ITAR Compliant Data Exchange

(1)

(2)

WebSpace Customers

Aerospace & Defense Manufacturing

High Tech & Contract Manufacturing

Automotive Manufacturing

Medical/

Pharmaceutical

Services/

Oil & Gas/Other

(3)

ITAR & EAR Regulations

 The International Traffic in Arms Regulations (ITAR) and the Export

Administration Regulations (EAR) were established by the U.S. Dept. of State to control the export of defense‐related technology and services.p gy

 Specifically, all information and material related to ITAR Controlled

Technology must be safeguarded from access by non‐U.S. persons unless a special license or exemption is obtained from the Dept. of State.

special license or exemption is obtained from the Dept. of State.

 WebSpace was architected from its inception (with funding from DARPA and input from the NSA) to provide a “Private Cloud” environment for secure, ITAR‐compliant content management and multi‐company collaboration ITAR compliant content management and multi company collaboration.

(4)

WebSpace Platform = “Private Cloud” Solution

 Each WebSpace server is dedicated to a single host company and their designated trading partners

 Security model and hosting infrastructure specifically designed by leading

 Security model and hosting infrastructure specifically designed by leading aerospace and automotive manufacturers to support multi‐company project teams.

 Improves program execution while helping maintain ITAR compliance thru

 Improves program execution while helping maintain ITAR compliance thru rapid deployment of secure, online project repositories.

 Low administrative overhead and economical subscription‐based licensing d l

model.

 Outstanding track record of reliability and support

(5)

Core Platform Functionality

 Secure multi‐company project areas for cross‐firewall file sharing

 Document lifecycle management with enforced electronic approvals

 Action Item Manager

 Discussion forums

 Robust Reporting

 Full‐Text Search Engine with Security Filtering

 Flexible Administration Features

 Workflow‐driven eForms

(6)

3‐Tier Architecture

Fi ll 2

Fi ll 1 Firewall 2

Firewall 1

DMZ Data Center DMZ

Data Center

(or Customer Intranet)

Web Tier Database Tier Application Tier

Internet Internet

Remote Users Web Tier

Database Tier Application Tier

HTTPS over Port

Port Users

Apache or IIS Web Server Application

Server with Java Servlet Engine

ll d R i Oracle or

MS SQL Server

HTTPS over Port 443 6802

1521 or 1443

called Resin

Active Directory Server (On‐premises

installations only.) • J2EE Application

• Supports all modern browsers

• You Host or We Host – You Decide

(7)

Physical Security – Data Center

 $100M SAS‐70 Type II Certified Co‐Location Facility owned by AT&T with state‐of‐the‐art security, fire suppression, and backup power systems.y, pp , p p y

 On Internet backbone with fiber connections to all major telecom providers

 Strict physical access controls to facility, with no access to cages by non‐U.S.

persons.

 24/7 server monitoring and intrusion detection

 Nightly incremental tape backups and weekly full backups Encrypted backup

 Nightly incremental tape backups and weekly full backups. Encrypted backup tapes moved to off‐site Iron Mountain storage facility every 30 days.

 Dedicated hardware and storage for our enterprise clients. Complete

ti f d t i id d E t d t i h t

segregation of your data is provided. Easy to move your data in‐house at any time.

(8)

Authentication

 Username and password authentication

 Password options include:

 Minimum and Maximum Password Agesg

 Password length and format requirements

 Account lockouts after a configurable number of failed login attempts

A i d i i f fi bl d i f i i i

 Automatic account deactivation after a configurable duration of inactivity

 Optional “Forgot Password” function with configurable “Password Hint” options

 Ability to force re‐authentication upon approval of a workflow assignment.

 Customers who install WebSpace on premises can sync WebSpace user directory with Active Directory and optionally enable single sign‐on with their AD server.

 WebSpace also supports “mixed mode” authentication whereby internal users are

authenticated against Active Directory and external users are authenticated via WebSpace authenticated against Active Directory and external users are authenticated via WebSpace

 WebSpace can also be customized for customers that require 2‐factor authentication (i.e.

username/password + FIPS 140‐2 certified hardware token or biometric device).

(9)

Data Transmission

 WebSpace guarantees the integrity of all data, content and messages during transmission &

storage.

 Cyclic Redundancy Checking (CRC), Digital Certificates and 1024‐bit SSL encryption protects data and insures it hasn’t been corrupted during transmission.

(10)

Email Notifications

 Users are alerted to new documents, document revisions,

task assignments and discussion threads via email notifications.

