Message In a Bottle – Identity and Access Management in the SharePoint World
For a long time, identity and access management (IAM) has been something outside the world of most implementations. Who you are, and what you can do, have stayed almost entirely within the walled garden of SharePoint farms.
Over the past few years, however, SharePoint’s been spilling out of its bottle – into the cloud and into engagement with users and systems outside the realm of on-premises data centers, networks, and Active Directory. IAM is no longer something done for “other” enterprise systems, but important to consider as new usage comes into SharePoint, and as SharePoint apps and content are extended outside the traditional farm.
I was considering this most recently while attending the IAPP (International Association of Privacy Professionals) luncheon in Boston a few weeks ago. Three related points became clear for me:
1. Where’s the breach? The big data problem
Identity is really a composite of who we say we are, where we are, what we are doing. Is there a “real” self? Moving beyond the metaphysical and psychological complexities, identity is an abstraction. I mean, do you know I’m writing this, or is someone else on my Outlook right now? [This post began as an email.]
If I take a subsequent action, like discrediting Microsoft in a blog post, does that shift your perception of who I really am? If someone else comes onto a Tweet Jam under my ID @cmcnulty2000 and impersonates me flawlessly, so that no one knows, what’s the difference?
Right or wrong, identity security as a composite of claims and behaviors is seen in systems as diverse as the TSA no fly list and the selection process for courtside seats at Madison Square Garden. (Hint, the MSG folks look at lot of seemingly random things – influence, social networks, fame, appearance — to figure out who’s entitled to those tickets.)
What you do, how you behave in the end determines as much about your entitlement as who you say you are. There’s a lot to be mined in predictive analytics and machine learning about weighted values of accumulated claims. Not all claims are created equal, and need to be considered in the broader context of all inferred attributes along with our oldest security claims, passwords.
A broad, poly-identity approach to security needs to be balanced carefully against individual privacy.
Consider three facts:
- Someone bought a house at 123 Main Street in North Boston, MA (no such place) on May 15 for $500,000 [Online real estate site]
- Someone secured financing with a social security number 123-45-6789 in North Boston on May 15 for $500,000 [administrative agency filing]
- John Smith lives at 123 Main Street [Facebook]
These facts used to live in disparate paper records or databases. Each of these facts, if disclosed, might not be a huge breach. But the ability of big data to publish, mine and correlate these facts means that the combination itself – John Smith’s SSN is 123-45-6789 – has been breached.
But in a global world, who’s responsible? Zillow? A county registrar of deeds? All of the above? No single entity disclosed that combination – making control of low-level identity ingredients even more potent.
2. Is there a right to be forgotten?
Recent court decisions from the European Court of Justice – the highest court in the EU – has affirmed a fundamental right to be “forgotten”. Under the ruling, individuals can petition search engines in the EU to block or remove search results deemed inaccurate, obsolete or irrelevant.
Might this take root in the US? Probably not. The US has a strong common law tradition of privacy rights – from Justice Brandeis’ “right to be left alone” through Griswold to HIPAA. However, there is no fundamental understanding that data about a person belongs to that person. On the contrary, the strongly perceived protections for free speech and free press in the Bill of Rights acts as an effective bar to most such restraints. In short, we may want privacy, but we’re uncomfortable with controlling what other people are allowed to say.
3. SharePoint as IAM
We’re at an interesting time for SharePoint and Office 365. SharePoint lives in a much more connected world. We need to rely on more outside attributes (claims) to tell us how to secure information in SharePoint. Likewise, user attributes in SharePoint are a great potential source for providing claims to other applications on SharePoint or beyond. SharePoint can’t live alone inside its bottle forever.
At HiSoftware, we’re eager to explore this new role for SharePoint as an IAM provider through our KMWorld Trend-setting product, Site Sheriff. The latest version, announced last week, leverages dynamic access, deny rules and an agentless secure viewer to allow a wide variety of secure sharing scenarios and keep confidential information in SharePoint without complex permissions. It uses business logic – document metadata, user/device/location properties and more – to create powerful rules that allow or deny access to selected content, or limits users to use a secure, clientless viewer. Using Site Sheriff, site administrators can adjust the user interface to trim ribbons and menus and remove selected options such as download a copy, email and editing properties without changing item permissions. Site Sheriff’s fine grained security and identity-aware, metadata-driven access rules help organizations simplify site management and increase ROI.
Read more about the latest version of Site Sheriff.