TakingAIIM

IBM and Yahoo announced the third release (version 8.4.2) of OmniFind. (See release.)

Perhaps no ECM technology has ridden a more tumultuous roller coaster than search.  Search was in teh limelight in the late 1980s, went into near obscurity via integration in the mid-1990s, and is now hotter than ever.  With the advent of the internet, the power of effective search against vast content collections became obvious for business users, both inside and outside the firewall.   

Of late, attention has predominately been on the companies such as Google, FAST and Endeca.  These companies and their respective products do indeed represent new offerings for enterprise search, but with this announcement by IBM, we are reminded that search is still a focus for solution providers such as IBM (among others, Xerox and Autonomy).  Indeed, IBM must be credited with introducing text-based search to the market with its Stairs product more than a quarter of a century ago.  Much has been done to enhance Search from IBM since those early days.  This grandad - or  "fat lady" of the search market continues to be a player in the game with enhancements being made not only to their Yahoo internet edition, but to the OmniFind Enterprise Search tool as well.  Search ain't over yet folks, and this is likely not this fat lady's final aria.

Thanksgiving is over, that means it is the official start of the holiday shopping season.  So, what's the hottest item on the holiday shopping list this year?  Well judging by the fact that it is already back ordered due to popular demand, Amazon's Kindle is on that list.  But the fact that it this e-book appliance is a hot new “holiday item” is not why I am blogging on it (but if any of my friends or relatives are wondering what to get me this year . . . ).  What catches my attention as an ECM blogger is that Kindle helps to herald in (I can hear those angels now), an ECM subject that I have been speaking about for several years, content delivery.   (See earlier blog post and recent paper). 

This is so cool - no not Kindle itself (though it is), but the fact that ECM is  once again hitting the mainstream public, and this time in the form of content delivery. Content delivery represents a huge opportunity for the ECM market, and for the creativity of content managers.  Personalized content, dynamic content, JIT content, portable content, nimble navigation through the entire Library of Congress - carried around in your hip pocket . . . the list seems endless.

On a more technical note, it is interesting to note that Kindle utilizes technology developed by Xerox many years ago, digital ink and digital paper.  While Xerox once again failed to bring technology to market itself, it has fueled and empowered the commercial instinct and reach of Amazon, who has productized this technology for the mainstream, and is positioning Kindle as the book version of the iPOD (there is a Kindle store - available directly from Kindle).  This is interesting times for ECM indeed, as not only does Kindle represent the widescale adoption of digital paper, but another player in the business content delivery market place - Amazon.  While Kindle makes traditional publications available (magazines, newspapers, books),  it also provides access to blogs, e-mail, Word documents, image files, IM (although it should be noted that Amazon charges a fee to convert "non-Kindle" files such as e-mail and Word to their proprietary format) - all through the high-speed data network (EVDO) used by advanced cell phones (hot spots not necessary) and in a unique (for now) book type interface (complete with page turning, highlighting, dog-earring, bookmarking) and the physical look and size of a paperback. The lines of distinction between laptops, cell phones, PDAs and now e-books continues to blur.

The topic of content delivery (the on ramps and off ramps of ECM) is on the AIIM Market Intelligence Market IQ editorial calendar for Q4 2008.  Kindle will definitely be a part of the issues discussed in that report.  So stay tuned. Due out in December 2008, the Market IQ may be the hot new content of the 2008 holiday season – available for download to your Kindle – if you are among the lucky recipients  this holiday season.

As you all know, we recently released our Market IQ on Content Security.  Since then many people have reacjed out with additional commentary.  Today, AIIM colleague John Newman shared an article that ran in USA Today.  The article references research recently cone by Radiance Technologies which provides hard numbers of the prolific use of personal e-mails and shipping of CDs/DVDs by business people in order to share files, whose size makes them prohibited for e-mail shipping/sharing online.  Perhaps the biggest finding in our Market IQ was the level of ignorance in most organizations with regards to state-of-the-art approaches to securing content and the level of threat or workarounds that are currently in use.  Too many organizations obtain a very false sense of security (pun intended) by instituting such arbitrary, antiquated and ineffective polices around content sharing, as restricting file sizes in incoming and outgoing e-mail.  Would they not be far better served with a filtering policy based on the actual content of the file. 

