Displaying site information security classification on every page using a custom SPFx extension — Part I

April 21, 2018, by bernierh

Value proposition

As an independent consultant, I get to work with a lot of organizations in both public and private sectors. Most deal with various levels of security classification.

Governance is always a hot topic with SharePoint. Most understand the importance of governance; some shrug it off as a “we’ll deal with it when it becomes a problem” — which is never a good idea, as far as I’m concerned.

But what if we could make applying governance in SharePoint a lot easier? So easy, in fact, that it would be more painful to deal with it when it becomes a problem.

That’s what I hope to do with this series of blog articles: demonstrate easy ways to introduce some level of governance using new enabling technologies — like SPFx web parts, extensions, and site scripts.

My goal is not to duplicate the work of Microsoft and others; I may use a very simple approach in this first post to keep the example easy to understand, but I fully intend to leverage out-of-the-box Office 365 features like Data Loss Prevention (DLP).

I hope you’ll stick with me for the journey!

Information security classification

Information security classification, or simply information classification, is a step in the process of managing information. There are people who are way smarter about this topic than I am, and ISO/IEC 27001 covers it (information classification is one of its Annex A controls), so I'll avoid a detailed explanation.

…But I'll definitely throw in a gratuitous graphic. I guess my time at McKinsey & Company rubbed off on me.

Managing classified information typically consists of 4 steps:

  • Asset inventory: finding out what kind of information your organization has, and who is responsible for it.
  • Information classification: identifying how sensitive the information is. How bad would it be if this information were leaked, its integrity compromised, etc.? There is no one way to classify information; it depends on your organization's size, industry, country, etc. The most frequently used examples are:
    • Confidential: top confidentiality level
    • Restricted: medium confidentiality level
    • Internal use: lowest level of confidentiality
    • Public: everyone can see the information
  • Information labelling: you kinda need to tell your employees how the information is classified so that they can handle it properly.
  • Information handling: where you define rules and processes around how to handle the information.

This article will focus on the information handling part of the process.

Microsoft’s information classification

Microsoft internally classifies their information as follows:

    • High Business Impact (HBI): Authentication and authorization credentials (e.g., usernames and passwords, private cryptographic keys, PINs, and hardware or software tokens), and highly sensitive personally identifiable information (PII), including government-issued identifiers (e.g., passport, social security, or driver's license numbers), financial data such as credit card information, credit reports, or personal income statements, and medical information such as records and biometric identifiers.
    • Moderate Business Impact (MBI): All personally identifiable information (PII) that is not classified as HBI, such as information that can be used to contact an individual (name, address, e-mail address, fax number, phone number, IP address, etc.) and information regarding an individual's race, ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual orientation, or commission or alleged commission of offenses and court proceedings.
    • Low Business Impact (LBI): All other information that does not fall into the HBI or MBI categories.

A while ago, Microsoft also released on GitHub a solution that applies this classification to SharePoint sites. They also have a great case study that shows how they approached classification on their own content.

So, since I want to keep things simple, I’ll use HBI, MBI, and LBI classification labels in my example. You can use your own classification if you want.

Using SPFx extensions to add a header

If you read my equally long post on creating SPFx extensions, you'll know that SPFx extensions let you run your own code on every page of a site. To keep this example really simple, I'll create a header that reads the site's property bag and displays a very simple Office UI Fabric Message Bar indicating the site's classification. It isn't going to be particularly pretty, but we can improve on looks later. Keep in mind what this does and doesn't do: the bar runs in the user's browser and tells people how the site is classified and where the handling rules live, but it enforces nothing. Anything that has to block or remove sensitive content belongs in server-side features such as DLP, and the property bag value the bar reads is only as trustworthy as the people who are allowed to edit the site's properties.

The bar will say “This site is classified as [LBI|MBI|HBI]. Learn more about the proper handling procedures.”, but you can make it say whatever is appropriate for you.
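Before we get to the SPFx plumbing, here is the part of the banner that can be worked out without the SPFx runtime, as an added example (it is not code from the post or from Microsoft's solution): looking the label up in the JSON that /_api/web/allProperties returns, validating it, and deciding what the Message Bar should show. The property bag key sc_BusinessImpact, the Message Bar colour mapping and the fail-closed default to HBI are assumptions made for this example; the _x005f_ key encoding is how SharePoint's REST layer actually returns property names containing an underscore. The ApplicationCustomizer class, placeholder and REST call are assumed and omitted.

```typescript
// Added example (not code from the original post). Pure logic for the
// classification banner: read the label from a property bag, validate it,
// and build the model the Message Bar would render. The SPFx wiring
// (ApplicationCustomizer, placeholder, REST call) is assumed and not shown.

type Classification = "LBI" | "MBI" | "HBI";
type MessageBarType = "info" | "warning" | "severeWarning"; // Office UI Fabric names

// ASSUMPTION: the property-bag key the site owner sets. Any name works as
// long as the extension and the provisioning script agree on it.
const CLASSIFICATION_KEY = "sc_BusinessImpact";

// The JSON returned by /_api/web/allProperties is a flat object of strings.
type PropertyBag = { [key: string]: string };

// SharePoint's REST layer encodes characters that are not valid in OData
// property names as _xHHHH_ (the same scheme as list field internal names),
// so the underscore in "sc_BusinessImpact" comes back as "sc_x005f_BusinessImpact".
function encodePropertyBagKey(key: string): string {
  return key.replace(/[^A-Za-z0-9]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16);
    return "_x" + ("0000" + hex).slice(-4) + "_";
  });
}

const LEVELS: readonly string[] = ["LBI", "MBI", "HBI"];

function isClassification(value: string): value is Classification {
  return LEVELS.indexOf(value) !== -1;
}

// Returns the validated label, or undefined when it is missing or not one of
// the three known values. The raw string is never passed on: anyone who can
// edit the site's properties can write anything here, so treat it as untrusted.
function readClassification(bag: PropertyBag, key: string = CLASSIFICATION_KEY): Classification | undefined {
  const encoded = encodePropertyBagKey(key);
  // Accept the plain key too, for bags that were not built from the REST response.
  const raw = encoded in bag ? bag[encoded] : bag[key];
  if (typeof raw !== "string") return undefined;
  const normalized = raw.trim().toUpperCase();
  return isClassification(normalized) ? normalized : undefined;
}

interface BannerModel {
  level: Classification;
  messageBarType: MessageBarType;
  text: string;
  fallback: boolean; // true when no valid label was found and HBI was assumed
}

// ASSUMPTION: the colour mapping and the fail-closed default are choices made
// for this example. An unlabeled or tampered site is shown as HBI rather than
// as LBI or with no bar, so the strictest handling rules apply until an owner
// fixes the label.
function buildBanner(bag: PropertyBag, key: string = CLASSIFICATION_KEY): BannerModel {
  const found = readClassification(bag, key);
  const level: Classification = found === undefined ? "HBI" : found;
  const typeByLevel: { [L in Classification]: MessageBarType } = {
    LBI: "info",
    MBI: "warning",
    HBI: "severeWarning",
  };
  return {
    level,
    messageBarType: typeByLevel[level],
    // Only the validated enum value is interpolated, so this text is safe to
    // hand to the Message Bar. If you ever render a raw bag value, set it via
    // textContent, never innerHTML.
    text: "This site is classified as " + level + ". Learn more about the proper handling procedures.",
    fallback: found === undefined,
  };
}

// Constructed sample bags standing in for /_api/web/allProperties responses.
const sampleBags: PropertyBag[] = [
  { vti_x005f_defaultlanguage: "1033", sc_x005f_BusinessImpact: "hbi" },
  { sc_x005f_BusinessImpact: " mbi " },
  { sc_x005f_BusinessImpact: "<img src=x onerror=alert(1)>" }, // tampered value
  {}, // no label at all
];
for (const bag of sampleBags) {
  const banner = buildBanner(bag);
  console.log(banner.messageBarType + (banner.fallback ? " (fallback)" : "") + ": " + banner.text);
}
```

Two design points worth carrying into the real extension: look the key up in its encoded form, or the banner will silently report the fallback on every site, and never echo the property bag string itself into the page, since a tampered value then becomes an injection point on every page of the site.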

Here is what the HBI header will look like:
HBI header

The MBI header:
MBI header

And the LBI header:
LBI header

In the next article, we’ll start writing the code.

Ready? Let’s get coding!

Creating the SPFx extension solution

  1. Using the command line, create a new project directory:
     md classification-extension
  2. Change the current directory to your new project directory:
     cd classification-extension
  3. Launch the Yeoman SharePoint generator:
     yo @microsoft/sharepoint
  4. When prompted for the solution name, accept the default classification-extension.
  5. For the baseline package, select SharePoint Online only (latest).
  6. When asked Where do you want to place the files?, accept the default Use the current folder.
  7. When asked whether you want to allow the tenant admin the choice of deploying the solution to all sites immediately, respond Yes (unless you really want to deploy it to every single site manually). For a governance banner that is what you want, but it also means this code runs on every page of every site it is deployed to, so keep it small and review it like any other tenant-wide change.
  8. When asked for the type of client-side component to create, select Extension.
  9. Select Application Customizer when asked Which type of client-side extension to create.
  10. Almost there. For Application Customizer name, use ClassificationExtension. Keep this name under 40 characters.
  11. For Application Customizer description, enter Displays the site's information security classification.
  12. Watch the miracle that is Yeoman creating the project for you. It'll take a few minutes. Eventually, it'll say Congratulations! Solution classification-extension is created. Run gulp serve to play with it! We're not quite ready yet.
  13. Launch Visual Studio Code and open the new project you created. From the command line, type:
     code .
