If you ask an IT executive, "What keeps you up at night?" they would likely respond, "The risk of an information breach."

During the past several years, the volume of digital content created and managed has grown explosively. This content can contain highly sensitive items such as trade secrets, employee and client data, financial information, etc. From the stolen emails of the DNC to the security lapses at Yahoo, data breaches are now a constant in the news. The risks are alarming and organizations worldwide know they must take steps to address the threats.

Metadata is not a silver bullet to overcome every possible threat, but the intelligent use of metadata is paramount to ensuring information security. Here are two ways companies can leverage metadata to bolster content security and mitigate the risk of data breaches:

Use metadata to create dynamic permissions

Most organizations understand the importance of classifying information and defining access control policies. However, the ability to enforce access control policies can be very difficult when using network folders or other folder-based approaches.

Very often, one must be able to specify different permissions within a folder. Also, effective access controls should be defined as a combination of dimensions. For example, sales should have access to the "contracts" folder but only very few individuals within the company should have access to highly classified accounts and related contracts.

While policies and compliance mandates vary by organization, all organizations can leverage metadata to create and enforce strict controls for file access permissions. Traditionally, access permissions were inherited from a hierarchical folder system via an access control list (ACL). This was quite inflexible and restrictive because it was based on the premise that all information assets reside in a single location.

Metadata-driven dynamic permission settings in modern enterprise content management (ECM) systems enforce access controls via a combination of document attributes, such as the customer it relates to and the document type. Hence, a single document can be accessible to members of a project team, a particular group of developers, all of management except HR, or any combination.

Additionally, permissions can change based on workflow state. In a similar way, object-based and role-based permissions can also be implemented.

A good example of metadata-driven permission inheritance is a user tagging a document's metadata to a project, which enables the ECM system to be "smart" enough to know who should be allowed to access the document. The system knows this because the document inherits its permissions from the project.

So, in this scenario, the project manager will have full rights and project members will be limited to read rights. Then, let's say, there is a new project manager assigned. There is no need to find all of the project documents and change permissions to remove the old project manager. One simply needs to modify the project manager to the new person in the project object. All of the documents tagged to the project inherit those permissions automatically.

Here's an example of permissions changing based on workflow with metadata driving permission controls. An attorney is working on a "draft" agreement, and thus the metadata permissions dictate that the document will only allow "edit permissions" to other attorneys when they have been tagged as authors. Once the contract moves to the "approval" state, the other attorneys can no longer edit the contract. The point is that permissions are automatic. The user doesn't have to worry about them and this eliminates the risk of setting them incorrectly.
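The two scenarios above (project inheritance and workflow-state permissions) can be modeled in a few lines. This is an added example, not code from any ECM product; the class names, the `effective_permissions` function, the user names and the contents of "full rights" are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

FULL = frozenset({"read", "edit", "delete"})  # assumed meaning of "full rights"

@dataclass
class Project:
    name: str
    manager: str
    members: set[str] = field(default_factory=set)

@dataclass
class Document:
    title: str
    doc_type: str
    state: str = "draft"             # workflow state: "draft" or "approval"
    project: Project | None = None   # metadata tag pointing at a project object
    authors: set[str] = field(default_factory=set)

def effective_permissions(user: str, doc: Document) -> set[str]:
    """Resolve rights at access time from metadata; no per-file ACL is stored."""
    rights: set[str] = set()         # default deny: unknown users get nothing
    # Inheritance: rights come from the project the document is tagged to.
    if doc.project is not None:
        if user == doc.project.manager:
            rights |= FULL
        elif user in doc.project.members:
            rights.add("read")
    # Workflow rule: tagged authors of an agreement may edit only in "draft".
    if doc.doc_type == "agreement" and user in doc.authors:
        rights.add("read")
        if doc.state == "draft":
            rights.add("edit")
    return rights

def demo() -> dict[str, set[str]]:
    """Constructed sample data: one project document and one agreement."""
    proj = Project("Apollo", manager="alice", members={"bob"})
    spec = Document("spec.docx", "specification", project=proj)
    out = {"alice_before": effective_permissions("alice", spec)}
    proj.manager = "carol"           # one change, made in the project object only
    out["alice_after"] = effective_permissions("alice", spec)
    out["carol_after"] = effective_permissions("carol", spec)
    out["bob"] = effective_permissions("bob", spec)
    nda = Document("nda.docx", "agreement", authors={"dave"})
    out["dave_draft"] = effective_permissions("dave", nda)
    nda.state = "approval"           # workflow transition removes edit rights
    out["dave_approval"] = effective_permissions("dave", nda)
    return out
```

Because rights are computed on every access instead of being copied onto each file, the former project manager loses access the moment the project object changes.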

Leveraging metadata for greater insight into audit activities

Audits are now ubiquitous as part of business operations, and leveraging metadata as part of an information security strategy enables companies to better track changes made to documents or objects, such as creation, modification or deletion operations. Comprehensive event log files are generated when actions occur, based on the metadata attributes associated with the related documents and files. At any time, organizations can quickly and easily determine "who" performed an operation that resulted in a non-conformance and then take action to remedy it.

Threats to content security will continue to pose a challenge, but leveraging a metadata-centric approach to content security will put companies in a better position to prevent breaches before they can occur.

Antti Nivala

Antti Nivala is chief technology officer at M-Files and a software developer with 20 years of experience.