Epok Poses Alternative For Managing User Access

Epok, a Bethesda, Md.-based startup, recently rolled out version 4.0 of Trusted Data Exchange (TDX), which it describes as a platform for managing user-access rights to specific sets of data.

In a world dominated by stricter requirements derived from the Sarbanes-Oxley Act and Homeland Security regulations that limit who can access data, there is a need for a different approach to identity rights management, said Ayman Hariri, president and CEO of Epok.

Epok was founded after Hariri acquired digital identity technology from Seattle-based Cordance, formerly known as OneName.

"The rise of Web services and the consequent breakdown of control has created a requirement for new levels of enterprisewide data control and security," Hariri said. "In most data-access models—including services-oriented architecture (SOA)—as accessibility to data increases, control decreases. Conversely, TDX 4.0 implemented in an SOA provides the highest levels of data controls, even as additional Web services are deployed across the organization."

TDX works by providing object labels around classes of data and then managing who has access to use those data objects across multiple applications. This allows IT organizations to limit access to very specific sets of data, rather than relying on user-based permission schemes that are limited to specific files and database tables.

In addition, keeping track of changes to users is more difficult than figuring out which departments need access to particular data sets.

Given the uniqueness of Epok's approach, standards play a big role in making sure TDX interoperates on as many levels as possible, Hariri said.

Accordingly, version 4.0 complies with Web Services-Interoperability Organization Basic Profile 1.1, which seeks to ensure interoperability with other Web services.

TDX 4.0 also complies with the Oasis Extensible Resource Identifier 1.0 standard for data modeling, identification and labeling of the enterprise business objects. Support for Security Assertion Markup Language-based authentication and authorization, as well as support for LDAP 3.0, are also included in version 4.0, according to Epok.

Proving that TDX can be deployed without creating undue network latency looks to be an early challenge for Epok, said John Freeman, principal of Mycroft, a New York-based VAR that has deployed secure, directory-enabled identity-management infrastructures for numerous Fortune 100 clients.

"Anything that does this type of inspection puts such a huge overhead in the delay of the network conversation that it's almost unusable when faced with a lot of traffic," Freeman said. "So it looks like with Epok, you'll still need to build your applications to use it instead of letting [TDX] just stand out there and sniff away."

But Freeman added that any performance latency caused by TDX might be reduced though the use of a hardware accelerator.

Still, Freeman believes Epok brings something positive to the identity-management market with TDX. "I think these guys are right on target as to where provisioning is going," he said.

The concept of TDX resonated well with other integrators that tackle security and identity rights management on a daily basis.

Nick LaForgia, director of L4 Networks, a network and security VAR in Arlington, Va., said his first impression of Epok's approach to identity rights management was just as positive. "I can see the Epok approach working well, particularly in a financial network model," LaForgia said. "For example, if I'm a clearinghouse for all sorts of user-access feeds, I may use a federated ID management tool or secure single-sign-on technology, but they wouldn't be customized to the content being used. Epok strikes me as a way to user sign-on with specific content in mind."

Pricing for TDX starts at $75,000 per CPU.