Document-level security with Enterprise Search
December 7th, 2006 | Published in Google Enterprise
We came across another interesting article published in New Idea Engineering in the series - "Enterprise Search: Mapping Security Requirements to Enterprise Search". In this article Mark talks about the importance of document level security and the two methods of implementing it. We completely agree with Mark on the importance of supporting document level security with enterprise search systems. Anything short of fine-grained access control is no security at all. The Google Search Appliance supports document level security across heterogeneous enterprise content stores.
While we agree with Mark on some of the benefits with using early-binding security filtering, there are certain limitations that make it impractical (if not impossible) to use for most deployments today. One of the main issues with early-binding is synchronization with the access control list (ACL) policies stored in content systems. ACL policies change frequently, and caching the ACL policies results in policies being out-of-sync with the source system. This can cause severe breaches in company security and allow sensitive IP to be leaked within the organization.
The second issue is the lack of implemented standards for introspecting the ACL policies. Without a standard way of reading policies from source systems, companies are faced with difficult implementations or are only able to provide secure results inside a homogeneous system. The new MOSS 2007 search system is a prime example of this, where security is only enforced on content that is stored in the Sharepoint system and not across other content systems, web servers, or databases.
At Google, we're working to establish a scalable, standards-driven way of early-binding security filtering. For that to work we need implemented standards within content systems (web servers, file servers, document management systems, portals, etc.) for introspecting and notifying changes in ACL policies. Until then we continue to support late-binding, document-level security filtering and delivering the highest quality, highly secure search results to tens of millions of users in companies worldwide every day.