I am off to the AIIM (Association for Information and Image Management) Conference in Boston right now. This is perhaps the largest Enterprise Content Management conference there is. I will be speaking tomorrow on Web 2.0 and ECM with Wilson D’Souza of MIT. Looking through the conference agenda, I searched for sessions on security.
James McGovern has constantly asked me and other ECM vendors to solve security issues for ECM using the standards that have already been developed for web services, such as XACML. Looking at the agenda at AIIM, it doesn’t look like the vendors are taking it quite as seriously as James. James is an enterprise architect and his role is to look at stuff like this.
Trying to address security in some of the standards groups such as AIIM’s iECM initiative and JSR-283, the successor to JSR-170, has been politically tricky. It is difficult to figure out what a common view of security is given all of the different models of security, such as Access Control Lists, Role-based Security and the Policy-based Security used in Records Management, let alone all the different vendors’ implementations of each. However, looking at this problem going forward, without addressing and standardizing security, we are creating huge barriers to interoperability and not meeting the requirements of new models of interaction on the internet.
In looking at how new Web 2.0 companies are starting to mash up and integrate different services, it is hard to see how we can extend these capabilities into more secure and sensitive services such as eCommerce, or bring these services into the enterprise, without a common notion of identity, role, entitlements or membership. As vendors, we either address these issues or, like so many times before, they will be addressed for us by others on the internet and we will be forced to catch up.
I have been doing some background thinking on this and here are some important points that I think ECM vendors need to consider:
- Common identity. There needs to be a common way of addressing identity between different services whether those services are in the enterprise or outside. As we start to bring customers and partners into the process of serving themselves or helping us design new products and services, we can’t just rely on internal directory services. OpenID is the only standard that I am aware of that provides a neutral way of identifying users and is not dependent on any single vendor.
- Common Models for Rights Management. The big, looming problem in content is the fact that huge numbers of users are adding, accessing or updating an even larger number of pieces of content. This calls for a model that controls content through definition of context such as time, location, metadata or role. XACML could very well fit this model. However, users need to understand this model as they set up the controls on the content.
- Distributed Directory Services. Identity is not sufficient for determining roles or entitlements. There needs to be a more open way of integrating multiple directories without revealing sensitive information. This is the same problem we are trying to solve for content and directories need the same mechanism to define access.
- Search and Security. As search becomes increasingly federated, such as through the OpenSearch API, managing identity and entitlements on content becomes very problematic. The search sources should filter out any content to which the user doesn’t have access. However, that requires some cooperation with the software that is doing the aggregating and the content sources. ECM systems will probably control the most sensitive information, but this will need to be aggregated with public sources as well to create effective search applications for the enterprise.
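As an added illustration (not code from this post, from any vendor's product, or from the XACML specification itself), here is a small Python sketch that ties the Rights Management point to the Search and Security point: a simplified policy evaluator, loosely modelled on XACML's target/condition split, decides per content item on role, location, time of day and content metadata, and the search aggregator drops whatever is denied. The content items, role names, rule shape and context fields are all constructed assumptions.

```python
# Constructed sample: hits from two search sources, each carrying the metadata
# a policy can reason about (classification and owning department).
CONTENT = [
    {"id": "ecm-1", "source": "ecm", "title": "Q3 board minutes",
     "classification": "restricted", "dept": "finance"},
    {"id": "ecm-2", "source": "ecm", "title": "Expense policy",
     "classification": "internal", "dept": "finance"},
    {"id": "web-1", "source": "public", "title": "Press release",
     "classification": "public", "dept": None},
]

# Hypothetical rule shape (not XACML syntax): a rule applies when its target
# matches the resource's metadata, and permits only when its condition on the
# subject and request context holds. Context = location + hour of the request.
POLICY = [
    {"target": {"classification": "public"},
     "permit": lambda subj, ctx: True},
    {"target": {"classification": "internal"},
     "permit": lambda subj, ctx: "employee" in subj["roles"]},
    {"target": {"classification": "restricted"},
     "permit": lambda subj, ctx: "finance-manager" in subj["roles"]
                                 and ctx["location"] == "corp-network"
                                 and 8 <= ctx["hour"] < 18},
]


def decide(subject, resource, context):
    """Return 'Permit' if an applicable rule permits, otherwise 'Deny'.
    Deny-by-default: a resource no rule targets is never shown."""
    for rule in POLICY:
        if all(resource.get(k) == v for k, v in rule["target"].items()):
            if rule["permit"](subject, context):
                return "Permit"
    return "Deny"


def trimmed_search(query, subject, context, items=CONTENT):
    """Aggregate hits from every source, then security-trim them for the
    subject. Trimming at the aggregator is the safety net; each source
    should ideally trim before returning results."""
    hits = [i for i in items
            if query == "*" or query.lower() in i["title"].lower()]
    return [i["id"] for i in hits if decide(subject, i, context) == "Permit"]
```

Running the same query as a plain employee, as a finance manager on the corporate network during business hours, and as that manager from home shows the restricted item appearing only in the second case.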
Help the process by asking your vendor how they expect to address these types of security concerns. If you are at AIIM, bring the issue up in relevant sessions. I don’t have all the answers, nor does any vendor. People in the middle of this problem, like James, can help by bringing up their use cases. If we start asking the questions, then perhaps we can collaboratively answer them and solve this problem. If you think standardizing this is hard, try imagining building next-generation systems without standardizing these security needs.