How does it work?
So say a new hire is coming on board. Their manager submits a request via this workflow portal, which collects their name and their start date and their title and their department and all the other stuff. The second they hit submit, many things occur, one of which is the user's first name and last name are put into Google Apps and an account is automatically created. And that account is created in a particular sub-org, which you might call in Active Directory a group. A sub-org based on the role.
Simultaneously, in Zendesk a ticket is created which is routed to our help desk contractor, who can then create the laptop, create the smartphone and create the iPad, because we give all three out. Once that account is created in Google Apps and a profile is established for that person, our IAM vendor sees there's a new hire and automatically provisions every app that that user should have. So let's say for that particular profile the user is allowed to use 21 apps. So the IAM vendor creates all those accounts and obfuscates all the passwords.
Once that's done the user is given the equipment when they start and they have to log into each one to establish a certificate. From then on, as long as two of their three devices are within three feet of each other, the two devices become trusted.
How will you roll it out?
We hope to have the first pilot group here at company in place by June, essentially sooner, but we're giving ourselves until June. But the whole thing will roll out to the company by Dec. 1. The flip side to this, of course, is that once you have access and there's trust going on, the next piece will be, "OK. So you've got trust, but what can you actually see?" And that's where the second piece comes in, the part that addresses document ontology and classification.
So we're going through a big effort now to ascertain just exactly what in our company we care about securing. And when we stepped back and thought about it, we realized that less than 1% of our approximately 2 million documents could actually harm us if they were released.
Now that's still a lot of documents, but once you've identified a class of document, it's not so much about going backwards and securing them, it's more about going forward. If a document fits this type of profile then this is what happens to it and people that need to see it are invited to it; the document never actually leaves our cloud. If I have a document I want you to see and work on, I can't actually email it to you. I can't put it on your USB drive or I can't email it to you as an attachment. But I can invite you to it, and once you come to it everything you do is audited.