The growing need to balance content management with Web 2.0 collaboration can open new revenue streams for solution providers.

Information security and corporate governance aren't just for large enterprises anymore. While large public companies continue to face the challenges and expenses of meeting Sarbanes-Oxley and similar regulations, small and medium businesses, as well as public sector organizations, now also grapple with a host of Sarbox-inspired laws. And virtually every organization is feeling the heat of new e-discovery rules that impose stiff penalties for those that can't produce e-mails and electronic documents requested during legal proceedings.
As if these challenges weren't difficult enough, new "Web 2.0" technologies are fueling a parallel trend for greater and easier information sharing through blogs, wikis, and ad-hoc Web sites. These new tools can thwart even the best user access controls and firewalls by spreading sensitive company information to outsiders.
Fortunately, there's an upside for solution providers that understand new content-security practices and technologies and who can advise their customers in this increasingly important area.
Break from tradition
Content security addresses the shortfalls in traditional IT security strategies that help organizations keep outsiders from internal databases and applications. Technologically, these perimeter-protection approaches can be successful at holding most hackers at bay; however, they rely heavily on employees' ability to follow content distribution policies, an assumption that may be too risky in today's highly regulated environment.
Malicious hackers aren't the only danger—e-mail attachments holding sensitive information may be inadvertently forwarded by authorized employees who accidentally fail to edit a distribution list, for example.
Content security combines elements of content management and IT security to help keep important information from unauthorized eyes. The core idea is to not rely solely on traditional access-control technologies like firewalls for a security perimeter to keep outsiders from internal information.
Added protection comes from a host of technologies and policies that create "mini perimeters" around each individual piece of sensitive information. These controls, embedded in the files, assure that only authorized viewers see the information, while additional safeguards control how people use it.
"Content security is a redefinition of something people think they're already familiar with—securing content online," says Carl Frappaolo, vice president of market intelligence for AIIM, an industry association that specializes in content-management research and practices. "But the rules of the game have seriously changed, and we found that many companies have yet to realize that the tools of the game are changing."
Rather than just locking down and hiding content, security technologies today must work in a world where there's increasing demand to share and use information in collaborations among internal and external workgroups, to optimize business processes, and facilitate communications with customers, he adds. "A balance has to occur. There's a risk when you expose content, but there also are benefits. Where do we create a happy medium?"
Content-security technologies let organizations push content outside their boundaries while also assuring that appropriate controls travel with the information. For example, only someone with the right password may unlock a certain file, and while others may access the data, some may be allowed to open the file only once or for a set amount of time—say long enough to read it. Others may view the content, but they're not allowed to print it or e-mail it to anyone else.
Overcoming challenges
But before solution providers benefit from the new business opportunities created by content-security, they must understand and be ready to address some significant challenges. For example, according to research sponsored in part by Xerox Global Services, EMC Documentum, and Certeon, most organizations show little general understanding of content security.
For example, in a recent survey conducted by AIIM, more than half of the respondents said their company had yet to assign a specific group to address content security. Similarly, "no one" was the most common response when organizations were asked who's responsible for content-security initiatives in their organization.
"There's fairly high awareness of the balancing act between locking down information and collaboration," Frappaolo says. "There's also an understanding that this is an enterprise-wide issue, not an issue just for legal or R&D. All departments are generating content that needs to be secured and also needs to be shared."
Unfortunately, there's little understanding about how to deploy content security systems, he adds.
How to sell content security
What can solution providers do to increase awareness and launch content-security systems?
First, help customers understand the business value of this approach. Focus on the risks organizations face when they expose sensitive information to unauthorized people. When AIIM asked companies the degree to which content had been updated or deleted by unauthorized individuals within the last two years, most respondents didn't know the answer. Most also didn't know if anyone had recently accessed internal content by hacking or accidental exposure. "Until [the risks are] being measured, ignorance is bliss," Frappaolo says, but that bliss comes with a high potential for costs to the business or for regulatory fines.
Second, help customers develop an infrastructure that assigns content-security responsibility to specific groups or individuals.
Third, specify and implement appropriate technologies to help customers secure content as it evolves from creation to archiving and destruction. "Content security builds on but doesn't replace content management and records management systems," Frappaolo points out.
Design content management systems as part of an overall enterprise content management (ECM) strategy. Elements of a comprehensive content-security system range from records, document, and Web management software to workflow and business process management (BPM) applications, e-mail and enterprise rights management, identity-management, public key infrastructure (PKI), digital signature, and hierarchical storage management systems.
How do you know which of these components to mix and match? Frappaolo suggests identifying all the various types of content an organization manages and then analyzing the information's security needs over its lifecycle. "The [security] rules change as content ages," he says.
Finally, help customers hone their hype filters, especially around Web 2.0, which may provide concrete collaboration benefits, but also pose unnecessary risks. "[Web 2.0] zealots are going to get broadsided at some point," Frappaolo warns. "There's a sense that all collaboration should be unfettered. Academically, this sounds good. But we're not planning a party here—do we really want to let everyone in and make information available from inside the firewall? [Web 2.0] will be widely adopted only when executives have assurance they can maintain high degrees of control [over the information] and greatly reduce the risk of collaboration."