Slashdot Mirror


Business-Suitable Document Authentication System?

ram.loss writes "The company I work for has decided to go paperless for all memos and internal correspondence. In addition to the central administration, the company has three more or less autonomous, physically separated divisions; that means we do not have a common IT infrastructure across all of them. Since I am the only resemblance we have to an IT department at my division, I have been commissioned with evaluating the available technology to manage and authenticate all correspondence, although it is not my area of expertise (I have a CompSci degree, but for many years have specialized in transportation modeling software). My initial thought was to use a document management system like Plone (this is the system I'm familiar with); from what I have read, that would take care of the management part, but what about authentication? We need each document to be signed, and a fully auditable system that keeps track of who signed what document, who received it and when. It also must take into account the handling of external correspondence in the future, where a recipient outside the company must have the means to return an authenticated document as a response. I'm aware that I'm leaving out a lot of details, like how the documents will be signed, the legal implications, etc., but for the time being I'm only interested in the experiences of the Slashdot crowd with such systems, and hopefully finding out enough information to hand over the matter to (or hiring) somebody more qualified, once I know what to look for. Has anybody out there used a similar system? Am I in way over my head?"

17 of 130 comments

  1. SharePoint by Anonymous Coward · · Score: 3, Informative

    Microsoft SharePoint can handle most of what you need out of box, and you can configure and customize what you need for the rest, I believe.

    1. Re:SharePoint by klubar · · Score: 4, Insightful

      SharePoint is underrated-- it really has gotten pretty good. Although you say that the firm doesn't have a common infrastructure, it's likely that you've standardized on Microsoft Office. If you're using (or can upgrade to) Office 2007 (or 2010), SharePoint plays extremely well with Office. SharePoint will handle all your office documents. If you need a comprehensive solution for scanned paper or integration with other applications, I'd look at some of the commercial document management solutions (Documentum).

      Don't cheap out and try to put together some homebrew solution. Remember as Click and Clack the Tappet Brothers say, it's the cheap man/woman who spends the most.

    2. Re:SharePoint by YrWrstNtmr · · Score: 5, Informative

      One of the main issues with SharePoint (aside from the whole MS ecosystem) is that it is a large complex beast. Once you move beyond the base SharePoint Services and into SharePoint Server, the maintenance will drown you. Especially if you are only one deep.
      And I say this as a SharePoint admin/developer for a large US govt organization.

      But yes, the base SharePoint Services 3.0 and upcoming SP Foundation(2010) will do pretty much everything he's asking for. And it's free (beer), if you are already running Server2003 or Server2008.

      Also, FAR more requirements gathering is needed. What do the bosses really want?

    3. Re:SharePoint by Kaboom13 · · Score: 3, Insightful

      Please, enlighten me why SharePoint costs $50,000? I have several customers who run it on a single server, that also has other duties (unless you have a very large number of users, SharePoint server uses little resources). You will need licensing of Office and Windows for every employee, but the majority of offices in the real world already have that. At the end of the day, SharePoint is just a web server, it does not need anything special from the hardware. So let's say 2 redundant servers, about 2.5k each. Licenses for Server 2008, iirc around $700 each. If they are a Windows shop already (and if not, then SharePoint is a bad idea) they already have CALs and Office licenses for all their users, so that's not an issue. Let's say $1k for some sort of backup solution. So before labor, and there's a ton of competition in the SharePoint world so labor is fairly cheap, we are at what, $7400 in "dedicated hardware and licenses" for a solution that could probably serve a few thousand users quite well depending on the nature of how they use it. I'm assuming of course the actual documents are stored on a separate file server/SAN hardware already. Seeing how his whole division has no real IT staff, I doubt they even have that many users.

      There's a lot of things not to like about Sharepoint, it's a proprietary solution with the usual problems proprietary solutions have. But it integrates quite well with Office and is easy enough to use and customize the secretary can figure it out. To be honest, I would probably not recommend Sharepoint for his situation simply because when amateurs try to maintain a Sharepoint installation things tend to go horribly wrong, mostly because the patches and upgrades can be a bit of a clusterfuck if you don't carefully follow the steps to prepare for them. Where you came up with $50,000, especially without even knowing the number of end users, is a mystery to me.

  2. Try Knowledgetree by PdbAqB · · Score: 5, Informative

    Try Knowledgetree - It's open source, has workflow and it is fully audited: http://www.knowledgetree.com/solutions/industry-solutions We use it in our law firm (I manage it - we are relatively small http://1p.com.au/) and it runs without any specific expertise. I have previously tried other solutions without success. We also really appreciate Knowledgetree's ability to interact seamlessly with MS Office etc. Good luck

  3. What? Are you trying to do? by Manip · · Score: 4, Insightful

    Sounds like you have serious requirement overload. You need to go back and ask them what they ACTUALLY want.

    For example, what is a "document?" Who is signing it? How long should the audit trail be? How many millions are you investing in this needlessly complex internal system?

    What you're after simply doesn't exist and likely never will. Even if it did, implementing it would be hugely expensive and time consuming.

    What I don't understand is how this can be replacing a paper system? Paper systems lack almost all of the features you requested... So clearly you do not NEED this stuff and thus we came around full circle to requirement overload.


    1. Re:What? Are you trying to do? by twisteddk · · Score: 4, Insightful

      I couldn't agree more. As a comp.sci. major, you should be able to ask the questions of: What, why, where and who (and today probably also, how much).

      You need to get a decent requirement spec going, and from then on choose the system you want. There's no need to spend more money and time on features or systems that won't be used. Buying a fully fledged EDHS would be nuts if you can make do with a common fileserver and an intranet bulletin board system. Also, you might want to look at the business you're supporting, maybe there's an industry standard that might be handy to keep up with if you suddenly need to cooperate with, buy or be bought by someone else in the industry.

      Also, you'd want to mimic the current working processes as closely as possible. There's nothing more deadly to a project than employees unwilling to adapt to new systems. So make the system cater to their needs instead of making them have to do things differently. Include key personnel in the implementation or decision process, so that they feel that their needs are being heard and met, so they will welcome the new system. Social engineering isn't just a skill for politicians, it's one for developers too ;)

      --
      --- To err is human... Am I more human than most ?
    2. Re:What? Are you trying to do? by ram.loss · · Score: 4, Informative

      Hi, original poster here.

      Yes, I am aware there are too many details left hanging, that's why I need to hear from someone that has worked with a similar system to at least have an idea what kind of project are we dealing with. From listening to the managers, we need some serious talking to do before a formal proposal is made.

      For starters, there's not much money available for the hypothetical system, so that will probably be a showstopper. When I say "documents" I mean anything that when printed on paper has to have a signature (as in "written with a pen") that identifies who wrote it/approved it, most likely a PDF file when talking about an electronic document.

      I share your bafflement about the purpose of all this, presumably they want to eliminate all the time needed to move paper around four different locations, and it can't be done by e-mail due to the signature requirements (internal rules, legal implications among other things, let's not delve too much into that just now). But I think they really have not thought through all the added costs.

    3. Re:What? Are you trying to do? by obarthelemy · · Score: 3, Insightful

      This is a trap.

      What your bosses want to do (go fully paperless, including all correspondence, contracts, worksheets...) is a very big project, that requires much thought, planning, management support, time, and money.

      By asking you to do it on the cheap, your bosses show that they really don't understand what this is about, and when the whole thing blows, it will of course be your fault.

      The one vital thing you must do is find examples of companies of a comparable size / business that did it, with a broad idea of what it took in terms of money, time, manpower, glitches... Don't even touch the technical side, products... until you have those case studies. Pass them on to your bosses, and see if they want to go ahead.

      As for getting a hold of such examples, try classmates, business partners, ask the bosses where they got the idea from, ask slashdot that question (instead of the technical one), ask potential providers for references (if you're an MS shop, MS may help)...

      --
      The Cloud - because you don't care if your apps and data are up in the air.
  4. Lotus Notes/Domino by kirthn · · Score: 5, Informative

    Lotus Notes/Domino by IBM takes care of all that...including external branches, digital signatures, track of who has been reading it, who were the previous readers etc etc... etc...we have been using it extensively and provides everything you just described.....

    --
    Famous last words:"but...."
  5. PGP + really any collaboration software by DarkOx · · Score: 3, Interesting

    Give everyone a copy of PGP or gnupg and use your favorite collaboration program to store and version the documents. I would consider just signing the docs and not encrypting them when they are not sensitive, encryption just adds risk that you could lose data more easily. It's really important to know that it really was the comptroller who authorized the PO for that new delivery van but it's not a secret the company purchased a new truck.

    This should also give you some flexibility going forward. If you don't like the work flow solution you don't have to change the authentication solution or the other way around.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
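
The sign-without-encrypting approach suggested in the comment above, shown as an added example that is not part of the original thread. It assumes GnuPG 2.1 or later; the key name, address and file names are made up, and the passphrase-less key in a throwaway keyring is for the demo only.

```shell
#!/bin/sh
# Constructed demo: sign (not encrypt) a memo with GnuPG, then verify it.
# Names, addresses and file contents are illustrative, not from the thread.

# Throwaway keyring and work dir so the demo never touches a real ~/.gnupg.
demo_setup() {
    GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    WORK="$(mktemp -d)"
    # Passphrase-less key: acceptable for a demo, not for real signers.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key \
        'Demo Comptroller <comptroller@example.invalid>' \
        default default never 2>/dev/null
    printf 'PO 0001: approve purchase of one delivery van\n' > "$WORK/po.txt"
}

# Detached, armored signature: the document stays readable by anyone,
# and the separate .asc file is what proves who approved it.
sign_doc() {    # usage: sign_doc FILE SIGNER
    gpg --batch --yes --quiet --armor --local-user "$2" \
        --output "$1.asc" --detach-sign "$1"
}

# Prints "GOOD <signer fingerprint>" or "BAD". It reads GnuPG's
# machine-readable status lines instead of parsing human-readable output.
verify_doc() {  # usage: verify_doc FILE   (expects FILE.asc beside it)
    _st="$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null)" || true
    _fpr="$(printf '%s\n' "$_st" | awk '$2 == "VALIDSIG" {print $3; exit}')"
    if [ -n "$_fpr" ]; then echo "GOOD $_fpr"; else echo BAD; fi
}

demo_setup
sign_doc "$WORK/po.txt" comptroller@example.invalid
verify_doc "$WORK/po.txt"               # untouched document
printf 'and a second van\n' >> "$WORK/po.txt"
verify_doc "$WORK/po.txt"               # altered after signing
gpgconf --kill gpg-agent                # stop the agent for the temp keyring
```

The fingerprint printed on a good verification is the value an audit record would store next to the document name and time, since it identifies the exact key that signed.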
  6. EPM by hkabbaj · · Score: 3, Informative

    Look at https://www.uspsepm.com/ document integrity and authentication. https://my.inscrybe.com/ supports workflow and multiple signings and incorporates the epm.

  7. Try the LOPSA mailing list by Saint Aardvark · · Score: 3, Informative

    Try posting this on the LOPSA mailing list. It's an excellent resource, with lots of sysadmins in different environments hanging out. If you're not a member, email me (aardvark atsign saintaardvarkthecarpeted dot com) if you'd like me to post to the list on your behalf. You might also want to try the IRC channel #lopsa on Freenode.

    Membership is only $50/year, and access to the mailing list alone is worth every penny. I'm a member, and it's saved my butt on occasion. Even if you're not a sysadmin, this is definitely a sysadmin-type question, and I think you'd benefit from being able to ask questions on the list.

  8. I am afraid...I see trouble ahead by bogaboga · · Score: 3, Insightful

    Since I am the only resemblance we have to an IT department at my division, I have been commissioned with evaluating the available technology to manage and authenticate all correspondence, although it is not my area of expertise (I have a CompSci degree, but for many years have specialized in transportation modeling software).

    From what you say, I can conclude that your company's staffing is anaemic in the IT department. Because of this, I suggest that you abandon this project for the time being as you build up man power and expertise in IT. Hire more folks so that they can get to know the business logic and flow of information at your company then kick start this project.

    Take a clue from Munich with its Linux migration efforts.

    Bottom line: A drastic change in the way you work will create lots of headache for you given that as you say, "...Since I am the only resemblance we have to an IT department at my division...".

    I worry for you, but wish you the best at the same time.

  9. Possibly Lotus Domino; Need more info by thebiss · · Score: 4, Informative

    You'll need to elaborate on two things to get good answers:
      - What is a document? Rich text, or scanned paper, physical paper, or something else?
      - What is authentication? Tracking electronic versions from creation, through revisions, to finalization, or something different like confirming that physical document "A" is the same as physical document "B"?

    I know of solutions for the case where documents are soft copy rich text with images and attached scanned documents. A Lotus Notes database can be easily created to track such documents, prevent over-writes, track revision histories, etc. I work for a pretty big consulting firm, and we use Domino-based systems for things like this all the time.

    Some caveats -
    - Domino is easily set up, but requires product knowledge to perform well and scale. How big is your firm?
    - Users will need to have Notes IDs to work with the system, as ID (certificate) + password based PKI is the foundation of Domino's authentication mechanism.

    Some benefits -
    - Depending upon the setup, users will be able to work with documents via your corporate intranet.
    - Depending upon the setup, replication (think synchronization) can enable users to keep local copies of this data, for access while they are outside of the intranet.

    Access for outsiders is more complex.
    - If the outsiders are trusted (e.g. auditors,) the solution may be to give them Notes IDs and grant them access to the intranet and this system.
    - If the outsiders are end-users (e.g. E&Y clients submitting their 2010 US tax forms,) then you may be into custom application space. I'll skip the plug for my company.

    --
    Beware: I believe all are created equal, and have the right to life, liberty, and the pursuit of happiness.
  10. All Good Suggestions For the Most Part... by DarkKnightRadick · · Score: 3, Insightful

    ...but everyone is ignoring the pink elephant in the room.

    No common IT infrastructure? I'd tell them to attack that before implementing anything new company wide. Without a common IT infrastructure you'd have to get a poll for exactly what each division has (does each division have a common infrastructure, I hope so) and pray that each division has standardized on something whether it be *Nix, Windows, Mac or whatever. Once you have that, getting an electronic document handling system will be much easier as you'll have only to worry about file formats from one office suite (and possibly PDFs).

    As for signing of documents, PDF is the only format that handles that internally, though I guess you could get people to get their own PGP keys, though I think the hassle would not be welcome.

    To summarize:
    1. Get company to implement standard IT infrastructure company wide
    2. Get IT department to implement EDHS
    3. ???
    4. Profit! --- very important to companies, apparently less so to /.ers :p

    --
    "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
  11. Ask the other divisions? by BitZtream · · Score: 3, Interesting

    I realize your company may not make it easy to do so, or the other departments may not help but ...

    Have you considered, since you're the only one in your portion, that asking them for help may be useful?

    I'm making a lot of assumptions about an ideal situation that may not apply to you, I realize that, so it may not be possible for you.

    If it were though, you might find that you can save yourself a lot of time just by working with the other groups.

    You could also very well create a new position for yourself, pull all 3 divisions together and save some money in IT and you might end up in charge of all of them. (if you want to do that, personally I still prefer to be in the trenches).

    Either way, you may find that they've already done this research and found something that didn't work for them, but might work for you, OR might work for everyone if you all got together to do it, versus not being cost effective for one group to do it.

    A company I worked for was bought out a long time ago, we basically continued to operate as 2 companies under one name for a long time. Then our IT department started pushing to integrate, taking the best parts of both companies and merging into a better structure overall. We ended up saving a lot of money.

    Interestingly enough, our IT was killed off and released shortly after we suggested that moving the web servers that had a window view of Wall Street to somewhere that we could run them for 10 years for the same cost as a single day in their current data center ... So you may want to be careful what you suggest.

    Another interesting twist was that shortly after we got 'released', the company was bought once again, by a company near Atlanta, which promptly closed all the offices on Manhattan, including the one that was chosen over us. Senior management from our original company passed along the word that the new buyers made it clear that stupid choices like killing our data center and keeping one in Manhattan is exactly why they were now going to be looking for new jobs themselves.

    We were vindicated, but some of us were still unemployed unfortunately. Either way, it may still be worth your while to try.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager