
Content Security At the Fulcrum of Innovation and Risk

John Mancini uploaded Tue, Aug 26 2008 9:26 PM


Document Transcript:

Market IQ
Intelligence Quarterly
Content Security
At the Fulcrum of Innovation and Risk
Authored by AIIM Market Intelligence Division
Carl Frappaolo and Dan Keldsen
Underwritten in part by:
© 2007
AIIM - The ECM Association
1100 Wayne Avenue, Suite 1100
Silver Spring, MD 20910
301-587-8202
www.aiim.org
About the Authors
Carl Frappaolo - Vice President, AIIM Market Intelligence
With over 25 years experience working with a broad array of business solutions including knowledge
and content management, portals, search engines, document management, workflow, BPM,
records management, imaging, intranets and electronic document databases, Mr. Frappaolo is well
versed in the practical business and technical aspects of implementing large scale e-applications.
Valued for his technical, practical and market expertise, he has consulted with a variety of
organizations spanning multiple industries.
Prior to joining AIIM, Mr. Frappaolo founded Delphi Group, where he led the firm's consulting and market research
practice for nearly 20 years. He is the creator of several methodologies designed to address the needs of
knowledge management, content management, business process management and portal design.
Mr. Frappaolo has published 4 books and over 300 studies, articles and whitepapers, and has lectured to audiences
around the world.
Dan Keldsen - Director, AIIM Market Intelligence
Mr. Keldsen's experience is based broadly and deeply around innovation management and
Enterprise 2.0/Web 2.0 topics - built on the unstructured and semi-structured content-based
enterprise concepts such as Information Architecture, Taxonomy, Search, Semantics, Navigation,
Enterprise Content Management, Web Content Management, and Portals.
He has 13 years experience as a Senior Analyst, Consultant, and Chief Technology Officer. Mr. Keldsen's expertise is
in bridging theoretical knowledge and practical application of technology to business problems. He is also an adept
educator and industry spokesperson, having delivered keynotes and seminars to audiences around the world.
Mr. Keldsen graduated Cum Laude from Berklee College of Music (Boston) with a Dual BFA in Music Synthesis
Production and Songwriting. He holds a SANS GSEC certification, and was on the Advisory Board for the SANS
GSEC program for two years. He is also a Member of the Usability Professionals' Association (UPA) and The
Information Architecture Institute.
AIIM - The Enterprise Content Management Association
For over 60 years, AIIM - The ECM Association has been a neutral and unbiased source for helping individuals and
organizations understand the challenges associated with managing documents, content, records, and business
processes. AIIM is international in scope, independent, implementation-focused, and, as the representative of the
entire ECM industry - including users, suppliers, and the channel - acts as the industry's intermediary.
The AIIM community has grown to over 50,000 professionals from all industries and government, over 150
countries, and all levels of management, including senior executives, line-of-business, and IT. With every organization
in the world handling some type of paper or electronic content, the ECM industry will continue to grow. As the
industry grows, AIIM can be counted on to provide market education, peer networking, professional development,
and industry advocacy. Visit AIIM on the web at www.aiim.org
Table of Contents
Introduction
Section 1: Defining Content Security in the 21st Century
  Towards a More Granular Model
  Document-Centric Model
  Granularity - Targeting Sub-document Control
  The Content Security Lifecycle Model
  Authentication
  The Object-centric Approach
Section 2: Technology Complements and Alternatives
  Records Management (Federated Records Management)
  Document Management (DM)
  Web Content Management (WCM)
  E-mail Management
  Workflow/BPM
  Identity Management/User Authentication
  Enterprise Rights Management (ERM)
  Policy-based Encryption
  Content Authentication
  Content Addressed Storage (CAS)
  Trusted Timestamps
  Data Loss/Leak Prevention (DLP)
  Public Key Infrastructure (PKI)
  Digital Signatures
  Hierarchical Storage Management (HSM)
  Market Awareness of Content Security Technologies & Topics
Section 3: Why Content Security NOW?
  New Business Models, and Novel Applications of Technology are all Fine - But how do Organizations Think About Security Today?
  Role of Standards
  The Role of Vertical Industry Standards and Regulations Within Their Respective Industry
Section 4: The State of the Market
  The State of the Adoption Lifecycle
  Level of Appreciation
  Content Security in Search of Ownership and Vision
  Content Security - Playing it Close to Home
Section 5: Conclusion: Developing an Enterprise Content Management Model
  Content Lifecycle Security
  Policies and Enforceability
  The Impact of Content Security
Appendix: Methodology Used and Survey Demographics
  Methodology Used
  Survey Demographics
Underwriters
  CaseCentral
  Certeon
  Liquid Machines
  Surety
  EMC Corporation
  Xerox Global Services
Figures
Figure 1. The Network-centric Approach to Content Security
Figure 2. The Document-centric Approach to Content Security
Figure 3. The Object-centric Approach to Content Security
Figure 4. Technology Components In Content Security Strategies
Figure 5. Awareness Levels Regarding Content Security Technologies
Figure 6. Awareness Levels Regarding Content Security Concepts and Topics
Figure 7. The Extremes: Control/Secure vs. Collaboration/Innovation
Figure 8. The Control/Secure - Collaboration/Innovation Continuum
Figure 9. Is the Content Security strategy of your organization driven more by a desire to lock down content or to enable secure collaboration?
Figure 10. If compliance and legal requirements were no longer issues, what would likely happen to your organization's Content Security initiative/strategy?
Figure 11. Which of the following is closest to your organization's perspective on Content Security?
Figure 12. Which of the following definitions of Content Security most closely aligns with your definition?
Figure 13. What content types are you targeting for Content Security?
Figure 14. Approximately what percentage of your organization's total content requires specific controls to ensure validity/security?
Figure 15. Which departments' content are included in your Content Security strategy?
Figure 16. Who/what are you protecting your content from?
Figure 17. What are you trying to avoid/protect your content from?
Figure 18. What are the results of breaches in Content Security for your organization?
Figure 19. Is there an appreciation for the potential cost associated with the risk of unsecured content in your organization? If so, how great?
Figure 20. What drives your Content Security initiative (select all that apply)?
Figure 21. What is the PRIMARY driver of your Content Security initiative?
Figure 22. Assuming budget is available, identify the PRIMARY obstacles to implementing Content Security
Figure 23. Is a ROI (Return on Investment) study required as part of your planning for Content Security?
Figure 24. If you have performed an ROI on your Content Security project, were you able to show an acceptable level of return?
Figure 25. If you achieved a successful ROI, what was the time frame for showing a return?
Figure 26. Please Rank the Following Standards and Regulations as They Relate to Your Content Security Strategy/Needs?
Figure 27. Ranking of the Criticality of HIPAA to a Content Security Strategy Amongst Healthcare and Pharmaceutical Respondents Only
Figure 28. Ranking of the Criticality of CFR21 Part 11 to a Content Security Strategy Amongst Pharmaceutical Respondents Only
Figure 29. Ranking of the Criticality of DOD 5015 to a Content Security Strategy Amongst Government Respondents Only
Figure 30. Ranking of the Criticality of Sarbanes-Oxley (SarBox) to a Content Security Strategy Amongst Financial Services and Insurance Respondents Only
Figure 31. Ranking of the Criticality of the Gramm-Leach-Bliley Act to a Content Security Strategy Amongst Financial Services and Insurance Respondents Only
Figure 32. Ranking of the Criticality of the MoREQ to a Content Security Strategy Amongst European Respondents Only
Figure 33. Ranking of the Criticality of the FERPA to a Content Security Strategy Amongst Education Respondents Only
Figure 34. Where Do You Feel the Overall INDUSTRY Adoption is With Regards to the Following Terms/Phrases?
Figure 35. What is YOUR ORGANIZATION'S Current Involvement with Content Security?
Figure 36. What is Your Current Level of Involvement with the following technologies?
Figure 37. What is Your Implementation Timeline for Content Security?
Figure 38. What is Your Budget to Implement Content Security?
Figure 39. What Approaches to Content Security Monitoring Does Your Organization use to Identify Inappropriate or Malicious Behavior?
Figure 40. Within the Last 2 Years, Has Content Been Inappropriately Accessed by an Unauthorized Individual Either Deliberately or Accidentally?
Figure 41. Within the Last 2 Years, Has Content Been Inappropriately Updated/Deleted by an Unauthorized Individual Either Deliberately or Accidentally?
Figure 42. Do You Have a Specific Group Within the Organization to Address Content Security?
Figure 43. If You Answered YES, to Whom Does the Content Security Group Report?
Figure 44. Which of the Following CXX-level Security Officers are There in Your Organization?
Figure 45. Who DEFINES the Corporate Security Strategy for Your Organization?
Figure 46. Who OWNS/IS RESPONSIBLE for the Corporate Security Strategy for Your Organization?
Figure 47. Who Pays For/Funds the Corporate Content Security Initiative?
Figure 48. How Well is Content Security Understood in Your Organization?
Figure 49. Is Content Security Included in Your Corporate Governance Model?
Figure 50. Has Discussion of Creative Commons Licenses or Similar Concepts Impacted Your Organization's Attitudes Towards Content Security?
Figure 51. Would You Be Likely to Implement Your Content Security System in an Outsourced or SaaS Model?
Figure 52. If You Answered "No" to Implementing in an Outsourced or SaaS Model, Why?
Figure 53. The Control/Security - Collaboration/Innovation Continuum
Figure 54. Content Lifecycle
Figure 55. How Many Employees are in Your Organization?
Figure 56. Major Vertical Industries Responding (%)
Figure 57. Major Geographical Regions Responding (%)
Figure 58. What is Your Role in Your Organization?
Introduction
This AIIM Market IQ is focused on the art and science of securing electronic content, via a hybrid, strategy driven
model that we have labeled Content Security. Two basic sources of input were used in constructing this report. The
first was the accumulated experience and ongoing market analysis work performed by the AIIM Market Intelligence
Division. The second was an AIIM Market Intelligence developed and administered survey. The survey was taken by
600 individuals between 8/25 - 9/14/2007. It should be noted that the survey results are reported in aggregate (i.e.,
AIIM members and non-AIIM members), except in cases where the opinions of these two groups were polar enough
to render the aggregated responses as non-indicative of either group. These instances are specifically noted in the
body of this Market IQ. Further demographics regarding the survey population can be found in the Appendix.
This Market IQ covers the concept of Content Security from multiple perspectives, providing a thorough education
on the topic. In order to achieve a balanced understanding of Content Security, the reader is encouraged to read
this report in its entirety, in the order presented. The report, however, has been structured into six sections, each
providing a specific perspective on Content Security. These sections are:
Section 1
Defining Content Security in the 21st Century
This section introduces the subject, provides a definition and compares it to older approaches to
securing content.
Section 2
Technology Complements and Alternatives
This section identifies the point solutions that belong to the family of technologies that
collectively comprise Content Security.
Section 3
Why Content Security Now?
This section looks at the high level business drivers behind the need for Content Security. A framework
for defining a Content Security strategy is introduced. The struggle between compliance and control
versus innovation and collaboration is defined and measured via survey responses. This includes insight
into the effect that government standards/mandates and industry/technology standards are having in
shaping enterprise strategies for Content Security.
Section 4
The State of the Market
This section provides insight into the current obstacles, funding models, staffing models, deployment
models, overall attitudes and perceived adoption rates of technologies in organizations with regards
to Content Security.
Section 5
Developing An Enterprise Content Security Model
This section provides advice on how to leverage the knowledge presented within this Market IQ.
It offers a framework for evaluating and mapping organizational needs in order to define a Content
Security Model that best fits your organizational needs.
Appendix
Survey Demographics
This section provides analysis of the survey population.
Defining Content Security in the 21st Century
Securing online content is not a new concept. IT departments have been securing data since the first time-shared
mainframe was deployed, perhaps earlier. Operating systems and databases have been providing read/write access
control lists (ACLs) for decades. But much has changed since these early days of computing in terms of:
• networking capabilities (e.g., the reach of the internet and distributed wireless computing),
• business focus (e.g., the computer as a collaboration tool),
• online content (e.g., from data in rows and columns to digitized images of contracts),
• modes of communication (e.g., the advent of e-mail and instant messaging) and
• the business applications associated with online content (e.g., online paid-for subscriptions).
Many organizations find that their ability to create, use and share enterprise content is out of sync with their
ability to secure that content. Content Security often lacks the flexibility and dynamic nature of content creation
and management. A focus on and need to leverage and share content in order to maintain competitive standing
requires more open approaches to access. Yet compliance, ethical and legal concerns mandate closer scrutiny and
controls over open access. Moreover, the proliferation of content, the ease with which content can be posted
on a forum that reaches literally millions of users (i.e., the Internet), and the potential for manipulation of content
by non-authorized individuals or inappropriate sharing, make it necessary to authenticate and secure content.
Today, there is potentially great risk in assuming that content is in any deep sense secured simply because it is under
the control of system level security, or even a traditional document or records management system. It is
no longer reasonable to expect workers to be the "watchful eye" and only enforcement point in ensuring that information
that should be private and/or protected remains in a secure state. The volume of content, the speed of creation and
the reach of collaboration render this premise far too risky. Between accidental content exposure, purposeful
content leakage and/or piracy, the problem of who is watching the watchers has become very real. Scalability,
adaptability, awareness and enforceability of security policies are not reliable through a purely human effort, or a
piecemeal technology deployment. Yet, as we have found in this study, that is often the case. In spite of threatened
personal responsibility for inappropriate management of content, (e.g., Sarbanes-Oxley), many organizations and
their executives continue to rely on "good intention" and/or siloed technology solutions limited in scope and
capability that are several years behind the technology used for creation and sharing content. There is a family of
technology point solutions specifically designed to address security in the 21st century, but, as this study found,
understanding and deployment of these technologies is slow. Development of enterprise strategies to secure
content in any meaningful way, and leveraging the powers of available technology is nascent.
Enterprises must adopt approaches to securing content that differ from traditional approaches in two basic ways:
the granularity of security and the authentication of security.
Towards a More Granular Model
Traditional approaches to Content Security are focused at the perimeter of an organization and/or applications. This
is the network-centric approach to Content Security that includes tools such as system login and firewalls. The
focus is at a high level of granularity; network, server, desktops, and/or operating system level security. Content is
holistically protected or secured from outsiders, and in some cases restricts insiders from accessing inappropriate
outside resources. There is no contextual adaptability. The standard policy is one of "insiders are fully trusted,
outsiders are completely distrusted." This approach to Content Security is generic, providing lowest common
denominator levels of protection to secure network applications and desktops, but not content specifically.
Collaboration and knowledge sharing models under this approach require an all or nothing level of access to content,
or the replication of content outside the system of control (e.g., a repository on a file server). The former is limiting,
while the latter represents abandoning any ability to control content and the issues associated with content replication.
Figure 1. The Network-centric Approach to Content Security
[Figure labels: Perimeter, Content, Core]
In this traditional approach to Content Security, focus is at a high level of granularity. Content, represented by the red
cubes, is protected holistically. A perimeter or firewall is created that allows for total access or no access. There is no monitoring
of the individual content. Auditing occurs at the system level and there is no authentication of the content itself.
Document-Centric Model
The application of certain Content Security technologies (e.g., records management and document management,
which are discussed in more detail later in this report) pushes the level of granularity down to the individual file
level. In this approach, content, especially unstructured content, is secured file-by-file, or in collections of files. The
perimeter of control is constrained more tightly around a single file or group of files. In this scenario, work areas as
sub-groups to an entire library can be established to enable shared access to a collection or single document.
A limiting factor of this approach is that the security is enabled through the platform itself (i.e., the content or
records management system). At this level of security, content is free to go where it will and be manipulated
once it is out of these systems. Users can check out a file, modify it, share it (inappropriately), and not necessarily
check the file back into the management system, or indicate what actions have been taken. Collaboration typically
requires providing full access (read/write) to interested parties. Though an audit trail may be maintained, users are
on their honor to "do the right thing" with regards to editing and sharing. Authentication of timestamps and the
audit logs themselves may or may not provide meaningful evidence of content-centric issues.
Granularity - Targeting Sub-document Control
It should be appreciated that under the document-centric model, some platforms will provide control over sub-sets
of a file or document (e.g., individual objects such as a single image or paragraphs of text). In this way the level of
control is at a lower level of content, and enables the repurposing of content in multiple delivery mechanisms
(e.g., the usage of a single photograph in two separate documents and a web page, but the security and tracking
of the image is maintained once, centrally). This level of granularity is particularly useful in a web content management
environment and/or in scenarios in which complex compound documents are created through links to a
library of content "chunks."
Figure 2. The Document-centric Approach to Content Security
In the document-centric approach to Content Security, focus is on the individual file level, or a collection of files. Content, represented
by the red cubes, can be individually protected. A perimeter or control can be created within the perimeter that allows for specific
read/write/delete access to specific files (in this illustration the two cubes in the red circle contained in their own yellow ring are
specifically protected, separate and distinctly from the rest of the content collection). These files, however, are not protected from
leaving this environment, and thus can "escape" the implied security.
Additionally, granularity can be extended to metadata associated with each file or chunk. This metadata can include
properties such as author, title, summary, version number, an internal reference number, tracked changes and
forwarding history. With this level of granularity, each tracked facet of content, from the macro to the chunk level,
and metadata about or within content is accounted for, providing a comprehensive Content Security system.
It should be noted that the granular levels of securing content are not necessarily hierarchical. That is to say,
protection at a higher level of granularity may not negate the need for the lower level. Networks and platforms may
still be secured, even though specific chunks of content on those platforms or within those networks are also
secured. A major component to any Content Security implementation is the strategy that takes a holistic approach
at the business requirements and technology alternatives available, and weighs and leverages each. This is a reoccurring
theme throughout this Market IQ and is directly addressed in Section 5.
The Content Security Lifecycle Model
One of the biggest challenges to securing online content stems from the fact that online content is not static. Online
content can be easily manipulated, and/or revised on an ongoing basis. Document properties, such as authorship,
approval, and audit trail data are also subject to (legitimate and unauthorized) editing. A comprehensive Content
Security strategy must address this facet of online content as well, or else virtually all other attempts at security are
rendered worthless.
The dynamic nature of online content is also associated with the ease with which content can be shared, duplicated
and transported across systems and networks. Content/Data in motion as a term emerged because this is a real
occurrence (yet our survey showed that most individuals still do not have a clear appreciation for what data in
motion means and the complexity it poses from a security standpoint). Content Security is, in many cases, embedded
directly into content throughout its lifecycle - from creation, modification, distribution, archiving and destruction -
regardless of format or transmission method. This is a policy-driven capability, distinct from the realm of
information security, which is primarily focused on securing infrastructure such as networks, servers, desktops, and
operating systems. In Content Security, the security challenge is the development of policies and procedures for any
and all content. The benefit is the ability to centrally administer these across all content, at any level, in context.
Authentication
Authentication can be a pivotal and critical element to a Content Security system. Despite noble attempts to secure
content, in all the manners discussed above, the Content Security system and its managed content can be rendered
moot if there are no policies, procedures and mechanisms in place to manage and/or provide authentication of:
• user
• author
• approver
• and the content itself.
The value and criticality of authentication ranges from a need to ensure reliability of an author to a need to legally prove
the validity of a document. A user of online content needs to be assured that the content in use is what it purports to be.
In an age where "everyone can be an author and/or expert," controls may be necessary to ensure that accessed
content is legitimate, created by and/or approved by "approved or recognized" individuals, and in its latest approved
revision. Mechanisms should provide a sense of reliability and/or an ability to reference and monitor the authentication
of content and the data associated with content. In issues of litigation and compliance, content can be
deemed inadmissible if its authenticity cannot be proven beyond reasonable doubt.
The Object-centric Approach Figure 3. The Object-centric Approach to Content Security
Finally, a Content Security system needs to potentially
address the fact that online content can be and is often
purposefully Òcontent in motion.Ó Content is frequently
shared, replicated, e-mailed and/or stored in multiple
repositories. Content Security models that rely on an underlying platform approach whose perimeter of control
extends only as far as that platform potentially fail an organization whose content extends beyond that
platform. Content in motion, which is in the process of being transported from one physical location to another,
may undergo automated encryption. The object-centric approach to Content Security goes beyond encryption of
"in motion" content, however, and may incorporate approaches to managing the security of content "at rest"
(after it reaches the end point of its "in motion" path).
The object-centric approach to Content Security deploys technology that extends the document-centric model, by
embedding the security mechanisms within a content object. Thus the content is transformed from an "ignorant"
object that relies on outside mechanisms to assure its authenticity and security, to an "intelligent" object that
manages its authenticity and security itself, in an omnipresent fashion, in context. This potentially enables
wider distribution and ease of collaboration, because of an underlying assurance that control is not relinquished.
For example, press releases could be openly shared internally as a means of early education. Recipients would be
automatically prohibited from attaching the press release to an e-mail message prior to the release date, by the
intelligent press release itself. Market reports could be sold to a customer without fear of piracy. The report
would not allow the customer to duplicate the report, print the report or e-mail attach the report.
In the object-centric approach to Content Security, focus is on the individual file level (similar to the
document-centric approach, but the policies and mechanisms to secure the content are embedded within and thus
move with the content itself). Thus, the content becomes a self-regulating intelligent object that controls who
and what can be done to the object, in context, at all times. The security associated with the content is
omnipresent. Content, represented by the red cubes, is individually protected, and that perimeter of control
(illustrated by the yellow circle) stays with the content, even when the content is "sent" outside the perimeter
of the file, document, or records management system. Unlike the situation in a document-centric security model,
content can be protected from leaving this environment, and if permitted to "leave," maintain its integrity and
access permissions.
The object-centric approach to Content Security represents the state-of-the-art in terms of flexibility, reach and
the type of business models it supports. It is again important to point out, however, that application of such
security mechanisms does not necessarily negate the need for the other approaches and technologies introduced in
this section of this Market IQ. A state-of-the-art Content Security system is only accomplished through the
application and integration of several point technologies (covered later in this section of the Market IQ), and
governed and orchestrated through a centrally developed, maintained and executed strategy and policy (covered in
section 5 of this Market IQ).
Technology Complements and Alternatives
While it must be continuously stressed that Content Security is more about a well defined and executed strategy
model than it is about technology, it is nonetheless prudent to have a working knowledge of technology alternatives
before embarking on a strategy. For too many organizations, the Content Security strategy is confined to "old
approaches" or limited functionality due simply to an ignorance of what technology alternatives can provide. Indeed,
as is highlighted later in this section of the Market IQ, there is predominately a dearth of knowledge regarding
Content Security technology components in the market. Before organizations can embrace the state-of-the-art in
Content Security they need to have an appreciation of what is and is not possible.
As a means of introduction, the primary point technologies that can comprise a Content Security strategy are briefly
described and positioned here. These technologies are:
• Records Management
• Document Management
• Web Content Management (WCM)
• Workflow/BPM
• E-mail Management
• Enterprise Rights Management (ERM)
• Identity Management/User Authentication
• Policy-based Encryption
• Content Authentication
• Content Addressed Storage (CAS)
• Trusted Timestamps
• Data Loss/Leak Prevention (DLP)
• Public Key Infrastructure (PKI)
• Digital Signatures
• Hierarchical Storage Management (HSM)
Records Management (Federated Records Management)
Records Management (Federated Records Management) systems manage declared business records against the
records retention schedules that an organization has established. In this regard records management addresses Content
Security over a lifecycle, from declaration of the content as a record to the archival and possible destruction of the
content. Records management systems address the "final resting place" or "life duration" of content, but do not
address any other security aspects of content. The perimeter of control of the records management system does
not extend beyond the system itself. Content is not in any way managed until it is declared a "record" and thus
"moved into" the control of the records management system. The integrity of the content and authenticity of the
content prior to it being declared a record is not managed. Similarly, copies of content (records) are not tracked.
Copies existing outside the records management system are not managed in any manner. This is often a critical
component of a content management system, and is one that most organizations we surveyed claimed to
understand and include in their Content Security strategy.
It is worth noting that a new approach to records management, known as federated records management or
universal records management (URM) has emerged. In a federated records management system, the content
(records) may be stored in multiple locations across organizations, in repositories that may contain content not
declared as a record. These systems can access the enterprise's content stores and identify and manage records
within them. This helps to extend the perimeter of control of the records management system, more readily integrate
records management into an overall Content Security system and simplify the deployment of records control across
an enterprise.
Document Management (DM)
Document Management systems are typically concerned with revision control (knowing the current version and
ability to "roll-back" to prior versions), document lifecycle audit trails (knowing the string of authorship, last
modification date/time/author stamp), and rendition control (PDF versus MS Word copies of the same content, linking
the two together). Thus there is a rudimentary content authentication functionality provided. DM systems
typically provide read/write/delete control over files. DM is a core capability for Content Security, as integration
into document management capabilities allows multiple points to apply policies, provide logging, and ensure that
"splintered" versions of documents (Word vs. PDF from above) retain appropriate policies regardless of the machine
format used. Typically the perimeter of control of the document management system does not extend beyond
the system itself.
Web Content Management (WCM)
Web Content Management systems are similar to document management systems, but focus on content published
to web sites. This includes management of the publishing process and maintenance of links between information
chunks. Key features include creation and authoring, input and presentation template design and management, content
re-use management, and dynamic publishing capabilities. WCM can be leveraged to ensure that content managed
and deployed via the web remains in compliance with the policies established within the purview of the Content
Security strategy.
E-mail Management
E-mail Management systems are similar to records management systems, but are finely tuned to specifically handle
e-mail messages, and in most cases their associated file attachments. These systems typically include functionality
that extracts e-mails from the server and saves them to a secure environment in which they are classified and
maintained as business records. Typically the perimeter of control of the e-mail management system does not
extend beyond the system itself. The e-mail management system can be integrated into a broader records
management system, in which case the perimeter of control is limited by the reach of the records management system.
Workflow/BPM
Workflow/BPM as a technology is often deployed beyond the purview of security. These technologies are deployed
to automate virtually any business process. But, workflow and BPM (Business Process Management) can be
incorporated into a Content Security strategy in order to provide integrity to the processes used to move the content
through its security lifecycle and to automate (i.e., enforce) the execution of critical steps and functions to securing
the content over time. For example, a workflow enabled publishing process can ensure that a body of content is
automatically declared a record when posted to a web site, or that a file cannot be released for the "general
public" until a designated reviewer has "approved" its content (and it would automate the routing of the content
for approval to the proper reviewer). Thus workflow and BPM can be used to automatically and relentlessly apply
the policies key to policy-driven and policy-enforced Content Security. Without automated processes to assist and
enforce these policies, Content Security is greatly vulnerable to human error, oversight and/or sabotage.
Additionally, the workflow system provides an audit trail on the processes, providing a further level of
authentication and quality control over content across its lifecycle. This ability to provide business process integrity, in situations
related to litigation, can be as critical as the securing of content itself, as litigators bring into question the process
used to manage content as much if not more than the record or content itself.
Identity Management/User Authentication
Simply put, Identity Management/User Authentication are systems and techniques used to ensure that users are who
they purport to be. Authentication depends on one or more authentication factors. At the low end this could
include a username and password. At the high end this could include a retina or fingerprint scan. Authentication is
typically a precursor to authorization: secure identification (authentication) of a user leads to an associated list of
permissions (authorization) within content and processes.
At the higher end of functionality, these systems are used to ensure that authentication, access and audit controls
feed from authoritative, current, and fully correct identity stores. Policies are connected to both higher-level groupings,
and have fine-grained control down to each unique individual. While standard access control repositories such as
Active Directory (AD) are typical end repositories of this information, they do not contain the "intelligence" to
ensure that this information is verified and up-to-date. Regulatory compliance and general corporate governance
standards state explicitly that access privileges need to be certified and audited. Individuals should have the
appropriate level of access to content that they need to do their stated jobs, but no more than that. Typically permissions
and identity are tracked at the roles and rights level. This eliminates the "rights creep" that can occur if rights are
tracked by individual, and an individual "moves" across jobs and functions within an organization, keeping past access
rights even though they have changed roles and/or project/department affiliation.
Enterprise Rights Management (ERM)
Enterprise Rights Management (ERM) systems embed security policies within documents themselves (the
object-based model). Under an ERM system, the perimeter of control is tightly maintained around the content, even when
the content is "in motion" or "at rest," outside the physical domain of the underlying platform. ERM can control
content usage to various levels (e.g., Read/write/access, access based on user and user current location, number of times
or length of time a file can be viewed by a single user, whether cut/copy/paste of content is permitted, ability to
forward or e-mail attach and online/offline access), both within and beyond organizational barriers.
Policy-based Encryption
Policy-based Encryption automatically encrypts content based on user-defined rules, which are typically embedded
in a user authentication and/or ERM system. Using policy-based encryption, content may be physically "available,"
but not "accessible" until conditions are met that ensure the "right person at the right time" is accessing the content.
Policy-based encryption is predominately used on content in motion, or being transported from a protected system
to another system.
Content Authentication
Content Authentication refers to the orchestrated usage of many Content Security point technologies (e.g., trusted
timestamps, CAS, e-signatures, electronic watermarks and document management) used in aggregate. These
technologies are used to provide auditable assurance and reliance that the content is indeed what it represents itself
to be (that it is "official," is the latest version, has had no unauthorized modifications, etc.).
Content Addressed Storage (CAS)
Content Addressed Storage (CAS) technology is focused on data or content at rest, or endpoint data protection.
It is used exclusively on content that is written once and never to be changed. It could be an invoice, financial
statement, archived e-mail, medical X-ray or a sealed record. CAS creates a digital fingerprint of the stored content file.
This fingerprint (also known as an ID or logical address) ensures that the content is the same exact piece of data
that was saved. No duplicates are ever stored.
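The fingerprint-as-address behaviour described above can be shown with a small in-memory store. This is an added example, not code from the report or from any CAS product; the class and method names are hypothetical, and SHA-256 is assumed as the fingerprint function because the report names none.

```python
import hashlib


class IntegrityError(Exception):
    """Stored bytes no longer hash to the address they were filed under."""


class WriteOnceError(Exception):
    """A sealed record name was presented again with different content."""


class ContentAddressedStore:
    """In-memory sketch of a write-once, content-addressed store."""

    def __init__(self):
        self._blobs = {}   # fingerprint (hex digest) -> content bytes
        self._names = {}   # record name -> fingerprint, bound once

    @staticmethod
    def fingerprint(data):
        # SHA-256 is an assumption of this sketch; the report names no algorithm.
        return hashlib.sha256(data).hexdigest()

    def put(self, name, data):
        """Store data under its own fingerprint and bind the name to it."""
        address = self.fingerprint(data)
        bound = self._names.get(name)
        if bound is not None and bound != address:
            # Write once: a sealed record cannot be replaced by new content.
            raise WriteOnceError("%s is sealed as %s" % (name, bound[:12]))
        # Identical content maps to the same address, so it is stored only once.
        self._blobs.setdefault(address, bytes(data))
        self._names[name] = address
        return address

    def get(self, address):
        """Return the content only if it still matches its fingerprint."""
        data = self._blobs[address]
        if self.fingerprint(data) != address:
            raise IntegrityError("content at %s was altered after storage" % address[:12])
        return data

    def blob_count(self):
        return len(self._blobs)


def demo():
    store = ContentAddressedStore()
    invoice = b"INVOICE 0001 total 1,250.00 (constructed sample)"
    altered = invoice.replace(b"1,250", b"9,250")

    first = store.put("invoice-0001", invoice)
    second = store.put("invoice-0001-archive-copy", invoice)
    results = {"same_address": first == second, "blobs": store.blob_count()}

    try:
        store.put("invoice-0001", altered)
        results["rewrite"] = "accepted"
    except WriteOnceError:
        results["rewrite"] = "refused"

    # Simulate someone editing the bytes underneath the store.
    store._blobs[first] = altered
    try:
        store.get(first)
        results["tamper"] = "missed"
    except IntegrityError:
        results["tamper"] = "detected"
    return results


if __name__ == "__main__":
    print(demo())
```

Because the address is derived from the bytes, a retrieval that re-hashes the content doubles as an integrity check, which is what lets CAS feed the content authentication and trusted timestamp functions described elsewhere in this section.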
Trusted Timestamps
Trusted Timestamps are technology that works in concert with records management or document management
systems to certify outside of the records/document management system that a file, when submitted to the managing
system, is the same file as when it is later recalled/retrieved. Trusted timestamps render online content beyond
repudiation: "proof" that the content has not been modified nor has any of its associated metatags including
signatures/approvals or timestamps on approvals. Trusted timestamps are a critical component to content integrity
and in some cases include service by an independent trusted third party to further separate the possibility of
internal collusion.
Data Loss/Leak Prevention (DLP)
Data Loss/Leak Prevention (DLP) is intelligent filtering of content in motion, based on centrally administered
policies, with as little human intervention as possible. DLP systems "read" content that is targeted to be sent outside
a defined perimeter (e.g., an internal system or an external firewall) and discern whether there is protected content
or private data (such as social security numbers, credit card numbers, medical history) within the content. If such
content is detected, the content is filtered, and kept from being shared. Advanced content filtering (e.g., semantic
or linguistic content filtering) can detect protected or private content that is not directly contained in the content
(e.g., rephrasing content to potentially bypass keyword filters). Advanced systems can also process rules regarding
the intended recipient of the content (i.e., the content is only protected from certain people), for example, preventing
buy-side and sell-side workers in a brokerage firm from sharing content that can be construed as internal collusion.
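The two DLP checks described above, pattern detection on outbound content and rules keyed to the intended recipient, look like this in a minimal form. This is an added example, not code from the report or any DLP product; the domain, the group assignments, the watch-list phrase and all message contents are constructed assumptions.

```python
import re

# Assumed perimeter and information-barrier policy (all values constructed).
INTERNAL_DOMAIN = "example.com"
GROUPS = {
    "ana@example.com": "buy-side",
    "raj@example.com": "sell-side",
    "lee@example.com": "compliance",
}
BARRIERS = {frozenset({"buy-side", "sell-side"})}
RESTRICTED_TERMS = ("project falcon",)  # hypothetical watch-list phrase

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13 to 19 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that are not payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_protected(text):
    """Return (kind, masked_value) pairs so raw values never reach the DLP log."""
    findings = []
    for area, group, serial in SSN_RE.findall(text):
        # Structural rules for US SSNs: these ranges are never issued.
        if area in ("000", "666") or area.startswith("9") or group == "00" or serial == "0000":
            continue
        findings.append(("ssn", "***-**-" + serial))
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def evaluate(sender, recipients, body):
    """Return ("allow" | "block", reasons) for one outbound message."""
    reasons = []
    findings = find_protected(body)
    external = [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if findings and external:
        kinds = ", ".join(sorted({kind for kind, _ in findings}))
        reasons.append("protected data (%s) addressed outside the perimeter" % kinds)
    # Recipient-aware rule: restricted topics may not cross an information barrier.
    if any(term in body.lower() for term in RESTRICTED_TERMS):
        for r in recipients:
            if frozenset({GROUPS.get(sender), GROUPS.get(r.lower())}) in BARRIERS:
                reasons.append("restricted topic crossing barrier to %s" % r)
    return ("block" if reasons else "allow"), reasons


# Constructed sample messages: (sender, recipients, body).
SAMPLES = [
    ("ana@example.com", ["broker@partner.example"],
     "Customer SSN 123-45-6789, card 4111 1111 1111 1111"),
    ("ana@example.com", ["lee@example.com"],
     "Customer SSN 123-45-6789, card 4111 1111 1111 1111"),
    ("ana@example.com", ["raj@example.com"],
     "Latest numbers on Project Falcon attached"),
    ("ana@example.com", ["vendor@partner.example"],
     "Order reference 4111 1111 1111 1112 shipped"),
]


def demo():
    return [evaluate(*sample)[0] for sample in SAMPLES]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[1], evaluate(*sample))
```

The fourth sample is allowed because its digit run fails the Luhn check, which is how pattern-based filters keep false positives down; the rephrased-content case the paragraph mentions needs the semantic filtering it describes and is outside what pattern matching can catch.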
Public Key Infrastructure (PKI)
Public Key Infrastructure (PKI) uses a public and private key pair held by a trusted third party to transact business
over the public Internet. These are typically used to verify digital signatures (see below).
Digital Signatures
Digital Signatures refer to a spectrum of functionality. At the low end (where the functionality is also known as
electronic signatures), this refers to the attachment of an image, electronic sound or symbol to content, providing
association with a person to the content (e.g., as a reviewer or approver). At the high end, digital signatures are
created and verified by cryptography. Digital signatures employ an algorithm using two different but related "keys"
(using PKI), one for creating a digital signature, and another key for verifying a digital signature or returning the
content to its original form.
Hierarchical Storage Management (HSM)
Hierarchical Storage Management (HSM) is a content storage system that typically transcends Content Security.
HSM automatically moves online content between various storage mediums for a variety of policy and efficiency
reasons. HSM can be deployed as part of a Content Security system, typically in conjunction with a workflow-
enabled process, to automatically move content to a specific type of storage medium at a particular point of its
lifecycle (e.g., content when declared as a legal record is automatically moved to a WORM drive, and potentially
subjected to a trusted timestamp and/or CAS system).
It is again stressed that Content Security is not embodied by any one of these technologies, but through orchestration,
coordination and integration of these technologies in a complementary fashion. This requires the development of a
content management strategy (the focus of section 5 of this Market IQ), in which business needs (see section 4 of this
Market IQ for more detail on how to define business need and current experiences with business need) are evaluated
and specifically addressed through selection of appropriate candidates from Content Security related technologies.
Market Awareness of Content Security Technologies and Topics
This section of the Market IQ is provided to give a basic education on the state of the industry from a technology
perspective. In reality, the state-of-the-industry, from an implementation perspective is very different. Our survey
measured the state of the industry from an implementation/user perspective in many ways. The bulk of these
findings and insights are the focus of section 3 of this Market IQ. Two of the findings from the survey are discussed
here, however, so that the current reality of technology awareness and how this affects content strategy
development can be appreciated.
When asked to identify technology components that are within their definition of Content Security, survey respondents
paint a minimalist and rudimentary picture. Focus is predominately on older technologies with basic functionality,
(i.e., records management, document management and user authentication were each included by 55% of survey
respondents), and e-mail management (54%) which has received much attention in the market of late. No other
technologies were identified by more than 50% of the survey population. This would perhaps suggest that the more
cutting-edge technologies, those that are beyond the "traditional" world of Content Security (e.g., trusted
timestamps, policy-based encryption, DLP, and ERM), are not relevant to the needs of today's organizations and/or that
their cost of implementation is not exceeded by their value statement or return on investment.
Figure 4. Technology Components In Content Security Strategies
Records Management               55%
User Authentication              55%
E-mail Management                54%
Document Management              45%
Data Leak/Loss Prevention        43%
Digital Signatures               35%
Content Authentication           34%
Digital Rights Management        23%
Enterprise Rights Management     23%
Policy-based Encryption          23%
Public Key Infrastructure        22%
Trusted Timestamps               21%
BPM/Workflow                     19%
Hierarchical Storage Management  18%
Content Addressed Storage        13%
Survey participants were asked to identify those technologies that fit within their definition of Content Security. The older, more
mainstream technologies were predominately and consistently selected, while more cutting edge technologies received mixed ratings.
It is reasonable to conclude, however, that the lack of inclusion of these ÒnewerÓ technologies in a Content Security
strategy is more a function of the general level of awareness than an educated decision that they are not relevant.
When asked to rank their level of understanding of a sample of Content Security point technologies, the results nearly
mirrored the ranking of technologies incorporated into a content management strategy. Most survey respondents
indicated either a "Fully understand" or "Mostly understand" level of awareness for technologies such as archiving,
records management and digital signatures (probably with a focus to the more rudimentary electronic signature end
of the functional spectrum) and e-mail management, and a "Somewhat familiar" to "No idea" level of awareness for
technologies such as content filtering, content authentication, PKI (as a function of the higher end digital signatures)
and trusted timestamps.
When asked to rank their level of understanding regarding a sample of Content Security concepts, only the somewhat
generic "Information Security" received more than 50% response for a "Mostly understood" or better. Even the
much recently publicized topic of "e-discovery" ranked third with only 43% of respondents indicating a "Mostly
understand" (or better) level of understanding. Concepts somewhat basic to appreciating the specific nuances of
electronic content (versus a paper-based environment) such as "Data at Rest," "Data in Motion," "Endpoint Data
Protection," and "Unified Messaging" are poorly understood.
Until organizations develop a more broadly defined and up-to-date appreciation for the challenges and specific
nuances associated with electronic Content Security and the availability of multiple point technologies to specifically
address those issues (as well as potential new business value propositions) it is likely that uptake of these technologies
will remain low. These findings seem to indicate that there is a strong need for education of users and owners of
online content in order to move enterprise Content Security models forward, beyond "traditional approaches."
(See sections 3, 4, and 5 of this Market IQ for further insights into the current state of the market regarding
business drivers and strategies for Content Security).
Figure 5. Awareness Levels Regarding Content Security Technologies
Technologies: What is YOUR level of awareness of the following terms/phrases?
Columns: Fully understand / Mostly understand / Somewhat familiar / Vaguely familiar / No idea
Archiving                        45%  30%  14%   5%   6%
Records Management               41%  24%  18%  10%   7%
Digital Signatures               34%  30%  19%   8%   9%
E-mail Management                31%  29%  23%  10%   7%
Content Filtering                20%  24%  28%  15%  13%
Content Authentication           16%  27%  27%  16%  14%
Public Key Infrastructure (PKI)  14%  12%  16%  18%  40%
Trusted Timestamps               11%  19%  22%  21%  27%
Figure 6. Awareness Levels Regarding Content Security Concepts and Topics
Concepts: What is YOUR level of awareness of the following terms/phrases?
Columns: Fully understand / Mostly understand / Somewhat familiar / Vaguely familiar / No idea
Information Security             30%  27%  28%   7%   8%
e-Discovery                      23%  20%  18%  15%  24%
Data Loss Prevention             22%  30%  28%  11%   9%
Content Security                 22%  26%  26%  12%  14%
Information Risk Management      21%  26%  29%  11%  13%
Information Loss Prevention      18%  28%  27%  16%  11%
Content Loss Prevention          13%  25%  28%  18%  16%
Business Process Integrity       13%  17%  26%  19%  25%
Unified Messaging                10%  13%  18%  23%  36%
Endpoint Data Protection          9%  12%  21%  23%  35%
Data At Rest                      7%   8%  21%  23%  41%
Data In Motion                    6%  10%  21%  25%  38%
Content Security At the Fulcrum of Innovation and Risk Section 3
Why Content Security NOW?
The mindsets and technical capabilities that tie security to content specifically are still fairly early in the adoption
lifecycle. Most of the focus on security in an electronic world has been focused on core infrastructure concerns, and
the fight against viruses, malware, spyware, and spam, rather than on how security capabilities can enable the
business itself.
As businesses have continued to adopt information technology solutions, there is a continuing and emergent
recognition that adding even more technology, specifically point solutions, is not helping business as a whole to improve.
There have been some pundits, among them Nicholas Carr ("Does IT Matter? Information Technology and the Corrosion
of Competitive Advantage," published by Harvard Business School Press, 2004), who state that IT as a whole is
actually a hindrance to business, not a driver for businesses. The issue is that technology adoption for its
own sake leads to tactical solutions solving fairly narrowly defined issues.
The solution is to step back and examine what the primary business drivers are in any information management or
enterprise content management (ECM) deployment.
Content Security, as a layer that unites ECM investments and addresses the lifecycle of content creation (as
described in Section 1 of this Market IQ), is not a technology in search of a business problem, but a direct response
to the challenges of surviving and thriving as a business in the 21st century.
At the root of these emerging business requirements is the growing rate at which businesses, whether global,
regional, or local, and the community of customers, partners, employees and other parties, create, store and share
their business content in electronic format. Word processing, e-mail (and attachments), web sites of all types, and
online collaboration whether web-based or in a purpose-built application are among the more popular approaches
to creating and storing business content, along with the rising adoption and volume of content being created via
instant messaging, blogs, and wikis.
Needless to say, the amount of business content that is created and stored electronically is at an all time high, and
continues to grow. We have all accepted this as fact, and our growing storage capabilities at the desktop, laptop and
network level mirror this fact.
The question then is not what do we do with all of this content, but rather, what the business reasons are for
creating the content in the first place. From that point, the layers of security that would be necessary and appropriate
to the business task at hand can begin to be identified.
Electronic content is still a relatively recent phenomenon, and has given way to evolving business challenges and
opportunities. Indeed, in the case of Content Security, there is not one business challenge or set of issues, but two
dynamic forces that make up the spectrum of concerns. This convergence of need is a strong force behind the
adoption rate of Content Security and its ultimate business drivers.
Figure 7. The Extremes: Control/Secure vs. Collaboration/Innovation
[Figure labels: "Control & Secure" and "Collaborate & Innovate"]
As figure 7 illustrates (above), the need for security is driven by:
1) the need for increased control and an ability to lock down, or secure content for compliance, regulatory, or legal
issues. This may also be driven by a need to enforce general business operational rules of the business itself, regardless
of third party directives; and
2) the need to enable the ability to collaborate and innovate freely within whatever community the business chooses
to embrace. This also harkens to enabling traditional Research & Development (R&D) work, and more broad-based
Knowledge Management (KM) initiatives.
Traditionally, security solutions have seen these two dynamics as polar opposites. Content is controlled, or wide-
open. Moving a step beyond that, content is controlled only when posted into a secure repository, otherwise it's
wide open. As introduced in Section 1, this is the general state of the market for typical Document or Content
Management deployments.
The reason technology has been deployed in such a black or white manner though, is because that has been the
capability generally touted and understood, and therefore is the default thinking on how Content Security can be
deployed. Security concerns are not black and white in the real world. They require fine-grained tuning that balances
out a need for control (extreme in some cases, lax in others), versus a desire to collaborate (whether with two
people or thousands, employees, partners, or customers), as illustrated in figure 8 (below).
Figure 8. The Control/Secure - Collaboration/Innovation Continuum
[Figure labels: "Control & Secure" and "Collaborate & Innovate"]
New Business Models and Novel Applications of Technology are all Fine,
but how do Organizations Think About Security Today?
While there are some very interesting ways that security could be implemented, what is the thinking, and thus, the
tactics and strategies that organizations are using today, to make decisions around security specifically addressing
content itself, rather than pure infrastructure security?
To uncover answers to the above questions, a series of survey questions were asked, aimed at identifying the
business drivers, the types of content targeted, and from whom content is being secured. The insights gained
provide an education on how to address Content Security in a business setting.
Figure 9. Is the Content Security strategy of your organization driven more
by a desire to lock down content or to enable secure collaboration?
Exclusively to lock down content                 7%
Predominately to lock down content              26%
It is a balanced approach                       49%
Predominately to enable secure collaboration    14%
Exclusively to enable secure collaboration       3%
The responses to this question seem to indicate that the desire of a Content Security strategy is a balancing act
between the two extremes. There is, however, a definite lean (33% of respondents) towards the "lock down" view
of security, versus a collaboration mindset (17%). This is perhaps a symptom of the fact that the market is still early
in strategic understanding and technical capability, in balancing out harsh control, and open collaboration (see
Sections 1 and 4 for more details). As the technology adoption lifecycle for Content Security as a whole gains
further inroads, and the benefits rather than pure cost/risk mitigation are seen, a more balanced approach is sure
to emerge.
We challenged this first finding by further asking whether strategy would change if outside influences from
regulatory or legal compliance requirements were to disappear. The majority of respondents (62%) stated that their
strategy "would remain the same."
Figure 10. If compliance and legal requirements were no longer issues, what would likely
happen to your organization's Content Security initiative/strategy?
It would remain the same    62%
It would be scaled back     32%
It would be terminated       6%
This lends further credence to the attitudes expressed above. Most organizations seem to be addressing Content Security
not simply "because we have to".
That said, as the market matures, the percentage of organizations that view Content Security as a balance between
control and collaboration and would implement a system regardless of external/legal issues should continue to rise even
further to reflect the fact that for purely operational purposes, there are plenty of reasons to be concerned with using
content in a secure manner, as electronic content becomes more discretely understood as a business enabler. 32% of
respondents acknowledged that their strategy would be scaled back if outside factors were removed, which is simply an
indication of the level of sophistication spread across the technology adoption lifecycle. Only 6% believe strategy would be
outright terminated in the absence of legal pressures. It is likely that it would depend upon how far an organization
has already embraced strategic Content Security use, and how solidly the business cases have been built in both revenue
generation and cost/risk reduction, that would determine whether such a program would continue to live.
A challenge to their initial observation came in response to the question, "Which of the following is closest to your
organization's perspective on Content Security?" In this case, there was a more pronounced preference for traditional
approaches to Content Security. 38% of respondents indicated Content Security was to prohibit unauthorized use (and
as we will see in a later question, primarily from "hackers"), whereas 47% (combined) are oriented towards "enable secure
sharing and collaboration" or "implement a secure knowledge repository." 26% (combined) are driven by a definition to
"satisfy compliance directives" or "to prepare for audit." Compliance and audit concerns clearly still weigh heavily on the
mind, although again, signs point to a continuing recognition that security can be an active enabler of business as well as a
protection mechanism in and of itself.
Figure 11. Which of the following is closest to your organization's
perspective on Content Security?
To prohibit unauthorized use: 38%
To enable secure sharing and collaboration: 22%
To satisfy compliance directives: 17%
To implement a secure knowledge repository: 15%
To prepare for audit: 9%
Further examination and analysis of survey responses regarding the basic value statement of Content Security again pointed
to a fairly receptive market, one that sees Content Security not just as lock-down, but as "a means to share content in a
secure manner, so as not to violate privacy, confidentiality or competitive boundaries" (31% of responses). See figure 12 on
the following page.
Figure 12. Which of the following definitions of Content Security
most closely aligns with your definition?
A means to share content in a secure manner so as not to violate privacy, confidentiality or competitive boundaries: 31%
Lifecycle control access to online content: 17%
A strategy and infrastructure directly targeted at providing intelligent access to content in context: 14%
Tools and techniques to keep unauthorized individuals out of online repositories: 11%
A system to prevent fraudulent duplication/sharing: 8%
A component of overall corporate security that does not need a specific focus/strategy: 6%
It is interesting to note that the lowest response level (6%) was "a component of overall corporate security that does not
need a specific focus/strategy." In theory, once adoption of Content Security is more fully embedded as a core
component in organizations, that answer should rise to the forefront, but at this stage, it is not surprising that most see Content
Security as something separate from corporate security, which could be both physical security (of buildings, materials, etc.)
as well as traditional "information security" (more about networks, desktops, and system security).
From a traditional information security or physical security standpoint, one can easily see that security systems and policies
are more stove-piped than integrated, making it easier for both malicious and accidental security problems to arise, as
they would remain undetected in the hidden cracks between systems. However, completely integrated security, across all
types of security concerns (physical, electronic, network, content, etc.), is a level of capability that is barely attainable even
by the best funded, and most legitimately paranoid institutions at this point. Certainly, this is something to aspire to, as long
as security in and of itself does not become the banner, but instead, a balance of how your organization can safely run, and
how to best protect itself, through various means.
Respondents also indicated that the boundaries of security systems, from a content perspective, need to be broad. This is
in keeping with the attitude expressed thus far, that Content Security is a way to balance security/control with
collaboration/innovation. Respondents were asked to indicate what types of content would fall under the purview of a Content
Security strategy (multiple choices allowed). Not surprisingly, "office documents" (spreadsheets, word processing
documents, presentations) rank quite highly at 40%, as that represents the bulk of documentation created in many organizations.
Also rated at 40% were all electronic forms of content — a very holistic outlook.
Given the current fervor around e-mail management concerns, that e-mail ranked as the highest individual response at 44%
is also understandable. However, in light of the sentiments expressed thus far with regards to respondents' views on
Content Security, this response is perhaps a bit misguided. E-mail represents the bulk of "content" flowing in and out of an
organization, and from that perspective, it is understandable that e-mail is a serious topic of concern within an enterprise
Content Security model. That said, a hyper-focus to call out e-mail as a specific and separate solution is troubling over the
long-term — as the ultimate sustainable solution to truly secure and manage content across the organization can likely only be
accomplished through a single layer (virtualized or truly centralized and pushed out). As an early stage of solutions has
grown up in the e-mail management space, the ability to carve out and address e-mail separately makes sense, for now, but
should only be seen in the context of a migration up into a larger solution set.
Figure 13. What content types are you targeting for
Content Security?
E-mail: 44%
Desktop files (spreadsheets, documents): 40%
ALL electronic forms of content: 40%
ALL forms of content: 32%
Website content: 28%
Paper files: 28%
Instant messages: 11%
Film/Fiche: 10%
Blogs/Wikis: 5%
That instant messages (IM) and Blogs/wikis are not seen as nearly as applicable within a Content Security model is
troubling, to say the least. It may purely be that these tool/medium types are not as prevalent in the respondents' organizations,
and therefore are not weighted as heavily. However, again, to think that any specific media/medium type is out of scope
purely based on the technology is to miss important opportunities to help drive business, facilitate collaboration, as well as
to be aware of the legal and regulatory concerns, as well as "pure" risk management in how an organization conducts itself
through its desired operational rules, as described earlier. Given the overall opinion reviewed thus far, in which Content
Security is predominately seen as a way to balance control and collaboration, it is a bit of an anomaly that a greater
percentage of respondents did not select "all content" (whether electronic or otherwise).
We are not proposing in this Market IQ that all content holds equal value, and thus should be secured or controlled in
exactly the same fashion — there is so-called "high value" content, and there is quite a wide variety of content that
essentially has little value. A strategy should not necessarily exclude content by its physical format, but rather its subject matter
and ultimate value, which is what makes format-specific solutions an understandable short-term strategy, but one that
ultimately will need to be coordinated or "rolled-up" into a larger, systemic and systematic approach.
To get a sense as to what amount of content organizations felt needed extra rigor in validating or securing (making it "high
value"), we provided a follow-on question asking what percentages of overall content needed specific controls applied.
Figure 14. Approximately what percentage of your organization's
total content requires specific controls to ensure validity/security?
[Bar chart. Response categories: <1%, 1-10%, 11-25%, 26-50%, 51-75%, 76-100%, Unknown. Bar labels: 28%, 20%, 14%, 12%, 10%, 9%, 6%.]
This response continues to be more in line with the general opinion that Content Security is a balance, with "all content"
the 2nd highest response, by way of 20% responding that "76-100%" of content would need more stringent, specific
controls. This was topped only by "Unknown" (28%), which is likely due to the fact that they may have not yet quantified the
values and risks in their content. When respondents were asked what departments would have content included in a
Content Security strategy (multiple choices allowed), it is heartening to see that the runaway response was ALL
Departments (69%). While there seems to be some confusion as to what media or content types are within scope, there
is strong recognition that any strategy should cut straight across the organization. Of the remaining choices that ranked
highest, Legal (18%), Finance (11%), Human Resources (9%) and Intellectual Property Management (8%) have clear ties to
what would be either legal or regulatory mandates, or at the least, very clear cases where knowing what content is in play
and holds high value (due to the competitive nature or private nature of the content).