When the Jericho Forum launched its Identity Commandments earlier this year, one of the key concepts discussed was entitlement.
Currently, for most organisations, access to information is controlled by a simple user name and password. Once these are entered, the user has access to all the information they require. In the future this will not be sufficient: other attributes will need to be taken into account, such as which device the user is using, where they are, and how they are connected.
The use of these additional attributes will enable better security driven by the data and the application rather than just by the user.
These rules don't have to apply only to applications; other resources can also be brought into an entitlement framework. For example a printer could have a rule that ensures that only people in a specific area of a building can use it. This rule-driven access is what we mean by entitlement.
There are a number of steps to prepare for entitlement, and although solutions are available today they are bespoke; more "standard" solutions will appear in the not too distant future.
However, the steps to prepare for entitlement are still useful today.
1. Inventory resources
2. Decide resource sensitivity
3. Decide resource trust classification
4. Develop rules for resource access
5. Document required claims and related attributes
6. Identify the list of required attributes
7. Prioritise attributes based on resource value/risk
8. Identify attribute sources and attribute providers as they become available
Asset management solutions should hold a comprehensive list of assets, and a data loss prevention (DLP) programme will classify information based on sensitivity. Identity and access management (IAM) should help define levels of trust as well as access; entitlement will become an extension of these discovered properties with some additional attributes and rules.
Think about cloud computing, the consumerisation of IT and even third party contractors. All of these will have an effect on a company's data and all introduce new threat possibilities that should be addressed. Perhaps specific data sources should not be available if you are using a smartphone, or perhaps specific functionality should be disabled.
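As an added illustration (not part of the original article), the eight preparation steps above and the smartphone case just described can be expressed as a small resource-centric policy check in Python; the resource names, claim names, trust levels and rule values are constructed assumptions, and a request that omits a required claim is denied rather than assumed harmless:

```python
from typing import Callable, Dict, List, Tuple

Claims = Dict[str, object]
Rule = Callable[[Claims], bool]

# Claims every request must present (steps 5-6). Missing claims fail closed.
REQUIRED_CLAIMS = ("user", "trust_level", "device_type", "location", "connection")

# Rules written against attributes, not user names (step 4). Values are hypothetical.
def managed_device(c: Claims) -> bool:
    return c["device_type"] == "managed_laptop"

def corporate_network(c: Claims) -> bool:
    return c["connection"] in ("lan", "vpn")

def on_floor3(c: Claims) -> bool:
    return c["location"] == "building-A/floor-3"

# Constructed inventory (step 1) with sensitivity (step 2), the trust level a
# subject must reach (step 3) and per-action rules (step 4). An empty rule list
# means the action needs only the trust level; an absent action is never allowed.
RESOURCES: Dict[str, dict] = {
    "customer-db": {"sensitivity": "confidential", "min_trust": 3,
                    "actions": {"read": [managed_device, corporate_network]}},
    "sales-dashboard": {"sensitivity": "internal", "min_trust": 2,
                        "actions": {"read": [], "export": [managed_device]}},
    "floor3-printer": {"sensitivity": "internal", "min_trust": 1,
                       "actions": {"print": [on_floor3]}},
}

def decide(resource: str, action: str, claims: Claims) -> Tuple[bool, str]:
    """Resource-centric decision: the resource's own rules, not the caller, decide."""
    res = RESOURCES.get(resource)
    if res is None:
        return False, "unknown resource"
    gaps = [k for k in REQUIRED_CLAIMS if k not in claims]
    if gaps:
        return False, "missing claims: " + ", ".join(gaps)
    rules = res["actions"].get(action)
    if rules is None:
        return False, f"action '{action}' not offered by resource"
    if claims["trust_level"] < res["min_trust"]:
        return False, f"trust {claims['trust_level']} below required {res['min_trust']}"
    failed = [r.__name__ for r in rules if not r(claims)]
    if failed:
        return False, "rule(s) failed: " + ", ".join(failed)
    return True, "permitted"

def permitted_actions(resource: str, claims: Claims) -> List[str]:
    """Actions a client may enable for this subject; everything else stays disabled."""
    actions = RESOURCES.get(resource, {}).get("actions", {})
    return sorted(a for a in actions if decide(resource, a, claims)[0])
```

A smartphone on the internet can read the dashboard but not export it, and cannot reach the confidential database at all, while a managed laptop on the VPN on the right floor gets every action, including the printer.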
This may sound like overkill, but the Jericho commandments are designed to look to the future, when collaboration is at a different level to today. Currently IAM systems are organisation-centric, and while it is possible to connect multiple IAM systems together, it becomes very messy, very quickly, and virtually unworkable. The future needs a simpler system, one which is resource-centric, where data has a say in who can access it and there isn't an a priori need for complete "actual" user information.
Guy Bunker, Jericho Forum Board Member