authentication

March 12, 2008

PDF/A - Final Resting Ground for ECM?

Nearly twenty years ago I gave my first ECM seminar.  Cutting edge topics included imaging and optical storage.  Much has changed since then.  Imaging, then a standalone, typically proprietary, siloed technology, has evolved into a function or feature of an ECM.  Optical storage is no longer viewed as "different and confusing", and has evolved into a mainstream component of a hierarchical storage management (HSM) strategy.  Some things haven't changed, however.  One of the more frequent questions back then is still often asked: "If I migrate business content to electronic format, how do I guarantee that the content will still be accessible and readable 20 years from now, 50 years from now, 100 years from now?"

The question often caused me, and other presenters, to go into the consultant song and dance routine.  There was no one surefire way to do it.  The industry has made a major step forward in addressing that concern.  The AIIM standards group has developed an electronic archiving file format standard known as PDF/Archival, or PDF/A.

PDF/A is the first PDF standard developed in a collaborative manner by AIIM and NPES (The Association for Suppliers of Printing, Publishing, and Converting Technologies).  It was developed to define a file format, based on the Adobe PDF standard, that provides a mechanism for representing electronic documents in a manner that preserves their visual appearance over time, independent of the tools and systems used for creating, storing, or rendering the files.  In other words, PDF/A provides a file format for long-term preservation of electronic documents.

In order to raise market awareness of the standard, AIIM has developed a new training course on PDF/A.

Beginning in April, this two day training focused on PDF/A (ISO 19005-1) and its use as a file format for archiving and preserving electronic data will be available as either web-based, public or private class offerings. This course will enable the person attending to speak more knowledgeably about PDF/A as well as know how and when to apply the use of PDF/A.

AIIM is responsible for the majority of the PDF family of standards which includes PDF, PDF/E, PDF/UA, PDF Healthcare and PDF/A.

Those who are interested in the training should contact Betsy Fanning (bfanning@aiim.org or 301-755-2682).

November 07, 2007

Whole Foods - Needing Whole Approach to Content Security

It's always nice when current events substantiate the opinions put forward in our research.

Right on the heels of our Market IQ report and webinar on Content Security, Whole Foods announced just hours ago that it is forbidding its executives from participating in Internet message boards (article).  This is a reaction to their CEO being caught posting comments about the company, under a pseudonym, on Yahoo financial chat boards.

A wonderful real-life example of why and how content security can be used.  It would behoove Whole Foods to not only forbid such behavior, but further enforce this policy through the use of technologies such as authentication and data leak prevention.

Content Security - it's real - it's now.

November 06, 2007

aiimQ&A: Market IQ on Content Security

This is the third (and final for me; see more Q&A at Dan Keldsen's blog Biztechtalk) posting of answers to questions left outstanding from our recent webinar on the Market IQ on Content Security (download report).  (View earlier Q&A postings.)


Q: Using a camera phone or video camera to record content would violate privacy whether or not the person is an authorized user.  What do you do about that?  That seems like it would overcome the point of the self-destructing files.  Please help me with this!

A:  Unfortunately there is no technology approach that can completely overcome poor ethics.  Yes, it is true that despite any controls put in place, if someone gets to view a document they could take a picture of it (or transcribe it).  Subsequent attempts, using IRM/ERM, to prohibit further access are rendered nearly moot.  I say nearly moot because, using other authentication technologies such as trusted time stamps, it can be proven that the photocopy is just that, and not an original.  That said, the "pirate" nonetheless has a fully readable rendition of the document.  Other physical controls should be put in place in highly secure environments.  For example, perhaps access to such content is only provided in rooms that are monitored, with no cameras allowed.  Policies should clearly state what is and is not permitted, with the penalties stated.  Ultimately, if the potential for unscrupulous behavior outweighs the benefits of content sharing, then the affected documents should not be provided, online or otherwise.

Q:  You suggested "rugged, general policies" assigned to content, but often, what is needed is department/project group segregation of access and control over content, and some of those groups are outside the company itself.  Do you have advice for implementing more complex policy structures?

A:  The tools we discussed in the webinar do allow for the most complex policies, and any number of them.  You could potentially have a unique policy declared for each individual document.  The point I was making in the webinar is that you probably do not want to do that, because management of myriad policies is a burden you probably do not want to take on.  There is typically an initial tendency to view the power and flexibility of content security, be awed by them, and create multiple unique policies.  I suggested that the manager take a second look and determine whether a smaller number of policies can be created.  It is recommended that you create as few as possible while still meeting all the requirements for securing the content.  By the way, content security tools do allow the granting of permissions outside "the group".  You can define documents (or collections of documents) that permit "outsiders" who have access to them to set further restrictions and/or sharing, but obviously within the parameters set by the ultimate document permissions owner.

November 02, 2007

aiimQ&A: Market IQ on Content Security

As I mentioned in a post yesterday, our webinar on Content Security (available for replay) was a great success, so much so that we did not have time to handle all the questions that our 200+ audience submitted.  Over the next 2 weeks, Dan Keldsen (on his blog www.biztechtalk.com) and I (here in this blog, www.takingaiim.com) will be answering those questions, and in the spirit of Web 2.0 and an ECM community we encourage you to continue to feed questions as comments to these postings.  We promise, all questions/comments will be addressed.

So here goes, the first 3 questions:

Q: With everyone so focused on security, has the industry turned more than ever to the best practices for Records Management?

A:  To a certain degree yes, but for many, the definition of Records Management (RM) is being expanded as well.  In the Content Security Market IQ, several questions regarding the role of RM were posed.  RM was ranked the single most popularly deployed technology component in existing content security systems, with 55% indicating such (it was tied with User Authentication, with e-mail management a very close second at 54%).  65% of respondents also indicated RM is either mostly or fully understood in their organization.  So yes, there is a focus on RM as a component of content security, and as such there is much inquiry on best practices and ways to use software to drive compliance with RM policy.  But the report also found that RM alone is not the answer (witness the same ranking of User Authentication, for example, as a deployed component, and the confusion of positioning E-mail management as separate and distinct from RM), nor the answer in every case.  44% of the organizations polled indicated that they had no RM in place, and had no immediate plans to do so.  (On a personal opinion note, that scares me.  RM should be positioned as a component in most organizations.  To simply ignore it is risky.  It may be that this level of ignoring is tied to the lack of awareness of many organizations regarding RM.  Indeed, you may recall that the report found there is a general lack of awareness with most content security functions and technologies.)  Individuals are also coming to realize that content security must address "all content", not just that which is declared a business record.  Nonetheless, to wrap up, yes, the focus on content security does place renewed interest in RM best practices.  (For those that wish to gain expertise in this area, you may consider the AIIM training and certificate program on Electronic Records Management.)

Q: You presented a graph that suggested the biggest challenge to content security, etc., is user acceptance.  What measures do you suggest to put in place with the user community to ensure that most end up as raving fans of the new technology business processes?

A:  Actually, the graph shows "Lack of Understanding" as the biggest impediment to implementing Content Security (budget aside).  In fact, the comment I made was that, in the 20+ years I have been doing ECM-related market studies, I believe this is the first time user acceptance was NOT the #1 issue raised in this regard (it ranked 3rd, below "lack of understanding" and "complexity of solution").  This so clearly reinforces the repeating finding of the study, that there is a dire need in the market for education regarding content security, from both a business and technology perspective (the greater need for education was found on the technology side).  So the measures I suggest to garner user acceptance are measures of education.  That is to say, a strategy project should perhaps begin with a careful analysis of user needs in this regard.  What type of content does each user/community create, share and need to manage?  Then educate the users on the different alternatives or approaches to providing control over their content, while enabling access to the content.  Educate on the risks and costs associated with each approach.  When that is accomplished for most, if not all, of the community, then you have achieved the first "benchmark" in your project.

October 16, 2007

CSaaS - Content Security as a Service

Earlier today I posted on the merits of ECM delivered in a SaaS model.  Over the last week, I have also been commenting on the newly released AIIM Market IQ on Content Security (download report).

There is a most interesting point of intersection between these two topics.  In the Market IQ report, we posed the question to 600 responding organizations, “Would You be Likely to Implement Your Content Security System in an Outsourced or SaaS Model?"   An overwhelming 78% stated that they would not.


Of those that said "No", 38% cited "Lack of Control/Increased Security Concerns" as the number one reason why.  This is a legitimate concern.  As discussed in detail in the Market IQ report, securing online content is a complex issue.  Today's security must be agile enough not to inhibit communication and collaboration, yet thorough enough to eliminate unauthorized sharing/access, whether intentional or accidental.

One of the overall key findings in the Market IQ was that the market is relatively immature and requires a fair amount of education.  I believe this is the case with regards to a SaaS approach to Content Security.  Surely no organization should ever surrender control of their business content to a third party without a thorough examination of that party’s capabilities.  But it is reasonable to foresee a situation in which a content service provider offers a level of security as good as, or even better than what the content owning organization can provide. 

As the market and the courts mature (see earlier post: Courts Get Serious About Digital Content), it will be interesting to see how this issue unfolds.  Those considering outsourcing content management (and security) need to make a thorough assessment of the security provisions offered by the service provider.  Agreements should clearly indicate the degree to which the service provider "guarantees" security and the limit of their liability should a breach of security occur.  Organizations will likely someday be provided statements of content management and security from a service provider that can be incorporated, by reference, into the Corporate Governance Plan.

Indeed, looking forward I can see a time when organizations "surrender" their content (and its security) to "professionals" that provide state-of-the-art, industry best practice content management and security.  Organizations have taken this approach with paper files for many years.  It is only a matter of acclimation before they become as comfortable with similar digital services.  Simultaneously, content management service providers are wise to begin developing such offerings, and determining how they will handle the legal assurance aspect of this nascent business proposition.

This and other related issues will be discussed in the upcoming AIIM Webinar on Content Security, being held on November 1, 2007. (register). 

October 15, 2007

As Web 2.0 Matures Openness Tempered

As readers of this blog know, I am a proponent of Web 2.0 and its corporate counterpart, Enterprise 2.0.  You are also aware that I have several times mused about how pure uncensored or unmanaged collaboration is over-hyped: some management makes sense, and some control over who contributes and what is contributed can be necessary.  There was an interesting development in Web 2.0 that supports this position.

Sermo, a Web 2.0 collaborative site that allows physicians from around the world to exchange ideas and observations, decided recently to expand its community, but simultaneously strengthened its content and user authentication.  Sermo is approximately a year old and already has over 30,000 physicians participating.  The forum was founded as a controlled platform, for doctors only, with assurance that content is protected from the general public.  Sermo is rooted in the philosophy that Web 2.0 collaboration does not have to mean "wide-open", and that contributors can be registered and "approved". 

Today, Sermo announced that it will partner with Pfizer, a move that seems to go against the charter of Sermo, i.e. letting industry commercial opinion into the mix.  Apparently after a year of collaboration, the community of doctors believes there would be value in having input from "the industry", i.e. pharmaceutical R&D professionals.  But, according to the article, "it's expected any postings by Pfizer's medical staff must be clearly identified as coming from a Pfizer source logging onto the system securely from an office computer," said Daniel Palestrant, Sermo's CEO.  In our recent Market IQ on Content Security, we talked about content and user authentication.  This move by Sermo is an excellent example of the value of such functionality.  Moreover, Sermo is an example, in my opinion, of the future of many Web 2.0 and Enterprise 2.0 sites, which will rely on content security techniques to provide greater value and control over otherwise chaotic input.


July 26, 2007

Web 2.0 Back to Business 1.0 - Part 2

Yesterday I blogged regarding the lawsuit between ConnectU and Facebook (Web 2.0 Back to Business 1.0), commenting on the need for Web 2.0 content and processes to be secured and governed with the same degree of scrutiny and thoroughness of any other form of enterprise content. 

Well, the lawsuit was in the news again today, and continues to provide fodder for the ECM community.  Judge Woodlock delayed the case, asking the plaintiff, ConnectU, to provide more legally admissible evidence to support the claims of the lawsuit (fraud, copyright infringement and misappropriation of trade secrets).  To quote Judge Woodlock, "Dorm room chit chat does not make a contract."  The judge asked that the ConnectU legal team substantiate its claims more effectively with its evidence, which is limited to e-mails and telephone voice mail messages.

As the informality of Web 2.0 enters the business mainstream/Enterprise 2.0, participants need to realize that despite the power and informality/personal nature that somewhat characterizes Web 2.0, when used in business settings it is still business as usual.  The plaintiffs may learn that "Those that live by the sword die by the sword", or in this case "Those that live by the blunt instrument lose their case by the blunt instrument."  Content "captured" in wikis, blogs, e-mails and "dorm room conversations" loses relevance if it cannot be positioned and authenticated beyond repudiation.  Stay tuned . . .

July 11, 2007

Are You for Real? - Content Authentication

In yesterday's post I introduced the idea of leveraging content security as a way to simultaneously build a corporate knowledge base or DNA.  The post ended with required functionality, among this the need to authenticate content.  Allow me to elucidate.  The ability and need to authenticate content is today more important than ever.  Why?  Because the web, blogs and wikis have enabled an era in which "everyone is a publisher / everyone is an authority."  This really is Andy Warhol on steroids: "In the future everyone will be famous for 15 minutes."  Well, the future is here, and that 15 minutes can last for as long as someone wants to keep publishing.  Powerful, yes: an enabler of collaboration and social network analysis.  But in such a world we must be more careful than ever to validate our sources.

There are at least three basic scenarios in which validation is critical.

The openness of the internet requires that we validate the source.  While I have always been in line with this philosophy, I did not understand the gravity of the issue until 2 years ago, when I had the opportunity to work with a group of federal librarians.  Jan Herd, a research librarian with the Library of Congress (which offers a great interactive site), demonstrated the criticality of the point I was making.  She performed a Google search on "Martin Luther King", a popular query given the timeframe (it was the week following Martin Luther King Jr.'s birthday).  As you would expect, hundreds of sites were retrieved.  Jan opened the site listed at the top.  It looked credible enough.  Using a series of tools and techniques at which she is a master, she was able to trace the original ownership of the content back to a white supremacy group.  Yikes.  Perhaps not the most credible source on the subject.

Within blogs and wikis it is equally important to know where content is coming from.  At the Enterprise 2.0 event I attended in Boston several weeks ago, the issue of trust was raised more than once.  How does one know they can rely on the content?  This is why I have never been a fan of anonymous postings to a blog or wiki.  Is the source credible?  Does the opinion belong to someone for whom you have respect and confidence?

Lastly, general business e-documents (e.g. web files, Word files, PDF files, e-mails, etc.) need to be authenticated as well.  In yesterday's blog I spoke of a television show in which research was performed on an antique document.  The legitimacy of the document (i.e. did Thomas Jefferson actually sign it, and was the signature placed at the time he was President?) had to be validated in order to establish the legitimacy (and in this case cash value) of the document.  In the digital age validation and authentication are paramount.  Too many techniques are available to alter so-called original content, including false endorsements and back/post dating.  Good records management policy can help in these cases, but the tools applied to validation and authentication have to be as versatile and powerful as the authoring/editing tools of today.  Business e-records must be able to prove authenticity, even at various points in time (the electronic equivalent of: did Thomas Jefferson really "sign" this, at what time was his signature applied, and has the content of the document been modified in any way since his signature?).  Because there is the capability to alter electronic files and time stamps, the approach used must be beyond repudiation in order to be admissible and reliable.  The case law regarding this is mounting (among the best recent examples is Lorraine v. Markel Am. Ins. Co.).  Establishing content security that goes beyond repudiation is quickly becoming a requirement for any comprehensive corporate strategy, and as such is a topic that will receive ample coverage in The AIIM Market IQ on Content Security, scheduled for publication in October.
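The three questions this paragraph asks of a business e-record (who signed it, when, and whether it has changed since), together with the trusted time stamp argument in the earlier Q&A answer about photographed documents, come down to a small amount of mechanism.  The program below is an added example; it is not code from this blog, from AIIM, or from any product mentioned here.  It uses Ed25519 signatures and SHA-256 from the Go standard library, and models the time-stamp authority (TSA) as a second key pair whose token binds the author's signature to a point in time.  The document text, the date and all key material are constructed for the example, and the struct and function names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SignedDoc answers "who signed it": the author's signature over the
// document's SHA-256 digest. (Example types, not a real record format.)
type SignedDoc struct {
	Digest    [32]byte // SHA-256 of the document content
	Signature []byte   // author's Ed25519 signature over Digest
}

// TimestampToken answers "when": the TSA signs (hash of the author's
// signature || time), so neither the time nor the signature it refers to can
// be changed without invalidating the token. The TSA never sees the document.
type TimestampToken struct {
	SigDigest [32]byte // SHA-256 of SignedDoc.Signature
	Unix      int64    // time asserted by the TSA, seconds since epoch
	TSASig    []byte   // TSA's Ed25519 signature over tokenMessage(...)
}

// SignDocument is the author's side: hash the content, sign the hash.
func SignDocument(doc []byte, authorPriv ed25519.PrivateKey) SignedDoc {
	d := sha256.Sum256(doc)
	return SignedDoc{Digest: d, Signature: ed25519.Sign(authorPriv, d[:])}
}

// tokenMessage is the exact byte string the TSA signs: 32-byte digest
// followed by the time as a big-endian uint64.
func tokenMessage(sigDigest [32]byte, unix int64) []byte {
	msg := make([]byte, 40)
	copy(msg, sigDigest[:])
	binary.BigEndian.PutUint64(msg[32:], uint64(unix))
	return msg
}

// IssueTimestamp is the TSA's side: it receives only the signature bytes and
// commits to the time at which it saw them.
func IssueTimestamp(sd SignedDoc, tsaPriv ed25519.PrivateKey, now time.Time) TimestampToken {
	sigDigest := sha256.Sum256(sd.Signature)
	unix := now.Unix()
	return TimestampToken{
		SigDigest: sigDigest,
		Unix:      unix,
		TSASig:    ed25519.Sign(tsaPriv, tokenMessage(sigDigest, unix)),
	}
}

// VerifyRecord is the auditor's side. It checks integrity (content unchanged
// since signing), authorship (signature valid under the author's public key)
// and time (token valid under the TSA's key and bound to this signature),
// and returns the time the TSA vouched for.
func VerifyRecord(doc []byte, sd SignedDoc, authorPub ed25519.PublicKey,
	tok TimestampToken, tsaPub ed25519.PublicKey) (time.Time, error) {
	if sha256.Sum256(doc) != sd.Digest {
		return time.Time{}, errors.New("content modified since signing")
	}
	if !ed25519.Verify(authorPub, sd.Digest[:], sd.Signature) {
		return time.Time{}, errors.New("author signature invalid")
	}
	if sha256.Sum256(sd.Signature) != tok.SigDigest {
		return time.Time{}, errors.New("timestamp token does not cover this signature")
	}
	if !ed25519.Verify(tsaPub, tokenMessage(tok.SigDigest, tok.Unix), tok.TSASig) {
		return time.Time{}, errors.New("timestamp token invalid: time or binding altered")
	}
	return time.Unix(tok.Unix, 0).UTC(), nil
}

func main() {
	// Constructed keys and content; nil selects crypto/rand for key generation.
	authorPub, authorPriv, _ := ed25519.GenerateKey(nil)
	tsaPub, tsaPriv, _ := ed25519.GenerateKey(nil)
	doc := []byte("Constructed sample: supply agreement, net 30, signed by the VP of Operations.")

	sd := SignDocument(doc, authorPriv)
	tok := IssueTimestamp(sd, tsaPriv, time.Date(2007, 7, 11, 9, 0, 0, 0, time.UTC))

	report := func(label string, d []byte, t TimestampToken) {
		when, err := VerifyRecord(d, sd, authorPub, t, tsaPub)
		if err != nil {
			fmt.Printf("%-18s REJECTED: %v\n", label, err)
			return
		}
		fmt.Printf("%-18s OK, signed no later than %s\n", label, when.Format(time.RFC3339))
	}
	report("original", doc, tok)
	report("altered content", []byte(string(doc)+" Net 90."), tok) // one edit after signing
	backdated := tok
	backdated.Unix -= 30 * 24 * 3600 // someone rewrites the time field by a month
	report("backdated token", doc, backdated)
}
```

The token is deliberately computed over the signature rather than the document, so the TSA learns nothing about the content and a token issued for one signature cannot be reused for another.  The two rejections show the two alterations the paragraph worries about: an edit after signing breaks the digest check, and a rewritten time stamp breaks the TSA's signature, because the time is inside what the TSA signed.  A production deployment would replace the toy TSA with RFC 3161 time-stamp tokens and tie the author's key to an identity through a certificate, with revocation checking; this example leaves those parts out.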