With the latest release of MindLink Anywhere version 20.2, we introduced the multi-tenant instant messaging ethical wall capability. The ethical wall feature allows one-to-one and multi-party interactions between users to be partitioned following customizable rule-sets. In this blog post, I’m going to talk about the purpose of ethical walls, how they apply to chat and Skype for Business, and how they work in practice with MindLink Anywhere.
What is an Ethical Wall?
An ethical wall is a system that is designed to prevent the sharing of information between specific parties or individuals. This could be a system that restricts the sharing of medical records to protect doctor-patient privacy, or a non-disclosure agreement to avoid a conflict of interest, or in this case, user-partitioning in a chat system to ensure compliance and data privacy.
How does Ethical Walling work in Chat?
In a chat system, particularly where there are multiple organisations connected, it is important to consider which users can communicate with each other, whether certain interactions are compliant or desirable and the associated level of risk sensitivity. In cases where compliance is in doubt or there is considerable risk, it would be diligent to partition users and limit specific interactions between users on a chat system.
With MindLink Anywhere, users are partitioned using user attributes. Following custom rule-sets that define user permissions, the MindLink server uses a rule-based engine that retrieves user attributes from a third-party server and evaluates which users are permitted to interact and which are denied.
The Use of Ethical Walling in Federation
Ethical walls can control which users are permitted to join chat rooms or chat with other users. In the case of inter-organizational collaboration, user permissions can be clearly defined using white/blacklists and through user attributes. With partitions in place, individual organizations can maintain a degree of data privacy in situations that require multiple parties to collaborate.
In a federated or multi-tenant chat system, a likely determining attribute for user partitioning is the name of the organization to which the user belongs. If the user’s attribute matches the rule, then they are whitelisted for interactions between internal users. If the user's attribute does not match, they are denied interaction on the chat system.
Permissions can be managed at a more granular level by leveraging other attributes and introducing new rule-sets. For example, users from Company A and Company B are restricted from interacting with each other, unless they are managers and assigned to the same project. In this case, there would be a rule that allows users to interact when they have the attribute ‘Manager’ and their ‘Project’ attribute is the same.
To add to the example above, users from Company C are to carry out some of the project work; however, they are only to read the chatroom announcements made by Company A and B rather than participate in the discussion. Here, there would be another rule allowing users with matching attributes (from Company C and involved in the project) to join the chatroom while restricting them from sending messages.
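The Company A/B/C rules above can be sketched as a default-deny attribute check. This is an added example, not MindLink's code or rule syntax: the user records, the `may_chat` and `room_permissions` functions, the room definition and the choice to let only managers send in the room are all assumptions made for illustration.

```python
READ, SEND = "read", "send"

# Constructed attribute records, standing in for the attribute server's answers.
USERS = {
    "alice": {"org": "Company A", "role": "Manager", "project": "Apollo"},
    "bob":   {"org": "Company B", "role": "Manager", "project": "Apollo"},
    "carol": {"org": "Company B", "role": "Analyst", "project": "Apollo"},
    "dave":  {"org": "Company C", "role": "Engineer", "project": "Apollo"},
    "erin":  {"org": "Company A", "role": "Manager", "project": "Zeus"},
    "frank": {"org": "Company C"},  # incomplete record: must fail closed
}

def same(a, b, key):
    """True only if both records carry the attribute and the values match."""
    return a.get(key) is not None and a.get(key) == b.get(key)

def may_chat(name_a, name_b):
    """One-to-one rule: same organization, or A/B managers on the same project."""
    a, b = USERS.get(name_a), USERS.get(name_b)
    if a is None or b is None:
        return False                      # unknown user: deny
    if same(a, b, "org"):
        return True                       # internal interaction
    if {a.get("org"), b.get("org")} == {"Company A", "Company B"}:
        return a.get("role") == b.get("role") == "Manager" and same(a, b, "project")
    return False                          # default deny

# Ordered room rule-set: the first matching rule decides, otherwise deny.
ROOM_RULES = [
    (lambda u, room: u.get("org") in ("Company A", "Company B")
        and u.get("role") == "Manager" and u.get("project") == room["project"],
     frozenset({READ, SEND})),            # managers participate
    (lambda u, room: u.get("org") == "Company C"
        and u.get("project") == room["project"],
     frozenset({READ})),                  # Company C joins read-only
]

def room_permissions(name, room):
    """Return the permissions a user holds in a project chat room."""
    user = USERS.get(name)
    if user is None:
        return frozenset()
    for predicate, granted in ROOM_RULES:
        if predicate(user, room):
            return granted
    return frozenset()

ROOM = {"name": "apollo-announcements", "project": "Apollo"}
```

A missing attribute never satisfies a rule, so an incomplete record from the attribute server results in a denial rather than an accidental match.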
Ethical Walling for Skype for Business
As the Ethical Walling capability is integrated with the MindLink server, using MindLink Anywhere as the client to access Skype for Business creates an effective ethical walling system between areas of the user estate.
Ethical Walling in MindLink Anywhere
With the MindLink Anywhere server connected to your attribute server and custom rule-sets defined, users logging onto Skype for Business using MindLink Anywhere will be partitioned. Interactions between users, such as visibility in the search results, exchanging basic Presence information, Instant Messaging and Multiparty Messaging, will be permitted or denied based on the whitelist and blacklist controls.
To illustrate, Company X and Company Y are federated chat partners. 'User 1' works for Company X and 'User 4' works for Company Y. The pre-defined rule states that Company X users cannot interact with Company Y users, unless the numbers in their usernames are both even or both odd.
From the picture, we see that the ‘Odd user’ can only see users that have an odd number in their username; similarly, the ‘Even user’ can only see users that have an even number in their username. Although both ‘Odd’ and ‘Even’ user partitions are connected to the same chat system, the ethical wall prevents users from interacting between the partitions.
The innovation behind this capability is that, in contrast with Skype for Business, where Ethical Walls work at the SIP layer, in MindLink Anywhere the ethical wall is overlaid at the chat application layer. This results in a much better user experience and, architecturally, a clear policy enforcement layer. Innovating how the ethical wall is implemented lets us deliver a next-generation, web-based multi-tenant chat service on top of your underlying chat system.