What are the Identity and Access Management Considerations?
  • 19 Oct 2020


Access to data in Circles protected by SecureCircle can be controlled based on identities provided from two sources: direct email-based invitations to Circles and Active Directory/LDAP systems. Both sources can be used simultaneously. The following are considerations when determining how and when to use each.

Active Directory/LDAP Integration

If Active Directory/LDAP is already used within an organization to manage identity and access to resources, integrating SecureCircle with the Active Directory/LDAP service provides significant advantages for the following reasons.

  • Data access control can be managed in Active Directory/LDAP simply by adding users to and removing users from Security Groups. Administrators do not need to learn new processes or workflows, since data access does not have to be managed through the SecureCircle Administrative UI.
  • Security is based on the current login rather than on the device itself. The user must provide an Active Directory/LDAP-authenticated login in order to access data, even if the device itself is compromised.
  • Existing data access policies (e.g., on file servers) can be used as a blueprint for creating and configuring Circles.
  • If using Active Directory, rollout can be done seamlessly through Group Policy or your choice of software distribution/management system.
  • SecureCircle Agent installation is silent and does not interfere with the end user in any way.

The SecureCircle Server accesses the Active Directory/LDAP service via the LDAP protocol, either via plain LDAP or over TLS/SSL (LDAPS). The SecureCircle Server needs only the ability to read group objects from the service as group membership will be provided via a secure, trusted module on the endpoint OS. In many cases, this means the SecureCircle Server will only ever make a single query to the Active Directory/LDAP service since the relevant groups seldom change, except for group membership, which isn't queried by the server.
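The following is an added example, written for this page and not code from SecureCircle or from the article, showing the kind of directory access described above: a read-only bind over LDAPS (port 636, with the default server-certificate validation left in place) that fetches only group objects and deliberately does not request the `member` attribute. The domain controller name, search base and service account are placeholders, and the service account is assumed to have been granted read access to group objects only.

```powershell
# Added example (not SecureCircle's code): read-only LDAPS query for group objects,
# the only directory access the article says the SecureCircle Server requires.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldapHost    = 'dc01.example.internal'       # assumed DC name; must match the LDAPS certificate subject
$baseDn      = 'DC=example,DC=internal'      # assumed search base
$serviceUser = 'EXAMPLE\svc-securecircle-ro' # assumed read-only service account
$cred        = Get-Credential -UserName $serviceUser -Message 'Read-only LDAP bind account'

# LDAPS on 636: a plain ldap:// bind on 389 without StartTLS would send the bind password in clear.
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ldapHost, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.SecureSocketLayer = $true   # TLS from the first byte
$conn.SessionOptions.ProtocolVersion   = 3
# Do NOT set SessionOptions.VerifyServerCertificate to an always-true callback;
# leaving it unset keeps the default chain validation against the DC's certificate.
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Credential = $cred.GetNetworkCredential()

# Group objects only. 'member' is intentionally absent: per the article, membership is
# supplied by the trusted module on the endpoint, so the server never needs to read it.
$filter = '(objectClass=group)'
$attrs  = @('distinguishedName', 'cn', 'objectSid')
$scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$request = New-Object System.DirectoryServices.Protocols.SearchRequest($baseDn, $filter, $scope, $attrs)
$request.SizeLimit = 1000   # cap the result set; raise or page if the forest has more groups

try {
    $conn.Bind()   # fails (no fallback to cleartext) if the LDAPS handshake or auth does not succeed
    $response = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($request)
    foreach ($entry in $response.Entries) {
        [pscustomobject]@{
            DN = $entry.DistinguishedName
            CN = $entry.Attributes['cn'].GetValues([string])[0]
        }
    }
}
finally {
    $conn.Dispose()
}
```

Run this once under the service account you intend to give the SecureCircle Server: if it returns the expected groups, the account has the read access the integration needs; if you only see a bind failure, check the LDAPS listener and certificate on the DC before widening the account's permissions.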

Direct Email-based Invitations

Direct email-based invitations should be used for all non-Active Directory/LDAP users who are capable of running the SecureCircle Agent and should have access to data protected in a Circle. SecureCircle Administrators/data custodians invite a user to one or more Circles simply by entering the user's email address. The user then receives an invitation email with a link that allows them to download the SecureCircle Agent and install it on their devices. Once the Agent is installed on a device, the end user receives another email prompting them to confirm ownership of that device by clicking a second link.

The following are example scenarios of when to use direct email-based invitations.

  • An organization does not use Active Directory/LDAP for user identity and access management.
  • A user external to the organization who is not in Active Directory (e.g., a third-party contractor, or a customer with whom frequent secure collaboration is needed) needs frequent access to data protected in a Circle.