 Emails sent from the WebSpace server never contain attachments only links

 Emails sent from the WebSpace server never contain attachments, only links to reference documents. Anyone following such a link is first prompted to authenticate prior to gaining access to the document.

 All email notifications from server are logged

 Customer specific legal/disclaimer text can be added to both the email notifications and the login page to alert recipients of ITAR regulations.

 Upon first login, users must accept a “Click‐through Agreement” which can be modified to include customer‐specific terms of use.

(11)

User Management

 User Management on the WebSpace server can be:

1. Centralized and handled by one or more Server Admins who create separate companies on the server and add users to them.

on the server and add users to them.

2. Delegated across multiple Company Admins who can only administer users within their own company.

 U t i l l t d f i i t i

 User management is clearly segregated from permissions management in WebSpace.

 Server Administrators designate who can create and manage secure project areas containing ITAR and non‐ITAR data. The creator of a secure project area is called the Project Owner.

 The Project Owner retains sole control over what users are granted membership to their project area and what access rights each user has. (Even Server Admins do not gain

access unless explicitly invited.)

(12)

Restricted User Safeguard

 Server Administrators can flag non‐U.S. persons as Restricted Users and ban them from Restricted Projects containing ITAR data



Restricted users can not be inadvertently invited to

Restricted Projects by Project j y j Owners.



This provides a secondary

safeguard (beyond user access

permissions within a project

area) to prevent ITAR violations.

(13)

Company Visibility Settings

 Server Administrators can also establish whether users from certain companies have visibility to each other within a secure Project Area.

 When users from different companies are members of the same secure project area, it is not always appropriate for them to be aware of one another

not always appropriate for them to be aware of one another.

 In competitive bidding or other situations, protecting user identities is paramount. Company visibility settings can keep suppliers and customers anonymous within “competitive”

projects.

p j

(14)

Permissions Management

 Content access permissions can be granted to individuals or roles within a secure project area, and can be established all the way down to the individual document level if desired.

 Default permissions are set at the top level of a project and are then inherited by folders and sub‐folders within that project.

 Setting user permissions to “None” at the top level of a project insures that

 Setting user permissions to None at the top‐level of a project insures that

access rights must be explicitly set at the individual folder level (a best practice in ITAR data environments).

 A “Permissions” view on every folder document task list and eForm within the

 A Permissions view on every folder, document, task list, and eForm within the project quickly identifies what users and/or roles have access to that the selected object. This view includes each user’s company affiliation.

 A “Project Permissions Report” allows Project Owners to quickly identify what

 A Project Permissions Report allows Project Owners to quickly identify what information a user can see across all objects in the project. Report allows display of explicit permissions, inherited permissions, or both.

(15)

This Project Permissions Report makes it easy to determine what content users or roles have access to within the project.

(16)

Secure Linking

 A “Secure Link” function allows a document to be shared without changing its permission settings or the permissions of its parent folder.

 Simply paste a link to a document in another folder, and that link will point users to the latest revision of the source document without letting them see anything else in the parent folder.

Worth Noting Worth Noting

The “Links” view of a document lists all the links to the document that have been placed elsewhere on the server.

One or all of the existing links can be deleted from this view.

(17)

Auditing

 All user activity on the server is audited

 In the event that inadvertent access is granted to ITAR data or documents within a secure project area, robust audit reports allow admins to determine who

actually accessed, viewed, and/or downloaded the information (and when).

(18)

Audit Scenarios

 Verify when and who inadvertently uploaded a document to the wrong project or folder.

 Verify whether a non‐U.S. person actually accessed and viewed a document during a time when it was mistakenly made available to them.

 Verify which secure projects areas certain users have been granted membership to.

 Verify what permissions users or roles have within given project areas.

 Verify what users have actually logged into the server from various companies during a given time frame and determine what IP address they came from

during a given time frame and determine what IP address they came from.

 Verify how many distinct users have logged into the server during a given time period and what companies they are associated with.

 Verify how many active user accounts are currently enabled for each company on the server, and when each user last logged on.

(19)

Search Result Security Filtering

 A powerful full text search engine indexes documents immediately upon upload.

 Search results are filtered based on a user’s project memberships and document permissions. (Users see only results they have the right to view or download.)

(20)

Workflow‐Driven eForms

 WebSpace can configure easy‐to‐use eForms with associated workflows to automate the review and automate the review and approval of data export requests, system access

requests, or other processes.

 All requests processed through WebSpace can be reported on, allowing

l b l

real‐time visibility into pending approvals.

