What are the Identity and Access Management Considerations?
- Updated On 19 Oct 2020
Access to data in Circles protected by SecureCircle can be controlled based on identities provided from two sources: direct email-based invitations to Circles and Active Directory/LDAP systems. Both sources can be used simultaneously. The following are considerations when determining how and when to use each.
Active Directory/LDAP Integration
If Active Directory/LDAP is already used within an organization to manage identity and access to resources, integrating SecureCircle with the Active Directory/LDAP service provides significant advantages for the following reasons.
- Data access control can be managed using Active Directory/LDAP simply by adding users to and removing users from Security Groups. Administrators do not need to learn new processes or workflows, since it is not necessary to manage data access through the SecureCircle Administrative UI.
- Security is based on current login, rather than on the device itself. The user is required to provide an Active Directory/LDAP-authenticated login in order to access data, even if the device itself is compromised.
- Existing data access policies (e.g., on file servers) can be used as a blueprint for creating and configuring Circles.
- If using Active Directory, rollout can be done seamlessly through Group Policy or your choice of software distribution/management system.
- SecureCircle Agent installation is silent and does not interfere with the end user in any way.
The SecureCircle Server accesses the Active Directory/LDAP service via the LDAP protocol, either as plain LDAP or over TLS/SSL (LDAPS). The SecureCircle Server needs only the ability to read group objects from the service, because group membership is provided by a secure, trusted module on the endpoint OS. In many cases this means the SecureCircle Server will only ever make a single query to the Active Directory/LDAP service: the relevant groups seldom change, and group membership, which does change, is not queried by the server.
Direct Email-based Invitations
Direct email-based invitation should be used for all non-Active Directory/LDAP users capable of running the SecureCircle Agent who should have access to data protected in a Circle. SecureCircle Administrators/data custodians invite a user to one or more Circles simply by entering their email address. The user then receives an invitation email with a link that allows them to download the SecureCircle Agent and install it on their devices. Once the Agent is installed on a device, the end user receives another email prompting them to confirm ownership of the device by clicking on a second link.
The following are example scenarios of when to use direct email-based invitations.
- An organization does not use Active Directory/LDAP for user identity and access management.
- A user external to the organization who is not in Active Directory (e.g., a third-party contractor, or a customer with whom frequent secure collaboration is needed) needs frequent access to data protected in a Circle.
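The following script is an added illustration of the two identity sources described above (the read-only LDAP/LDAPS group lookup, and email invitations with the device-confirmation step); it is not SecureCircle's code and does not use its API. It models the access decision a server would make: a Circle is mapped to directory group DNs and/or invited email addresses, the endpoint reports the current directory login and its group membership (or a confirmed invited email), and access follows the login rather than the device. The `check_directory_url` helper refuses a plain `ldap://` URL unless the operator opts in, and `group_search` shows the single group query with no `member` attribute requested. All class names, function names, group DNs and email addresses are constructed for the example.

```python
"""Model of directory-group and email-invitation access to a Circle.

Added illustration, not SecureCircle code. Every identifier, DN and
address below is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlparse

# Default ports for the two transports the page names (plain LDAP, LDAPS).
LDAP_PORTS = {"ldap": 389, "ldaps": 636}


def check_directory_url(url: str, allow_plaintext: bool = False) -> tuple[str, int]:
    """Validate the directory URL the server would connect to; return (host, port).

    Plain ldap:// is refused unless explicitly allowed, because bind
    credentials and group names would otherwise cross the network in clear.
    """
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme not in LDAP_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}; expected ldap:// or ldaps://")
    if scheme == "ldap" and not allow_plaintext:
        raise ValueError("plain LDAP refused; use ldaps:// or set allow_plaintext=True knowingly")
    if not parsed.hostname:
        raise ValueError("directory URL has no host")
    return parsed.hostname, parsed.port or LDAP_PORTS[scheme]


# Group-object filters: the server reads group objects only, never members,
# because membership is reported by the trusted endpoint module.
GROUP_FILTERS = {
    "active_directory": "(objectClass=group)",
    "generic_ldap": "(objectClass=groupOfNames)",
}


def group_search(base_dn: str, directory_kind: str) -> dict:
    """Describe the single read-only group query: base, scope, filter, attributes."""
    return {
        "base": base_dn,
        "scope": "subtree",
        "filter": GROUP_FILTERS[directory_kind],
        "attributes": ["cn", "distinguishedName"],  # deliberately no 'member'
    }


@dataclass
class Circle:
    name: str
    groups: set[str] = field(default_factory=set)   # directory group DNs
    invited: set[str] = field(default_factory=set)  # invited email addresses


@dataclass
class Endpoint:
    """What the endpoint reports: the current login's groups, and for an
    invited user the email that was invited and whether this device was confirmed."""
    directory_login: bool = False
    login_groups: set[str] = field(default_factory=set)
    invited_email: str | None = None
    device_confirmed: bool = False


def authorize(circle: Circle, endpoint: Endpoint) -> tuple[bool, str]:
    """Decide access from the current login, not from the device."""
    if endpoint.directory_login and circle.groups & endpoint.login_groups:
        return True, "directory group"
    invited = {e.lower() for e in circle.invited}
    if (endpoint.invited_email and endpoint.device_confirmed
            and endpoint.invited_email.lower() in invited):
        return True, "email invitation"
    return False, "no matching identity"


def demo() -> list[tuple[str, bool, str]]:
    """Run constructed scenarios mirroring the page's two identity sources."""
    finance_dn = "CN=Finance,OU=Groups,DC=example,DC=com"
    finance = Circle("Finance", groups={finance_dn}, invited={"auditor@contractor.example"})
    cases = {
        "employee, domain login in Finance group": Endpoint(True, {finance_dn}),
        "same device, login outside Finance group": Endpoint(True, {"CN=Sales,OU=Groups,DC=example,DC=com"}),
        "contractor, invited and device confirmed": Endpoint(invited_email="Auditor@contractor.example", device_confirmed=True),
        "contractor, invited but device not confirmed": Endpoint(invited_email="auditor@contractor.example"),
    }
    return [(label, *authorize(finance, ep)) for label, ep in cases.items()]


if __name__ == "__main__":
    print(check_directory_url("ldaps://dc1.example.com"))
    print(group_search("DC=example,DC=com", "active_directory"))
    for label, allowed, reason in demo():
        print(f"{label}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Two points the model makes concrete: the second scenario shows that the same device is denied once a different user logs in, which is the "security follows the login, not the device" property, and the fourth shows that an invitation alone does not grant access until the device-confirmation email has been acted on.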