Tuesday, April 19, 2011

Criteria for evaluating IRM technology – Part 4 of Many - Identity infrastructure support

This is a multi-part blog entry on important criteria based on which enterprises must evaluate rights management technologies before investing significant amounts of time and money.

Please note that not all criteria might be important for any given enterprise so you will have to pick and choose the ones which are important, give appropriate weight-ages and then decide on the best technology.

To view all the blog posts in this series please go to http://blog.seclore.com and then select "IRM evaluation" from the tag list.

Identity Infrastructure support

IRM technology's effectiveness depends on the effectiveness of the underlying identity framework used to identify the creators and consumers of information. This cuts both ways: if the underlying identity is compromised, even IRM-protected information is potentially breached. On the other hand, the linkage to the underlying identity infrastructure means that identity management can be centralized.

This criterion for evaluation of IRM technology is critical from an adoption perspective.

There are various methods by which the identity of a creator or consumer within an IRM system can be established. Listed in order of increasing maturity, they are:

1. Crudest way: Creation of a fresh identity for the IRM system itself. This is the crudest mechanism of managing identity for the IRM system, in which all users of the IRM system are effectively forced to create a new identity. The identity creation process could be "managed", i.e. a referral / approval system could be followed for creating / approving identities.

2. Less crude way: "Public" providers of identity without verification. In this method the identity of an individual is the one provided to him by a third-party identity provider like OpenID, Google, Facebook or Yahoo. The common factor amongst all these identity providers is that they are all "unverified" identities, i.e. none of these identity providers actually verifies the identity of the individual before creating a user for him / her. In effect there is nothing which prevents Tom Moody from creating a login in the name of Barack Obama on any of these identity providers. Establishing a "trust" relationship with an identity system managed by a different enterprise also falls within this category.

3. Mature way but with some "holes": "Public" providers of identity with verification. In this method the identity of the individual is the one provided to him by a third-party identity provider, but this identity provider actually does some kind of verification. Mobile phone numbers and digital signatures are examples of identities where there is some element of verification (in most countries), albeit by a third party. This "verification" will prevent Tom Moody from getting a digital signature in the name of Barack Obama and will also prevent his mobile phone number from being listed in Mr. Obama's name. The advantage of establishing identity in this manner is that this identity is trusted by the "government" and therefore legally irrefutable.

4. Mature way: Private identity establishment using an existing "external" system in use by the enterprise. Most enterprises today already interact with "external" entities like vendors (vendor / e-tendering portal), customers (customer portal / online banking system), partners, auditors, lawyers, board members etc. using some transactional / workflow system. The IRM system could use the identity already established by these systems so that the creator / consumer does not need to remember / manage another identity and is able to interact with the enterprise using the identity that he already has. The underlying transactional / workflow systems already have some method of verification and therefore this system of identity management is fairly mature. There are also existing processes in most enterprises for managing the identities within these systems and therefore there is no overhead of identity management due to the IRM system.

5. Mature way: Private identity establishment using an existing "internal" system in use by the enterprise. This is similar to the previous method except that in this case the system is largely internal facing, i.e. for employees. The most dominant example of this is Microsoft Active Directory and other similar identity infrastructures. In most cases there are existing processes for managing the identities within this system and therefore again there is no process overhead due to the IRM system.

A good IRM system should:

1. Allow different methods of establishing identities, and
2. Provide flexibility to the enterprise to change the identity infrastructure at a later point in time.

In most cases a combination of multiple methods of establishing identities needs to be used. In typical scenarios the identity infrastructure requirement looks as follows:

Example 1
1. For employees : Microsoft AD (Should support forest, trusted relationships, sub-domains etc.)
2. For vendors : Vendor portal
3. For customers : Creation of identity based on email addresses

Example 2
1. For employees : Using Lotus Notes identity system (Directory Server)
2. For customers : Online banking system
3. For temporary consultants and auditors : Creation of identity based on email addresses

Overall, a built-in identity federation framework within the IRM system is critical to ease the adoption of IRM technology.
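To make the federation requirement concrete, here is an added example (not Seclore's code, and not any product's API) of the routing logic such a framework needs: each identity source carries an assurance level that follows the maturity ordering above, a document states the minimum assurance it accepts, and an e-mail-based self-asserted signup is never allowed to stand in for a user whose domain belongs to an enterprise-managed source. Provider names, domains and users are constructed sample data modelled on "Example 1".

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional

class Assurance(IntEnum):
    """Ordered by the maturity ranking in the post (higher = more trusted)."""
    SELF_ASSERTED = 1          # fresh IRM-only login or an unverified public IdP
    THIRD_PARTY_VERIFIED = 2   # mobile number, digital signature
    ENTERPRISE_MANAGED = 3     # Active Directory, vendor portal, online banking

@dataclass(frozen=True)
class IdentityProvider:
    name: str
    assurance: Assurance
    domains: Optional[frozenset]   # e-mail domains it is authoritative for; None = catch-all
    users: frozenset               # constructed sample directory of known users

@dataclass(frozen=True)
class Identity:
    user: str
    provider: str
    assurance: Assurance

def resolve(user: str, providers: List[IdentityProvider]) -> Optional[Identity]:
    """Route a user to the provider authoritative for its e-mail domain.
    A domain claimed by a managed provider is never served by the catch-all,
    so an e-mail-only signup cannot pose as an employee or a vendor user."""
    domain = user.rsplit("@", 1)[-1].lower()
    claimed = [p for p in providers if p.domains and domain in p.domains]
    candidates = claimed or [p for p in providers if p.domains is None]
    for p in candidates:
        if user in p.users:
            return Identity(user, p.name, p.assurance)
    return None   # unknown to the authoritative provider: no identity, no access

def may_open(user: str, required: Assurance, providers: List[IdentityProvider]) -> bool:
    """Grant only if the resolved identity's assurance meets the document's bar."""
    ident = resolve(user, providers)
    return ident is not None and ident.assurance >= required

# Constructed sample federation: AD for employees, a vendor portal for vendors,
# and e-mail-based signup for everyone else (hypothetical names and domains).
PROVIDERS = [
    IdentityProvider("corp-ad", Assurance.ENTERPRISE_MANAGED,
                     frozenset({"corp.example"}), frozenset({"alice@corp.example"})),
    IdentityProvider("vendor-portal", Assurance.ENTERPRISE_MANAGED,
                     frozenset({"vendor.example"}), frozenset({"bob@vendor.example"})),
    IdentityProvider("email-signup", Assurance.SELF_ASSERTED,
                     None, frozenset({"carol@mail.example", "mallory@corp.example"})),
]
```

Swapping the AD entry for a Lotus Notes directory, as in "Example 2", changes only the PROVIDERS list, which is the flexibility the second requirement above asks for.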

Seclore and its partners regularly advise customers on their IRM requirements so please do not hesitate to contact us for any such requirements.
