Documents are the new digital currency for online commerce, the record of business for online collaboration, and the “lifeblood” of present-day business processes. The documents include commercial artifacts such as catalogs, offers, bids and contracts. Doctors and bioscientists leverage documents with domain-specific formats, such as HL7, and medical images. Business networks leverage design extranets through other specialized document types. Aerial surveillance and prospecting require the sharing and storage of images. In the pharmaceutical vertical, these documents might contain information about DNA sequencing, reagent information, and components of drug discovery.
The information contained in these documents is usually sensitive business IP or Personally Identifiable Information (PII), and is often content that is highly regulated, for example by Health and Human Services (HIPAA, FDA) or the Office of Currency Comptroller (Gramm-Leach-Bliley), or self-regulated through consortiums such as the PCI Council. As collaboration becomes global, accelerated through cloud-enabled geo-distribution, it is increasingly convenient for producers and consumers, buyers and sellers, business collaborators and others to leverage cloud-based services to effectively share documents through workflows to transact business. This requires the management of the lifecycles of these documents across trust boundaries that might include organizational, legal or international boundaries. Emerging cloud solutions have a propensity for reducing costs and optimizing ease of use, but if these solutions do not provide sufficient visibility into, and control over, these regulated assets to guard against inappropriate access or modification by cloud intermediaries, there could be significant business and other risks to organizations and their officers.
Efficiency and ease of use are always a high priority, since the ability to efficiently share documents with remote collaborators can become a significant business differentiator for any organization or individual. Those who do not leverage suitable technologies, along with the required ability to protect sensitive business assets, will not be able to effectively capitalize on markets and resources. This is an imperative for these organizations and individuals for their business survival. Hence there is a two-fold need to enable efficiency and productivity, while preserving safety.
Users, who are primarily information workers, have a need to efficiently author, save, share, locate, retrieve, archive and dispose of documents. Other users, such as administrators and regulators, have a need to propagate policies and monitor access enforcement. Often there is a trade-off between ease of use, which is a key underpinning of efficiency, and control, which is a requirement for administration and regulatory compliance.
Present-day systems can usually be grouped under either traditional ‘Enterprise Class’ systems, which are based on servers and services such as Active Directory and SharePoint, or emerging ‘Cloud Scale’ systems, such as Dropbox® and Box®, which leverage cloud services for document sharing and identity federation.
The challenge is that traditional systems tend to be brittle and antiquated, and hence unable to address the emerging needs for geo-collaboration, while emerging systems provide limited functionality and safety. Traditional systems focus on safety and “intra-prise” workflows, with limited and complex support for bridging across enterprises through mechanisms such as virtual private networks. Emerging systems optimize for usability and global sharing, and tend to come up short in the areas of access monitoring and enforcement.
The challenge in moving from traditional to emerging solutions is that this generates a schism between the enterprise, represented by the IT administrator and GRC on one hand, and the information worker on the other. Since documents have a propensity for getting lost, retained beyond their specified lifecycle, or being inappropriately modified, due to negligence, accident, malice or greed, this move to cloud systems poses an immediate risk for enterprises.
These emerging cloud-based solutions continue to leverage “old style” security that relies on the security of hardware and operating systems, and continue to require all-powerful administrators who can view or modify sensitive data. In some cases these emerging solutions leverage federation mechanisms such as SAML (Security Assertion Markup Language) to integrate with enterprise policy and identity systems, but these are disjoint from the cloud provider's own identity and policy systems for its operations staff. Hence there is no trustworthy mechanism to ensure that the cloud provider's actions are compliant with enterprise-conveyed policies. Therefore, despite any augmentation through the traditional digital equivalents of “guard dogs” and “electric fences”, it is not practical to administer the administrator in the cloud, who might have access to the hardware, software, or administrative interfaces of the hosted services that are outside the enterprise region of visibility and control.
Hence enterprise customers view these solutions with suspicion. This is for good reason, because these cloud service providers are frequent targets of warrants and subpoenas from governments for purposes of law enforcement or surveillance. Since these are often bundled with gag orders, with severe penalties for violation, the customers may never come to know who is looking at their sensitive data in documents that are managed through the cloud. One such example in the United States is the National Security Letter (NSL), and many other sovereign entities have their own equivalents.
Furthermore, despite the theoretical ability of any service provider to provide higher levels of security, the critical mass of sensitive data makes them more lucrative targets of criminal and government hackers, and the consequence of a single successful intrusion is significantly more devastating.
