Rob Buckley – Freelance Journalist and Editor

Document security: Safe words

Choosing the right content management system is crucial to keeping your digital files secure. But it's only the first step. Rob Buckley reports.

Ever since the arrival of the PC, the paperless office has been a dream for many. Convert everything that was on paper to a digital equivalent and you can reduce storage requirements, locate and search through text with ease and make copies you can send to anyone, anywhere, provided they have a computer. Moving away from paper has its problems, however, many of which are rooted in the very ease of access that makes digital documents so attractive to users.

Much of the debate on enterprise document security has focused on content management systems. The terminology around these can be confusing: document management systems are typically used for paper as well as digital documents, while web content management systems only look after websites. Some attempts have been made to come up with all-encompassing terms, such as enterprise content management (ECM) systems. Yet even these leave out records management, the part of the process that's concerned with retention and deletion.

Whatever term is used, ECM systems are principally the middle part of the information lifecycle management (ILM) process, as storage vendors have chosen to describe it. The ECM can look after the storage and security surrounding a digital document once it's been loaded in. But the document still needs to be created and might be archived out of the ECM towards the end of the lifecycle. So other forms of security are needed.

“The first thing I recommend is looking at the lifecycle of information and how it's distributed,” says Niek Ijzinga, managing consultant for information security and project manager for LogicaCMG's Security Competence Centre. “Then you can see how to control that lifecycle. That's not just a technical issue, although you need the right software to support it.

“It's also about business processes and cultural issues. It's nonsense to introduce ECM when you don't even know what information you're going to be storing in it,” he points out.

Documents are usually either created electronically within desktop applications or scanned in from a hard copy. Whether other types, for example emails and web pages downloaded by end-users, need to be included in the document management system is something each organisation needs to consider as part of its ILM audit. Compliance requirements could well mandate that all these kinds of documents need to be stored and an audit trail kept. Transaction information is often a singular concern of financial services companies.

Digital documents are an easy prospect from the outset. Most ECMs come with plug-ins for standard applications, such as Microsoft Office and Lotus Notes, that force users to store new documents with appropriate permissions and metadata in the ECM. Paper documents make matters harder. These will usually be scanned in-house. There is, of course, the initial consideration of who has access to what kinds of documents, since some post might be confidential and only certain members of staff may be cleared to see it.

Finding the right solution
Then comes the question of which system to use. Smaller companies will often find that the average ECM, even something relatively modest such as Microsoft's SharePoint Services, which are built into Windows Server 2003, is overkill for their needs. More powerful ECMs with a full gamut of security mechanisms and features, such as those available from OpenText, IBM, EMC, Oracle/Stellent or Interwoven, will be way outside their budgets and management capabilities. Few choose to spend the time and consultancy money necessary to implement open-source systems such as Nuxeo or Alfresco.

Often, bespoke implementations or simple systems that take advantage of the permissions of a standard file server can be a viable, if cumbersome, alternative. However, these won't offer most of the high-end ECMs' standard tools - such as workflow, versioning, preventing the creation of multiple instances of the same document, indexing, audit trails and business rules. Security in the more basic systems can be lax as well: certain file servers will only provide permissions for individual directories, not for each individual document, for example.

A sufficiently sophisticated document management implementation will be able to put the output from the scanner directly into the ECM, attaching metadata, setting permissions and adding an audit trail as soon as it is created. Since most scanning software performs optical character recognition to capture text and make it searchable when saved, PDF tends to be the file format of choice at this stage. This means other security measures can be added, such as digital signatures and password protection.
