Wednesday, August 23, 2006

Web technology for electronic records

Electronic records are hugely valuable evidence of business operations, which must be managed rigorously through their lifecycle to eventual destruction. They may be documents generated by human-driven authoring tools or other (typically human readable) information created through automated processes. Regardless, they are still just electronic files.

Organizations pay a lot of attention to records management (RM) to ensure that their records are well organized, accurate and retained securely through their lifecycle to eventual destruction. The importance of strong electronic records management systems and practices can not be underestimated. What happens though when documents are removed from the system, to take to court, or just to pass to a business partner? How do you continue to demonstrate good management of those records, their classification, authenticity and integrity? Traditional records management has always struggled with the problem of records leaving the custody of the records archive. Perhaps records management can learn a little from the web world.

When you decide to download a file you find on a website you are interacting with a vulnerable system, one that is open to malicious attack, putting the authenticity of files at risk. As the consumer of this downloaded information you need a way to be sure that the file you downloaded really was the file that you were intended to see. The vulnerability of the web world has warranted the creation of strong mechanisms to address this issue.

Open source software projects typically provide a checksum like an MD5 hash of a file which can be used to ensure that none of the information in the file has been changed since it was published. Digital signatures on Adobe PDF and Microsoft Office documents demonstrate the authenticity and author information of the files. They rely on certificates and Public Key Infrastructure to enable the publisher to demonstrate the authenticity and integrity of the file without needing any contact with the consumer.

The approach of embedding more and more metadata into documents is being perpetuated by Adobe and Microsoft on the desktop, not just for DRM but also for general document classification and audit information. In general, documents and all of their associated information are becoming more self-identifiable, through semantic web technologies like RDF. This can only help records managers locate and manage electronic documents that have left the central repository, much like RFID can help them with physical assets.

Digital or Information Rights Management (DRM) takes embedded information, digital signatures and encryption a step further. With DRM a document publisher can also enforce the lock down of the document by embedding unalterable policy information into it. The policy information ensures that the document can only be read by the person it was assigned to as well as ensuring its effective destruction when it expires, even when it is outside of the repository. Think of this like the tape recorded message in Mission: Impossible that would self-destruct a few seconds after being played, or the ability of iTunes to prevent you sharing downloaded tracks.

EMC recently announced that it was pairing its Records Manager with DRM technology aquired from Authentica, enabling records managers to enforce their policies for all records, independent of custody. In principle this seems like a great pairing, but there are some issues to be addressed:

  • Seamless integration of the separate technologies is required to make DRM manageable from standard records policies without additional complexity
  • Handling legal holds to prevent the destruction of documents is virtually impossible
  • Automated destruction of records outside the repository may adversly affect business partners ability to retain records and may represent unexpected legal or compliance issues
  • Producing protected versions of every document retrieved by a user is processor intensive
  • Proprietary encryption and DRM typically ties an organization to that vendor for life

This final point is essential to bear in mind. Without the DRM infrastructure available to enable enforcement of the rights and policies an organization and its partners are left with a worthless set of files that can not be read, much like the proprietary storage systems of the 70's and 80's that required massively expensive migrations as systems reached the end of life.

The effective management of electronic records requires organizations to rethink the completely locked down records archive that was possible with physical assets. Web technologies offer many alternatives, and CIOs under the guidance of general counsel should ensure that they embrace opportunities based on standards that will truly benefit the organization long term.

Technorati tags:

No comments: