Search and Security Management
Security management in the context of secure search comes down to understanding the role and behaviors of search in three distinct areas: secure environments, secure transmission of content and secure access to content. The following summary provides security professionals with a framework for deploying secure search, and the key considerations for successful deployment.
Security of the applications: In the context of an organization's typical technology environment, there's a broad mix of enterprise systems, file shares, email servers and end-user workstations, all containing data with varying levels of sensitivity and privacy. Even in high-security environments where the teams and their systems are isolated from the rest of the organization, enterprise search must recognize and adhere to critical requirements and nuances within that secure ecosystem.
To that end, enterprise search, when done properly, should employ best practices that cater for this need. These capabilities should ensure:
- Understanding of sensitive deployments-your search partner should be trusted in sensitive installations, including but not limited to areas dealing with classified information such as defense and intelligence; and
- All products are digitally signed and will run on "locked-down" systems.
Security in terms of transmission: The true power of enterprise search is to help your organization better leverage its information assets while also keeping private data secure from eavesdroppers, no matter where end users are, what they access or how they access it. Enterprise search cannot open a new vector to unauthorized access. As such, your enterprise search technology should ensure the secure transmission of content with industry standard 128-bit SSL encryption of traffic to/from the server.
Security "filtering" implications on performance: There are multiple methods to ensure document-level security. Based on experience in supporting high-security environments within government and intelligence, ISYS recommends the following three key methods, in order of preferred approach:
1. Early binding. Access control lists (ACLs) are expanded, de-composed and cached during indexing, searches have a "restricted-to" mask applied to them which means result counts are 100% accurate on the first page and no search time performance penalty.
2. Optimized late binding. Previous hybrid document filtering mechanism: ACLs are cached during indexing, distinct ACLs are identified and used at search time to filter results that users do not have access to. Minimal but non-zero effect on search performance—search result counts are approximate.
3. Custom security systems. Extension mechanisms for creating your own authentication/filtering modules, including custom/proprietary early bound scenarios.
Security in terms of multi-tenant installations (SaaS/cloud): For customers who deliver software as a service, it's critical that the enterprise search application maintain the integrity of multi-tenant servers, ensuring high performance and no "information leakage" (harmless or otherwise) from one client's corpus into another's. To that end, we recommend creating separate physical indexes for each tenant, ensuring high performance and no chance of leakage from one customer to the next.
Authentication Systems
Wherever possible, your enterprise search engine should reuse your existing identity and authentication systems, which helps minimize time to deployment and ongoing maintenance. Best practices include:
- Sign on once and your search application will remember your credentials for subsequent visits/searches;
- For multiple content sources that use Active Directory for authentication, only a single login is required; and
- For multiple content sources that use different authentication mechanisms, your enterprise search application should employ the concept of security zones whereby users specify their credentials for each underlying content source, and the engine then caches and uses the appropriate credentials for each system as needed. Once set up, only a single login is required.
In any application that produces activity logs, there's always the potential for an administrator to come across information that an organization might want to keep private, either for compliance reasons, corporate policy or otherwise. As it relates to enterprise search, here are the areas to note:
- Standard Apache-style Web logs: Typically viewable by administrators, but can be "locked down" using NTFS permissions to prevent IT people from inspecting sensitive user search terms; and
- Search trends: Reports generate highlighted search behaviors, trends and usage. Typically viewable by administrators, content managers and marketers, but SQL Server security can be used and enforced to prevent IT people from inspecting sensitive user search terms.
Security of Results Lists
Results lists often show how many matching documents there are, or how many documents contain each search term. If care isn't taken to recognize this, a search could communicate to end-users that their queries found 50 terms in 10 documents, yet the search results only show three documents in the list.
It is important that lists of results should not disclose any frequency data about words that are in documents that a user is not allowed to see. This is especially a problem when displaying hit counts in facet windows. If the numbers do not add up, users can become confused or suspicious.
By adhering to the early binding approach of document-level security, you can ensure that end-users glean nothing from a search that would give them reason to question the results.
Security professionals who are a part of enterprise search project teams are encouraged to ensure that the requirements introduced in this document are included in both vendor review and deployment plans. Doing so at the outset of a plan will reduce potential implementation delays and cost overruns.
ISYS Search Software is a global leader in embedded search and universal information access solutions. Our innovations in enterprise search power the world's leading information management providers, including Sybase (an SAP Company), MarkLogic, ProofPoint, EMC, HP, Reveal and Bridgeline Digital. The ISYS suite of enterprise search also enables the virtual aggregation of corporate knowledge, providing a single point of access to information that resides across workstation, file shares, intranets, databases and enterprise systems. A pioneer in enterprise search, ISYS has served more than 16,000 organizations worldwide.