Sam Alapati heads the IT Security practice at Miro Consulting. When it comes to the protection of proprietary information, whether an organization is a content provider or not, the issues are essentially the same, says Alapati. They include the following:
1. Identification: The fundamental thing is making sure that you have a system in place that helps you ensure that the person who is accessing your system is, indeed, the person who he or she says he or she is. That's the crux of the matter.
2. Provisioning: What are visitors to the site authorized to view or copy?
3. Access control: Once people come into your system, how are you tracking usage of your system to make sure they're using what they're supposed to be using?
4. An ID management system: Passwords should be tracked within a formal system and kept up-to-date as users and their authorizations change.
5. Auditing: Auditing may serve both internal needs in terms of ensuring that the appropriate people are looking at the appropriate things, as well as external requirements-PCI security standards for companies that accept credit cards, for instance.
Nick Nichols is with Novell's Identity Management Division and also serves as CTO for security for Novell. "In the past, from a security standpoint, it was viewed that everybody on the outside was bad and everybody on the inside was considered good, so we built rigid firewalls," says Nichols. "I think we've seen over the last number of years that that's not a sustainable model because there's just too much activity that needs to happen. We've got partners on the outside and we have employees that might be mobile." And, he adds: "You can't always trust everybody on the inside-insider threats are some of the most costly security breaches."
Eric Olden is the CEO of Symplified, a company that provides "identity management for the cloud." Olden describes four components that come into play when considering security issues-consumers, the site, the access control system, and the billing system. Traditionally, he says, these components were not necessarily developed in consideration of the impact on other components. However, he says, "We're seeing a renaissance in, of all things, billing!" Why? Because content providers have discovered a need to be more creative and, consequently, more complex in terms of the billing-related decisions and actions that their systems need to accommodate. For instance, he says, "They want to give away the first five or ten views of an article to anyone who shows up to their website and then, once they've seen that threshold of articles, then they need to register that user and move them from being anonymous to being [known]. This is where it becomes an identity management issue."
That's the first step, he says-to be able to somehow track that this person (whom you don't know anything about except for his or her device or IP address) has looked at 10 units of content, and before we show him or her the 11th, we need to register him or her. "Most media companies have had websites for a long time, but their access management systems weren't designed with this in mind," he says.
The next step, of course, is the ability to charge these individuals who are now known to you. "Now they enter the billing system and, in the billing system, you're going to have subscriptions, and you're going to have bundled, discounted and promotional offers.
In addition to the complexities-and opportunities-offered through various ways of bundling, unbundling, charging for, and offering free content, content owners are now also seeing demand for access to this information from multiple sources, not just computers. "Everyone wants to access content through multiple devices," says Olden. "The most obvious one is the iPad, and content is definitely being delivered to desktops, but we've seen cases where content needs to go into television; where there's no human that's logging in, it's a device that's the user. So there are a lot of things all being integrated here."