Managing Enterprise Search Security
Just because your enterprise search application indexes all of your organization's information doesn't mean you get to see it all when you carry out a search. An important feature of enterprise search applications is ensuring people can only see the information they have authorization to see. Enterprises are full of secrets, often related to a particular customer, project or technology. In some cases, the secret is commercially sensitive information which could be used to affect the share price.
Managing enterprise search security therefore is a challenging blend of technology and corporate governance.
Early Binding and Late Binding Using Access Control Lists
One fundamental element of the technology side is an access control list (ACL), which defines the access permissions for a piece of information. "Early binding" is where authorization data from the ACL is indexed with the piece of information when it is added to the server. This is also referred to as "index time" security. When you begin a search you will only be querying the information the ACL recognizes you have permission to see. Because the ACL is incorporated into the index, any change to the ACL may require undertaking a partial or even complete re-index.
"Late binding" runs a query against the complete index, but then matches the results against the ACL tables to display only the information the person conducting the search is authorized to see. For this reason, it is also known as "query time" security. The flexibility to quickly implement changes in this case is offset by possible delays in query response times.
The security matching processes are quite complex. I would recommend an excellent series of posts by Paul Nelson, which give a clear explanation and the pros and cons of each. ACLs sit outside the search application, so it can be a challenge to find a workable compromise between ACLs developed for other enterprise applications and the requirements of the search application.
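To make the two binding models concrete, here is an added example (not code from the column or from any product it mentions) using a constructed three-document corpus and a constructed user "bob". It shows that an early-binding index keeps serving the old ACL until the document is re-indexed, that a late-binding index picks up the change at once, and that a hit count taken before the query-time check can exceed the number of results a user actually sees.

```python
# Constructed sample corpus: each document carries the principals allowed to read it.
DOCS = {
    "d1": {"text": "falcon budget forecast", "acl": {"group:finance", "user:alice"}},
    "d2": {"text": "falcon launch plan", "acl": {"group:engineering"}},
    "d3": {"text": "falcon press release draft", "acl": {"group:all-staff"}},
}
# Constructed user-to-principal mapping (what a directory or SSO lookup would return).
PRINCIPALS = {"bob": {"user:bob", "group:engineering", "group:all-staff"}}

def build_postings(docs):
    """Plain inverted index: term -> set of document ids."""
    postings = {}
    for doc_id, doc in docs.items():
        for term in doc["text"].split():
            postings.setdefault(term, set()).add(doc_id)
    return postings

class EarlyBindingIndex:
    """Index-time security: the ACL is copied into the index when a document is added,
    and the query is restricted to documents whose indexed ACL intersects the user's principals."""
    def __init__(self, docs):
        self.postings = build_postings(docs)
        self.acl_field = {d: set(doc["acl"]) for d, doc in docs.items()}  # snapshot, not live
    def index(self, doc_id, doc):  # (re-)index one document, refreshing its indexed ACL
        for term in doc["text"].split():
            self.postings.setdefault(term, set()).add(doc_id)
        self.acl_field[doc_id] = set(doc["acl"])
    def search(self, term, principals):
        return sorted(d for d in self.postings.get(term, ()) if self.acl_field[d] & principals)

class LateBindingIndex:
    """Query-time security: the query runs over the full index, then each hit is checked
    against the live ACL table; 'matched' is the count before that check."""
    def __init__(self, docs, acl_table):
        self.postings = build_postings(docs)
        self.acl_table = acl_table  # shared with the source system, not copied
    def search(self, term, principals):
        hits = sorted(self.postings.get(term, ()))
        return {"matched": len(hits), "visible": [d for d in hits if self.acl_table[d] & principals]}

def run_demo():
    """What Bob sees for 'falcon' before and after he is added to d1's ACL."""
    acl_table = {d: set(doc["acl"]) for d, doc in DOCS.items()}
    early, late, bob = EarlyBindingIndex(DOCS), LateBindingIndex(DOCS, acl_table), PRINCIPALS["bob"]
    out = {"before": (early.search("falcon", bob), late.search("falcon", bob))}
    acl_table["d1"].add("user:bob")  # source system grants Bob access; no re-index yet
    out["after_acl_change"] = (early.search("falcon", bob), late.search("falcon", bob))
    early.index("d1", {"text": DOCS["d1"]["text"], "acl": acl_table["d1"]})  # partial re-index
    out["after_reindex"] = early.search("falcon", bob)
    return out
```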
Protective Marking Schemes
Most organizations take a complementary route to information security known as protective marking. (Goldsmiths, University of London provides an example (pdf).) Documents are classified based on whether they can be shared externally (and if so, with whom), are for internal use only, are for employees in specific roles only or are confidential to specific individuals. In an ideal world, the protective marking would appear as a watermark on each page of the document. Unfortunately, all too often the circulation list is defined as an email group on the assumption that no one would ever share the document beyond the group. That defies human nature!
Making protective markings and ACLs meet in the middle is always a challenge.
Be Aware of These Enterprise Search Security Implications
Security measures can result in unintended and unexpected consequences, including:
- Employees with high levels of expertise may work on sensitive projects, so an expertise search may not surface them because the documents that evidence their expertise are restricted.
- Team members may search for information ahead of a meeting and then find their colleagues do not have access to the same documents.
- Making changes to ACLs might take longer than is desirable when employees move into new roles and responsibilities as a response to COVID-19 impacts.
- Search team members may not have a high enough access level themselves to establish whether the apparent invisibility of a document is a security management issue.
- Analysis of search logs can be biased.
- Hit counts on facets and filters can be difficult to interpret, e.g. a facet may have a result count of 35 but only 20 results are shown.
- Different subsidiaries, locations or departments may have their own protective marking schemes, especially following a company acquisition.
Balancing Transparency and Security
This column only serves as an introduction to a complex and often political process. The information security management team usually makes the decisions about who sees what, not the search team. And these security teams are often so busy with the management of cybersecurity that internal ACL management falls low on their priority list. A search team should have a clear statement of policy and procedures to ensure a documented and integrated approach to ACL management is in place for search applications. In my experience, problems with ACL management are often a result of a lack of resources rather than a deliberate act of concealment.
Users should be able to view their authorization levels. A process should be in place to raise issues when information is unavailable, yet expected. This is important because what might seem like an ACL issue on the surface could be something more fundamental to index and query management.
My thanks to Miles Kehoe, New Idea Engineering, for his comments on a draft of this column.