Tightening Information Access with Reader Field Security
Uncontrolled access to sensitive data
An independent product safety certification organization with worldwide facilities needed to tighten access to its client product inspection application databases. Its legal department wanted to ensure that outside contractors only had visibility into records assigned to them or to their inspection center (IC), while continuing to provide internal employees with access to all records in the system. The organization was looking for a low-cost solution that was compatible with its Lotus Notes-based process.
Picking the best alternative
The product safety certification process is centered on a single system that manages client product inspections on a global scale. This integrated application houses millions of subscriber information and history documents in nine databases that can be accessed by all internal employees and contractors. The individual inspection centers (ICs), located throughout the world, are responsible for coordinating and documenting field inspections using this information.
The inspection application was using replication formulas to manage data that was downloaded (replicated) to laptops of field representatives – employees or contractors – assigned to specific ICs. The formulas, applied during the download process, were designed to ensure that users could only replicate the subset of data that related to their needs. Although this was an effective means of managing the size and replication times of local databases, it fell short when it came to protecting the confidentiality of their clients. Under the current system, any user could change or remove the replication formula, or directly access the server to see all records that exist in the databases.
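A minimal model of the gap described above, added here as an illustration and not taken from the organization's application: a replication filter the user controls is compared with a per-document reader list the server enforces. All document ids, user names, IC names and the `ALL_EMPLOYEES` group are constructed assumptions.

```python
# Constructed sample data: ids, users and IC names are hypothetical.
DOCS = [
    {"id": "INSP-001", "ic": "IC-East", "assigned_to": "contractor_a"},
    {"id": "INSP-002", "ic": "IC-East", "assigned_to": "employee_b"},
    {"id": "INSP-003", "ic": "IC-West", "assigned_to": "contractor_a"},
    {"id": "INSP-004", "ic": "IC-West", "assigned_to": "contractor_c"},
]
USERS = {
    "contractor_a": {"internal": False, "ic": "IC-East"},
    "contractor_c": {"internal": False, "ic": "IC-West"},
    "employee_b": {"internal": True, "ic": "IC-East"},
}


def replicate(docs, selection):
    """Selective replication: the filter comes from the user's own replica
    settings, so it limits download size but is not an access control."""
    return [d["id"] for d in docs if selection(d)]


def readers_for(doc):
    """Reader list stamped on each document (assumed policy from the text:
    the assignee, the owning IC, and all internal employees)."""
    return {doc["assigned_to"], doc["ic"], "ALL_EMPLOYEES"}


def identities(user):
    """Names the server resolves for an authenticated user."""
    info = USERS[user]
    names = {user, info["ic"]}
    if info["internal"]:
        names.add("ALL_EMPLOYEES")
    return names


def server_read(docs, user, selection=lambda d: True):
    """The server drops documents the user may not read before any
    client-supplied filter runs, so changing the filter reveals nothing new."""
    who = identities(user)
    visible = [d for d in docs if readers_for(d) & who]
    return replicate(visible, selection)
```

With only the replication filter in place, replacing it with a select-all filter returns every document; with the reader list enforced, the same select-all filter returns only what the user is entitled to.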