Database Security, Audit, Privacy and Support Blog

The identity management community might be interested in taking this survey - “Digital Identity Survey: Identity Authentication”:

“This survey is intended to evaluate individuals' views and opinions on digital identities, specifically in terms of methods of authenticating one's identity. It should take approximately 15-20 minutes. The results will allow us to guide researchers as they design and implement digital identity management technologies. All information collected in this study will be completely anonymous and kept strictly confidential. Data will be stored securely and made available only to the research team, managed by Dr. Annie Antón and Dr. Julie Earp from North Carolina State University. This research is funded by NSF ITR grant #0428554 jointly with Purdue CERIAS.”

--- NOTE: use this mirror blog to post anonymous (un-authenticated) comments ---

Web 2.0 is eventually going to have an impact on Enterprises, at least in terms of collaborative tools. Employees, familiar with Web 2.0 mash-up tools, social network tools, etc., (because they use them in their “private lives” …) will gradually find these tools (and related approaches) more and more relevant and useful also in their day-to-day work, in organising their information, generating content and sharing it with other colleagues. This will have an impact on enterprise collaborative solutions. It is already happening …

However, collecting and organising information within enterprises is subject to business rules, security and privacy constraints. Depending on the level of confidentiality, people’s roles and current stages of business activities (e.g. a Merge & Acquisition process, a security/audit review, a product development, etc.), different “views” and “perspectives” on information need to be provided to different employees for specific reasons. Generated and collected information can be unstructured or only partially structured.

Whilst collaborative and mash-up tools on the web might only need simple access control (or no security at all), a quite different story applies for enterprises. These tools and solutions needs to be “adapted” and re-thought in an Enterprise context.

I am still looking for additional use cases and business cases for Identity 2.0 in enterprises (see here and here …): however I think that there is an opportunity and a role for “Content-Aware Access Policies” and “Content-Aware Access Control” for Web 2.0 collaborative solutions in enterprises.

Content-Aware Access Policies define fine-grained access control constraints on information (for example collected in enterprise collaborative/mash-up tools), by keeping into account different types of content, its actual content and contextual parameters (users, their role, system information, etc.). They reflect business, security and privacy constraints directly on valuable information and content. Part of these policies can be defined directly by people (employees) generating “content” and coupled to this content. In this scenario, the definition of access policies becomes itself the result of social/collaborative networks (in enterprise contexts).

Content-Aware Access Control is driven by these policies: it is not only about allowing (or denying) access to a piece of information (as a whole entity), but can provide fine-grained views and perspectives on this information by processing and manipulating the content.

I think there is an opportunity in exploring models and criteria to express these policies and enforce them with “appropriate” access control systems – by leveraging and extending existing Web 2.0 collaborative solutions. I am very interested in knowing your views and comments on this.

--- NOTE: use this mirror blog to post anonymous (un-authenticated) comments ---

I came across this article by ITWeb (South Africa), called “ID Management Survey call for entries”, highlighting the fact that “The Tshwane University of Technology has constructed an identity management survey, and is inviting public participation to aid with its research”.

The identity management Community might be interested in contributing to this survey. NOTE: I didn’t find any link form this University to the survey web site, but the survey site provides some contacts to ask questions to.

The article says that “The faculty of ICT aims to use the results of the survey to develop a generic implementation model for identity management in the financial sector.” The survey web site also says that “This will help identify to what extent different organisations agree on what identity management entails, as well as what the requirements are for implementing an identity management solution”.

--- NOTE: use this mirror blog to post anonymous (un-authenticated) comments ---