One question looms large in the boardroom: Is our privacy policy relevant?
Any discussion of identity management should also address how the gathered data is used. The Courion and Business Layers products
focus on managing employee identities within a corporation, but ID management shouldn't end there. A broader ID management
strategy incorporates managing the identity of customers and business partners as well.
Most privacy policies look great on paper, but enforcing them is based almost exclusively on the honor system. Should employees
in the shipping department have unfettered access to client data such as credit card numbers? In a perfect world, they would
only have access to the subset of data -- the shipping information -- relevant to their job: in essence, a data firewall.
Recent events have underscored that the honor system doesn't work at the corporate level. IBM took note of this problem and
released TPM (Tivoli Privacy Manager) in late 2002.
TPM integrates with J2EE applications and LDAP data sets, enforcing a privacy policy on top of the core application and limiting
the data available to the user based on his or her credentials and the rules in the overall policy. TPM is outfitted with
an auditing and reporting engine, allowing for a very granular view of what data is flowing where, pinpointing the account
used to access, view, or modify that data. Although achieving this goal may be possible in a rudimentary fashion by coding
the rules directly into the core application, managing privacy policies at the code level is all but impossible. Add the onus
of keeping up with changes to the corporate privacy policy, and the problem proves even more difficult. But if a dataset is
protected at a layer well above the code, the problem becomes manageable. TPM does this and adds the ability for non-IT personnel
to manage the policies and generate reports and audit trails. All the bases are covered -- the data firewall becomes a litigation
firewall.
Tivoli Privacy Manager is a companion product to TIM (Tivoli Identity Manager) and TAM (Tivoli Access Manager). IBM declined to participate in a review (a new release of TIM and TAM is set for June),
but provided us with a TPM demo instead. The demo focused on a Web storefront application, highlighting the integration of
TPM and the J2EE storefront application.
When implementing TPM, an administrator draws parallels between the entity Java beans that define sensitive data and the privacy
policies' structure on the appropriate use of that data. By defining roles for accounts and user groups within TPM, certain
portions of the datasets returned to the user are blocked based on his or her privilege level. TPM can be implemented as an
enforcement engine or simply used as an auditing tool to assess the current state of policy adherence.
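
The field-level filtering, audit trail, and enforce-versus-audit-only modes described above, sketched as an added Python example. It is not TPM code and uses no IBM API; the role names, field names, account name, and sample order are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy, kept outside the application code: the record fields each
# role may see. Role and field names are assumptions, not TPM policy syntax.
POLICY = {
    "shipping": {"name", "ship_address"},
    "billing": {"name", "billing_address", "card_number"},
}

# Constructed sample record (the card number is a well-known test value).
ORDER = {
    "name": "A. Customer",
    "ship_address": "1 Example St",
    "card_number": "4111111111111111",
}


@dataclass
class DataFirewall:
    policy: dict
    enforce: bool = True  # False = audit-only: record violations, block nothing
    audit_log: list = field(default_factory=list)

    def read(self, account, role, record):
        """Return the view of `record` released to `account`, logging each field."""
        allowed = self.policy.get(role, set())  # unknown role: nothing allowed
        view = {}
        for name, value in record.items():
            if name in allowed:
                outcome = "allowed"
            elif self.enforce:
                outcome = "blocked"
            else:
                outcome = "violation"  # out of policy, but released anyway
            self.audit_log.append(
                {"account": account, "role": role, "field": name, "outcome": outcome}
            )
            if outcome != "blocked":
                view[name] = value
        return view

    def report(self, outcome):
        """Audit entries with the given outcome, e.g. for a policy-adherence report."""
        return [entry for entry in self.audit_log if entry["outcome"] == outcome]
```

Running the same policy first with `enforce=False` shows how many reads would be blocked before enforcement is switched on.
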
(For more on identity management and privacy, return to "Does identity management clash with privacy?")