The advice often heard for deploying a secure messaging solution has been to install public key infrastructure technology (PKI). Proponents of PKI, namely the leaders in the field - RSA, Entrust and Verisign - talk long and loud about its ability to encrypt data across the Internet and to authenticate the identity of the sender and recipients of data. But PKI overlooks a highly desirable aspect of messaging - the protection and control of data after a recipient receives it. What's more, the difficulty of using and maintaining private and public keys and the corresponding passwords make PKI technology clumsy and a deterrent from vigilant use.
Meanwhile, examples of accidental and deliberate information disclosure abound. Southcorp's corporate affairs manager, Glen Cunningham, recently e-mailed some analysts seeking to clarify the effects of the poor 2000 vintage. He estimated net debt levels on their forecasts and suggested they may "wish to review" those forecasts. The information leaked and Southcorp subsequently experienced an approximate 20 per cent drop in its share price.
According to the 2002 FBI/CSI survey, 80 per cent of all data theft occurs from internal rather than external sources. This doesn't mean that 80 per cent of staff have deliberate intentions of stealing proprietary data. Rather, this statistic highlights the lack of security tools and corporate policies in place to adequately protect the confidential or valuable information shared daily between business units, partners and colleagues via electronic means.
What the corporate market desperately requires is a tool that can control information after delivery and this is what David Pensak, the creator of the highly acclaimed Raptor firewall, has delivered in Authentica. Authentica lets organisations or individuals control e-mail, documents and Web pages after recipients access them. Not only does it ensure that information is only accessed by authorised individuals, but it lets the sender (a) determine whether recipients can print, copy or select text, (b) prevent information from being forwarded, (c) expire information, even after it's accessed, and (d) track what recipients do with the information (read or print, for example) after they download it.
The software runs on the policy server (Windows NT, Solaris, Unix, not Linux) which manages the keys on the back end without any involvement from users. For the sender it is just like posting a normal e-mail or document. On the other end of the line, the non-Authentica user downloads a once-only plug-in which goes in search of the policy server to authenticate access to the protected e-mail. This check kicks in each time access to the e-mail is attempted. The plug-in also overrides the copy, paste, print and print screen functions of the recipient's Lotus Notes, MS Exchange/Outlook or Eudora mail application, as well as Navigator and Internet Explorer HTML browsers.
These controls eliminate the probability of errant e-mails causing havoc and financial losses such as that experienced by Southcorp. Compaq, part of the new HP, and PricewaterhouseCoopers are already convinced of the tool's value proposition for corporate clients, and have signed as global resellers.
Keys are issued and managed by a certificate authority (RSA, Verisign and Entrust are all authorised) and are a means of authentication. The sender of data has a private key, which they use to validate themselves to the certificate authority. They also have a public key to which they designate a password and give to a desired recipient to access whatever information they wish to share. The problem with this technology is that the sender can attain numerous public keys, which need to be kept track of and if he/she loses a key then no recipients can open his/her e-mails or data. For the average PC user, learning how to use PKI is challenging and once in use it can be time consuming. At the end of the day, the greatest concern is that there are ways around PKI technology -- there is nothing to stop recipients copying the document and disseminating it.
Darren Ash is the director of Melbourne distributor Validate Technologies.