The conventional “Enterprise Class” repositories and tools for protecting and managing document lifecycles have grown organically and piecemeal, with incremental functionality added as needed for backup, archival, search, or rights management. This has resulted in a “Rat's nest of Enterprise Infrastructures” (REI). This exacerbates the complexities when access to these repositories needs to be federated across enterprise boundaries, or if this hosting or federation is through a cloud service provider.
The conventional systems and services were often designed to optimize for functionality, rather than ease of use, and also for use within a single organization. The access mechanisms for mobile and remote workers often require VPNs and add a level of complexity that is compounded when information workers are collaborating across organizations. When a mobile worker needs to access disparate repositories in distinct enterprises that are siloed, this complexity is significantly compounded. In a sense, conventional systems are ‘repository-centric’ while the emerging needs are for this to be ‘collaboration-centric’ with the recognition that the collaborators could be working in disparate organizational, legal, sovereign, or geographic regions.
Even though emerging solutions are attempting to jettison some of those archaic complexities of SharePoint and Active Directory, they are sometimes continuing to perpetuate old metaphors of networked and distributed file systems for sharing. Therefore there is sometimes a break from convention, as is the case with the weaknesses in federation of policy for monitoring and enforcement. But in other cases the vestiges of enterprise style sharing such as those that present users with inconsistent and difficult to use file system sharing semantics, detract from the opportunity to provide ‘collaboration-centric’ solutions.
Present and emerging technologies are tending to make the problems of document collaboration worse, as sharing solutions such as Dropbox® are perpetuating an archaic metaphor of networked and distributed file systems, even while solutions such as Apple iOS® move to an application-centric metaphor, which in turn is a piecemeal solution to device access to documents. Furthermore, all of these vendors are creating additional data silos as Apple fuses iCloud into their OS-X and iOS offerings, while Microsoft does the same with SkyDrive and Windows, and Google couples GDrive with Google Apps. Third-party sharing solutions such as Dropbox and Box attempt piecemeal integration with platforms such as OS-X, iOS, and Windows, and with applications such as Google Apps, but are at business odds with storage components such as SkyDrive, GDrive, and iCloud. Hence the present-day software and service delivery model is in conflict when these third parties attempt to compete with, or dislodge, end-to-end solution stacks from larger vendors such as Apple and Microsoft. All of this detracts from the ability to provide end users with ‘collaboration-centric’ solutions that are agnostic of platforms, applications, and cloud storage services.
There is an intense and growing need to help the end user to be more productive through document collaboration, and to help organizations be more efficient and safe in protecting their digital assets. However, it is impractical to consider any forklift changes, or expedient global standardizations to improve the existing collective REI. Due to their own business-centric needs, solution providers are exacerbating the problems by generating more data silos and exacerbating the existing REI. Users are reluctant to change their usage behavior, and re-training of the workforce would be a significant burden on organizations. Similarly, enterprise IT has significant investment in IT infrastructures, workflows and IT policies, and it would be significantly costly and complex to rip and replace these. Hence for any ‘collaboration-centric’ solution it is necessary to make the integration of any new systems and services occur in a manner that is mostly transparent to IWs (Information Workers) and IT Managers.
Meanwhile, users are under assault from an avalanche of information, primarily delivered through documents that they need to generate and share, or access and respond to, but their jobs are becoming increasingly more difficult, since a Windows or Office user is being cajoled to use SkyDrive, while a Google Apps customer is being lured toward GDrive. Meanwhile there is an exploding hodgepodge of specialized storage and collaboration services that address real or perceived needs. As a consequence, the purported cloud-enabled services and tools for simpler, cheaper and more efficient collaboration are tending to increase the complexities that users have to face when they need to collaborate with their peers across heterogeneous enterprise or cloud services. One of the consequences is the ‘BYOD rebellion’ where IWs tend to create grass roots sharing of a single cloud sharing solution, despite the security and compliance risks, because it bypasses these complexities. However, this grass roots model runs into obstacles when the collaborators are on disparate cloud storage and collaboration services, and when these collaborators need to access or update documents that are held in enterprise repositories, or work with collaborators who are continuing to use these enterprise repositories.
It is desirable to have methods, systems and apparatuses for an operator provisioning a trustworthy workspace to a user that is collaboration-centric and reconciles between IT-desired policy-based federation of visibility and control, with the IW-required ease of collaboration.