it was a very valuable event for both users and vendors, and I wish I could have been there!

While Charlie recovers from his post-show weekend in Vegas, I'm going to write a couple of the blog entries for this week. I thought this would be a good time to review the SharePoint products that Titus Labs offers, since the blog has new readers from the conference.

The feedback I've heard is that two of our products in particular generated a lot of interest at the show:

1) Titus Labs Metadata for SharePoint: This product lets you easily control access to SharePoint documents based on metadata. With this method, you can provide item level security without having to set up permissions for individual documents. Military and government customers in particular find this useful because it lets them balance the needs of information protection with information sharing (the topic of a blog post later this week).

2) Titus Labs PDF Control for SharePoint: This product automatically converts Office documents in SharePoint to PDF. This is great when you want some people to have access to the original Office version, and others to have access only to the PDF. It's also very useful if you need to convert Office documents to PDF for archiving.

There was also lots of interest in our free Document Converter for SharePoint promotion. This product lets you automatically convert Office 97-2003 format documents to Office 2007 format, including bulk conversion. Charlie and the team also answered many questions about our Document Marking for SharePoint product, which adds watermarks and classification markings to Office documents.

We'll soon have more exciting news to share about new SharePoint releases due out this winter. Charlie has been working with many customers to gather feedback about enhancements and new features, and I'm sure he has more ideas after attending the conference. We're also looking forward to hearing his thoughts on SharePoint 2010, so stay tuned for more posts on that in the coming weeks.

-Lara

Using SharePoint 2010 Content Organizers

Well, today is the last day here at the Microsoft SharePoint conference.  It's been a busy week.  Being at the show you can feel the momentum Microsoft has built with SharePoint.  There is a tremendous community of skilled SharePoint developers, administrators that have bought into the SharePoint platform. SharePoint 2010 will propel this another step forward.

For SharePoint 2010, Mcrosoft has introduced a couple of new methods for getting files and metadata into SharePoint,  so I thought I would make that my topic today.

When first getting started with SharePoint, organizations often want to migrate infromation stored on file shares up into SharePoint.  In addition, they would like to populate some metadata with the files transferred into SharePoint.  The metadata can be used for search, security, or retention.  In SharePoint 2010 Microsoft has introduced a new feature called the Content Organizer.  The Content Organizer is a way to route new files into the appropriate folder, document library, records center etc. The content organizer allows you to specify rules so that when files enter the drop-off folder or library, rules are applied to route the files to the correct location.

A site administrator can define a content organizer that will route new documents based on metadata.  For example, all files tagged as "Finance" could be routed to a Finance document library, and all documents tagged as HR could be routed to an HR document library. In addition, if files have been tagged as "Archive"  they could be routed to a Records Center.  Using metadata with the Content Organizer feature provides a myriad of document management possibilities. It's a great way to migrate a large number of file share documents up into appropriate libraries or folders in SharePoint 2010.  If you have files that have never been tagged with metadata you can use a tool like the Titus Labs Shell Extension, or you could use the new File Classification Infrastructure that is part of Windows 2008 R2 as explained in one of our earlier posts.

In order to turn on a Content Organizer go to Site Settings, pick Content Organizer Rules and create your rules. When creating a rule you can use any of the metadata fields associated with the file. You can also have the content organizer automatically create subfolders inside a /Pages library if the target location is getting too big. Here is a look at one of the screens.

In addition to bulk uploading files shares into SharePoint using the Upload Multiple Documents method, Microsoft will also be providing a script which can be used to automate the process of moving file shares into SharePoint. This can also be used with SharePoint 2007.

Microsoft Embraces Metadata in SharePoint 2010

I'm at the Microsoft SharePoint conference this week and it's all about SharePoint 2010.  It seems to be a huge release for Microsoft with a wide range of new features for end-users, IT pros and developers.  I took in the general keynotes yesterday and then finished the day at the "ECM for the Masses" presentation.  Because our focus is on metadata I was especially pleased with this last presentation that started to dig into all of the new metadata features and how they can be used for document and information management.

Microsoft is really embracing the use of metadata in SharePoint 2010.  There are a number of new features that help the user generate valid metadata and help users more effectively search and filter information in SharePoint based on this metadata.  I won't be able to cover all the new stuff here, but will be covering this in more detail over the coming weeks and months.

I guess the most important new feature is what Microsoft is calling Managed Metadata Services.  This is a service that can be activated via Site Settings that allow organizations to define their metadata structure and the metadata that is valid for use within SharePoint.  This defined taxonomy can be hierarchical if it fits the organization.  Users can quickly navigate the tree when creating content to assign relevant metadata. The Managed Metadata Service is an Enterprise service.  A configured metadata service can be used to provision metadata across multiple farms in the organization.  As single document ibrary can consume from multiple metadata providers.

The metadata can be assigned to documents both within SharePoint, but also directly within Office 2010 documents using the properties features in Office 2010 Backstage. Within the properties in Backstage a user can click on a SharePoint custom column name (e.g Project) and then navigate the metadata tree to assign the properties.