As the USA article points out, the damage done through these arbitrary policies and their correlated workarounds is two fold.  Not only do they not actually prevent potential inappropriate data leaks, but they basically encourage employees to use workarounds in order to get real work done.  But, these workarounds leave no trail of where the corporate files are sent, or how collaboration is being used.

In the Radiance Technologies survey, respondents overwhelmingly cited the lack of file tracking as a concern; 90% said it would be helpful to have an automatic record of who sent and received a file. Workflow and productivity would improve if files could be sent and received more easily over the Internet, according to the survey takers.  Yes indeed, I most whole heartedly agree with these survey takers.  When content security, as defined in the Market IQ, is integrated into an overall corporate strategy for content management, collaboration and process efficiency are enabled, not hindered, in an environment that nonetheless runs as secure, if not more securely than one that tries to arbitrarily lock down content sharing.

We are in the throes of developing our next Market IQ, and AIIM training course on Enterprise 2.0.  It is interesting that, as a result, we, the AIIM Market Intelligence Group, find ourselves using many Enterprise 2.0 collaborative tools as we undertake this collaborative authoring and research project.  Too many people (in our opinion, we'll see what the research shows), nearly exclusively target wikis and blogs as the tools of Enterprise 2.0.  While we are indeed using such tools, we are also using simple straightforward shared document authoring tools, namely Google Docs.  Google is to be commended for providing this toolset as freeware.  Its an excellent example of an Enterprise 2.0 tool (collaborative, web based, easy to deploy, low cost of entry).

It is ironic though, that this environment does not provide a tangential, often overlooked, technology, namely search.  While some may argue that search is not an Enterprise 2.0 technology, I would argue that it is clearly a related and valuable tool to "integrate" into the Enterprise 2.0 environment.  Too many wikis and blogs that I encounter provide little to no search capability.  This is a very real shortcoming for obvious reasons.  But in this case, the lack of such functionality is more than frustrating, and an oversight, it is downright ironic given that the provider of the platform is Google. 

Last week, I spoke at an AIIM Webinar sponsored by Google (access recorded webinar).  The webinar focused on universal search.  Google is positioning their enterprise search tool as just that, a single search platform that can cut across, integrate into, virtually any and all content repositories, providing a single point of search.  Such functionality promises to end the search silos, causes of frustration of so many knowledge workers who find themselves the users of multiple search tools, which was a major point I made in my presentation during the webinar. Invoking the browser search within GoogleDocs (in my case Firefox), provides me with search, but again as a silo, not via an enterprise search experience, not via a "standardized search box", not via Google.

This is  likely just  a symptom  of a nascent technology genre, an issue we plan to delve into in the upcoming Market IQ.

There was an article in the paper today that once again provides support for the propositions made in the recent Market IQ on Content Security.   The need for organizations to develop a strategy and deploy a system that supports collaboration and access to online content, while minimizing or eliminating risk/protecting privacy seems to be popping up everywhere.  In today's article the target was the State of Massachusetts and the dilemma officials are facing with regards to the universal health care law passed this year.  Apparently, in order to adequately administer and control the plan, individual medical claim records need to be published and made accessible to many state employees.  Yet, the highly publicized issue of personal health and financial data breaches stands as a high risk challenge to this need.  The article does a decent job of pointing out the benefits of making the content available (including publication of authenticated BI-type content  listing best rated/lowest cost health care providers), but offers no insight into how the risk factor and trust will be approached.  JudyAnn Bigby, state secretary of health and human services was quoted as saying "This data will be public record unless we have a regulation in place to withhold the data."  Sure, but as a resident of Massachusetts, I want to go on record as saying, I hope the state does more than have a regulation in place.  I hope they have in place a way to enforce access policies as well.  This seems to echo teh general finding in the Market IQ report that while most business personnel understand teh need for content security, few understand what to do about it beyond written policies and traditional technology approaches, which have been shown to be riddled with risk.

