Corporate Access Control Management: How deep is your love for it?
http://www.bloglines.com/blog/Marcus-Lasance?id=28
Submitted by LASANCE, 9 months, 3 weeks, 6 days, 12 hours ago

In this paper I tried to do a digest of the different terms, so that when you are tired at the end of the day or have to do a quick preparation for an IAM workshop you can get the concepts straight in your head once more.
Do you agree with the definitions approach?
#1 - By ofuster, 9 months, 1 week, 12 days, 12 hours ago.
Marcus,
This is great. One thing I find interesting is the notion of security classification. In theory, of course, it makes a lot of sense, but in practice it can be burdensome if not impossible to implement. What I mean is that classifications tend to change, as security policies are such dynamic animals.

One of the things that we have done with our SharePoint extranet product is to include the relevant agreement (actual text, like a Non-Disclosure Agreement) that exists between the organizations or departments wishing to share information. So when someone comes to see a particular site, document library or even document, we flash the actual text that authorizes that access (again, like the NDA) and ask the user to acknowledge. We can also ask them to enter their authorized purpose. This way we don't need to classify every single bit of content, and of course we keep a detailed audit trail of all this. Think of it as bulk classification: a way to go back to legacy information (that was not previously classified) and share it, but put the burden on the person accessing it to prove or state their "need to know". Audit is a powerful deterrent; just ask the IRS.

If you want to read more about it, visit our blog at http://research.epokinc.com/blog/
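The gating flow ofuster describes above (show the governing agreement at access time, require an acknowledgement and a stated purpose, and keep an audit trail instead of classifying every document), as an added Python example. This is not the product's code; the Agreement/Resource model, the function names and the hash-chained log are my assumptions. It goes a little beyond the comment in two ways: the agreement text is versioned, so that editing the agreement forces users to acknowledge it again, and the audit entries are hash-chained, because an audit trail only deters if the record itself cannot be quietly edited afterwards.

```python
"""Agreement-gated access with click-through acknowledgement, stated purpose and a
hash-chained audit trail. Added illustration of the flow in the comment above;
not the product's code. Names and data model are assumed."""
import hashlib
import json
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Agreement:
    agreement_id: str
    parties: frozenset  # organisations/departments bound by this agreement
    text: str           # the actual wording shown to the user at access time

    @property
    def version(self) -> str:
        # Derived from the text: any edit to the agreement invalidates earlier acknowledgements.
        return hashlib.sha256(self.text.encode()).hexdigest()[:16]


@dataclass(frozen=True)
class Resource:
    path: str
    owner_org: str


class AccessDenied(Exception):
    pass


class AgreementGate:
    def __init__(self, agreements, clock=time.time):
        self._agreements = {a.agreement_id: a for a in agreements}
        self._acks = {}            # (user, agreement_id) -> acknowledged version
        self._audit = []           # append-only, hash-chained entries
        self._prev_hash = "0" * 64
        self._clock = clock

    def update_agreement(self, agreement):
        """Replace an agreement; every user must re-acknowledge the new text."""
        self._agreements[agreement.agreement_id] = agreement

    def required_agreement(self, user_org, resource):
        """Agreement covering this sharing relationship; None for intra-org access."""
        if user_org == resource.owner_org:
            return None
        for a in self._agreements.values():
            if {user_org, resource.owner_org} <= a.parties:
                return a
        return None

    def pending_acknowledgement(self, user, user_org, resource):
        """Agreement the UI must show before access, or None if nothing is outstanding."""
        a = self.required_agreement(user_org, resource)
        if a is None or self._acks.get((user, a.agreement_id)) == a.version:
            return None
        return a

    def acknowledge(self, user, agreement, purpose):
        if not purpose or not purpose.strip():
            raise ValueError("a stated purpose is required")
        self._acks[(user, agreement.agreement_id)] = agreement.version
        self._log(event="acknowledge", user=user, agreement=agreement.agreement_id,
                  version=agreement.version, purpose=purpose.strip())

    def access(self, user, user_org, resource):
        a = self.required_agreement(user_org, resource)
        if a is None and user_org != resource.owner_org:
            self._log(event="deny", user=user, resource=resource.path, reason="no agreement")
            raise AccessDenied(f"no agreement covers {user_org} -> {resource.owner_org}")
        if a is not None and self._acks.get((user, a.agreement_id)) != a.version:
            self._log(event="deny", user=user, resource=resource.path, reason="ack outstanding")
            raise AccessDenied("acknowledge the current agreement first")
        self._log(event="access", user=user, resource=resource.path,
                  agreement=a.agreement_id if a else None)
        return True

    def _log(self, **fields):
        # Each entry commits to the previous entry's hash, so the trail is tamper-evident.
        entry = dict(fields, ts=self._clock(), prev=self._prev_hash)
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._audit.append(entry)
        self._prev_hash = entry["hash"]

    def audit_trail(self):
        return [dict(e) for e in self._audit]


def verify_audit_trail(entries):
    """Recompute the chain; an edited, reordered or deleted entry breaks it."""
    prev = "0" * 64
    for e in entries:
        body = {k: v for k, v in e.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev"] != prev or digest != e["hash"]:
            return False
        prev = e["hash"]
    return True


def demo():
    """Constructed scenario: an acme user opening a globex document under an NDA."""
    parties = frozenset({"acme", "globex"})
    gate = AgreementGate([Agreement("nda-acme-globex", parties, "NDA v1: keep it confidential.")],
                         clock=lambda: 1_700_000_000)
    doc = Resource("/extranet/specs.docx", owner_org="globex")
    events = []
    try:
        gate.access("alice", "acme", doc)
    except AccessDenied:
        events.append("denied-before-ack")
    pending = gate.pending_acknowledgement("alice", "acme", doc)
    gate.acknowledge("alice", pending, "review specs for joint bid")
    events.append("granted" if gate.access("alice", "acme", doc) else "denied")
    gate.update_agreement(Agreement("nda-acme-globex", parties, "NDA v2: stricter terms."))
    events.append("re-ack-needed" if gate.pending_acknowledgement("alice", "acme", doc) else "no-re-ack")
    trail = gate.audit_trail()
    intact = verify_audit_trail(trail)
    trail[1]["purpose"] = "something else"  # simulate someone editing the record afterwards
    return events, intact, verify_audit_trail(trail)
```

Two design points worth noting: access is refused, not merely logged, while an acknowledgement of the current agreement version is outstanding, so the "burden on the person accessing it" is enforced rather than advisory; and the purpose field is mandatory and non-blank, since an empty purpose gives the auditor nothing to hold the user to.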