> it's not really clear (despite definition) what a community or organization is
To make the parent’s point more obvious for people who are not used to a large enterprise context, concretely for example, at my workplace (which I would consider typical of a large organization) there are:
1) Regular employees and contractors who are employed by the main employer.
2) Employees who work for different legal entities from the main employer, have different sso domains handling their auth (and email domains for systems that do sharing protections via email) but are “really” part of the same company for security purposes. Think say people who came in as part of a merger but for various reasons their legal entity and brand needs to stick around so they have different auth, email etc.
3) People who work for actually different companies, have the same sso domains handling handling their auth and the same email domain as people in bucket 1 because we’ve given them logins and are working on sensitive security stuff (think: vendors and vendor contractors in the security or legal space)
4) People who work for actually different companies, have the same sso domains etc as bucket 1 and are not working on sensitive security stuff (think: vendors and vendor contractors everywhere else)
…and people sometimes move between groups 3 and 4 on a project by project basis. Notice all of these are “bound by common policies set by the organization” so all of them are in the “organization” for TLP at least by the second part of the definition, but 2,3 and 4 but don’t share a common affiliation by formal membership so are not part of the “organization” for the first half of the TLP definition.
So if I get a TLP:Amber document, who am I allowed to share it to? I should be sharing it to some of 1, 2 and 3 on a need to know basis. Most automated permission systems will allow me only to share it easily only with people in 1 and 3 or 4, and since people can move between 3 & 4 based on assignment it’s hard to know (and pretty much impossible to tell automatically) if some degree of access violation has occurred. People in 2 are generally sool if we’re trying to share things and I’m not prepared to handwave through the scary-looking “are you sure you want to share this with person x who isn’t from our org?” Boxes.
Basically explicit enumeration is just going to be way better any time you want to be doing this type of thing in the real world.
To make the parent’s point more obvious for people who are not used to a large enterprise context, concretely for example, at my workplace (which I would consider typical of a large organization) there are:
1) Regular employees and contractors who are employed by the main employer.
2) Employees who work for different legal entities from the main employer, have different sso domains handling their auth (and email domains for systems that do sharing protections via email) but are “really” part of the same company for security purposes. Think say people who came in as part of a merger but for various reasons their legal entity and brand needs to stick around so they have different auth, email etc.
3) People who work for actually different companies, have the same sso domains handling handling their auth and the same email domain as people in bucket 1 because we’ve given them logins and are working on sensitive security stuff (think: vendors and vendor contractors in the security or legal space)
4) People who work for actually different companies, have the same sso domains etc as bucket 1 and are not working on sensitive security stuff (think: vendors and vendor contractors everywhere else)
…and people sometimes move between groups 3 and 4 on a project by project basis. Notice all of these are “bound by common policies set by the organization” so all of them are in the “organization” for TLP at least by the second part of the definition, but 2,3 and 4 but don’t share a common affiliation by formal membership so are not part of the “organization” for the first half of the TLP definition.
So if I get a TLP:Amber document, who am I allowed to share it to? I should be sharing it to some of 1, 2 and 3 on a need to know basis. Most automated permission systems will allow me only to share it easily only with people in 1 and 3 or 4, and since people can move between 3 & 4 based on assignment it’s hard to know (and pretty much impossible to tell automatically) if some degree of access violation has occurred. People in 2 are generally sool if we’re trying to share things and I’m not prepared to handwave through the scary-looking “are you sure you want to share this with person x who isn’t from our org?” Boxes.
Basically explicit enumeration is just going to be way better any time you want to be doing this type of thing in the real world.