Open By Design, Closed By Exception - Best Practices in Information Security


It's a debate that is as old as the information management industry itself (which isn't really that old, but bear with me). Users want to collaborate freely and access the internal information they need, while your IT security team wants information shared only on a "need to know" basis.

I side with the users on this one, but not because I think IT security types are wrong or misguided. I think that information wants to be free and that by adopting an "open by design, closed by exception" security model, you can keep everyone happy.

Here are a few common objections I have heard from IT security teams and my responses to each:

1. You're telling me that everyone gets access to everything? What about HR information or trade secrets or other sensitive information?

Open by design most definitely does NOT mean that everyone should have access to everything. It's easy to get stuck on the "open by design" part and forget "closed by exception". There are most definitely categories of information that will be tightly controlled. Most organizations will have rules about who can access contractual information and most are governed by privacy and information disclosure rules. The benefit of Enterprise Content Management (ECM) systems is that you have the option of managing access to this information in a more granular way than you can on a shared drive. If the system is used properly, links to content distributed within the organization will only allow privileged users to access information. Your ECM rollout must abide by the rules but these rules are not an excuse to lock down all information.

2. The "need to know" principle means that if someone needs information to do their job, they will have access to it.

The best thing about an information management system is the power of ad hoc information discovery.

If you don't know what you don't know, how do you know you need access to it? If valuable information doesn't come up in a search result, how do you avoid re-creating it or making decisions without the benefit of this information?

It's a case of risk vs. reward. Your organization needs to decide if you are more worried about the risks that come from people finding information they shouldn't (a risk which is still mitigated by the "closed by exception" part, as noted above) or if you are more interested in promoting knowledge sharing, collaboration and information discovery. I will always take the side of more information sharing over less; the "weak ties" we develop through finding information created by others help us expand our knowledge exponentially. Sociologist Mark Granovetter first came up with the concept of "the strength of weak ties" and Andrew McAfee and others have applied it to information management. Basically, this principle says that we learn more from those we know peripherally than from our immediate colleagues; we already know what they know and we tend to become insulated and single-minded in our decision making. By expanding your network to people you only know somewhat, or people you don't yet know at all but have read a document authored by them, you will gain new perspectives and are much more likely to come up with creative solutions.

3. If everyone has access to information they will misuse it.

I fundamentally trust people. Maybe that's a shortcoming of mine but in a corporate context, I trust that the vast (vast) majority of people are trying to do the right thing for the organization. If not, you've got far bigger problems than information security. The "open by design" principle does not mean that just anyone can edit all information; most information will be read-only and some will be less than that (i.e. see that the content exists but not the content itself). ECM repositories also have versioning and audit capabilities, so it is easy to see who accessed or changed a document and to roll back a version if necessary. This is difficult in an ordinary shared drive scenario and impossible if you can't find the information in the first place!

To address the concern that people will share information inappropriately outside of the organization I suggest making sure everyone understands your appropriate use policy. No, I am not so naive that I believe everyone will follow the rules just because they are the rules, but that's why ECM systems have security policies. If information is truly sensitive it should be secured. If not, it should be open to all users within your organization. Simple as that.
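The access model the post describes (default read for everyone, exceptions that restrict content to named roles, an "exists but not readable" tier, and an audit trail of who actually saw what) as an added example; this is illustrative code, not from the original post or any ECM product, and the documents, roles and users in it are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Doc:
    doc_id: str
    title: str
    # None = open by design (any internal user reads); a role set = closed by exception.
    restricted_to: Optional[Set[str]] = None
    metadata_only: bool = False  # if restricted: may others still see it exists?

@dataclass
class Repo:
    docs: Dict[str, Doc]
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def decide(self, user: str, roles: Set[str], doc_id: str) -> str:
        """Return 'read', 'metadata' or 'none' and write an audit record."""
        doc = self.docs[doc_id]
        if doc.restricted_to is None or roles & doc.restricted_to:
            level = "read"
        elif doc.metadata_only:
            level = "metadata"  # title is visible, content is withheld
        else:
            level = "none"      # hidden entirely, including from search
        self.audit.append((user, doc_id, level))
        return level

    def search(self, user: str, roles: Set[str], term: str) -> List[Tuple[str, str]]:
        """Search applies the same decision, so hidden documents never surface."""
        hits = []
        for doc in self.docs.values():
            if term.lower() not in doc.title.lower():
                continue
            level = self.decide(user, roles, doc.doc_id)
            if level != "none":
                hits.append((doc.doc_id, level))
        return hits

    def who_read(self, doc_id: str) -> List[str]:
        """Audit question: which users were actually granted the content?"""
        return [u for u, d, lvl in self.audit if d == doc_id and lvl == "read"]

def sample_repo() -> Repo:
    """Constructed sample documents (hypothetical, not from the article)."""
    return Repo({
        "d1": Doc("d1", "Product roadmap review"),
        "d2": Doc("d2", "Salary review 2024", restricted_to={"hr"}, metadata_only=True),
        "d3": Doc("d3", "Supplier contract", restricted_to={"legal"}),
    })
```

Only the two exception documents need any role lookup at all; the open document is served without consulting an ACL, which is the performance point raised in the comments below.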

Comments

Jo Bain

Just completing my own spiel on open access. Am pleased to experience that this is commonly agreed these days even amongst clients who used to think it was the enemy! They had been so burned by version losses through over-writing on file servers that they had become paranoid and resisted the open policies in ECM systems with a vehemence that would have been better directed to solving world hunger! Now they may still be paranoid about that problem, but are thrilled that we have a solution and seem to have more faith in both technologies and the information trade generally than they used to. I think they can visualise 'access' more effectively now because of the ubiquitousness of information sharing tools in their personal and work lives.

Greg Clark

...glad to hear you found this piece useful. It's amazing how often users and clients who resist open security become the biggest advocates for the open by design model.

Chris Walker

I've been spouting this to my clients for ages. I've seen the reverse approach taken with the result that an entire system locks up because every search required that a user be validated against 75+ ACLs for a single role-based search. Openness is a virtue in this information driven age.

I fully agree with your "risk vs reward" approach. One of the first questions I ask my clients when discussing security is "what's the worst that could happen if someone sees this?". It's interesting to see how many times the answer is "nothing".

I think that one of the reasons there is resistance to "Open By Design, Closed By Exception" is that there have been too many instances where private or personal information has been inadvertently disclosed (I'm sure we can all come up with one or two examples). However, I suspect that the reason that these breaches occur is not because of an open access approach, but rather because someone muffed it when designing or implementing a more restrictive policy (i.e.: they were trying to be too restrictive and missed something).
Dan Keldsen

Greg - great post - thanks for raising this. Should be posted probably every day, and it still wouldn't get the attention it deserves.

Chris - absolutely agree - have done a fair bit of Findability consulting in recent years, and the impact of overly paranoid (and unmanaged) security implementations can crush search performance like no one's business. Just writing this very set of expectations into an RFP this week, as it turns out.

As an ex-security professional (sat on the advisory board for the SANS GSEC security certification), and former CTO, I put significant efforts into making sure that both business and IT owners of ECM/ERM/KM/EIM projects understand what they're getting into when they claim they want tight security, over everything, with equal weight.

It's not sustainable, it will kill your ability to get work done, and it's simply a bad idea.

Think guard rails instead of firewalls, and security as enabler of business, rather than eliminator of risk.

Cheers,
Dan

This post and comment(s) reflect the personal perspectives of community members, and not necessarily those of their employers or of AIIM International