Universal controls

Universal controls is a term used within information risk management and information risk assessment (auditing) to represent an information control that can be enforced across multiple applications, systems, or platforms. Universal controls are based on a universal policy language, such as XACML.


Business users and policy analysts can define one set of policies and procedures, then apply it consistently throughout the enterprise, across user identities, roles, business context, time, locations, and dynamically created groups. The same information controls are rapidly deployed across multiple resources spanning multiple enterprise systems. Universal controls, built on a 4GL business language, integrate and interoperate with the existing network and security infrastructure and with the directory services already used to manage users and information assets. The result is protection during data handling and disclosure that prevents data loss and conflicts of interest when data is shared across heterogeneous networks, without any change to user workflows.

Companies can use universal controls to protect data consistently across multiple storage sources, such as file servers, application data stores, and web-based portals and sites, and across multiple endpoint devices, for example desktop or laptop PCs, USB and CD drives, portable devices, and printer and file servers. A single set of universal policies controls the access to, handling of, and sharing of information by recognising the various actions involved: standard file operations, printing, e-mail and IM attachment, Web and FTP upload, or sharing on intranet portals or sites, for example. Once deployed, business policies are continuously enforced, including on laptops and portable devices used while mobile or operating remotely, whether or not they are attached to the network.

Real-time, context-based, universal enforcement

Regardless of which data sources, endpoints, applications, and systems a company has deployed, universal controls can monitor information activity across the enterprise and evaluate business conditions against attempted data access and handling in real time. Based on the policy evaluation results, universal controls can actively prevent unauthorized or inappropriate data use, educate users in real time about their information activities, automate procedures to assist users, and so forth. This real-time enforcement takes account of business context, such as the time of day or day of the week, the application used to access data or open a document, the user's identity or role, the user or device location, and so on.

As an example: A policy may allow a defined class of users to access, copy, or print sensitive company data, but only while using an approved spreadsheet application and only during regular business hours; in any other situation the activity is automatically denied and/or the user is warned. Once deployed, this policy protects its target data regardless of the endpoint type or location, the operating system in use, or whether the device is attached to the network.
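The policy just described, written out as an added example that is not part of the original article: a minimal attribute-based Policy Decision Point (PDP) in Python and the deny-biased Policy Enforcement Point (PEP) that consults it, using the XACML vocabulary of target, Permit, Deny and NotApplicable. The role name, the approved application identifier, the business-hours window and the sample timestamp are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy parameters (assumptions for illustration, not from the article).
AUTHORISED_ROLE = "finance-analyst"
APPROVED_APPS = {"corp-spreadsheet"}          # hypothetical approved application id
BUSINESS_HOURS = (time(9, 0), time(17, 0))    # Monday to Friday, 09:00-17:00
COVERED_ACTIONS = {"read", "copy", "print"}
SAMPLE_TIME = datetime(2024, 3, 12, 10, 30)   # constructed timestamp, a Tuesday

@dataclass(frozen=True)
class Request:
    """Attributes the PEP collects about the attempted operation (the request context)."""
    role: str
    action: str
    resource_class: str   # e.g. "sensitive" or "public"
    application: str      # application used to open the data
    when: datetime        # local time of the attempt

def is_business_hours(when: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return when.weekday() < 5 and start <= when.time() < end

def decide(req: Request) -> tuple[str, str]:
    """Policy Decision Point. Returns (decision, message shown to the user).

    Target: covered actions on sensitive data (anything else is NotApplicable).
    Within the target the rule is deny-by-default: role, application and time
    must all match, and each Deny carries the article's 'users are warned' message."""
    if req.resource_class != "sensitive" or req.action not in COVERED_ACTIONS:
        return "NotApplicable", ""
    if req.role != AUTHORISED_ROLE:
        return "Deny", "your role may not access sensitive data"
    if req.application not in APPROVED_APPS:
        return "Deny", "open sensitive data with an approved spreadsheet application"
    if not is_business_hours(req.when):
        return "Deny", "sensitive data is available only during business hours"
    return "Permit", ""

def enforce(req: Request) -> bool:
    """Policy Enforcement Point: deny-biased, so only an explicit Permit proceeds."""
    decision, message = decide(req)
    if decision != "Permit":
        print(f"blocked {req.action} ({decision}): {message or 'no applicable policy'}")
        return False
    return True

if __name__ == "__main__":
    print(enforce(Request(AUTHORISED_ROLE, "print", "sensitive", "corp-spreadsheet", SAMPLE_TIME)))
    print(enforce(Request(AUTHORISED_ROLE, "copy", "sensitive", "corp-spreadsheet", SAMPLE_TIME.replace(hour=21))))
```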

Flexibility of open architecture

For universal controls to be effective, they generally require an open architecture, such as SOA interfaces, Web services, and open APIs. Controls must integrate readily with existing commercial or custom applications already in deployment. Plug-and-play third-party Policy Enforcement Points (PEPs) can be created by integrating a Policy Decision Point (PDP) with the devices, systems and applications to which universal controls are applied.

With universal controls, companies that manage information risks benefit from:

See also

- Regulatory compliance
- Enterprise software