Identity Rights Manager Boasts More Sophisticated Approach

Epok, a Bethesda, Md.-based startup, on Monday rolled out version 4.0 of Trusted Data Exchange (TDX), which it describes as a platform for managing user-access rights to specific sets of data.

Epok was founded after its president and CEO, Ayman Hariri, acquired digital identity technology from a vendor named Cordance, formerly known as OneName, Seattle, according to Epok spokespeople.

TDX works by providing object labels around classes of data and then managing who has access to use those data objects across multiple applications. This allows IT organizations to limit access to very specific sets of data, rather than relying on user-based permission schemes that are limited to specific files and database tables. In addition, keeping track of changes to users is more difficult than figuring out which departments need access to particular data sets.

Hariri said that in a world dominated by stricter requirements derived from Sarbanes-Oxley and Homeland Security regulations that limit who can access data, the need for a different approach to identity rights management has arrived.

"The rise of Web services and the consequent breakdown of control has created a requirement for new levels of enterprisewide data control and security," Hariri said. "In most data-access models, including services-oriented architecture (SOA), as accessibility to data increases, control decreases. Conversely, TDX 4.0 implemented in a SOA provides the highest levels of data controls, even as additional Web services are deployed across the organization."

Proving that TDX can be deployed without creating undue network latency looks to be an early challenge for Epok, said John Freeman, principal of Mycroft, a New York-based VAR that has deployed secure, directory-enabled identity management infrastructures for numerous Fortune 100 clients.

"Anything that does this type of inspection puts such a huge overhead in the delay of the network conversation that it's almost unusable when faced with a lot of traffic. So it looks like with Epok, you'll still need to build your applications to use it instead of letting [TDX] just stand out there and sniff away," said Freeman, who added that any performance latency caused by TDX might be reduced though the use of a hardware accelerator.

Still, Freeman believes Epok brings something positive to the identity management market with TDX. "I think these guys are right on target as to where provisioning is going," Freeman said.

The concept of TDX resonated well with other integrators who tackle security and identity rights management on a daily basis.

Nick LaForgia, director of L4 Networks, a network and security VAR in Arlington, Va., said his first impression of Epok's approach to identity rights management was just as positive. "I can see the Epok approach working well, particularly in a financial network model," LaForgia said. "For example, if I'm a clearing house for all sorts of user-access feeds, I may use a federated ID management tool, or secure single-sign-on technology, but they wouldn't be customized to the content being used. Epok strikes me as a way to user sign-on with specific content in mind."

Industry standards supported by TDX include support for Web services protocols defined by the Web Services Interoperability consortium, the Extensible Resource Identifier standard created by OASIS, SAML and LDAP 3.0.

Pricing for TDX starts at $75,000 per CPU, according to Epok.

Dan Neel contributed to this report.