Identity, and hence identity and access management (IAM) technology, is a key component of effectively managing content security. Unstructured content presents the enterprise with challenges when it comes to an IAM program, and there are ways to address those challenges.
Enterprise management has become increasingly complex due to the growth in the variety of identity types; the number and type of corporate computer systems; adoption of the cloud and cloud-based services; demands to access content from a variety of devices, including mobile; and the broad demands of digital transformation. Figure 1 gives a visual perspective of the dimensions of the IAM problem space.
Identity and access management, simply put, is about facilitating the right identities to have access to the right resources at the right times, and for the right reasons. There are two essential elements to this facilitation: technology products that provide management with capabilities relating to identities, systems and content assets, and a governance framework that informs and guides appropriate policies, processes and procedures.
IAM technology products focus on four categories of service: authentication services, authorization services, user management services and directory services. Figure 2 illustrates these services, and the key capabilities these services provide.
An example of an IAM use case is employee integration. A new hire will need a login identity with which he can authenticate himself and gain access to the organization's computer systems. The employee identity will also need to be given authorization to the designated content within the permitted systems; for example, to specific customer accounts in a customer relationship management (CRM) system. Finally, during the tenure of employment, the employee user identity must be managed, including password changes and role changes, if the employee is promoted or potentially moved between business units and teams.
The governance framework will need to contain policies (for example, how often an employee should change their password) as well as processes and procedures (for example, for new hires or for termination).
A mature IAM technology product will allow policies and processes to be automated in order to drive efficiency and reduce the risk of noncompliance. It will also provide reporting and auditing services, and support related security disciplines, including security information and event management and data loss prevention.
Unstructured content can present specific challenges in the enterprise when organizations consider protecting that content with IAM technology processes. The following are some of those challenges:
- Content is likely to be scattered across several computer systems, unlike structured content, which is typically stored in nominated business systems, such as ERP or CRM. Computer systems for unstructured content will include line-of-business systems; shared file systems across complex folder structures; content management and collaboration systems, where there is often more than one to choose from; and personal file systems. The computer systems used by the business for storing and sharing unstructured content will often not be authorized by the company, and typically comprise services such as Box, ShareFile, Dropbox, Google Drive and Slack. These services create additional risk, as login identities and content permissions are maintained outside of the formal company processes.
- Content is unlikely to be systematically classified and categorized with agreed-upon sensitivity levels. System authorization mechanisms are unlikely to relate to those sensitivity levels.
- Content is readily copied and replicated across systems, exacerbating the problem.
- Content is rarely owned by formalized content owners, and is unlikely to be systematically managed as a corporate asset.
Implementing an identity and access management program to protect both structured and unstructured content will require a multifaceted approach. Additional considerations for unstructured content include the following:
- Developing a content inventory that maps where content is stored.
- Creating a classification scheme or taxonomy that includes a definition for content sensitivity level.
- Identifying content owners as guardians of sensitive content, and determining user roles and authorizations relevant to a type of content and its sensitivity.
- Creating governance policies to inform users how sensitive content should be handled.
- Leveraging auditing tools to scan content and detect embedded Social Security numbers, credit card numbers and other data likely to violate compliance regulation if shared inappropriately.
- Defining lifecycles to support the cradle-to-grave management of content. This will help contain content growth by reducing redundancy and unnecessary long-term storage.
- Rationalizing the number of unstructured content systems and developing a strategy for external content sharing systems, as well as a policy for unauthorized systems.
- Implementing metadata security technologies that couple classification schemes and taxonomies with system authorizations. This approach provides the ability to protect content irrespective of the physical container structuring, and it protects content as it is moved around physical containers.
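As an added example (not from the article), the following Python sketches two of the considerations above in code: a content scan that assigns a sensitivity level from embedded identifiers (an SSN pattern and Luhn-valid card numbers) rather than from where the file lives, and an authorization check that couples a role's clearance with that label so the decision holds whichever container the file sits in. The file paths, roles, clearance policy and documents are constructed for illustration.

```python
import re

# Constructed sample documents; paths are hypothetical and span several
# containers (file share, personal cloud storage, CMS), as the article describes.
DOCS = {
    "shared/finance/q3-notes.txt": "Card on file 4539 1488 0343 6467 for renewal.",
    "dropbox/personal/memo.txt": "Team lunch moved to Friday.",
    "cms/hr/onboarding.txt": "New hire SSN 123-45-6789, start 2024-03-01.",
}

# SSN shape with the invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> str:
    """Assign a sensitivity level from the content itself, not its storage location."""
    if SSN_RE.search(text):
        return "restricted"
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return "restricted"
    return "internal"

def build_inventory(docs: dict) -> dict:
    """Content inventory: path -> sensitivity label, one entry per discovered file."""
    return {path: classify(text) for path, text in docs.items()}

# Assumed policy: each role may read content up to a maximum sensitivity level.
LEVEL_RANK = {"public": 0, "internal": 1, "restricted": 2}
ROLE_CLEARANCE = {"contractor": "public", "employee": "internal", "hr-analyst": "restricted"}

def may_read(role: str, level: str) -> bool:
    """Authorization decision driven by the label, independent of the container."""
    clearance = ROLE_CLEARANCE.get(role, "public")
    return LEVEL_RANK[clearance] >= LEVEL_RANK[level]
```

Because the label travels with the classification result rather than the folder, a copy of the HR file dropped into a personal Dropbox folder still evaluates to "restricted" and is denied to an "employee" role.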
Typical research estimates indicate around 80% of the content stored in enterprises is unstructured. Organizations need to pay heed to this when looking to implement a holistic IAM program to protect all of their content assets.