Managing security trimming in enterprise search applications is both a technical challenge and an information management challenge. Reading a recent post from Microsoft on security management has prompted me to once again consider the information management challenges, something that Microsoft rather glides over.
The initial challenge is who makes the decisions on what information is confidential to which employees. This should be set out in what is often referred to in the UK as a Protective Marking policy which is owned by the Information Risk Manager. Goldsmiths University of London provides a good example of such a policy, though it should have been reviewed in 2019 but clearly has not! A paradox of a Protective Marking Policy is that it should be transparent. If access to a document that is known to exist is not permitted through the search application then there should be a route for the employee to bring this to the attention of the Information Risk Manager for potential review of the policy with regard to the document.
Of course the problem is that not being able to find a document does not mean that it is confidential. There are just so many ways in which search can fail! But that is another issue.
The information security management team usually makes the decisions about who sees what, not the search team. And these security teams are often so busy with the management of cybersecurity that internal ACL (Access Control List) management falls low on their priority list. A search team should have a clear statement of policy and procedures to ensure a documented and integrated approach to ACL management is in place for search applications. In my experience, problems with ACL management are often a result of a lack of resources rather than a deliberate act of concealment.
Another common problem is that there is no information on a document about the extent to which it can be shared. Labels like “Confidential to marketing staff” are useless because who exactly is on the marketing staff, especially in a country operating in a different language and quite likely with a different divisional structure? In an ideal world, the protective marking would appear as a water-mark on each page of the document. Unfortunately, all too often the circulation list is defined as an email group on the assumption that no one would ever share the document beyond the group. That defies human nature! External documents may escape the control of information security all together because they come into the organisation via email and are then circulated to a group of people on an email list with information on security mentioned only in the body text of the email.
Security measures can result in unintended and unexpected consequences, including:
- Employees with high levels of expertise may work on sensitive projects, so a search for expertise may not identify their expertise in this area.
- Team members may search for and find information ahead of a meeting and then find their colleagues do not have access to the same documents.
- Making changes to (ACLs) might take longer than is desirable when employees move into new roles and responsibilities as a response to COVID-19 impacts.
- Do search team members have high-enough security clearance to check that employees who have permission are indeed able to find secure (and usually very important) documents
- Hit counts on facets and filters can be difficult to interpret, e.g. a facet may have a result count of 35 but only 20 results are shown. Are there 15 confidential documents?
- Different subsidiaries, locations/languages or departments may have their own protective marking schemes, especially following a company acquisition.
A final question for you. Has your Information Security policy been rewritten to support WFH and hybrid working?
Information security is just one element of information management. If you would like to have a list of 50 ways that you can improve information management in your organisation without any additional budget then download my handbook.
Martin White