Trust, but verify

Once, back in the 1990s, I hosted an invitation-only party for my magazine at a trendy bar in Boston. My assistant arranged it all, including hiring a bouncer, whose frightening size was surpassed only by his scary disposition. When I arrived, somewhat late and without a pass, the bouncer blocked my path. I pointed to my picture on the invitation in his hand, but he just shrugged and said, “You don’t look like you.”

Although the girth and personality need not be similar, I believe that the growing population of “delegated administrators,” or data gatekeepers, should have the same innately skeptical nature as that Boston bouncer. Because when you hand over the keys to your data to someone outside IT, you want that person to be extremely selective about who gets to see what data, when and why.

Assigning gatekeeper duties to non-IT workers isn’t new. With the advent of networked PCs and the Web, virtually all data entry work moved from IT to end users, and new data permissions had to be part of that change.

These gatekeepers distribute data rights for certain applications inside and, increasingly, outside companies. Say a new employee or manager is hired. The data gatekeeper has to decide what level of data access they get. Or a disgruntled employee is fired. The data gatekeeper turns off his access immediately. The job is usually undertaken by a specific individual inside an organization who adds those duties to his regular tasks. But from IT’s perspective, that person’s job is a process that can make or break the usefulness of an application. The responsibilities of the data gatekeeper have to be under IT’s control and should be restricted to specific applications for a defined group – not the entire user population.

Take access rights. You could design and write a program that connects a biometric database to the corporate HR application to identify users and verify their roles in the company. Next, you could develop a Q&A program to determine which applications those people need. Those results could then be pushed into a database that ties applications to job functions. The three could then be linked to serve up the right software to the right individual.

Most companies don’t go to that kind of trouble and expense because it’s far more efficient to simply have a trusted person – your systems administrator – give workers access rights. But even your sysadmin can’t make the best decisions when it comes to access rights for your customers or other people within your supply chain.

That’s why Avnet Inc., a global distributor of high-end computer and network systems in Phoenix, adopted this data gatekeeper approach for its Channel Connection application. Hundreds of value-added resellers that acquire products from Avnet use Channel Connection to access real-time data on orders, credit status and other information.

Dave Stuttard, vice-president for applications solutions in Avnet’s computer marketing group, says IT staffers don’t have the level of information about customers to determine who would be best suited to access the Channel Connection application, so Avnet trusts its sales staff to sign up customers and assign them rights to the numerous application modules inside Channel Connection. As data gatekeepers, the salespeople are trusted to make the decisions about who else can be trusted.

But Avnet also heeds that old Russian proverb: Trust, but verify. Every salesperson’s recommendations must be approved by an Avnet sales operations manager.

Once given access, the customers designate a data gatekeeper (approved by Avnet), who has broader data-access privileges. For example, as employees’ roles change, a customer’s data gatekeeper can update the system to swap one user’s rights for another.

The extension of trust through the data gatekeeper process is essential to making this kind of application work outside a company. But equally vital is having a solid security system in place. Avnet uses Directory Smart, a secure LDAP database from OpenNetwork Technologies in Clearwater, Fla. Stuttard says the product’s single sign-in feature makes it easy for users to navigate through the multiple application modules, which means customers actually use the program. And its database gives the data gatekeeper control “down to the page level” by assigning a user’s role and privileges, he says.

Of course, a customer’s data gatekeeper can’t change his company’s access rights. Only Avnet’s staff can do that. Because, as Avnet knows, the benefits of having someone watch the gate can quickly vanish when your trust is placed in the wrong hands.
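The delegation chain the column describes (salesperson recommends, sales operations manager approves, customer names a gatekeeper, gatekeeper reassigns rights only within the company's entitlement, and only operator staff can change that entitlement) is easy to get wrong when each step is a separate admin screen. The model below is an added example, not code from the column, from Avnet or from Directory Smart; the organization, user, role and module names are constructed, and the behaviour of shrinking user rights when a company's entitlement is reduced is an addition that goes beyond what the column states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Role names are constructed for this example, not Avnet's or Directory Smart's.
SALES, SALES_OPS, OPERATOR_ADMIN = "sales", "sales_ops", "operator_admin"
GATEKEEPER, CUSTOMER_USER = "gatekeeper", "customer_user"


class AuthorizationError(Exception):
    """Raised when an actor attempts an action outside its delegated scope."""


@dataclass
class User:
    name: str
    org: str                      # the operator's org or a reseller's org
    role: str
    modules: Set[str] = field(default_factory=set)   # per-user (page-level) rights


@dataclass
class Customer:
    org: str
    granted_modules: Set[str]     # company-level entitlement, operator-controlled
    proposed_by: str
    status: str = "pending"       # pending -> active after sales-ops approval
    gatekeeper: Optional[str] = None
    users: Dict[str, User] = field(default_factory=dict)


class Portal:
    """Operator-side state for a hypothetical delegated-administration portal."""

    def __init__(self, operator_org: str = "operator"):
        self.operator_org = operator_org
        self.customers: Dict[str, Customer] = {}
        self.audit: List[Tuple[str, str, str]] = []   # (actor, action, target)

    def _require_operator(self, actor: User, role: str, what: str) -> None:
        if actor.org != self.operator_org or actor.role != role:
            raise AuthorizationError(f"{actor.name} may not {what}")

    # 1. A salesperson signs up a reseller and recommends module rights (pending).
    def propose_customer(self, actor: User, org: str, modules: Set[str]) -> None:
        self._require_operator(actor, SALES, "sign up customers")
        self.customers[org] = Customer(org, set(modules), proposed_by=actor.name)
        self.audit.append((actor.name, "propose", org))

    # 2. "Trust, but verify": a sales operations manager approves, never the proposer.
    def approve_customer(self, actor: User, org: str) -> None:
        self._require_operator(actor, SALES_OPS, "approve customers")
        cust = self.customers[org]
        if cust.proposed_by == actor.name:
            raise AuthorizationError("proposer cannot approve their own recommendation")
        cust.status = "active"
        self.audit.append((actor.name, "approve", org))

    # 3. The customer names a gatekeeper; operator staff confirm the choice.
    def designate_gatekeeper(self, approver: User, org: str, gatekeeper: User) -> None:
        self._require_operator(approver, OPERATOR_ADMIN, "confirm gatekeepers")
        if gatekeeper.org != org:
            raise AuthorizationError("gatekeeper must belong to the customer org")
        cust = self.customers[org]
        gatekeeper.role = GATEKEEPER
        cust.gatekeeper = gatekeeper.name
        cust.users[gatekeeper.name] = gatekeeper
        self.audit.append((approver.name, "designate_gatekeeper", f"{org}/{gatekeeper.name}"))

    # 4. The gatekeeper reassigns rights for its own company's users, but only
    #    within the modules the company was granted.
    def set_user_modules(self, actor: User, org: str, user: User, modules: Set[str]) -> None:
        cust = self.customers[org]
        if actor.role != GATEKEEPER or actor.org != org or cust.gatekeeper != actor.name:
            raise AuthorizationError(f"{actor.name} is not the gatekeeper for {org}")
        if user.org != org:
            raise AuthorizationError("gatekeepers administer only their own company's users")
        outside = set(modules) - cust.granted_modules
        if outside:
            raise AuthorizationError(f"modules not granted to {org}: {sorted(outside)}")
        user.modules = set(modules)
        cust.users[user.name] = user
        self.audit.append((actor.name, "set_user_modules", f"{org}/{user.name}"))

    # 5. Company-level entitlements change only through operator staff; user rights
    #    are trimmed to the new entitlement so nobody keeps a page the company lost.
    def set_company_modules(self, actor: User, org: str, modules: Set[str]) -> None:
        self._require_operator(actor, OPERATOR_ADMIN, "change company entitlements")
        cust = self.customers[org]
        cust.granted_modules = set(modules)
        for u in cust.users.values():
            u.modules &= cust.granted_modules
        self.audit.append((actor.name, "set_company_modules", org))

    # Enforcement point: a page is served only when every layer agrees.
    def can_access(self, org: str, user_name: str, module: str) -> bool:
        cust = self.customers.get(org)
        if cust is None or cust.status != "active":
            return False
        user = cust.users.get(user_name)
        return user is not None and module in cust.granted_modules and module in user.modules


def run_demo() -> Portal:
    """Walk the constructed workflow end to end and return the portal for inspection."""
    p = Portal("avnet")
    rep, ops = User("rep", "avnet", SALES), User("ops_mgr", "avnet", SALES_OPS)
    admin = User("admin", "avnet", OPERATOR_ADMIN)
    p.propose_customer(rep, "reseller_a", {"orders", "credit_status"})
    p.approve_customer(ops, "reseller_a")              # nothing works before this step
    gk = User("gk", "reseller_a", CUSTOMER_USER)
    p.designate_gatekeeper(admin, "reseller_a", gk)
    alice = User("alice", "reseller_a", CUSTOMER_USER)
    p.set_user_modules(gk, "reseller_a", alice, {"orders"})
    return p
```

Each step writes an audit record, so a reviewer can later answer "who gave this reseller credit-status access and who approved it", which is the check the column's sales operations manager performs by hand. The `can_access` function is the one place where a page request is decided, and it requires all three layers (approved customer, company entitlement, per-user right) to agree.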

Mark Hall is Computerworld (U.S.)’s opinions editor. Contact him at