In addition to the managed metadata service, Microsoft is also embracing folksonomies or ad-hoc metadata in SharePoint 2010.  Users can add their own tags to information.  This can be done in document libraries but also in the new social media features such as wikies, blogs etc. SharePoint will keep track of these tags and make them available next time a user wants to assign a tag.  SharePoint tracks all these add-hoc tags as well as the managed metadata in what they are calling "SharePoint Keywords".

So what is so great about all of these new metadata features?  Well it's how they can be used that's powerful.  Microsoft has introduced the concept of "navigators" in SharePoint 2010 that will allow users to find information very quickly.  These navigators can appear in a left hand pane of SharePoint. By clicking on metadata tags or by navigating a metadata hierachy in the navigator, the user can narrow down the scope of the information they are looking at in SharePoint.  For instance the user could navigate to Finance metadata, and then perhaps to mergers, to find all of the documents that have been tagged as "merger" in the document library.  This is great stuff for e-discovery also.

Well. that's it for now.  More to come later this week...Charlie

SharePoint Conference - One Week to Go to Free Software

We are one week away from the start of the SharePoint Conference in Las Vegas.  By all indications (early sellout) it looks like it will be an extremely successful event.  We are just finishing up our preparations for our participation in the show.  This will be our first time at the conference.  We will have a booth in the exhibitor area.  It will be a bit of a coming out for us as we will be making people aware of all the new SharePoint applications we launched this year. We look forward to seeing you at the show.

For people who visit us at the show we'll be giving away for free our Document Converter for SharePoint software. This software automatically converts Office 97-2003 documents to Office 2007 format when the documents are saved or uploaded into a SharePoint library.  This can be useful for anyone migrating to Office 2007.  It allows you to bulk convert large numbers of documents to Office 2007 format simply by dropping them into a SharePoint library.  Drop by and get the code which will allow you to download this software from our website.

The conference is also a coming out for SharePoint 2010.  There will be a number of metadata and taxonomy improvements in 2010 and I look forward to some detailed sessions on these topics. As you would expect we will also be giving demonstrations of all of our software during the show. See you at the show!

SharePoint Security - Inheritance - Good or Bad?

The standard SharePoint security model is primarily based on the concept of inheritance. Any time a new object such as a document library or list is created, the object automatically inherits the security permissions of its parent.  For example, if we create a new document library in a site, the document library will inherit all the security permissions of the site.    This is different from the way a lot of security works. Security experts prefer an environment that has no permissions associated with a new object like a document library.  In that model, you start with a clean slate and assign permissions that are appropriate for the object.  Let’s look at the major advantages and disadvantages of SharePoint’s inheritance based security:

Advantages

1.    Extremely easy to setup.  When you create a new document library, you are off to the races.  No special security configuration is needed.  This is strength in small distributed SharePoint implementations where the group shares everything and security is not a big concern.  In this type of environment simplicity and speed are the most important factors.

2.    It is always possible to break the inheritance and assign specific permissions for an object.  So, in addition to being very easy to setup, it is also flexible enough that you can tailor permissions for certain objects which require special security.

3.    Any change to a permission in the parent site is automatically applied to any child sites.  This means I only need to make a security change in one place and that change will be automatically applied to all the child sites.

4.    Does not require special administrator training on security.  You don’t need a security expert to setup SharePoint.  Your standard SharePoint administrator can handle all the security tasks.

5.    Inheritance can cascade down several levels.  If you have a folder created in a document library, which is part of a site, the permissions can flow down to the folder and all of the documents in the folder automatically.

Disadvantages

1.    Because it is so easy to setup, many SharePoint administrators don’t even think about security permissions.  This can lead to situations where certain sensitive information saved to SharePoint can be inadvertently compromised.

2.    Permission inheritance assumes that permissions for a particular document library should be the same as permissions for all the other document libraries.  This is often not the case as some document libraries may contain more sensitive information.

3.    This model is hard to administer if you want to change permissions. If you don’t want to inherit the permissions there is no way to stop the inheritance.  You still need to break the inheritance from the parent object and then go in and manually remove all the permissions that are not appropriate.  This can be a very time consuming task.  The only situation where you can say that you don’t want to inherit permissions is for a sub-site.  It would be nice if you could do this with other objects like document libraries and lists.

4.    There is a lack of tools for administrators if an organization does not want to use inheritance. Setting up unique permissions for libraries and documents is difficult and time consuming.  Maintaining these unique permissions is even more difficult.  How does an administrator know which libraries or documents have unique permissions?  There are no reports which provide this information.  As a result it is very hard to track and maintain objects which have unique permissions which may need to be changed at some point.

To learn more about standard security for SharePoint document libraries and inheritance check out my SharePoint Security video on YouTube.

Charlie

Other Useful SharePoint Metadata Blog Posts

Here are some other blog posts that cover SharePoint metadata that I've found useful:

Top 10 SharePoint Metadata Tips for 2008 - Part I

Top 10 SharePoint Metadata Tips for 2008 - Part II

Updating Metadata on Files in SharePoint: Low Cost, High Reward

IDC Survey Says Metadata Management Important in SharePoint

Using metadata instead of folders

Use Quick Parts to Display Metadata fields

Enjoy the weekend reading!