Unified Information Access Blog

Welcome to Attivio's Unified Information Access Blog. Join us for discussions on topics ranging from enterprise search solutions, information access insights, Agile software development methodology to programming with Java. We hope you'll find the articles informative and participate in the discussions by leaving a comment.

Introducing Active Security

One of the key capabilities included in the Active Intelligence Engine (AIE) is Active Security, a next-generation solution to the significant problem of securely accessing information aggregated across multiple silos. Active Security accepts and normalizes access control and related security information (users, groups, realms, etc.) from connectors and stores it in tables, separate from the document content, just as a database does.

Attivio Active Security Ingestion Workflow

At query time, Active Security automatically rewrites the user's query into a JOIN that intersects the set of records that match the user's query with the set of records the user is authorized to see. This result set includes static and dynamically generated facets featuring exact counts, plus spelling suggestions, all respecting the user's security privileges.

Active Security is comparable to the average database solution in that changing the permissions on a record, a set of records (such as a folder), or some other structure like a security group doesn't impact the content at all: there is no need to re-fetch and re-process documents or rows (from a database), rebuild the index to reflect changes in the group structure, etc. But unlike a database, Active Security supports the core principles of Unified Information Access — truly dynamic schema, arbitrary support for full-text and/or relational queries, including SQL support, and low-cost scaling to massive volumes using commodity servers. You can integrate information rapidly and without painful ETL processing and expose it through the consumption methods of your choice, but still retain the essential security information without which it simply cannot be exposed.

Attivio Active Security Query Workflow

Attivio Active Security ACL Properties

Out of the box, Active Security can ingest and aggregate Microsoft Active Directory (AD) based models as well as custom security schemes built on any database (via our Database Connector). It draws on core AIE capabilities like tables and relational queries and adds a number of new ones, including:

  • An Active Directory (AD) connector that ingests users, groups and group membership
  • Extensions to our Microsoft Exchange, SharePoint and Documentum connectors to collect ACLs along with content
  • Extensions to our Windows file connector that collect Windows ACLs along with documents
  • A Windows service to transmit ACL updates to AIE in real-time

The advantage of separate ingestion and storage of security metadata cannot be overstated. As Greg George points out in his recent blog article, having user/group trees in the index allows Active Security to automatically propagate changes without re-ingesting content. Another cool advantage he describes is the ability to do cross-domain aliasing; this is essential for implementing SSO in a mixed Unix/Windows environment.
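The query-time JOIN and the group-tree propagation described above can be sketched with Python's sqlite3 module. This is an added example, not Attivio's code: the schema, the table and column names, the sample rows, and the rule that an explicit deny entry overrides any allow are all assumptions made for illustration.

```python
import sqlite3

# Hypothetical schema (not AIE's): content and security metadata are kept in
# separate tables, so permission changes never touch the docs table.
SCHEMA = """
CREATE TABLE docs(id INTEGER PRIMARY KEY, body TEXT);
CREATE TABLE member(child TEXT, parent TEXT);   -- user->group or group->group
CREATE TABLE acl(doc_id INTEGER, principal TEXT, allow INTEGER);  -- 0 = deny
"""

# The user's predicate (body LIKE :term) is joined with the documents readable
# by the user or by any group reachable through the membership tree.
SECURE_QUERY = """
WITH RECURSIVE who(p) AS (
    SELECT :user
    UNION
    SELECT m.parent FROM member m JOIN who ON m.child = who.p
)
SELECT d.id FROM docs d
JOIN acl a ON a.doc_id = d.id
JOIN who ON who.p = a.principal
WHERE d.body LIKE :term
GROUP BY d.id
HAVING MIN(a.allow) = 1     -- assumed precedence: any applicable deny wins
ORDER BY d.id
"""

def build():
    """Create an in-memory index with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO docs VALUES (?, ?)", [
        (1, "q3 revenue forecast"), (2, "q3 revenue audit"), (3, "lunch menu")])
    db.executemany("INSERT INTO member VALUES (?, ?)", [
        ("alice", "finance"), ("finance", "staff"), ("bob", "staff")])
    db.executemany("INSERT INTO acl VALUES (?, ?, ?)", [
        (1, "finance", 1), (2, "finance", 1), (2, "alice", 0), (3, "staff", 1)])
    return db

def search(db, user, term):
    """Return ids of documents that match term and that user may see."""
    rows = db.execute(SECURE_QUERY, {"user": user, "term": f"%{term}%"})
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build()
    print("alice:", search(db, "alice", "revenue"))
    print("bob before:", search(db, "bob", "revenue"))
    db.execute("INSERT INTO member VALUES ('bob', 'finance')")  # ACL side only
    print("bob after:", search(db, "bob", "revenue"))
```

Adding bob to the finance group is a single row in the membership table; the docs table is never rewritten, which is the propagation-without-re-ingestion property the post describes.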

Active Security also includes an extensible API that allows custom schemes involving users, groups, ACLs, and other potential elements to be quickly and easily supported. There is no "one-size-fits-all" solution when it comes to enterprise information security — at Attivio our goal is to keep Active Security evolving so that it seamlessly supports a variety of future use cases such as device-dependent security, hardware/software fingerprinting and behavioral authentication. (More on these in future blog posts.)

Perhaps most importantly, Active Security performs and scales — cheaply. One of our clients has an index of 50M content items and 75M security items. On a single ordinary Intel server, AIE answers 90% of user queries, each with 3 facets and spelling suggestions, in less than 1 second. Their security model includes user and group level access, including explicit denial of access to individual documents. They duplicate the index to achieve high availability both within a single data center and across multiple data centers.

In our next release Attivio will add support for generic LDAP security schemes as well as CA's excellent SiteMinder product. For more general information about this critical capability, you may enjoy our webinar Information Access Control: Can you really have faster, safer AND cheaper?

Comments (1)

Robert Nellis - SharePoint Consultant said:

Very good discussion.
September 12, 2011
