Just because your enterprise search application indexes all of your organization's information doesn't mean you get to see it all when you carry out a search. An important feature of enterprise search applications is ensuring people can only see the information they have authorization to see. Enterprises are full of secrets, often related to a particular customer, project or technology. In some cases, the secret is commercially sensitive information which could be used to affect the share price.
Managing enterprise search security therefore is a challenging blend of technology and corporate governance.
Early Binding and Late Binding Using Access Control Lists
One fundamental element of the technology side is an access control list (ACL), which defines the access permissions for a piece of information. "Early binding" is where authorization data from the ACL is indexed with the piece of information when it is added to the server. This is also referred to as "index time" security. When you begin a search you will only be querying the information the ACL recognizes you have permission to see. Because ACL is incorporated into the index, any changes to the ACL may require undertaking a partial or even complete re-index.
"Late binding" runs a query against the complete index, but then matches the results against the ACL tables to display only the information the person conducting the search is authorized to see. For this reason, it is also known as "query time" security. The flexibility to quickly implement changes in this case is offset by possible delays in query response times.
The security matching processes are quite complex. I would recommend an excellent series of posts by Paul Nelson, which give a clear explanation and the pros and cons of each. ACLs sit outside the search application and so it can be a challenge finding a workable compromise between ACLs developed for other enterprise applications and the requirements of search application.
Related Article: How Secure Is Your Search?
Protective Marking Schemes
Most organizations take a complementary route to information security known as protective marking. (Goldsmiths, University of London provides an example (pdf).) Documents are classified based on whether they can be shared externally (and if so, with whom), are for internal use only, are for employees in specific roles only or are confidential to specific individuals. In an ideal world, the protective marking would appear as a water-mark on each page of the document. Unfortunately, all too often the circulation list is defined as an email group on the assumption that no one would ever share the document beyond the group. That defies human nature!
Making protective marking and ACL lists meet in the middle is always a challenge.
Related Article: 5 Levers of Digital Workplace Governance
Be Aware of These Enterprise Search Security Implications
Security measures can result in unintended and unexpected consequences, including:
- Employees with high levels of expertise may work on sensitive projects, so a search for expertise may not identify their expertise in this area.
- Team members may search for information ahead of a meeting and then find their colleagues do not have access to the same documents.
- Making changes to ACLs might take longer than is desirable when employees move into new roles and responsibilities as a response to COVID-19 impacts.
- Search team members may not have high enough levels of access security to establish when the apparent invisibility of a document is a security management issue.
- Analysis of search logs can be biased.
- Hit counts on facets and filters can be difficult to interpret, e.g. a facet may have a result count of 35 but only 20 results are shown.
- Different subsidiaries, locations or departments may have their own protective marking schemes, especially following a company acquisition.
Related Article: Intranet Search Is More Than a Technology Problem
Balancing Transparency and Security
This column only serves as an introduction to a complex and often political process. The information security management team usually makes the decisions about who sees what, not the search team. And these security teams are often so busy with the management of cybersecurity that internal ACL management falls low on their priority list. A search team should have a clear statement of policy and procedures to ensure a documented and integrated approach to ACL management is in place for search applications. In my experience, problems with ACL management are often a result of a lack of resources rather than a deliberate act of concealment.
Users should be able to view their authorization levels. A process should be in place to raise issues when information is unavailable, yet expected. This is important because what might seem like an ACL issue on the surface could be something more fundamental to index and query management.
My thanks to Miles Kehoe, New Idea Engineering, for his comments on a draft of this column.
Learn how you can join our contributor community.