Software as a Service to the Rescue – Part 2: Complexities of Document Level Security

Corporate IT groups are no strangers to designing and enforcing enterprise data security regimens – but the type of security required for a strategic research portal incorporating licensed content from third-party publishers is a whole different ballgame.  It’s one of the reasons a Software as a Service-based portal solution is so appealing to many large organizations.

The fundamental challenge is that a portal requires security on a publisher-by-publisher, user-by-user, and document-by-document basis.  Corporate IT is quite proficient at system security predicated on a particular server or file directory, or by application.  But the idea that each and every document has its own security requirements, in terms of who within the organization, by individual name, has access rights, is alien to customary corporate IT practices.

And it’s daunting indeed.  Two people with the same title, in the same department, sitting side-by-side in the office, with the same level of permissions for internal research may have greatly different rights to external research.  Both may have equal access to the same research portal application.  But, one may hold a seat for Forrester and IDC, the second a seat for Gartner and IDC.  Even worse, a particular subset of content (many research publishers call these subsets “services”) from a given publisher may be available to one person but not to another, while different services have the opposite configuration for permissions.

And just to throw another complexity into the mix, some market research providers have gotten very creative in how they bucket and partition their content offerings.  For example, some of the content from a provider might be covered by an enterprise license, but not all of it, and some may be on a seat license.  Or the content might be sold with download restrictions.  For example, 1,000 copies of a set of reports may be permitted to be downloaded by users, but the 1,001st download has to be blocked.  Nothing in the enterprise IT infrastructure is prepared to support such complicated business rules around content access.
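The rules described in the last two paragraphs can be expressed as a default-deny entitlement check. The sketch below is an added example, not code from Northern Light or any portal product. The user names, service names, the `ExamplePublisher` entry and the class and function names are all hypothetical.

```python
import threading
from dataclasses import dataclass
from typing import Optional

@dataclass
class License:
    kind: str                           # "enterprise" or "seat"
    seats: frozenset = frozenset()      # named seat holders (seat licenses only)
    download_cap: Optional[int] = None  # None means no cap
    downloads: int = 0                  # downloads counted so far

class EntitlementStore:
    """Licenses keyed by (publisher, service); anything unlisted is denied."""

    def __init__(self, licenses):
        self._licenses = dict(licenses)
        self._lock = threading.Lock()

    def download(self, user, publisher, service):
        """Return (allowed, reason); count the download only when allowed."""
        with self._lock:  # check and increment as one step, so a cap of N means N
            lic = self._licenses.get((publisher, service))
            if lic is None:
                return False, "no license for this publisher/service"
            if lic.kind not in ("enterprise", "seat"):
                return False, "unknown license kind"
            if lic.kind == "seat" and user not in lic.seats:
                return False, "user holds no seat for this service"
            if lic.download_cap is not None and lic.downloads >= lic.download_cap:
                return False, "download cap reached"
            lic.downloads += 1
            return True, "ok"

def build_sample_store():
    """Constructed sample data; service names and users are hypothetical."""
    return EntitlementStore({
        ("Forrester", "Service A"): License("seat", frozenset({"alice"})),
        ("Gartner", "Service A"): License("seat", frozenset({"bob"})),
        ("IDC", "Service A"): License("seat", frozenset({"alice"})),
        ("IDC", "Service B"): License("seat", frozenset({"bob"})),
        ("ExamplePublisher", "Reports"): License("enterprise", download_cap=1000),
    })

if __name__ == "__main__":
    store = build_sample_store()
    for who in ("alice", "bob"):
        print(who, store.download(who, "IDC", "Service B"))
```

Holding the lock across both the cap check and the increment is what keeps concurrent requests from slipping past the limit.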

A specialized research portal provider operating as Software as a Service has the scale to develop solutions that make sure the research portal platform is fully informed about the rights each employee has to each third-party document in the research repository.  This scale comes from serving dozens of clients licensing scores of research sources.  The Software as a Service-based research portal provider sees and accommodates every possible nuance in content licensing business practices and can spread the cost of developing solutions for each flavor of access restrictions.  Such a research portal will deliver documents only to authorized users, no matter how complex and unique the content publishers’ restrictions are.  Because the Software as a Service platform lives outside the enterprise IT platform, it is not constrained by the customary security structures of the deployed enterprise solutions, and custom extensions to handle document-level security on a publisher-by-publisher basis are possible.

There’s also a potentially very expensive liability issue related to document security.  For example, Northern Light was told of one company that was presented with a $460,000 bill from a market research provider for a single report that a well-meaning but naive employee carelessly posted to an enterprise intranet site for general consumption without access controls reflecting the report’s seat license business rules.  No CIO in his or her right mind would want to be within shouting distance of a mess like that.  In this scenario, the buffer of a Software as a Service provider whose application is fully informed about which employee has rights to each document represents an enormous comfort as well as valuable insurance.

NEXT TIME: Accelerating your portal development and deployment timeframe