ITAR Compliant Data Exchange Managing ITAR Data Across Collaborative Project Teams
WebSpace Customers Aerospace & Defense Manufacturing High Tech & Contract Manufacturing Automotive Manufacturing Medical/ Pharmaceutical Services/ Oil & Gas/Other 2
ITAR & EAR Regulations The International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR) were established by the U.S. Dept. of State to control the export of defense related technology and services. Specifically, all information and material related to ITAR Controlled Technology must be safeguarded from access by non U.S. persons unless a special license or exemption is obtained from the Dept. of State. WebSpace was architected from its inception (with funding from DARPA and input from the NSA) to provide a Private Cloud environment for secure, ITAR compliant content management and multi company collaboration. 3
WebSpace Platform = Private Cloud Solution Each WebSpace server is dedicated to a single host company and their designated trading partners Security model and hosting infrastructure specifically designed by leading aerospace and automotive manufacturers to support multi company project teams. Improves program execution while helping maintain ITAR compliance thru rapid deployment of secure, online project repositories. Low administrative overhead and economical subscription based licensing model. dl Outstanding track record of reliability and support 4
Core Platform Functionality Secure multi company project areas for cross firewall file sharing Document lifecycle management with enforced electronic approvals Action Item Manager Discussion forums Robust Reporting Full Text Search Engine with Security Filtering Flexible Administration Features Workflow driven eforms 5
3 Tier Architecture Data Center (or Customer Intranet) Firewall 1 Firewall 2 DMZ Internet DatabaseTier Application Tier Web Tier Port 1521 or 1443 Port 6802 HTTPS over Port 443 Remote Users Oracle or MS SQL Server Application Server with Java Servlet Engine called Resin Apache or IIS Web Server Active Directory Server (On premises installations only.) J2EE Application Supports all modern browsers You Host or We Host You Decide 6
Physical Security Data Center $100M SAS 70 Type II Certified Co Location Facility owned by AT&T with state of the art security, fire suppression, and backup power systems. On Internet backbone with fiber connections to all major telecom providers Strict physical access controls to facility, with no access to cages by non U.S. persons. 24/7 server monitoring and intrusion detection Nightly incremental tape backups and weekly full backups. Encrypted backup tapes moved to off site Iron Mountain storage facility every 30 days. Dedicated hardware and storage for our enterprise clients. Complete segregation of your dt data is provided. d Easy to move your data dt in house at any time. 7
Authentication Username and password authentication Password options include: Minimum and Maximum Password Ages Password length and format requirements Account lockouts after a configurable number of failed login attempts Automatic account deactivation i after a configurable duration of inactivity i i Optional Forgot Password function with configurable Password Hint options Ability to force re authentication upon approval of a workflow assignment. Customers who install WebSpace on premises can sync WebSpace user directory with Active Directory and optionally enable single sign on with their AD server. WebSpace also supports mixed mode authentication whereby internal users are authenticated against Active Directory and external users are authenticated via WebSpace WebSpace can also be customized for customers that require 2 factor authentication (i.e. username/password + FIPS 140 2 certified hardware token or biometric device). 8
Data Transmission WebSpace guarantees the integrity of all data, content and messages during transmission & storage. Cyclic Redundancy Checking (CRC), Digital Certificates and 1024 bit SSL encryption protects data and insures it hasn t been corrupted during transmission. 9
Email Notifications Users are alerted to new documents, document revisions, task assignments and discussion threads via email notifications. Emails sent from the WebSpace server never contain attachments, only links to reference documents. Anyone following such a link is first prompted to authenticate prior to gaining access to the document. All email notifications from server are logged Customer specific legal/disclaimer text can be added to both the email notifications and the login page to alert recipients of ITAR regulations. Upon first login, users must accept a Click through Agreement which can be modified to include customer specific terms of use. 10
User Management User Management on the WebSpace server can be: 1. Centralized and handled by one or more Server Admins who create separate companies on the server and add users to them. 2. Delegated across multiple Company Admins who can only administer users within their own company. User management is clearly l segregated tdfrom permissions i management in WebSpace. Server Administrators designate who can create and manage secure project areas containing ITAR and non ITAR data. The creator of a secure project area is called the Project Owner. The Project Owner retains sole control over what users are granted membership to their project area and what access rights each user has. (Even Server Admins do not gain access unless explicitly invited.) 11
Restricted User Safeguard Server Administrators can flag non U.S. persons as Restricted Users and ban them from Restricted Projects containing ITAR data Restricted users can not be inadvertently invited to Restricted Projects by Project Owners. This provides a secondary safeguard (beyonduser access permissions within a project area) to prevent ITAR violations. 12
Company Visibility Settings Server Administrators can also establish whether users from certain companies have visibility to each other within a secure Project Area. When users from different companies are members of the same secure project area, it is not always appropriate for them to be aware of one another. In competitive bidding or other situations, protecting user identities is paramount. Company visibility settings can keep suppliers and customers anonymous within competitive projects. 13
Permissions Management Content access permissions can be granted to individuals or roles within a secure project area, and can be established all the way down to the individual document level if desired. Default permissions are set at the top level of a project and are then inherited by folders and sub folders within that project. Setting user permissions to None at the top level of a project insures that access rights must be explicitly set at the individual folder level (a best practice in ITAR data environments). A Permissions view on every folder, document, task list, and eform within the project quickly identifies what users and/or roles have access to that the selected object. This view includes each user s company affiliation. A Project Permissions Report allows Project Owners to quickly identify what information a user can see across all objects in the project. Report allows display of explicit permissions, inherited permissions, or both. 14
