Paper trap

zoom

ALTAIE: If a document password is leaked, no company in the world can do anything about it.

zoom

SMITH: There have been advances in biometric access built into systems, but that ultimately protects only the entry point.

Document management systems are finally reaching critical mass in the Middle East - but many firms are still ignorant of the risks associated with making their data so widely available.

The world of document management systems does not reek of excitement. One of the more mundane parts of the IT machine, it typically involves converting a company's physical documents through scanning into digital form and today extends to all forms of correspondence within the organisation, including collaborative documents. These records can then be disseminated through a firm, while the physical copies are archived till their date of permanent disposal.

But it's easy to forget that something as mundane as a piece of paper could bring down an individual, company, a government or even an entire country. It's not the piece of paper but what's written (or drawn) on it - and most importantly, who sees that information. As such, the security aspect of these systems is often one that's ignored - at the peril of enterprises.

Dan Smith, general manager for integrated marketing for the Middle East and Africa at document veterans Xerox, names the key elements towards ensuring that documents are sufficiently secure: "You've got the input into document management and you've got the security around that. If you're taking sensitive documents and the information that's sensitive in hard copy documents, how do you actually get it into a digital format and consider the security aspects around that in terms of the handling, images and transmission, including tagging of the information as well.

"You've then obviously got the security issues around the storage. So where does it reside, are you using access levels that are tied to user accounts or are you increasing the security levels from that perspective? How do you back it up, how do you ensure the fidelity of the documents? Then obviously, you've got the retrieval. So it's three elements: input, storage, and retrieval. There are security issues around each aspect of those," he continues.

Florian Zenner, regional director for EMC Middle East, north and west Africa for content management and archiving suggests another attack vector. He believes many companies should take care to vet the outsourcing parties who carry out the conversion.

"You have companies that are working closely with EMC that come in and digitise large volumes of data. One of the security concerns here is obviously exposing your data to a third party company. If you have very sensitive data - especially government and military data - they would not allow a third party company to come in, they could acquire the software licences and do it themselves," he says.

The Telco example is particularly relevant. The very definition of the term security means to protect something of great value. Yet naturally, not every single document produced by an enterprise is of equal, mission-critical value and necessarily demands the most stringent security measures. To go back to Xerox's blueprint, retrieval is a key element of the ideal document management system and if security becomes so complex that it prevents easy retrieval - and in fact hinders the process of dissemination of information - then the system has failed the needs of the organisation.

Rather than letting technology decide the document's importance, Xerox's Smith says that this stage demands the human touch: "It really starts up-front with the user. We as vendors can ensure that the technology is in place to keep the document secure but the levels of security or the differentiation between different documents has to be established by the user."

One might easily assume that this need to build additional system measures simply adds to the already burgeoning - and daunting - overhead faced by the IT manager and his or her staff. But that, says Smith, should not be the case, although it sometimes is. Instead, the IT team should be focusing on replicating the overall enterprise architecture within the document management system.

"Office automation is about exactly that - automating the processes that you have. But to start off with, you need to ensure that the processes and the requirements from your business are very clearly defined so that you don't automate errors into your processes. We have a global services division who works with enterprises and government organisations to ensure that they use validated approaches to setting up processes and scanning repositories to ensure they don't just bake in the issues that they have to start off with,"

For Azam Dabbagh, managing director of vendor, International Computing Solutions, getting the processes right from the start is crucial: "With the dynamic business demands of today, security cannot be built in a static way based on pre-set field. Instead, security designs should remain dynamic and should be changed by the business user rather than the IT administrator so that therefore a business procedure should be designed to enable the authorised business user to determine the security policy."

Dabbagh's product lines focus on a technique known as text mining, which allows organisations to do searches based on the content of the actual document as opposed to predefined key fields. The capability to do the same for Arabic documents is also something which he says is strongly requested by regional enterprises - and in short supply.

Anthony Harrison, server and storage management expert at Symantec, agrees, saying enterprises also need to consider their labour overhead when formulating policies.

"Throwing more people at the problem just increases that level of complexity. You've got to keep them trained and in certain circumstances, they have to be security vetted. The more people you have in our operations, the greater the cost. Our operation has always been about optimisation through better use of tools for consistency and making sure that you can prove that things are being done the same way every time," he maintains.

Security is often about far more than just what controls you can impose. It also encompasses such oblique aspects as actual physical facility security, which Harrison claims is an area that many enterprises fall down in.

"Often, companies have to open up offices to a large number of contractors. Do what extent do you allow them access to your systems? Some people segregate them in terms of Wi-Fi access. Other people, if you go into a conference room where there's a network port - what policies do you have in place for stopping somebody plugging in their computer? Does that give them access to any domain resources that you have there? Once people are physically inside your premises, there's still a risk. You need to have the right mechanisms in place to make sure that you have the means to prevent access to unauthorised users," he warns.

Print | Email | Discuss this article

| Share |

READERS' COMMENTS

Click here to post a comment

Add your Comment All posts are sent to the administrator for review and are published only after approval. ArabianBusiness.com reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic.
Name *
Remember me on this computer
Email *	(Your email address will not be published)
City
Country
Subject *
Comment *
Notify me of further comments
Enter the words above *
Please click post only once - your comment will not be published immediately.

MORE FROM ARABIANBUSINESS.COM