Originally published on 10 Dec 2010 at ECM Gov Blog.
The latest WikiLeaks release and the media storm that followed have made me think about the role ECM plays in content security. When all of our records were on paper, they were easily lost, compromised, copied, and destroyed. Storing that same content in digital form gives us the ability to add multiple layers of security: to restrict who can reach it, to organize it and find content that has been misplaced, and to identify who is accessing it. Below are eight ways to keep your content secure and make it harder to compromise:
- Physical controls are the first step towards securing your content. Ensure that locked doors keep unauthorized personnel away from servers. Encrypt storage drives, especially on laptops and other mobile devices, so that your data stays protected even if you lose physical custody of the hardware. Keep secure networks separate from unsecured ones, and prevent users from carrying recordable devices (USB drives, writable optical media) into areas where sensitive data is handled.
- Best practices will prevent many other data breaches. This starts with two lists: authorized users and everyone else. If a user doesn't need access, they shouldn't have it. Defining groups of authorized users in a network directory service (e.g. LDAP or Active Directory) lets the administrator grant those groups access to some content containers and not others (more on this under container-level security below), and keeps membership in one place, so that an account disabled in the directory loses its access everywhere at once.
- Audit logs keep authorized users honest and identify when they have accessed content they shouldn't have. With an audit log, you can view all the records a user accessed during a period of time; alternatively, you can audit a group of sensitive records and see who is accessing them. For the log to be worth anything it must record denied attempts as well as successful reads, and the users it covers must not be able to alter it. For the user, simply knowing that their actions are audited may be enough to ensure they remain ethical.
- Container-level security is like a locked file cabinet. You may have all kinds of documents in the cabinet, but without a key you cannot access any of them. This lets you store personnel records and financial documents in the same room while securing each container with a separate key. In an ECM system, you create a list of authorized users as part of the best practice above, then apply that list to a container, granting access to that container while restricting access to others.
- Document/file-level security adds granular flexibility to your security policy. In the paper world, once I unlock the container I can look at every type of content in the drawer. With ECM, you can grant access to the container as a whole and then grant or deny access to particular types of records within it. For instance, the HR container may hold financial, benefits, training, and disciplinary documents, but an individual user may be restricted to the training and benefits documents. The container grant is the outer lock: a user denied at the container never reaches the document-level rules, and a user who passes both still sees only what the narrower rule allows. This flexibility allows a security policy that enables productivity without compromising best practices.
- Transmission encryption secures content while it is being retrieved, not only while it is stored. We may have physically secured our computers, encrypted the storage, and followed best practices when authorizing access, and still lose the content to a malicious party capturing traffic on our network. Serving the ECM application over Transport Layer Security (TLS; its predecessor, Secure Sockets Layer or SSL, should no longer be used), with a strong cipher such as the Advanced Encryption Standard (AES) negotiated underneath, delivers content from the storage location to the client without exposing it along the way. Note that AES is a cipher, not a transport protocol: it protects the bytes only once TLS (or a VPN) has established the session and verified whom the client is talking to.
- Redaction of Personally Identifiable Information (PII) and other sensitive data lets us grant access to content without exposing information unnecessarily. Perhaps you remember a certain federal agency that inadvertently released a "redacted" PDF, only to have the redaction stripped within minutes. That is not what I consider redaction; I would call it masking: a black box drawn over text that is still present in the file. Even in the paper world, it may be possible to read redacted information through a black marker. In the ECM world, effective redaction converts the record to an image format and then applies the redaction by overwriting the pixels of the sensitive information, so that the information no longer exists in the digital file; the pixels are replaced by the redaction itself. The check is simple: if the "redacted" file can still be searched, copy-pasted, or have a layer removed to reveal the text, it was masked, not redacted. The redacted document may be stored in one container with a broad list of authorized users, while the original, un-redacted version is stored in a separate container with a more exclusive list, protecting and preserving the original record at the same time.
- Certification under the Common Criteria Evaluation and Validation Scheme for IT Security (CCEVS), administered by the National Information Assurance Partnership (NIAP), provides additional assurance. NIAP is a partnership between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA); the Common Criteria themselves are an international standard (ISO/IEC 15408). An evaluation at Evaluation Assurance Level 2+ (EAL2+) independently tests that the security functions the vendor claims in its Security Target work as designed. Keep the scope in mind: EAL2 is a modest assurance level, and the evaluation covers the configuration that was tested rather than every deployment, so it complements the controls above rather than replacing them. Not many ECM vendors have completed such an evaluation, but those that have can say their security has been independently assessed under a scheme run by the government's leading authorities on the subject.
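The need-to-know model from the best-practices, audit-log, container-level and document-level items above, worked through as an added example. This is illustrative code written for this page, not the original post's or any ECM product's: a constructed dictionary stands in for the LDAP/AD group lookup, each container carries its own ACL plus optional per-document-type ACLs, and every decision (granted or denied) is appended to an audit trail that can be queried by user or by record. All user names, containers and record IDs are made up.

```python
"""Need-to-know access control for an ECM-style repository, with an audit log.

Added example, not code from the original post or any ECM product.
All groups, containers and record IDs below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Stand-in for the directory service (LDAP / Active Directory): user -> groups.
DIRECTORY_GROUPS = {
    "alice": {"hr-staff", "hr-managers"},
    "bob": {"hr-staff"},
    "carol": {"finance"},
}


@dataclass
class Container:
    name: str
    allowed_groups: set                                   # the lock on the cabinet
    doc_type_groups: dict = field(default_factory=dict)   # doc type -> groups allowed inside
    documents: dict = field(default_factory=dict)         # doc_id -> doc type


@dataclass(frozen=True)
class AuditEvent:
    user: str
    container: str
    doc_id: str
    allowed: bool
    reason: str


class Repository:
    def __init__(self):
        self.containers = {}
        # Append-only here; a real deployment ships this to a store the
        # audited users cannot write to.
        self.audit_log = []

    def add_container(self, container):
        self.containers[container.name] = container

    def _decide(self, user, container_name, doc_id):
        """Default deny: container ACL first, then the document-type ACL."""
        groups = DIRECTORY_GROUPS.get(user, set())
        container = self.containers.get(container_name)
        if container is None or doc_id not in container.documents:
            return False, "no such record"
        if not groups & container.allowed_groups:
            return False, "container denied"
        doc_type = container.documents[doc_id]
        required = container.doc_type_groups.get(doc_type)
        if required is not None and not groups & required:
            return False, f"type '{doc_type}' denied"
        return True, "granted"

    def read(self, user, container_name, doc_id):
        allowed, reason = self._decide(user, container_name, doc_id)
        # Denied attempts are logged too; they are the interesting ones.
        self.audit_log.append(AuditEvent(user, container_name, doc_id, allowed, reason))
        return allowed

    def accesses_by_user(self, user):
        return [e for e in self.audit_log if e.user == user]

    def readers_of(self, container_name, doc_id):
        return sorted({e.user for e in self.audit_log
                       if e.container == container_name and e.doc_id == doc_id and e.allowed})

    def denied_attempts(self, threshold=2):
        """Users with at least `threshold` denials: a simple review trigger."""
        counts = defaultdict(int)
        for e in self.audit_log:
            if not e.allowed:
                counts[e.user] += 1
        return {u: n for u, n in counts.items() if n >= threshold}


def build_demo_repository():
    repo = Repository()
    hr = Container("HR", allowed_groups={"hr-staff", "hr-managers"},
                   doc_type_groups={"disciplinary": {"hr-managers"},
                                    "financial": {"hr-managers"}})
    hr.documents.update({"D-100": "training", "D-101": "benefits", "D-102": "disciplinary"})
    finance = Container("Finance", allowed_groups={"finance"})
    finance.documents.update({"F-200": "invoice"})
    repo.add_container(hr)
    repo.add_container(finance)
    return repo


def run_demo():
    repo = build_demo_repository()
    results = {
        "bob_training": repo.read("bob", "HR", "D-100"),          # container + type OK
        "bob_disciplinary": repo.read("bob", "HR", "D-102"),      # container OK, type denied
        "alice_disciplinary": repo.read("alice", "HR", "D-102"),  # manager: both OK
        "carol_hr": repo.read("carol", "HR", "D-100"),            # container denied
        "carol_finance": repo.read("carol", "Finance", "F-200"),
        "bob_finance": repo.read("bob", "Finance", "F-200"),      # container denied
    }
    return repo, results


if __name__ == "__main__":
    repo, results = run_demo()
    for name, ok in results.items():
        print(f"{name}: {'granted' if ok else 'denied'}")
    print("bob's trail:", repo.accesses_by_user("bob"))
    print("who read HR/D-102:", repo.readers_of("HR", "D-102"))
    print("users with repeat denials:", repo.denied_attempts())
```

The two audit queries are the two views the post describes: everything one user touched, and everyone who touched one sensitive record. The `denied_attempts` helper is the kind of cheap alarm that makes the log actionable rather than merely archival.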
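For the transmission-encryption item, an added example (standard-library Python, not from the original post) contrasting a client TLS context that merely "turns on SSL" with a hardened one, plus a small check a reviewer can run against any context an ECM client or connector builds. It makes no network connection; it only constructs and inspects the settings.

```python
"""Client-side TLS configuration: the weak way beside the hardened way.

Added example (Python standard library only), not from the original post.
No connection is made; the contexts are built and then audited.
"""
import ssl


def weak_client_context():
    # What "just turn on SSL" often looks like: traffic is encrypted, but the
    # client accepts any certificate, so an on-path attacker can impersonate
    # the server, and it will negotiate whatever old protocol version the
    # library still supports.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context(cafile=None):
    # create_default_context() already requires a trusted certificate chain,
    # checks the hostname and disables TLS compression; on top of that, pin
    # the protocol floor to TLS 1.2 so SSLv3 and TLS 1.0/1.1 are never offered.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_findings(ctx):
    """Return the weaknesses found in a client context (empty list = acceptable)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    return findings


if __name__ == "__main__":
    print("weak:", tls_findings(weak_client_context()))
    print("hardened:", tls_findings(hardened_client_context()))
```

The point of the check is that "encrypted" and "secure" are different properties: the weak context encrypts every byte yet lets anyone who can intercept the connection stand in for the ECM server.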
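For the redaction item, an added example that models the masking-versus-redaction distinction (illustrative code for this page, not from the original post or any product). A real system would rasterize the page with a rendering library; here the page "bitmap" is one byte per character cell, a stand-in that keeps the example dependency-free, and the employee record is constructed.

```python
"""Masking vs. redaction, modelled on a tiny in-memory document.

Added example, not code from the original post or any ECM product. The
"bitmap" below is one byte per character cell, a stand-in for real
rasterized pixels; the employee record is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Span = Tuple[int, int]   # (start, end) character cells, end exclusive

RECORD = "Employee: Jane Doe  SSN: 123-45-6789  Status: active"   # constructed
SSN = "123-45-6789"


@dataclass
class Page:
    text_layer: Optional[str]   # searchable text, as a PDF keeps it
    bitmap: bytearray           # rendered "pixels" (one byte per cell)
    overlays: List[Span]        # black boxes stored as separate drawing objects


def render(text: str) -> Page:
    """Stand-in rasterizer: the pixel value of a cell is its character code."""
    return Page(text_layer=text, bitmap=bytearray(text.encode("latin-1")), overlays=[])


def mask(page: Page, span: Span) -> Page:
    """What many tools do: draw a black box *over* the content. Nothing underneath changes."""
    return Page(page.text_layer, bytearray(page.bitmap), page.overlays + [span])


def redact(page: Page, span: Span) -> Page:
    """Flatten to pixels, then overwrite the sensitive pixels themselves."""
    pixels = bytearray(page.bitmap)
    start, end = span
    pixels[start:end] = bytes(end - start)   # zero (black) pixels replace the content
    return Page(text_layer=None, bitmap=pixels, overlays=[])


def ocr(page: Page) -> str:
    # A viewer hides the cells under an overlay, but whoever strips the overlay
    # objects or reads the raw file sees every pixel. Zeroed cells read as spaces.
    return "".join(chr(b) if b else " " for b in page.bitmap)


def extract_text(page: Page) -> str:
    """Copy-paste/search uses the text layer when present, otherwise OCR of the pixels."""
    return page.text_layer if page.text_layer is not None else ocr(page)


def leaks(page: Page, secret: str) -> bool:
    """True if the secret is recoverable from the text layer or from the raw pixels."""
    return secret in extract_text(page) or secret.encode("latin-1") in bytes(page.bitmap)


def find_span(text: str, secret: str) -> Span:
    i = text.index(secret)
    return (i, i + len(secret))


def demo():
    original = render(RECORD)
    span = find_span(RECORD, SSN)
    masked = mask(original, span)       # goes to a broad-access container? No: it leaks.
    redacted = redact(original, span)   # safe for the broad-access container
    return {
        "masked_leaks": leaks(masked, SSN),
        "redacted_leaks": leaks(redacted, SSN),
        "redacted_keeps_rest": "Jane Doe" in extract_text(redacted),
        "redacted_view": extract_text(redacted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

In the post's terms, only the `redacted` page belongs in the broad-access container; the `original` page, which still holds the SSN, is what goes into the separate, more exclusive container.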
In light of the news surrounding WikiLeaks, it is more important than ever to ensure our records are secure. This requires careful planning and regular review of an organization's policies and security model. Once best practices for server and network administration, physical security, and transport encryption are in place, an ECM system's integrity depends on the ethics of its authorized users. Designing the security model on a need-to-know basis (and confirming that the ECM system can actually enforce that model) prevents many breaches. Vigilant auditing encourages most users to remain ethical, and lets unethical users and malicious system access be discovered early enough to prevent a catastrophic breach. The last thing any of us wants is to see our organization or agency in the news because of inadequate content security.