ECM Questions

What security features does Enterprise Content Management software provide?

With both on-demand and on-premise ECM systems, the application itself should include security tools and features that enable administrators to put security policies and procedures in place. The more security the software offers, the better. Here are some basics to look for and some additional ECM security features.

The Basics

  • User Passwords—Administrators should be able to set password complexity and length requirements.  Passwords should be encrypted with a one-way hash (a special type of encryption). Only the hash value (the special encryption code)—not the password itself—should be stored.
  • Account Lockout—Administrators should be able to schedule account lockouts after a specific number of invalid sign-in attempts within a specific amount of time.
  • Session Timeout—User sessions should automatically timeout after a period of no activity.
  • Sensitive Data Encryption—Any secure data (i.e. encryption keys) should be stored encrypted.

Preferred ECM Security Features
-These features significantly increase security-

  • Customer Information Protection—The application should never store customer data or pass data in cookies (text exchanged between servers and web browsers).This should include session IDs (a unique user number) passed back and forth between clients and servers.
  • IP Address Limiting—Access to information should be limited to specific IP addresses (unique identifiers) to ensure access is gained only from authorized locations.
  • Function-Level Verification—Exchanging information without verifying security access rights opens the possibility for an information breach. If security is evaluated and verified only for the first exchange, an attacker could write a program that could access your information. Therefore, every single application function call (information request or command) should be verified before access is granted.

How are my documents secured both during transmission and when stored?

Information is vulnerable. Encryption is critical for protection in both on-demand and on-premise ECM systems. Vendors and in-house systems should use Secure Sockets Layer (SSL) encryption to transmit private documents via the internet. SSL enables full encryption of all traffic (including documents).

Encryption is equally as important when information is stored. The gold-standard for encryption is 256-bit AES. It is best suited for protecting information during storage, because it is a stronger type of encryption that increases the complexity of data scrambling.

What is your disaster recovery plan as it applies to data restoration? 

Backup frequency and storage methods are critical elements of disaster recovery and information reliability. Local tape backups provide a good safeguard, but restoring large volumes of information stored on tape can take days, weeks or even months. A better practice for vendors and companies that implement ECM in-house is to use multiple, fully redundant storage systems and mirror all data (including backup files) synchronously. Within seconds, the vendor should be able to synchronize data between sites.

Activating the secondary site to become the primary site should take only a matter of minutes, and, ideally, no data restoration should be required. Accidents happen. Make sure you’re comfortable with how frequently your information is backed up and the amount of time needed to recover your data and restore information access.

How is information accessed?

Understand how servers retrieve data from the network, because system design affects the security of information access. vendor applications and in-house hardware systems often commit two network security sins:

  • The web servers (servers exposed to the world) have direct access to customer data in the secured network (the location where your information is stored).
  • Similarly, applications store customer data on the same network as the externally accessed systems without using firewall protection between the networks. In this case, firewalls should always be in place—but, even with firewalls, this is not the best setup. Data access should be performed by entirely different servers (application servers) that sit on a completely different secured network. Only these separate servers should have direct access to storage locations and databases. The application server should act as a go-between for the web server to access the customer data stored on the secured network. This separation provides an important layer of security.

Data Delivery Methods are Significant:

Be aware of the method used to deliver and view documents. Many on-demand enterprise content management software vendors post your information to their website without proper security measures to protect it. This is dangerous, because it opens the possibility for anyone on the internet to simply guess or modify a website address and gain unauthorized access to data. Vendors and companies offering internet access to documents should first require a user name and password to gain access and then further protect documents and users by encrypting session IDs. Session ID encryption ensures skilled attackers cannot hijack your session ID, disguise themselves as authorized users and roam the system opening files.


Source: Digitech Systems Inc


Contact your Tab Service representative today to request a free 30-day demo to familiarize yourself with our ECM security features first hand before making a purchase. Call today: 312-527-4306