• Collaboration
• Communities of practice
• Content management
• CRM
• Culture
• E-learning
• Enterprise search
• Intranets & portals
• Taxonomies

• News
• Events

Feature

posted 10 Apr 2007 in Volume 1 Issue 4

Restricted access

A masterclass looking at the importance of search security in law firms. By Tony Bland, Linklaters

It is often assumed that users want to search for data inside their business using something like Google. Information workers with a big need for tracking down information will ask for a simple interface and the same speed as the world’s favourite page crawler. It can be frustrating when consumer search sets expectations like this, but it happens in many areas of technology and the logic doesn’t always work; take mobile phones, for example. Consumers have come to expect megapixel cameras thrown in but many corporates see them as a risk and set their buying policy accordingly. BlackBerry, after releasing its new Pearl phone with a camera, has reacted to feedback and last month removed it from its latest model, the 8800. Wherever you look on the technology spectrum there is often a disconnect between the expectations for consumer and business technology, and one of the key areas of difference is security.

That disconnect has led many users to install desktop-search engines on their PCs and create a personal index of data. Desktop-search technology started as a quick way of searching personal e-mail and now most of the desktop tools extend to indexing file systems and other shared areas as well. Google Desktop even provides users with the ability to index and search across two or more computers but, interestingly, this is only achieved by sending copies of the files from the computers to Google’s servers. The risk with this feature is that it is often enabled at time of installation but, unless enterprise policies are used, it cannot be turned off across all the PC’s in an organisation. Nevertheless, Google has won the hearts of many users who can often describe their entire requirement as being simple and fast. So why do public search engines make it easier? Try typing ‘Why is the sky blue?’ into your favourite crawler and you’re likely to get several-million results. The search engine only has to put one or two good articles in the top ten to be useful, but it is difficult to translate this into a business context because of the difference in the depth of content and in particular, the expectations for security. From a technology perspective, public search engines connect mainly to one kind of resource – websites – and don’t have to deal with the kind of different systems usually installed in a business, which could be anything from a client-relationship management system to content management to custom-built database applications.

The importance of search security
So what is the importance of search security and what challenges lie in defining and implementing appropriate solutions? Well, first of all it is important to note that real business data gets stored in a search index, so a piece of information that might be thought to be only accessible using the host system might be presented as part of the results to a user’s innocent search query. Security is becoming more critical because there is a growing need to provide enterprise-wide information access to all users globally. This need includes legacy applications, often targeted as silos, which could be exposed and leveraged more. Search engines can help with this because of their ability to overcome licensing and presentation issues associated with legacy architectures. Search is also moving beyond traditional documents to data, records and rich media. What this means is items like human-resources records, corporate videos and confidential information could be at risk of ending up in the results of a search when they are added to indexes and made available. Exposing more content and making it available globally is good, but as more of it comes online the level of apprehension over who might see it increases and so do the potential consequences.

The demand for portals and integrated content applications is increasing where users are moving away from purpose-specific applications toward composite views, business dashboards and role-based access. The integration of these kinds of data sources presents issues for search because usually, the security models from the various systems are not identical. Regulatory controls are important too. With new controls on securities trading, privacy and corporate governance, the focus is being turned inside businesses to see how the data in question can be secured. Education programmes also need to be designed to inform users and help them comply with regulations; discovery and education about various controls is not an easy process because so often the regulations can conflict with each other.

Considering what is important also requires thinking outside of the firm towards clients, partners and other organisations or individuals who come into contact with, and search for, information. Security is a basis of trust in the relationship with clients who will expect, and ask for, appropriate levels of protection for sensitive information. It is good for businesses to demonstrate just how this is achieved. These regulatory factors together with demand for integrated content applications are driving the need to secure information, not just in the application, but in the search, too.

Addressing the issues
The challenges to providing a solution begin with understanding:

• The level of risk the business wants to mitigate;
• How confidential the information being made available is;
• The consequences if it was given to the wrong people.

Finding a project sponsor who can articulate this requirement early on is vital. Early collaboration between people who understand the compliance issues and the technology will help too. What many firms find out, and often late on in a project, is that requirements vary from country to country and directives like the Data Protection Act are difficult to reconcile with other rules which need to be adhered to.

Building a secure search implementation requires a robust technology strategy and understanding of the policy requirement. The difficulties here relate to the differences in security implementations between systems and the level of performance needed. Search performance is directly related to two things: the depth and breadth of content and how tight the security model is. More stringent security will lead to slower performance as the search engine waits for host systems to confirm that the user is authorised to see the information. Other approaches (see Box 1) include ACL caching, where a user’s security credentials are cached within the search index. This can result in faster searches but has potential for changes in credentials to lag behind the host system. Not all search vendors agree on what the best model is. Autonomy favours the high scalability of caching but can offer more than one approach, other vendors prefer real-time checking but not many can offer more than one solution.

There are many useful considerations which can help to build a secure search solution:

• Centralise and reduce the number of data stores you have;
• Reduce the number of systems in use if possible;
• Implement retention policies across systems and storage;
• De-duplicate data;
• Minimise the number of search technologies in your organisation.

The most important consideration is to plan for security up front and not later on in the project – workarounds are never the best option for security. Watch out for the hype from search vendors because they do differ in their thinking and be brave and get the debate going at the most senior level in your organisation.

Tony Bland is information services strategy manager at international firm Linklaters. He can be contacted at tony.bland@linklaters.com

Box: Three models for security in search