When Data Met Identity

My two favorite worlds – data and identity management – are predictably starting to collide in overt ways. Over the past decade, we’ve seen slow, but mostly steady, progress forward with a variety of identity management initiatives. The data world has moved exponentially faster and more explosively. As we grapple with the growth of personal data across an array of collection devices (including mobile devices) and storage mechanisms (including the cloud), identity management will be seen as the key fundamental enabler that it truly can be.

We live in a world of networked ecosystems. There will be two primary considerations for the maintaining the vibrancy of those ecosystems, and the communities, exchanges, and analytics that are done therein:

  • the ability to uniquely establish an identity (for a wide variety of purposes, including ecommerce, health care, analytics, information sharing, banking, etc. etc.) and
  • the ability to limit access to personal or sensitive data to only those with a legitimate need to access and use it

The ecosystems by nature have porous, extended boundaries. But many people belong to a variety of ecosystems, and the networked nature of the internet should allow us to glide effortlessly among these different environments. We’re not there yet, but technologies such as master data management and multi-factor authentication (among many) will help networked communities to thrive by creating trust, building interoperability across systems, promoting reliability and integrity, improving processes, and controlling security and privacy.

Beyond technologies however, strong governance processes and trust frameworks must be developed and implemented, to continue to foster the trust, privacy, and reliability of the system of systems.

Advertisements

Data Security – Crossing the Chasm

If your organization is engaging in information sharing (internal or external, it doesn’t matter) or if your organization is trying to optimize critical data sets through a ‘capture once, use many’ strategy, then a strong data security plan will serve as an effective enabler to accomplishing these goals.

But, most data owners don’t speak security-ese. Most enterprise architects (EAs) don’t either. The security folks on the other hand, are great at what they do – as long as they can lock it up, throw up walls, build the moats, and set up a strong defense posture. This approach, however, tends to slow or stop appropriate information sharing and information optimization efforts.

For an organization to effectively utilize, optimize, and share its information assets there needs to be a middle ground between complete openness and complete closure. And this middle ground really needs to be reached first by the data owners or EAs by crossing the chasm over to security.

Data, particularly highly sensitive or highly critical data, needs to be secured, protected, and distributed only to those with need-to-know rights. Too often what I’ve seen in EA documents or data governance plan is a box on a drawing for security that ends up being a black box where too often projects go to die.

The ‘Roles-based Access Control’ box needs to go far beyond this one line and do much more to:

  • enable data to be leverage and re-purposed appropriately, to
  • build trust in processes and policies around information sharing and re-use, and, to
  • increase confidence in policy enforcement

I’ve seen too often the default mode of trying to protect all data assets in the same way, and applying the same policy enforcement controls for any and all transactions and requests. The problems with this approach include the slowdown or stoppage of legitimate information requests and the inflated costs of trying to protect everything the same way.

Business data owners should provide the leadership to the architects and security teams regarding the rules, roles, and processes to accomplish SIMULTANEOUSLY the appropriate distribution and use of information assets and the security and privacy of those assets.

This requires a risk-based approach (not all data is created equal) to data security classification; a knowledge of the business rules and regulations that guide the usage of data assets; a sophisticated identity and access management system that includes roles, rules, and attribute based provisioning; and a strong policy enforcement engine. Other tools and technologies that can be useful are a meta-data tool, multi-factor authentication technologies, and an attribute exchange mechanism.

Again, it’s the responsibility of the business data owners to lead and guide the technologists to choose and implement the enabling technologies in the most appropriate way to achieve the business goals while securing systems and data and remaining in compliance with all applicable federal, state, and international laws.