SP-021: Realtime Collaboration Pattern
Description: Real-time collaboration focuses on different users (both internal and external) who have to work in parallel on the same document, with the benefit of saving time and with the ability to merge different document versions as well as save synchronization. A process for user provisioning over the whole life cycle is needed to meet the requirement that a user is granted access permission to specific files or folders.
Assumptions: It is assumed that shared information will be confidential, so both the communication channel and the storage place should be encrypted. There is also a high technical requirement for the availability of the document that is the working target of the real-time collaboration. Another aspect is the capacity of the available storage: it has to be assumed that documents grow during the period of collaboration until the document reaches its final status. Audit trails have to be available. A simple process for user provisioning is available.
Typical challenges: Real-time collaboration on business documents is not an ad-hoc solution; there are permanent user accounts in conjunction with access to a dedicated storage place. The challenge will be the user provisioning: ensuring that a user account is bound to a contract or agreement and is maintained according to the user life cycle process.
Indications: Internal and external partners must share documents and work on them at the same time, for example when collaborating on business documents such as a project map or strategy plan. Other pointers: browser-based interface; the business is the information owner and decides who gets access to which information; strong two-factor authentication using mTAN or a token (i.e. OTP, certificates).
Contra-indications: Unable to distribute tokens.
Resistance against threats: The residual risk that will always remain concerns the unmanaged client of the external partner (data leakage). This risk varies depending on whether it is a client of a trusted company or a client of a private person.
The following threats should be considered:
- External users can store files that contain malicious code
- A user gets too much permission or access to the wrong folder
- Versioning conflicts if too many users are working on the document at the same time
References: List of references TBD (e.g. URLs, publications that can give more information or have informed the approach).
Related patterns: Web conference is a very similar use case. The only difference lies in the timeframe: whereas a web conference is an ad-hoc solution, real-time collaboration on documents is used over a longer time period.
Release: 08.02 June 2010
Author(s): Patrick Greuter
Reviewer(s): Lukas Ruf
AC-02 Account Management
AC-17 Remote Access
AC-20 Use Of External Information Systems
AT-02 Security Awareness
AT-03 Security Training
AU-02 Auditable Events
AU-06 Audit Monitoring, Analysis, And Reporting
AU-09 Protection Of Audit Information
CA-02 Security Assessments
CA-03 Information System Connections
CM-03 Configuration Change Control
CP-09 Information System Backup
IA-02 User Identification And Authentication
IA-04 Identifier Management
IR-04 Incident Handling
IR-07 Incident Response Assistance
RA-03 Risk Assessment
RA-05 Vulnerability Scanning
SI-11 Error Handling