Classification Improvements
Information classification feature
This page describes the Information classification midPoint feature.
Please see the feature page for more details.
Planned feature
This feature is a planned feature.
It is roughly designed and has been evaluated as feasible.
However, there is currently no specific plan for when it will be implemented, because there is no funding for this development yet.
If you are interested in supporting the development of this feature,
please consider purchasing a midPoint Platform subscription.
Introduction
Classification and clearance management has been part of midPoint since 4.8.3. The current implementation is based solely on the pre-existing concepts of meta-roles and policy rules. The basic functionality works; however, it is not very convenient. Perhaps the most obvious problem is the lack of visibility and user-friendliness.
Improvements
We need to improve:
- Visibility: the classifications (labels) are not easy to see, even when they are assigned directly. We need to:
  - Find a prominent place to display the classifications (labels), e.g. in the object details header.
  - Display classifications in object details panels, perhaps as a top-level item in the panel submenu.
  - Display application classifications (maybe also role classifications) in important places where the application/role is displayed, e.g. show the classification level in the approval dialog to inform the approver.
  - Improve visibility of the pre-defined "Privileged Access" classification, even when it is assigned indirectly. We want to highlight roles that include privileged access.
  - Compute classifications for roles, using inducements. See Compliance Design Notes for discussion.
- Error messages and overall presentation of policy rule violations. The current error message looks like:

  `No assignment exists for role 09360ff0-d506-4751-b13f-4e01422693ac (after operation)`

  Overall, the presentation of policy rule violations should be re-thought and significantly improved.
- Improve policy rule structure and operation. Currently, we are using the `hasNoAssignment` policy constraint. It works, but the notation is not very intuitive. It should be changed to be more like `exclusion`, with similar behavior. Perhaps `hasNoAssignment` should be renamed to `requirement`, or, even better, a new flexible `requirement` constraint should be added in addition to the existing `hasNoAssignment`. The current `hasNoAssignment` constraint triggers too aggressively: for example, when both the classified role and the clearance are removed in the same operation, the policy rule prohibits the operation even though it is legal.
- Show classifications (labels) in the application list (view) as a new column. How should the value of that column be computed? This is likely to be quite a common requirement.
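The two items above on computing role classifications through inducements and on the clearance check that should not fire when the classified role and the clearance are removed together, as an added illustrative model in Python. This is not midPoint code or its policy rule schema; the role names, labels and the label-to-clearance mapping are constructed for the example.

```python
# Added illustrative model, not midPoint code: role classifications derived
# through inducements, and a clearance requirement evaluated against the
# assignment change rather than only against the post-operation state.
from typing import Dict, FrozenSet, Set

# Constructed sample data: role -> induced roles, role -> classification labels,
# label -> clearance role a user must hold to be assigned anything so labelled.
INDUCEMENTS: Dict[str, Set[str]] = {
    "hr-manager": {"hr-staff", "payroll-app"},
    "hr-staff": {"hr-app"},
}
LABELS: Dict[str, Set[str]] = {
    "payroll-app": {"confidential", "privileged-access"},
    "hr-app": {"internal"},
}
REQUIRED_CLEARANCE: Dict[str, str] = {"confidential": "clearance-confidential"}


def effective_labels(role: str) -> FrozenSet[str]:
    """Labels of a role plus everything reachable through its inducements.
    Iterative walk with a visited set, so cyclic inducements still terminate.
    This is what lets an indirectly induced "privileged-access" label surface."""
    seen: Set[str] = set()
    stack, result = [role], set()
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        result |= LABELS.get(current, set())
        stack.extend(INDUCEMENTS.get(current, set()))
    return frozenset(result)


def missing_clearances(roles_checked: Set[str], after: Set[str]) -> Set[str]:
    """Clearance roles required by the labels of roles_checked but absent in after."""
    required = {REQUIRED_CLEARANCE[lbl] for r in roles_checked
                for lbl in effective_labels(r) if lbl in REQUIRED_CLEARANCE}
    return required - after


def violations_current(before: Set[str], after: Set[str]) -> Set[str]:
    """Model of the hasNoAssignment behaviour described above: rules of every
    assignment touched by the operation (kept or removed) are evaluated, and
    the clearance is looked up only in the post-operation state."""
    return missing_clearances(before | after, after)


def violations_requirement(before: Set[str], after: Set[str]) -> Set[str]:
    """Model of the proposed requirement constraint: a clearance is required
    only for classified roles that remain assigned after the operation, so the
    pre-operation state does not matter here."""
    return missing_clearances(after, after)
```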
Compliance
This feature is related to the following compliance frameworks:
- ISO/IEC 27001 5.2: Information security roles and responsibilities
- ISO/IEC 27001 5.8: Information security in project management
- ISO/IEC 27001 5.9: Inventory of information and other associated assets
- ISO/IEC 27001 5.10: Acceptable use of information and other associated assets
- ISO/IEC 27001 5.19: Information security in supplier relationships
- ISO/IEC 27001 5.20: Addressing information security within supplier agreements
- ISO/IEC 27001 5.21: Managing information security in the ICT supply chain
- ISO/IEC 27001 5.22: Monitoring, review and change management of supplier services
- ISO/IEC 27001 5.23: Information security for use of cloud services
- ISO/IEC 27001 5.25: Assessment and decision on information security events
- ISO/IEC 27001 5.31: Legal, statutory, regulatory and contractual requirements
- ISO/IEC 27001 6.3: Information security awareness, education and training
- ISO/IEC 27001 6.5: Responsibilities after termination or change of employment
- ISO/IEC 27001 6.6: Confidentiality or non-disclosure agreements
- ISO/IEC 27001 8.19: Installation of software on operational systems
- ISO/IEC 27001 8.27: Secure system architecture and engineering principles