Its always nice when current events substantiate the opinions purported in our research.

Right on the heels of our Market IQ report and webinar on Content Security, Whole Foods announced just hours ago that it is forbidding its executives from participating in Internet message boards (article).  This is a reaction to their CEO being caught posting comments about the company, under a pseudonym, on Yahoo financial chat boards.

A wonderful real life example of why and how content security can be used.  It would behoove Whole Foods to not only forbid such behavior, but further enforce this policy through the use of technologies such as authentication and data leak prevention.

Content Security - its real - its now.

This  is the third (and final for me, see more Q&Q at Dan Keldsen's blog Biztechtalk), posting of answer to questions left outstanding from our recent webinar on the MarketIQ on Content Security (download report). (View earlier Q&A postings).

Q: Using a camera phone or video camera to record content would violate privacy whether or not the person is an authorized user. What do you do about that? That seems that would overcome the point of the self-destructing files. please help me with this!

A:  Unfortunatley there is no technology approach that can completely overcome poor ethics.  Yes, it is true that despite any controls put in place, of someone gets to view a document they could take a picture of it (or transcribe it).  Subsequent attempts, using IRM/ERM to prohibit further access are rendered nearly moot.  I say nearly moot, because using other authentication technologies, such as trusted time stamps, it can be proven that the photocopy is just that, not an original.  That said, nonetheless the "pirate" does have a full readable rendition of the document.  Other physical controls should be put in place in highly secure environments.  For example, perhaps access to such content is only provided in rooms that are monitored - no cameras allowed.  Policies should clearly state what is and is not permitted, with retribution stated.  Ultimately, if the potential for unscrupulous behavior outweighs the benefits of content sharing, than the affected documents should not be provided, online or otherwise.

Q:  You suggested "rugged, general policies" assigned to content, but often, what is needed is department/project group segregation of access and control over content, and some of those groups are outside the company itself.  Do you have advice for implementing more complex policy structures?

A:  The tools we discussed in the webinar do allow for the most complex policies, and any number of them.  You could potentially have a unique policy declared for each individual document.  The point I was making in the webinar is that you probably do not want to do that because management of myriad policies is a burden you probably do not want to take on.  There is typically an initial tendency to view the power and flexibility of content security and be awed by them, leading to the creation of multiple unique policies.  I suggested that the manner take a second look and determine if a smaller number of policies can be created.  It is recommended that you create as few as possible, while still meeting all the requirements for securing the content.  By the way, content security tools allow the granting of permissions outside "the group".  You can defined documents (collections of documents) that permit "outsiders" who have access to them to set further restrictions and/or sharing, but obviously within the parameters set by the ultimate document permissions owner.

This is the second posting of answers to questions remaining from our recent Market IQ Content Security webinar.  (An earlier posting was made last week.  The recorded webinar is available for download.  The Market IQ report is also available for download.). 

Q: Do you think it is a good or bad idea for organizations to limit employee access to stuff like Facebook?

A:  Access to tools such as Facebook have much to do with an organization's knowledge management inclination, culture and value derived from knowledge sharing, especially in a global sense.  IF the organization sees value in collaborative development (used here very liberally), then it stands to reason that there is much to be gained form broad social networking and collaboration in tools such as Facebook.  That said, and as was stressed in the webinar, that does not mean that the organization needs to provide carte blanche access to the tool.  Perhaps only certain employees "need" such access, and so only those will be enabled.  Using content security techniques such as ERM and data leak protection, controls could be set in place to monitor the exchange of knowledge in these environments, greatly reducing the potential for inappropriate usage of the platform.  In deed, good corporate governance requires that such an approach be taken, in my opinion.  But to just deny access out of fear of possible security breach (as was found to be the case in 50% of organizations polled by Sophos), is to also limit the potentially great benefit from collaboration. 

