CDCgov / prime-reportstream

ReportStream is a public intermediary tool for delivery of data between different parts of the healthcare ecosystem.
https://reportstream.cdc.gov
Creative Commons Zero v1.0 Universal

Develop new guidance for using Sharepoint instead of Keybase #15128

Open chris-kuryak opened 3 weeks ago

chris-kuryak commented 3 weeks ago

Problem statement

We received guidance from DevOps that we can no longer use Keybase for storing credentials. #8877 The guidance is to now use Sharepoint. As such, we want to provide guidance to our Engagement team members as to how to store and retrieve credentials moving forward.

What you need to know

Acceptance criteria

JosiahSiegel commented 2 weeks ago

To be specific, the migration is to "CDC Teams". SharePoint and Teams share file storage, but the guidance is to make user credential sharing happen solely within an authorized environment, and Teams specifically is the easiest way to accomplish this.

As an example, we completed the migration of VPN profiles to "CDC Teams" recently. Different methods may be needed depending on the use case, but as long as the data sharing stays in Teams, you're good to go.

snesm commented 2 weeks ago

Sharing a secret with an individual (via CDC Teams) is probably different than storing secrets.

Further investigation into our usage is warranted and may lead to additional discussion with the CDC.

chris-kuryak commented 2 weeks ago

@MikaelahD13 I think we can mark this as blocked/pending on the Engagement board until we get more guidance from DevOps on STORING secrets (not SHARING secrets).

chris-kuryak commented 2 weeks ago

@snesm Thank you for the follow-up on this ticket. Please let us know of any guidance regarding STORING SECRETS since we can no longer use Keybase for that purpose.

JosiahSiegel commented 1 week ago

@chris-kuryak @snesm It's the same as mentioned with Teams. For example, VPN profiles are stored in a private CDC Teams channel and available throughout:

[screenshot omitted]

chris-kuryak commented 1 week ago

Thanks @JosiahSiegel --

I just learned that Teams and Sharepoint share a document structure. I didn't know that, so thanks for the info!

Is there any specific guidance on HOW those secrets should be stored in the document structure? I mean any specific guidance on security on a file?

When creating a document, it asks for a sensitivity label, and there are several sub-categories. Any guidance on which we need to use?

[Screenshot 2024-07-22 at 10 57 35 AM]

JosiahSiegel commented 1 week ago

You can use the label that grants access to the smallest needed audience. Anything under "Restricted Use" should be adequate.

chris-kuryak commented 1 week ago

Thanks @JosiahSiegel !

For awareness to all team members, we also received this guidance from CDC via email:

No, Keybase isn’t authorized for use on CDC networks.

Teams is a perfectly viable solution for sharing through private channels. Training on Teams may be beyond my expertise, but the M365 team has made an entire website with some very good guides/training on sharing files through private Teams channels:

chris-kuryak commented 1 week ago

@MikaelahD13 I think we can share the following guidance with folks on our team, and ask if they have any feedback/concerns.

  1. Create a document/file with the secret in Sharepoint Engagement > Private folder
  2. Label file with "Restricted Access" or "Highly Sensitive"
  3. Share only with the people who need access to that document

snesm commented 1 week ago

@MikaelahD13 please use label "Highly Sensitive" and "Recipients Only"

chris-kuryak commented 1 week ago

Per @snesm amending the proposed guidance:

  1. Create a document/file with the secret in Sharepoint Engagement > Private folder
  2. Label file with "Highly Sensitive" and "Recipients Only"
  3. Share only with the people who need access to that document

chris-kuryak commented 5 days ago

Engagement team has concerns. Sent to Patrick to approach in Mon engr sync.