This Project Permissions Report makes it easy to determine what content users or roles have access to within the project. 15
Secure Linking A Secure Link function allows a document to be shared without changing its permission settings or the permissions of its parent folder. Simply paste a link to a document in another folder, and that link will point users to the latest revision of the source document without letting them see anything else in the parent folder. Worth Noting The Links view of a document lists all the links to the document that have been placed elsewhere on the server. One or all of the existing links can be deleted from this view. 16
Auditing All user activity on the server is audited In the event that inadvertent access is granted to ITAR data or documents within a secure project area, robust audit reports allow admins to determine who actually accessed, viewed, and/or downloaded the information (and when). 17
Audit Scenarios Verify when and who inadvertently uploaded a document to the wrong project or folder. Verify whether a non U.S. person actually accessed and viewed a document during a time when it was mistakenly made available to them. Verify which secure projects areas certain users have been granted membership to. Verify what permissions users or roles have within given project areas. Verify what users have actually logged into the server from various companies during a given time frame and determine what IP address they came from. Verify how many distinct users have logged into the server during a given time period and what companies they are associated with. Verify how many active user accounts are currently enabled for each company on the server, and when each user last logged on. 18
Search Result Security Filtering A powerful full text search engine indexes documents immediately upon upload. Search results are filtered based on a user s project memberships and document permissions. (Users see only results they have the right to view or download.) 19
Workflow Driven eforms WebSpace can configure easy to use eforms with associated workflows to automate the review and approval of data export requests, system access requests, or other processes. All requests processed through WebSpace can be reported on, allowing real time visibility bl into pending approvals. Reporting also provides historical verification of all completed requests. 20
Task Manager A powerful Task Manager within each secure project area allows tasks/action items to be assigned and managed across your distributed project team. Tightly integrated with the document repository, tasks can contain linked reference attachments and can be used to collect critical document deliverables by assigned due dates. Tasks can be created manually or can be imported from a template, and each task can have one or more approvers who must approve the task prior to completion. A dashboard view shows real time task status information and allows for rapid task editing in a spreadsheet like user interface. 21
Exporting Projects Upon the termination of a project or program managed in WebSpace, it s important to be able to export your project data in a neutral format. For a professional services fee, WebSpace project meta data can be exported in a.xml file along with all project documents in an associated.zip file and shipped to customer on DVD or USB drive. Included on DVD or USB drive is a basic data browser that allows you to search and browse the XML project data file outside the system. Fee based on current hourly professional services rate. If needed, the exported XML project file can be imported back into the production server at a later date. Note: Any project export file re imported back into WebSpace will be stripped of its previous membership list and access permissions. Users will need to be re invited to the project after import and granted the appropriate access rights. 22
ITAR Best Practices 2 Approaches Option 1 Option 2 Flag all Non U.S. Persons on your server as Restricted Users. Store/share ITAR data only within Restricted WebSpace Project areas. Restricted WbS WebSpace Projects are completely ltl off limits it to Restricted t dusers. Simple to administer, but prevents you from having a mix of U.S. and non U.S. persons in the same Project. No risk of granting the wrong document access rights to a Non U.S. Person within a Project. In lieu of using the Restricted user flag, Server Admin(s) should group all Non U.S. persons in the WebSpace User Directory within special Departments/Organizations under each Company listing. Each WebSpace Project Owner should then create a U.S. Persons and a Non U.S. Persons role within their Project. To grant someone project membership, they should be added to one of these two roles from the WebSpace User Directory. Project Owners should use these roles to establish folder access permissions within their Project. This approach requires a few more administration steps, but it allows for a mix of U.S. citizens/greencard holders and non U.S. citizens/greencard holders in the same Project while maintaining proper access control. 23
ITAR Best Practices (Option 1) Restricted Projects/Users WebSpace Server Server Admin: Sets up Companies, Departments, and Users. All Non U.S. Persons are flagged as Restricted users by the server Admin. Once flagged as Restricted they can never be added to a Restricted project area on the server. Company A Company B Company C Organization/Department User 1 Unrestricted User 2 Unrestricted Organization/Dept. within Company A Organization/Department User 3 Unrestricted User 4 Restricted Organization/Dept. within Company B Organization/Department User 5 Unrestricted User 6 Restricted Organization/Dept. within Company C Project Members: Project X (Restricted Project Area) Company A Company B Company C User 1 User 2 User 3 User 5 Project Owner: Creates Restricted project area with folder structure to contain ITAR data. Project Owner is prevented from inviting any users to their project who have been flagged as Restricted by the Server Admin. ITAR Docs User 1 User 2 (Read Write) (Read Only) User 3 (Read Write) User 5 (No Permission) 24
ITAR Best Practices (Option 2) Unrestricted Projects WebSpace Server Server Admin: Sets up companies and users and groups all users in each company within Organizations/Departments. These groupings are used to segregate individuals based on their U.S. citizenship/greencardstatus. Company A Company Admins: The Server Admin can assign company specific admins to assist with user management. Company C Organization/Department Organization/Department Organization/Department U.S. Persons Non U.S. Persons U.S. Persons Non U.S. Persons U.S. Persons Non U.S. Persons User 1 User 4 User 5 User 7 User 8 User 10 User 2 User 6 User 9 User 11 Project Members: ITAR Docs Project X (Unrestricted Project Area) U.S. Persons Project Role User 1 User 5 User 4 U.S. Persons Role (Read Write) Non U.S. Persons Project Role Non U.S. Persons Role (No Permission) User 7 User 11 Project Owner: Creates Unrestricted project area and invites both U.S. and Non U.S. Persons to their project by browsing companies setup by Server Admin. Uses Project Roles to control access rights to specific folders containing ITAR data. Non ITAR Docs U.S. Persons Role (Read Write) Non U.S. Persons Role (Read Write) 25