Q: Shouldn't emailing documents be prohibited and only allow on-line access to the docs?

A:  What you suggest here could very well be a best practice, but it takes a radical mind shift in the minds of most business users.  E-mail has quickly proliferated every organization and has been "over used".  I know of many organization that use e-mail as a workflow tool, for example, which it is not really meant to be, and does create an unnecessary duplication of files.  So yes, content security technology could be used to enforce the policy that you propose here, but again it will take someone in senior management to dictate that policy.  Another thing to consider in this regard is the extent to which this is being done inside and outside teh firewall.  Sharing files inside the firewall, without e-mail is fairly straightforward.  IF files are being shared outside the firewall, and e-mail attaching is prohibited, than a extranet-type document platform will have to be established, in which intra-company document exchange occurs.

As I mentioned in a post yesterday, our webinar on Content Security (available for replay) was a great success, so much so that we did not have time to handle all the questions that our 200+ audience submitted.  Over the next 2 weeks, Dan Keldsen (on his blog www.biztechtalk.com) and I (here in this blog, www.takingaiim.com), will be answering those questions, and in the spirit of Web 2.0 and an ECM community encourage to continue to feed questions ala comments to these postings.  We promise, all questions/comments will be addressed.

So here goes, the first 3 questions:

Q: With everyone so focused on security, has the industry turned more than ever to the best practices for Records Management.

A:  To a certain degree yes, but for many, the definition of Records Management (RM) is being expanded as well.  In the Content Security Market IQ, several questions regarding the role of RM were posed.  RM was ranked the single most popularly deployed technology component in existing content security systems, with 55% indicating such (it was tied with User authentication, with e-mail management a very close second at 54%).  65% of respondents also indicated RM either mostly or fully understood in their organization.  So yes, there is a focus on RM as a component to content security, and as such there is much inquiry on best practices and ways to use software to drive compliance with RM policy.  But the report also found that RM alone is not the answer, (witness the same ranking of User Authentication, for example, as a deployed component, and the confusion of positioning E-mail management as separate and distinct from RM), nor the answer in every case.  44% of the organizations polled indicated that they had no RM in place, and had no immediate plans to do so.  (On a personal opinion note, that scares me.  RM should be positioned as a component in most organizations.  To simply ignore it is risky.  It may be that this level of ignoring is tied to the lack of awareness of many organizations regarding RM.  Indeed, you may recall that they report found that there is a general lack of awareness with most content security functions and technologies.) Individuals are also coming to realize that content security must address “all content” not just that which is declared a business record.  Nonetheless, to wrap up,, yes, the focus on content security does place renewed interest in RM best practices.  (For those that wish to gain expertise in this area, you may consider the AIIM training and certificate program on Electronic Records Management.)

Q: You presented a graph that suggested the biggest challenge content security etc, is user acceptance. What measures do you suggest to put in place with the user community to ensure that most end up as raving fans of the new technology business processes?

A:  Actually, the graph shows “Lack of Understanding” as the biggest impediment to implementing Content Security (budget aside).  In fact, the comment I made was that, for the first time in the 20+ years I have been doing ECM-related market studies, I believe this is the first time user acceptance was NOT the #1 issue raised in this regard (it ranked 3rd, below “lack of understanding” and “complexity of solution”.  This so clearly reinforces the repeating finding of the study, that there is a dire need for education regarding content security, from both a business and technology perspective (greater need for education was found on the technology side), in the market.  So the measures I suggest to garner user acceptance are measures of education.  That is to say, a strategy project should perhaps begin with a careful analysis of user needs in this regard. What type of content do each user/community create, share and need to manage.  Then educate the users on the different alternatives or approaches to providing control over their content, while enabling access to the content.  Educate on the risks and costs associated with each approach.  When that is accomplished for most, if not all of the community, then you have achieved the first “benchmark” in your project.