Open chris-kuryak opened 3 weeks ago
To be specific, the migration is to "CDC Teams". SharePoint and Teams share file storage, but the guidance is to make user credential sharing happen solely within an authorized environment, and Teams specifically is the easiest way to accomplish this.
As an example, we completed the migration of VPN profiles to "CDC Teams" recently. Different methods may be needed depending on the use case, but as long as the data sharing stays in Teams, you're good to go.
Sharing a secret with an individual (via CDC Teams) is probably different than storing secrets.
Further investigation into our usage is warranted and may lead to additional discussion with the CDC.
@MikaelahD13 I think we can mark this as blocked/pending on the Engagement board, awaiting more guidance from DevOps on STORING secrets (not SHARING secrets).
@snesm Thank you for the follow-up on this ticket. Please let us know of any guidance regarding STORING SECRETS since we can no longer use Keybase for that purpose.
@chris-kuryak @snesm It's the same as mentioned with Teams. For example, VPN profiles are stored in a private CDC Teams channel and available throughout:
Thanks @JosiahSiegel --
I just learned that Teams and SharePoint share a document structure. I didn't know that, so thanks for the info!
Is there any specific guidance on HOW those secrets should be stored in the document structure? I mean any specific guidance on security on a file?
When creating a document, it asks for a sensitivity label, and there are several sub-categories. Any guidance on which we need to use?
You can use the label that grants access to the smallest needed audience. Anything under "Restricted Use" should be adequate.
Thanks @JosiahSiegel !
For awareness to all team members, we also received this guidance from CDC via email:
No, Keybase isn’t authorized for use on CDC networks.
Teams is a perfectly viable solution for sharing through private channels. Training on Teams may be beyond my expertise, but the M365 team has made an entire website with some very good guides/training on sharing files through private Teams channels:
@MikaelahD13 I think we can share the following guidance with folks on our team, and ask if they have any feedback/concerns.
@MikaelahD13 please use label "Highly Sensitive" and "Recipients Only"
Per @snesm amending the proposed guidance:
Engagement team has concerns. Sent to Patrick to approach in Mon engr sync.
Problem statement
We received guidance from DevOps that we can no longer use Keybase for storing credentials (#8877). The guidance is to now use SharePoint. As such, we want to provide guidance to our Engagement team members as to how to store and retrieve credentials moving forward.
What you need to know
#8877 is the previous ticket showing this discovery
Acceptance criteria