Paper trap

Document management systems are finally reaching critical mass in the Middle East - but many firms are still ignorant of the risks associated with making their data so widely available

By Imthishan Giado. Published July 4, 2009, Arabian Computer News.

The world of document management systems does not reek of excitement. One of the more mundane parts of the IT machine, it typically involves converting a company's physical documents through scanning into digital form and today extends to all forms of correspondence within the organisation, including collaborative documents. These records can then be disseminated through a firm, while the physical copies are archived till their date of permanent disposal.

But it's easy to forget that something as mundane as a piece of paper could bring down an individual, company, a government or even an entire country. It's not the piece of paper but what's written (or drawn) on it - and most importantly, who sees that information. As such, the security aspect of these systems is often one that's ignored - at the peril of enterprises.

Dan Smith, general manager for integrated marketing for the Middle East and Africa at document veterans Xerox, names the key elements towards ensuring that documents are sufficiently secure: "You've got the input into document management and you've got the security around that. If you're taking sensitive documents and the information that's sensitive in hard copy documents, how do you actually get it into a digital format and consider the security aspects around that in terms of the handling, images and transmission, including tagging of the information as well.

"You've then obviously got the security issues around the storage. So where does it reside, are you using access levels that are tied to user accounts or are you increasing the security levels from that perspective? How do you back it up, how do you ensure the fidelity of the documents? Then obviously, you've got the retrieval. So it's three elements: input, storage, and retrieval. There are security issues around each aspect of those," he continues.

Florian Zenner, regional director for EMC Middle East, north and west Africa for content management and archiving, suggests another attack vector. He believes many companies should take care to vet the outsourcing parties who carry out the conversion.

"You have companies that are working closely with EMC that come in and digitise large volumes of data. One of the security concerns here is obviously exposing your data to a third party company. If you have very sensitive data - especially government and military data - they would not allow a third party company to come in, they could acquire the software licences and do it themselves," he says.

The Telco example is particularly relevant. The very definition of the term security means to protect something of great value. Yet naturally, not every single document produced by an enterprise is of equal, mission-critical value and necessarily demands the most stringent security measures. To go back to Xerox's blueprint, retrieval is a key element of the ideal document management system and if security becomes so complex that it prevents easy retrieval - and in fact hinders the process of dissemination of information - then the system has failed the needs of the organisation.

Rather than letting technology decide the document's importance, Xerox's Smith says that this stage demands the human touch: "It really starts up-front with the user. We as vendors can ensure that the technology is in place to keep the document secure but the levels of security or the differentiation between different documents has to be established by the user."

One might easily assume that this need to build additional system measures simply adds to the already burgeoning - and daunting - overhead faced by the IT manager and his or her staff. But that, says Smith, should not be the case, although it sometimes is. Instead, the IT team should be focusing on replicating the overall enterprise architecture within the document management system.

"Office automation is about exactly that - automating the processes that you have. But to start off with, you need to ensure that the processes and the requirements from your business are very clearly defined so that you don't automate errors into your processes. We have a global services division who works with enterprises and government organisations to ensure that they use validated approaches to setting up processes and scanning repositories to ensure they don't just bake in the issues that they have to start off with,"

For Azam Dabbagh, managing director of vendor International Computing Solutions, getting the processes right from the start is crucial: "With the dynamic business demands of today, security cannot be built in a static way based on pre-set fields. Instead, security designs should remain dynamic and should be changed by the business user rather than the IT administrator so that therefore a business procedure should be designed to enable the authorised business user to determine the security policy."

Dabbagh's product lines focus on a technique known as text mining, which allows organisations to do searches based on the content of the actual document as opposed to predefined key fields. The capability to do the same for Arabic documents is also something which he says is strongly requested by regional enterprises - and in short supply.

Anthony Harrison, server and storage management expert at Symantec, agrees, saying enterprises also need to consider their labour overhead when formulating policies.

"Throwing more people at the problem just increases that level of complexity. You've got to keep them trained and in certain circumstances, they have to be security vetted. The more people you have in our operations, the greater the cost. Our operation has always been about optimisation through better use of tools for consistency and making sure that you can prove that things are being done the same way every time," he maintains.

Security is often about far more than just what controls you can impose. It also encompasses such oblique aspects as actual physical facility security, which Harrison claims is an area that many enterprises fall down in.

"Often, companies have to open up offices to a large number of contractors. To what extent do you allow them access to your systems? Some people segregate them in terms of Wi-Fi access. Other people, if you go into a conference room where there's a network port - what policies do you have in place for stopping somebody plugging in their computer? Does that give them access to any domain resources that you have there? Once people are physically inside your premises, there's still a risk. You need to have the right mechanisms in place to make sure that you have the means to prevent access to unauthorised users," he warns.

Even limiting access permissions is not always a panacea, he adds: "If you are a fileserver administrator, you can give access to individuals, to groups. If you have the admin password for that server or for that domain, there's an awful lot of places, you can go through and find information where people don't expect you to do it.

"There was one example where we were looking at a fileshare location where all of the directors kept their expense reports - very sensitive information. We asked: Who had access to the information? The directors said: ‘The 12 of us and our assistants.' We showed them a report showing that there was actually something like 300 people who had read access to that particular folder. So often, people assume that the only people that can see information are the ones they've explicitly given access to - but there's a lot of implicit access as well that people aren't aware of," he states.

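Harrison's point about implicit access can be checked mechanically by expanding group membership on a folder's access list. The following is an added example, not part of the original article or any vendor's product; the group names, users and ACL layout are constructed for illustration.

```python
from collections import deque

# Constructed sample data (hypothetical names): group -> direct members,
# where a member is either a user or another group.
GROUPS = {
    "Directors": {"dir_amal", "dir_omar"},
    "Assistants": {"pa_lina"},
    "Finance-All": {"Finance-Clerks", "fin_sam"},
    "Finance-Clerks": {"fin_noor", "fin_raj"},
    "Domain-Admins": {"adm_kim"},
}

# Constructed ACL: entries granted on the folder itself plus entries
# inherited from the parent share.
FOLDER_ACL = {
    "explicit": {"Directors", "Assistants"},
    "inherited": {"Finance-All", "Domain-Admins"},
}

def effective_readers(acl, groups):
    """Return {user: path}, where path is the chain of grants giving read access."""
    found, seen, queue = {}, set(), deque()
    for source, principals in acl.items():
        for p in sorted(principals):
            queue.append((p, [f"{source} ACL entry", p]))
    while queue:
        principal, path = queue.popleft()
        if principal in groups:
            if principal in seen:          # guard against circular nesting
                continue
            seen.add(principal)
            for member in sorted(groups[principal]):
                queue.append((member, path + [member]))
        else:
            found.setdefault(principal, path)  # keep the first path found
    return found

def implicit_access(acl, groups, expected_users):
    """Users who can read the folder but are not on the owners' expected list."""
    readers = effective_readers(acl, groups)
    return {u: p for u, p in readers.items() if u not in expected_users}

if __name__ == "__main__":
    expected = {"dir_amal", "dir_omar", "pa_lina"}
    for user, path in sorted(implicit_access(FOLDER_ACL, GROUPS, expected).items()):
        print(f"{user}: {' -> '.join(path)}")
```
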
So it's clear that there are a number of areas where document management security can use improvement. But the good news is that most of the technology already exists. Audai Altaie, senior product manager at Canon Middle East has some ideas.

"Encryption in the form of passwords on documents can be all the way down to the word level and that's what you should look for when purchasing a system. You should have a history of documents that can track the changes from the first to the last page, while your wireless should be encrypted also so that nobody can hack into your network if it's a wireless one," he proposes.

"One of the Lebanese banks purchased our scanners for one purpose only - fingerprint security. Another vertical is defence, especially here in the UAE and Saudi. Our solutions have a hard drive eraser which permanently erases the document, which drew the interest of the Ministry of Defence."

Perpetrators of data leakage often include disgruntled employees, for whom document management systems have actually made life easier.

Altaie says there are protections against this kind of behavior: "One of them is detecting if a lot of data is getting transferred at the same time, alerting the IT manager that somebody is spooling a lot of data very fast and then he can question the employee."
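A minimal form of the volume check Altaie describes, as an added example that is not from the article or from Canon's software; the event format, the five-minute window and the 100 MB threshold are assumptions, and the log entries are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed document-retrieval events: (ISO timestamp, user, bytes sent).
EVENTS = [
    ("2024-03-01T09:00:00", "alice", 2_000_000),
    ("2024-03-01T09:00:00", "carol", 60_000_000),
    ("2024-03-01T09:00:30", "bob", 40_000_000),
    ("2024-03-01T09:01:00", "bob", 40_000_000),
    ("2024-03-01T09:02:00", "bob", 40_000_000),
    ("2024-03-01T09:03:00", "bob", 40_000_000),
    ("2024-03-01T09:06:00", "carol", 60_000_000),
    ("2024-03-01T09:10:00", "alice", 90_000_000),
]

def bulk_transfer_alerts(events, window=timedelta(minutes=5),
                         limit_bytes=100_000_000):
    """Return one (user, time, bytes_in_window) alert each time a user's
    rolling transfer volume first crosses limit_bytes."""
    recent = defaultdict(deque)   # user -> (time, size) pairs inside the window
    totals = defaultdict(int)     # user -> bytes currently inside the window
    alerting = set()              # users already flagged for the current burst
    alerts = []
    for ts_str, user, size in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        q.append((ts, size))
        totals[user] += size
        # Drop transfers that have aged out of the rolling window.
        while ts - q[0][0] > window:
            totals[user] -= q.popleft()[1]
        if totals[user] > limit_bytes:
            if user not in alerting:      # alert once per burst, not per event
                alerts.append((user, ts_str, totals[user]))
                alerting.add(user)
        else:
            alerting.discard(user)
    return alerts

if __name__ == "__main__":
    for user, when, volume in bulk_transfer_alerts(EVENTS):
        print(f"ALERT {when}: {user} moved {volume / 1e6:.0f} MB in 5 minutes")
```
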

EMC's Zenner believes the trend of employee theft is more widespread than most people realise: "Gartner made a statement that they said 84% of high-cost security incidents are the result of the insiders sending confidential material outside the company. Now, how can I prevent that as a company? With our Documentum system today, it allows you to plant certain security measures, not on repositories or data stores but on the physical document which prevent people from copying, saving or taking data to an external disk and sending it via e-mail."

But firms should not rely solely on the power of technology. Xerox's Smith says there are limits to what the technology can do: "There are clearly advances in biometric access, whether that's fingerprints or the retinal scans that are built into systems nowadays, but that ultimately protects only the entry point."

Canon's Altaie concurs: "You can have a password on a password - levels of passwords. He can log in as a user but when he needs to view a specific document, he has to have the password. But if the password is leaked, no company in the world can do anything about it."

Data leakages can and do happen, but a regional culture of secrecy prevents them being made public - leading to a general notion that firms are secure.

Symantec's Harrison lends weight to this theory: "It's not like the US where there's now a duty of disclosure for any kind of data breach. They are probably three to five years ahead of Europe in terms of legislation forcing people to do it [disclosure]. In the Middle East, it's a stage even further behind that. From a cultural perspective, nobody wants to go through and disclose something embarrassing when they don't have to," he continues.

So it's the same story with document management as it is with most security implementations. While the technology exists to protect data, most firms still place the technology and convenience aspects of having their data in a central, searchable database ahead of the very real possibility of data leakage. In part, this is because few incidents have come to light.

Until the region becomes open about the reality of such incidents, it seems enterprises will have to place their trust in the preventative measures of vendors and the vigilance of IT managers - a combination that will have to do, for now.

Top tips for more secure enterprise content management

"There are four things to consider. First, get document management with a minimum of 128-bit encryption of all documents no matter where it is. Second, always back up your documents in multiple locations - never put all your eggs in one basket.

"Thirdly, even when you log in to your internet access or web access for your document manager, always use your own PC, not someone else's, because they could hack your password. Fourth, use more security than a password, like fingerprint recognition or retinal scanning." - Audai Altaie, senior product manager at Canon Middle East

"Our recommendation is to start by understanding what you have, what format is it in. For example, if you decide you want to keep some data for ten years, how do you know that the current format it's in will be usable in ten years time? We recommend that when people put the data into an archive store, keep it as flexible as possible.

"It's all very well, having a copy of the data, but how do I access it? Do I have the servers, people and documented processes to keep running my business? Just because I've had a disaster doesn't excuse me from any legal liability to store the data and provide access to it when I need it." - Anthony Harrison, server and storage management expert at Symantec.
