Missing Security Features in Enterprise RSS Tools

[Note from infoarch: Peter Verhoeven is a smart colleague of mine. One of the things he’s working on is selecting and implementing an Enterprise RSS solution for the company we work for. Peter did deep research on this topic and found some gaps in what current Enterprise RSS vendors are offering. I asked Peter to summarize his thoughts in the guest blog post you find below. Enjoy! And we would love to hear what you think. Peter's LinkedIn profile can be found here and he initiated and maintains a popular website, Magnifiers.org.]

Introduction

Last months we evaluated two Enterprise RSS solutions: Attensa Feed Server (AFS) from Attensa and NewsGator Enterprise Server (NGES) from NewsGator, to replace our self-made Enterprise RSS solution.

Both products are missing an essential feature for us, namely good support of “secured feeds” and options to share “secured feeds” with employees with the same permissions.

What are “secured feeds”?

A “secured feed” can be defined as an RSS feed, that can only be accessed by employees with enough permissions.

Within the company firewall think about an RSS feed on a Sharepoint site, where project members are collaborating.

Outside the company Firewall think about services that need any type of authentication, for example accessing company related RSS feeds on Yammer.

What all “secured RSS” feeds have in common is, that you can access them by entering a valid username and password combination.

Why Use Secured RSS feeds?

The security policy in our company is that you can only see information you are allowed to see.

If for example members of “Project X” are sharing information in a Wiki “Project X” and want information in this “Project X” Wiki to be restricted to members of “Project X”, then employees not working on “Project X” are not allowed to access RSS feeds on the “Project X” Wiki.

Most websites in our company like Wiki’s, Blogs, Sharepoint, the intranet portal, require that you are a member of our Windows Domain.

To access these websites employees must be logged onto our network.

As a result, all RSS feeds on the above mentioned websites, need authentication to access and are secure RSS feeds.

Enterprise RSS Secured Feed Requirement

Two important advantages are frequently mentioned to implement an Enterprise RSS solution within the company, instead of using individual RSS client software:

  1. Network Bandwidth reduction.
  2. Improved collaboration by sharing RSS feeds.

This is exactly what we think are advantages of an Enterprise RSS solution, but these advantages should also work for secured RSS feeds, since more than 90% of our RSS feeds are secure.

To explain our requirement regarding secure feeds in an Enterprise RSS solution I’ll give you the simple example below.

Example:

  1. “Person A” and “Person B” are members of “Project X”.
  2. “Person A” and “Person C” are members of “Project Y”.
  3. “Project X” has a secure RSS feed “Feed X”, that can be accessed by “Person A” and “Person B” and not by “Person C”.
  4. “Project Y” has an RSS feed “Feed Y”, that can be accessed by “Person A” and “Person C” and not by “Person B”.

After “Person A” subscribed to “Feed X” in an Enterprise RSS solution:

  1. “Person B” and all other members of “Project X” accessing the Enterprise RSS solution, must be able to see and subscribe to “Feed X” in the Enterprise RSS solution (Feed sharing).
  2. “Person C” and all employees who are not a member of “Project X”, do not see “Feed X” in the Enterprise RSS solution and are not able to subscribe to it.
  3. If 3 members of “Project X” have a subscription on “Feed X”, the Enterprise RSS solution polls only once for new news items, instead of doing this for any subscribed person (network bandwidth reduction).

“Person C” add “Feed Y” of “Project Y” to the Enterprise RSS solution:

  1. “Person A” can see and subscribe to this feed, because he or she is also a member of “Project Y”.
  2. “Person B” does not see and can not subscribe to “Feed Y”, because he or she is not a member of the project “Project Y”.
  3. All project members of “Project Y” can see and subscribe “Feed Y” in the Enterprise RSS solution (RSS feed sharing).
  4. “Feed Y” is polled once for all project members of “Project Y”, who have a subscription on “Feed Y” in the Enterprise RSS solution.

Secure RSS feeds in NewsGator Enterprise Server

In NewsGator Enterprise Server (NGES) secure RSS feeds ‘work’ as follows:

  1. An administrator can add a secure feed to the company taxonomy. By doing this all employees can see and subscribe the secure RSS feed, without using their own username and password.
    The advantage of this is that all those secured RSS feeds added by an administrator can be shared (RSS feed sharing) and are polled once for all subscribers with the administrator permissions (Network bandwidth reduction).
    This can work for RSS feeds only requiring that you are a member of the ADS Group Domain Members. It does not work for RSS Feeds with a higher security level.
  2. Secure feeds added by individuals, instead of administrators, are not visible by others and therefore cannot be shared. Also the advantage of network bandwidth reduction does not work for these individually added RSS feeds.
    If 100 employees individually add secure feed “Feed A” to their subscriptions in NGES, this feed will be polled 100 times and there is no network bandwidth reduction.

Secure RSS Feeds in Attensa Feed Server

And, AFS ‘works’ in this way:

  1. In Attensa Feed Server (AFS) individuals can add secure RSS feeds. All these RSS feeds can be shared with others.
  2. When trying to subscribe to a shared secure RSS feed in AFS, the subscription always fails. The only way to get the same RSS feed in your own subscriptions, is by adding the RSS feed by yourself again.
  3. When clicking on an RSS feed, for which you do not have enough permissions on the source website, you can read the titles of the items in the RSS feed. This is really a lack of security in AFS.
  4. Network bandwidth reduction does not work in AFS for secure RSS feeds.

Conclusion

Currently, both NGES and AFS do not support our requirement for secure RSS feeds.

Are you implementing an Enterprise RSS solution? How are things going? Have you also run into security issues? How did you address them?

Posted by

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)