Instead, access management has to be done at the source, so enterprises need to use tools like SharePoint or any of the many other information repository systems to control who gets access in the first place. That doesn't mean repository systems need to be the distribution points, of course — the repository simply needs to add the permissions to the documents based on whatever policies IT wants to set using the policy management tools of their choice. That way, if a document is emailed, its policy goes with it. That's much more secure than today's situation, where if anyone gets a document out of the managed repository, it's now free and clear of all policy attributes.
Dozens of vendors that make such policy-based management tools could adopt InfoTrust. They could also extend its capabilities in the same way that Apple's iOS and OS X use Microsoft EAS as the basic lingua franca for policy control but add APIs for more controls that third-party management tools could choose to enforce. That gives everyone a sufficient set of information management capabilities for the vast majority of their needs and lets vendors layer additional controls for the truly special ones. That model works well for EAS across iOS, OS X, Android, BlackBerry 10, and Windows Phone.
Likewise, identity management needs to be done at the source. That means InfoTrust needs APIs to communicate with existing enterprise identity management tools, such as Active Directory, to validate user permissions (and even existence) on documents for which password security alone is insufficient. Likely, the operating system will need to provide the local service that the app communicates with, and the OS will handle the server communications — similar to how EAS is implemented today. The use of documents with server-based identity protection will require an Internet connection to validate against the identity management server, but there's no way around that reality.
A plea to the tech industry: Make InfoTrust a reality
I strongly encourage Microsoft, Apple, and Google — the three platform and app vendors through which so much business data is acted on — to get together to develop the InfoTrust standard. Leading, progressive mobile and desktop security vendors such as MobileIron, Good Technology, AirWatch, Centrify, AppCentral, and Apperian should be key players. Perhaps one or two should even chair the effort due to their more neutral relationships with the platform vendors.
Traditional, backward-thinking vendors (such as those in the antivirus industry) should be kept at arm's length, at least in the initial stages. They've shown repeatedly that they can't get out of the broken defensive-perimeter trap.
IT keeps saying its security concerns are about protecting information. So, tech vendors, stop focusing on straitjacketing devices and apps and instead protect that valuable information wherever it is.