An organization wanting to increase its security should not focus only on external threats but also consider the possibility of internal threats. Remember how Wikileaks started? A United States Army soldier who worked as an intelligence analyst, Bradley or Chelsea Manning, accessed US confidential information while stationed in Iraq. With no official restrictions barring access to hundreds of thousands of classified documents, Manning was able to download secret information from Siprnet, a secure network of US official secrets.
The root of the leak may be the huge scope of user access, which covered more than three million people as of 1993. After the 9/11 attacks, more personnel were given access to meet the country’s defense and intelligence requirements. Managing the access of millions of people is not an easy feat, and creating restrictions for each individual may be close to impossible.
In response to these challenges, today's document management systems implement several layers of security by restricting access by user group, user level, and document security level. These systems have found a way to apply restrictions in bulk – grouping users and setting a security level for the group, or assigning several user groups to access a cluster of information.
In our document imaging system, Enadoc, we have implemented user groups, each with specific functions and user privileges assigned. For example, the marketing and HR teams each have their own user group to limit their actions within the system. Moreover, the functions available to a user group can be limited further in each library or data repository.
Document management solutions typically implement passive and active security, which together are also called Traditional Triangular Security. However, this type of security doesn’t have solutions for some of the challenges CIOs face today, including what the Siprnet lacked – a security process that each user has to undergo when accessing confidential information.
We at Enadoc are proud of our hexagonal security feature, with which we address the more recent challenges within organizations today. With the use of security levels, we filter access to information, avoid information leakage, and create a security process for when a user attempts to access a classified document. Each user, user group, and document can be assigned a security level – from level 1 to 6, where 6 is the highest.
Typically in an organization, security levels follow the hierarchy or job function. For example, the CEO can have security level 6, where he has access to all documents, while a mid-level employee has security level 3, where he can access documents from security level 1 to 3.
When the mid-level employee attempts to access a confidential document outside of his security level, he has to go through a multi-factor authentication process. This process requires the approval of three or more authorized users before the mid-level employee gains access. Just imagine if Siprnet implemented this instead of making all documents available to US military and state department employees. Then we might not have Wikileaks today!
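The level check and approval step described above, sketched as an added example; this is not Enadoc's code, and every name in it is hypothetical. It assumes that approvers must be distinct users other than the requester and must themselves hold clearance at or above the document's level, since the article says only "three or more authorized users".

```python
from dataclasses import dataclass

MIN_LEVEL, MAX_LEVEL = 1, 6   # levels from the article; 6 is the highest
REQUIRED_APPROVALS = 3        # "three or more authorized users"

@dataclass(frozen=True)
class User:
    name: str
    level: int

@dataclass(frozen=True)
class Document:
    title: str
    level: int

def valid_approvers(requester, doc, approvers):
    """Return the distinct approver names that count toward the quorum.

    Assumed rules (not stated in the article): the requester cannot approve
    their own request, each user counts once, and an approver must hold
    clearance at or above the document's level.
    """
    return {
        a.name for a in approvers
        if a.name != requester.name and a.level >= doc.level
    }

def decide_access(requester, doc, approvers=()):
    """Return (allowed, reason) for one access attempt."""
    for level in (requester.level, doc.level):
        if not MIN_LEVEL <= level <= MAX_LEVEL:
            raise ValueError(f"security level out of range: {level}")
    if requester.level >= doc.level:
        return True, "within clearance"
    counted = valid_approvers(requester, doc, approvers)
    if len(counted) >= REQUIRED_APPROVALS:
        return True, "approved by " + ", ".join(sorted(counted))
    return False, f"{len(counted)} of {REQUIRED_APPROVALS} approvals"

if __name__ == "__main__":
    # Constructed sample data, for illustration only.
    analyst = User("analyst", 3)
    minutes = Document("board-minutes", 5)
    seniors = [User(n, 5) for n in ("ana", "ben", "cho")]
    print(decide_access(analyst, minutes, seniors[:2]))  # denied: quorum not met
    print(decide_access(analyst, minutes, seniors))      # allowed: three approvals
```

Returning the reason alongside the decision gives an audit log something to record for each out-of-level request, including the denied ones.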
Remember – if you are looking for a more secure document management system, make sure to look at the security features that protect confidential information from external as well as internal threats. Enforcing security against internal threats is not a sign of paranoia within an organization but a way of creating a more organized and productive workplace.