Every organization has its secrets, and at times it feels as if the secrets get around faster than "approved" information. But how many organizations look to their search application as a source of leaks?

Information security managers tend to focus on stopping external penetration into enterprise systems and pay far less attention to information management security. But without the proper permissions management, search applications can display a malevolent streak. Results lists display confidential information unless permissions are clearly established.  

In theory this should be easy — organizations have multiple levels of document security (open, confidential, secret, etc.). But this is different than information security. Search applications require careful consideration of access permission levels.

Search Security Models

There are two basic models. In one, users can only search for information that they have permission to view. Often referred to as "early binding," this approach has a low impact on search latency. The second approach conducts the search across the entire index, but only displays those results that match the user’s permissions. This can introduce significant latency as each result has to be matched to a permissions file.
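The two models side by side, as an added example that is not from the original article: a toy index in which the documents, group names and ACLs are all constructed. Early binding intersects the query with the set of documents the user's groups can read, while the second model matches against the whole index and then performs one permission lookup per hit.

```python
from collections import defaultdict

# Constructed sample data: doc id -> (text, groups allowed to read it).
DOCS = {
    1: ("canteen menu for horsham office", {"all-staff"}),
    2: ("redundancy plan horsham site", {"hr-restricted"}),
    3: ("redundancy policy overview", {"all-staff"}),
    4: ("project falcon budget", {"falcon-team"}),
}

def build_indexes(docs):
    """Build term -> doc ids and group -> doc ids inverted indexes."""
    terms, acls = defaultdict(set), defaultdict(set)
    for doc_id, (text, groups) in docs.items():
        for term in text.split():
            terms[term].add(doc_id)
        for group in groups:
            acls[group].add(doc_id)
    return terms, acls

TERMS, ACLS = build_indexes(DOCS)

def match(query):
    """Doc ids containing every query term, ignoring permissions."""
    postings = [TERMS.get(t, set()) for t in query.lower().split()]
    return set.intersection(*postings) if postings else set()

def early_binding(query, groups):
    """Permissions are part of the query: only readable docs can match."""
    readable = set().union(*(ACLS.get(g, set()) for g in groups))
    return sorted(match(query) & readable)

def late_binding(query, groups):
    """Search everything, then check each hit against the permissions source."""
    visible, checks = [], 0
    for doc_id in sorted(match(query)):
        checks += 1  # one permission lookup per raw hit: the latency cost
        if DOCS[doc_id][1] & groups:
            visible.append(doc_id)
    return visible, checks

if __name__ == "__main__":
    print(early_binding("redundancy", {"all-staff"}))
    print(late_binding("redundancy", {"all-staff"}))
```

Both functions return the same visible documents for a given user; the difference is that the second one pays a permission check for every raw hit, including the ones it then discards.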

Both of these approaches assume a rigorous approach to permissions management. As a consultant, I have lost track of the instances when someone sent me clearly confidential information in an email attachment. Nothing on the document indicated the information was confidential within the organization, but difficult situations could arise should I inadvertently mention something from the document to someone unaware of the information's existence. 

Information Silos

Search vendors think that all information management problems can be solved by crawling and indexing everything in a federated search. Stephen Arnold recently wrote a very good analysis of the issues that arise when you break down information silos. Going forward, it could well happen that organizations can set up levels of access permission, but these are often at a server-level. That assumes that people understand where documents can be published. What is now an open access server might well be holding documents that are sensitive because of a lack of permission management in the past. 

Permission management becomes even more complex when project collaboration is involved. A member of a project team could be granted access to information for the purposes of a project, but what happens when the team member leaves the project and/or the project finishes? Rather than working on a file by file basis, organizations deal with this contingency in two ways: make everything open or keep everything closed. Keeping project outcomes totally confidential means that a later search will not confirm the existence of the project, which results in replicated work.

Queries and Logs

Two very specific permission management issues arise with search applications. Many applications provide auto-spell and auto-complete functions. Often, these are not security trimmed — either because no one worked through the implications or because of the significant impact on query response latency. Querying “Redundancy” and being offered “Did you mean redundancy Horsham?” might be one disclosure too far. 
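The suggestion leak described above, as an added example that is not from the original article: the titles, group names and phrase-based suggester are constructed for illustration. Each suggested phrase carries the ACLs of the documents it came from, and the trimmed version only offers a phrase when the user can read at least one of those documents.

```python
from collections import defaultdict

# Constructed sample data: (document title, groups allowed to read it).
DOCS = [
    ("redundancy policy overview", {"all-staff"}),
    ("redundancy horsham consultation", {"hr-restricted"}),
    ("redundancy horsham timeline", {"hr-restricted"}),
    ("horsham canteen menu", {"all-staff"}),
]

def build_suggestions(docs):
    """Map each two-word phrase to the ACLs of the documents containing it."""
    phrases = defaultdict(list)
    for title, acl in docs:
        words = title.split()
        for first, second in zip(words, words[1:]):
            phrases[f"{first} {second}"].append(acl)
    return phrases

PHRASES = build_suggestions(DOCS)

def suggest_untrimmed(prefix):
    """Suggestions drawn from the whole index, regardless of who is asking."""
    p = prefix.lower()
    return sorted(ph for ph in PHRASES if ph.startswith(p))

def suggest_trimmed(prefix, groups):
    """Offer a phrase only if the user can read a document that contains it."""
    p = prefix.lower()
    return sorted(
        ph for ph, acls in PHRASES.items()
        if ph.startswith(p) and any(acl & groups for acl in acls)
    )

if __name__ == "__main__":
    print(suggest_untrimmed("Redundancy"))
    print(suggest_trimmed("Redundancy", {"all-staff"}))
```

Both "redundancy" and "horsham" appear in open documents here, yet the combined phrase exists only in restricted ones, which is why the check has to be made per phrase and not per word.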

Another aspect of search security is the level of access permission of the people responsible for reviewing search logs. Again, without thinking through the implications, team members may view sensitive search terms that they do not have the appropriate level of access permission for.

The List Gets Longer

A particular problem for companies in the defense and nuclear industries is the implications of export control licenses. Many organizations also have ethical firewalls to ensure that client-related information is managed with a high degree of care. This becomes a particular problem for social networks where an inadvertent reference to a person makes it possible to deduce the identity of a client.

Developing Permission Management Policies

As with so many aspects of search, developing permission access management policies requires IT, information security, search managers and business managers to come together to develop policies and set up review procedures and training. In my experience, information security staff may not have a good enough understanding of how search applications work and are being implemented. As a result, organizations put policies in place which cannot be implemented with the search technology, or the security team remains unaware of the granular level of permission management the technology offers.

Changes in personnel and in access permissions pose a major challenge for any permission management system. This is difficult enough within a single organization, but connections with suppliers and customers also have to be considered in a digital workplace. Much of the literature on permission management is targeted at IT professionals. Varonis offers a good starting point for a more general introduction with a business perspective.