 Reporting also provides

h l f f ll

historical verification of all completed requests.

(21)

Task Manager

 A powerful Task Manager within each secure project area allows tasks/action items to be assigned and managed across your distributed project team. Tightly integrated with the document repository, tasks can contain linked reference attachments and can be used to collect critical document deliverables by assigned due dates. Tasks can be created

manually or can be imported from a template, and each task can have one or more approvers who must approve the task prior to completion.

A dashboard view shows real time task status information and allows for rapid task editing in a

spreadsheet‐like user interface.

(22)

Exporting Projects

 Upon the termination of a project or program managed in

WebSpace, it’s important to be able to export your project data in a neutral format.

 For a professional services fee, WebSpace project meta data can be exported in a .xml file along with all project documents in an associated .zip file and shipped to customer on DVD or USB drive.

 Included on DVD or USB drive is a basic data browser that allows you to search and browse the XML project data file outside the system.

 Fee based on current hourly professional services rate.

 If needed the exported XML project file can be imported back into the

 If needed, the exported XML project file can be imported back into the production server at a later date.

 Note: Any project export file re‐imported back into WebSpace will be stripped of its previous membership list and access permissions Users will stripped of its previous membership list and access permissions. Users will need to be re‐invited to the project after import and granted the appropriate access rights.

(23)

ITAR Best Practices – 2 Approaches

Option 1

 Flag all Non‐U.S. Persons on your server as “Restricted” Users.

 Store/share ITAR data only within “Restricted” WebSpace Project areas. Restricted W bS P j t l t l ff li it t R t i t d U

WebSpace Projects are completely off‐limits to Restricted Users.

 Simple to administer, but prevents you from having a mix of U.S. and non‐U.S. persons in the same Project.

 No risk of granting the wrong document access rights to a Non‐U.S. Person within a Project.

i Option 2

 In lieu of using the Restricted user flag, Server Admin(s) should group all Non‐U.S.

persons in the WebSpace User Directory within special Departments/Organizations under each Company listing.p y g

 Each WebSpace Project Owner should then create a “U.S. Persons” and a “Non‐U.S.

Persons” role within their Project. To grant someone project membership, they should be added to one of these two roles from the WebSpace User Directory.

 Project Owners should use these roles to establish folder access permissions within their Project.

This approach requires a few more administration steps, but it allows for a mix of U.S. citizens/greencard

(24)

ITAR Best Practices (Option 1) Restricted Projects/Users

Server Admin: Sets up Companies, Departments, and Users.

All Non‐U.S. Persons are flagged as “Restricted” users by the server Admin. Once flagged as “Restricted” they can never be added to a “Restricted” project area on the server.

WebSpace Server

be added to a Restricted project area on the server.

Company A Company B Company C

Organization/Department

User 1 – Unrestricted User 2 – Unrestricted

User 3 – Unrestricted User 4 – Restricted

User 5 – Unrestricted User 6 – Restricted

Project X

Project X (Restricted Project Area) Project Owner: Creates

“Restricted” project area with Organization/Dept.

within Company A

Organization/Dept.

within Company B

Organization/Dept.

within Company C

folder structure to contain ITAR data. Project Owner is prevented from inviting any users to their project who have been flagged as

“Restricted” by the Server Admin.

Project Members:

User 1 User 2 User 3

Company A Company B Company C

User 5

ITAR Docs ^User 2

(Read‐Only) User 1

(Read‐Write)

User 3 (Read‐Write)

User 5 (No Permission)

(25)

ITAR Best Practices (Option 2)

Unrestricted Projects

Server Admin: Sets up companies and users and groups all users in each company within Organizations/Departments.

These groupings are used to segregate individuals based on their U.S. citizenship/greencard status.

WebSpace Server

their U.S. citizenship/greencard status.

Company A Company C

Company Admins:

The Server Admin can assign company‐specific admins to assist with user management.

U.S. Persons User 1

Non‐U.S. Persons User 4

U.S. Persons User 5

Non‐U.S. Persons User 7

U.S. Persons User 8

Non‐U.S. Persons User 10 Organization/Department Organization/Department Organization/Department

User 2 User 6 User 9 User 11

Project X

Project X (Unrestricted Project Area) U.S. Persons Project Role

Project Owner: Creates

“Unrestricted” project area and invites both U S and Non‐U S Non‐U.S. Persons Project Role

Project Members:

User 1 User 5 User 4

j invites both U.S. and Non‐U.S.

Persons to their project by browsing companies setup by Server Admin.

j

User 7 User 11