Security

It's no secret that every company possesses a wealth of information that languishes for lack of use. And that millions of frustrated workers could be more productive if only they had easy access to their company's buried information. Search has come a long way in bringing hidden knowledge to light, making it accessible to employees who need it. Solving that problem, however, quickly opened the door to another challenge: how to keep confidential information in the enterprise available only to those who should have access to it.

The Google Search Appliance indexes both public and privileged information and enforces your organisation’s document-level security policies at the time of search. It provides a mechanism for users to search for private information securely, so only content that should be accessible to the search user is returned in the results list. Google’s enterprise search technology integrates with your authentication and authorisation systems to provide secure search leveraging your existing access control investments.

The Google Search Appliance does not require a new set of user identities or user access control lists (ACLs) be created to implement secure search in the enterprise. Rather, Google leverages your existing identity management system and the access control policies already in place in your content systems today.

Most content systems and enterprise applications have capabilities built into the system that determine if a user is allowed to see a particular content or piece of information. By requesting the content just like a user would directly from the source system or application, Google allows the most granular security level - document-level security, with no additional security systems or access control policies required.

At crawling, the Google Search Appliance creates an index of information that it has acquired through the various onboard content access mechanisms – the web crawler, file system crawler, relational database crawler, and through the content feed interface. When acquiring and indexing this information, the appliance uses access credentials provided to it by the system administrator. These can include single sign-on (SSO) credentials for forms-based SSO systems, basic-auth credentials, NTLM credentials (username, password, domain), Kerberos, and X.509 client certificates. These credentials are used by the Google Search Appliance to access the content at indexing time.

The serving process occurs when users execute a query. At this moment, they can specify (through the search interface) if they want to search “public only” information or public and privileged (secure) information. If the latter is chosen, the user is then prompted for their access credentials based on which authentication and authorisation method(s) are configured.

For example, if the appliance is integrated with an enterprise single sign-on system, the user is directed to the SSO authentication server they can be authenticated and receive the SSO credentials. If the user is already authenticated by the SSO, then the user can search without any added authentication steps involved.

The Google Search Appliance executes the search against the index to retrieve the candidate list of all matching results. However, prior to returning the full results list to the user, the appliance uses the SSO cookie on behalf of the user to authorise the candidate results against the source system. Results that fail authorisation are filtered from the list, and only validated results are returned to the search user.

By performing the results access control checks in real-time, the Google Search Appliance ensures that users only see results that they are entitled to view. Alternative security approaches involving credential caching and recording access control permissions at crawl time are susceptible to fraud and synchronisation issues. Google provides enterprise-class security with the ease of out-of-the-box integration.

In addition to the various ways that Google can integrate into your enterprise right out of the box, the Google Search Appliance also supports native, SAML-based interfaces for authentication and authorisation. This SAML 2.0 based provider interface leverages the emerging XML standards to allow for third party user authentication and external results authorisation. With the authentication and authorisation service provider interfaces, the Google Search Appliance can be easily and securely integrated into all types of enterprise access control environments.

Read more about security and other features of the Google Search Appliance, or sign up for one of our seminars