Enterprise Search Security Requirements
The 2014 AIIM Search and Discovery Survey Highlights Enterprise Search Security as a Major Concern.
Search Technologies was pleased to be a sponsor of this year's AIIM (American Institute of Information Management) survey into attitudes to search and discovery. The survey was completed by more than 400 individuals, the majority working for large organizations. One of the cited results stated:
72% of respondents cited security concerns as either a "show-stopper", or a "major concern."
Only 3% said that it was not really an issue for their organization. Underlying this concern is the fear that enterprise search will allow unauthorized users to find content that they should not see.
Enterprise search systems do not, of course, control access security. Instead they should, as a minimum, fully reflect all of the access controls imposed by the source repositories (content management systems, email, file shares, databases, etc.).
Today, this can be achieved using any of the leading search platforms. The search system should not show results to users who do not have at least read-access rights to the indicated document. Further, no indication of any kind that such a document exists should be given, for example through results or navigation option counts.
Where multiple repositories are involved, implementing security can be somewhat complex, as the various groups and roles from each repository must be unified into a single schema for filtering out unauthorized results. In many organizations, the most sensitive documents are kept in repositories with particularly complex security regimes (for example, Documentum, Lotus Notes, IBM Connections, or SharePoint 2013 - Search Technologies specializes in implementing secure connectors for these circumstances).
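The following sketch is an added example, not Search Technologies' code or any search platform's API. It illustrates the two points above: repository-local groups are mapped into one namespaced schema, and unauthorized documents are trimmed before results or navigation counts are computed. The index contents, group names and function names are all constructed for illustration.

```python
from collections import Counter

# Constructed sample index: each document keeps the ACL of its source repository.
INDEX = [
    {"id": "sp-1", "repo": "sharepoint", "dept": "HR", "text": "salary review 2014",
     "allow": ["HR Owners"], "deny": []},
    {"id": "sp-2", "repo": "sharepoint", "dept": "IT", "text": "vpn setup guide",
     "allow": ["Everyone"], "deny": []},
    {"id": "dm-1", "repo": "documentum", "dept": "HR", "text": "salary bands",
     "allow": ["hr_admin"], "deny": ["contractors"]},
    {"id": "dm-2", "repo": "documentum", "dept": "IT", "text": "server salary budget",
     "allow": ["staff"], "deny": ["contractors"]},
]

def unify(repo, principal):
    """Map a repository-local group or role to one namespaced token (hypothetical schema)."""
    return f"{repo}:{principal.strip().lower()}"

def user_tokens(memberships):
    """memberships: {repo: [native groups]} as resolved from each repository."""
    return {unify(r, g) for r, groups in memberships.items() for g in groups}

def authorized(doc, tokens):
    allow = {unify(doc["repo"], p) for p in doc["allow"]}
    deny = {unify(doc["repo"], p) for p in doc["deny"]}
    # Default closed: at least one allow match is required, and any deny match wins.
    return bool(allow & tokens) and not (deny & tokens)

def search(query, memberships):
    tokens = user_tokens(memberships)
    # Trim before anything is counted so navigation counts cannot reveal hidden documents.
    hits = [d for d in INDEX
            if query.lower() in d["text"].lower() and authorized(d, tokens)]
    facets = Counter(d["dept"] for d in hits)
    return [d["id"] for d in hits], dict(facets), len(hits)
```

Because tokens are namespaced per repository, a group called "staff" in one system grants nothing on documents whose ACL names "staff" in another.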
In some circumstances, organizations will go above and beyond fully reflecting document ACLs. For example, certain words such as "salary" can be blocked at query time.
Enterprise Search Can Help Fully Enforce Security
Enterprise search systems can also play a positive role in helping to find potential security leaks, such as documents about sensitive subjects that have been assigned inappropriately open access rights. Some organizations maintain a list of product and project names that are monitored for potential leakage. If a document mentioning "project X" becomes searchable by a user with average security rights, an administrator can be automatically notified.
- The technology already exists to create highly secure enterprise search systems
- Search is also an excellent tool for monitoring for potential security infringements
- In most cases all that is missing is implementation experience and expertise; that is where Search Technologies can help.
If you are interested in the details, read our blog Everything you ever wanted to know about Search Engine Security. Or, if you have specific concerns about search security, our audit service could be what you are looking for.