Comments on: What’s Wrong with Google’s Enterprise Search Security? (Part 1)

By: Search Done Right » Blog Archive » Enterprise Searching To Surpass Web Searching?

Tue, 19 Feb 2008 20:48:17 +0000

[…] this is changing. When administrators can rely on error-free operations in terms of security, there is no reason, except for lack of budget, ambition, or imagination, to withhold the most […]

By: Search Done Right » Blog Archive » How to Evaluate a Clustering Search Engine

Tue, 13 Mar 2007 20:50:03 +0000

[…] clustered within an acceptable response time. If user authentication is an issue (note discussion here), then the response time should include the time for the search engine to verify that the user can […]

By: Shad

Shad — Tue, 13 Feb 2007 22:23:46 +0000

re: your timing attack on late binding.

It only tells the user if content matching the query is available.
This is only a problem if you have a case where very untrusted users
can query against a higher security search index or a search index
with multiple security levels.

It would be very hard to build up a picture of the content of a single
document using this technique. You don’t have an identifier to work
off of. You cannot be sure that you are accessing the same document.

Examples where this would be useful anyway:
You suspect the government of developing mind reading dachshunds.
If you searched for mind-reading-dachshunds and it took longer than
a garbage query, then you had a good case that they exist.

This timing attack would be quite interesting to try out. The search
engine can skew results by actually padding out low result searches by
doing another dummy search for something more common.

To maintain a higher level of security; if you have low security
users, they should not be allowed to query higher security search
index.

However….

If you have mixed security level content and are using a single index
for it, then you are already saying it’s okay for the user to know
that content exists. But a low security level user isn’t allowed to
see the whole thing. Content-for-pay would be a good example of this;
you have links describing pay-content, but you can’t view it unless
you pay.

An interesting version of this would be where each result is actually
an AJAX call to fill in the details. By using the actual content
management system’s ability to check the user’s credentials (AJAX is
client side) you prevent the search engine from having to have extra
logic to manage credentials (and yet thing to audit). You reveal that
a document exists, and even reveal it’s location. Ideal for a
content-for-pay system. You advertise without giving away the
information.

By: Jerome Pesenti

Jerome Pesenti — Tue, 13 Feb 2007 19:10:35 +0000

1/ “Late binding” is checking if each search result can be accessed with certain credentials - so whatever cache you get is only valid for a given URL and a given user which will be very limited. “Late binding” is often implemented by doing a “HEAD” request to the actual page passing the username & password of the end-user, i.e., it doesn’t involve any ACLs (that’s actually one point of Google’s post: it can be deployed without having to figure out the underlying ACLs).

2/ My post is a response to Google’s post claiming that “early binding” is not secure (because of latencies in the ACL indexing). My point is that in general it’s more secure than “late binding”. I gather from your first point that we actually somewhat agree here that “caching the ACL” is often not a big deal.

I disagree with you with regard to the performance of “late binding” (which, again, is not really an ACL check). It can be (and often is) very expensive. In the case of Sharepoint & Email search for example, it often requires doing hundreds of network requests per query (see Mark Bennett’s explanation in the original post).

3/ Re-entering user credential is not a strict requirement if you have implemented SSO across all your collections, but it’s very common for many security infrastructures (for example for people using Windows Integrated Authentication, see this post on the search appliance user group).

By: Jan

Jan — Sun, 11 Feb 2007 21:59:35 +0000

Hogwash.

1) The answer to performance issues for late binding is ACL caching - and no, it’s different from early binding. With early binding I have no choice as to the validity period of the ACL info - with ACL caching I have ultimate control and can determine on a per-content-set basis how sensitive the ACL’s should be. For HR info I may well require a per-query check, on my published white papers I may be happy with the ACL’s sticking around for days at a time.

2) Highly insecure??? Like anything, I suppose late binding could be implemented in a way that leaks information, but come on - most companies struggle with getting the ACL’s right on their most sensitive content, never mind this. Besides, the ACL check overhead for most systems is very low - I cannot imagine a user (with a stopwatch no less!) gaining any meaningful information this way. There are way too many variables here - this point is just scaremongering.

3) I’m not sure where you get the “need to re-enter user credentials” from. Any reasonable implementation will rely on existing user credentials, be it from the portal or from SSO framework - since you must have a shared authorisation credentials system to make sense of the ACL’s in the first place why would you not use it??

By: » Posted on CMS Watch - Blogosphere responds to Google’s appliance upgrade - My Webmaster News Blog

Fri, 09 Feb 2007 19:17:01 +0000

[…] A competitor asks whether GSA’s approach to document security remains too trivial (all caveats about casting stones apply)… […]

By: Jerome Pesenti

Jerome Pesenti — Fri, 09 Feb 2007 16:55:10 +0000

This is a good point that I am going to address in more details in Part #2. The short answer is that for the most common repositories, the search vendor should be able to offer connectors handling the security framework(s) properly. Vivisimo Velocity for example provides out-of-the-box connectors to Unix & Windows file systems, Lotus Notes, Sharepoint, Documentum, Email servers, Email archives, etc. For each of these systems, the security framework is known and documented and our software takes care of collecting and mapping out the ACLs properly. The fact that they use different frameworks is not an issue. The only part left to the administrator is to figure what user ids apply (for example if the Lotus Notes ID is different from the Windows ID) in which case an extra call to a directory service might be required, but that’s also true of “late binding” anyway.

For unknown or poorly documented repositories (likely to be crawled rather than connected to through an API), “late binding” might be the only practical solution but “early binding” should be used without difficulties with all others (often containing the majority of the enterprise content).

By: googfan

googfan — Thu, 08 Feb 2007 16:22:02 +0000

What you failed to cover was how someone would actually deploy an early binding method. Early binding puts a massive deployment effort on the part of the consultant or IT department deploying the search system. In our search deployment and content management operation, we often find companies who strive to implement early binding-based deployments, but after weeks of “business analysis” and technical prototyping realize that its just not technically practical in their heterogeneous environment. You see, the real issue is that most (if not all) enterprises don’t have one nice ACL store that has the access information for all of their various content systems. If they did, this problem would be a no-brainer. The work of some security vendors like CA are trending toward this, but they’ll be the first to admit that adoption is very slow and rework high in order to implement centralized or homogeneous distributed policy stores.