The client was the Central IT Security department of a major pharmaceutical company.
The security group was undertaking a major programme of change to identity, access and related systems. The programme objective was to bring systems up to date and deliver services via the cloud in order to facilitate secure collaboration with partners and ongoing mergers and acquisitions activity.
Our brief was to select and deploy an Information Rights Management (IRM) service across the organisation that should be available to client staff and collaborators alike. The service was to be provided via the "cloud" in order to meet programme objectives. It was agreed that the solution should introduce no new "repositories" and should be primarily user managed.
What We Did
Initially we worked with a subject matter expert to identify the IRM requirements and to survey the products available in the market. Requirements were issued in the form of an RFI, the responses to which were used to develop a shortlist. Shortlisted vendors were invited to present their product and demonstrate its capabilities against a set of use cases. From this process a suitable product was selected.
No fully cloud-based product was available at the time therefore deploying the selected product as a cloud service posed a number of technical challenges:
Design a suitable cloud model within which the solution would deliver to requirements. A suitable external host was identified and appropriate security and data privacy verification carried out.
Integrate the product with the client's identity federation solution for single sign-on access for users. The vendor agreed to make appropriate changes to the product to deliver the required SAML integration.
Enabling access by partners and collaborators from outside the client's network. An external identity federation partner was selected to register and authenticate users accessing the system without the need for client provided identities.
With the technical issues of the deployment resolved, the main challenge for the project was service development and introduction. Rights management was a new concept for user departments, most of which perceived no pressing need for the service (primarily because adoption was voluntary and not mandated).
The first task was to ensure an accessible and fully supported service was developed such that user groups could manage the application themselves (for example in developing access "policies" and onboarding partner users) without recourse to a central administration function.
A series of classroom and self-learning training modules and videos were developed to promote good information practice and how to use the IRM service to achieve this.
The project obtained the sponsorship of senior managers who would champion the service within their departments.
This was backed up with a change to security policy to encourage use of such rights management.
We enlisted the support of complementary groups such as security and information management to promote the solution as a part of their regular contacts with users.
A campaign of general information was initiated using posters, newsletters and portal articles. This was supported by direct contact with target user groups in order to raise awareness.
The Information Rights Management service was deployed to time and budget.
The associated "service" was acknowledged by the client as one of the best of its type and became a template for subsequent cloud services.
Business adoption commenced to schedule and take-up grew steadily thereafter
Plans for extension of the service capabilities and scope were prepared and presented to the client.