The State of Information Security

1
The State of Information Security
Allen RogersVP of EngineeringAuthentica, Inc.
2
The Business Environment

• Need to share information with suppliers,
  partners and customers
• Integrated supply chains
• Partnership one day, competition the next
• Partners who serve your competitors as well as
  your company
• High employee turnover, increased use of
  contractors
• Compliance Pressures HIPAA, Gramm-Leach-Bliley
• Everythings digital and distributed

• Result Loss of control over sensitive
  information

3
What Is The Problem?
377 Billion in annual losses to US companies

• Not defensible with traditional access-based
  security solutions
• There needs to be a solution that protects the
  information itself

Source 2001 CSI/FBI Computer Crime and Security
Survey
4
How Does It Effect Us?

• Business Week prints secret Microsoft memo
• Los Alamos secrets leaked by authorized user
• Former CIA head has classified docs on home PC
• State department looses a laptop full of
  secrets
• Lehman Brothers financial data published on web
• Salaries of Senior partners in a legal firm
  leaked to the New York Times

Note 1 All these occurred after delivery Note 2
Involves a variety of media types Note 3
Traditional Security cant help
5
Securing the Information

• Firewalls
• Symmetric file encryption
• Asymmetric encryption
• PGP
• S-MIME
• Web access control

6
Whats Missing?

• The ability to control and protect the
  information after its delivered
• Change access rules after it is delivered
• Expire access and restrict forwarding
• Restrict print and copy rights
• Continual audit trail
• Protection independent from delivery
• The ability to lend, rent, or purchase digital
  media

7
Some New Alternatives

• Secure delivery services
• Secure Web document delivery
• E-mail notification and server encryption
• Traditional Digital Rights Management (DRM)
• Secure wrappers for digital media
• Dynamic DRM (Active Rights Management)
• Information encrypted and key and policy managed
  centrally

8
Secure Document Delivery
MS
MS
Internet
Web Browser
Web Browser
9
Digital Rights Management
10
Active Rights Management
Information Owner
Recipient

• Pros
• Always encrypted
• Persistent use control and audit
• Not transferable
• Revocable
• Dynamic policy control
• Cons
• Requires client
• Requires connectivity to view

11
Considerations

• Easy to use
• Simple model
• Native environment
• Dependable Security
• Dependable Authentication
• Persistent and Dynamic Control
• Use control (copy and print)
• Comprehensive Auditing
• Supports breadth of content types
• Scalable and deployable

12
Case Study
Manufacturer

• Semiconductor manufacturer
• Problem Need easier way to share confidential
  design information with suppliers and system
  manufacturers
• Issues
• High cost of paper (people, logistics)
• Delay to market with to new product
• No protection from copying, difficult to
  retrieve
• Multiple levels of sensitivity
• Solution
• Persistently protect specs
• Distribute via web and CD
• Dynamically control access on need to know basis
• Revoke access when relationship changes or need
  expires
• Monitor activity on documents

Supplier Network
13
Future of information security

• Encryption pushed to the desktop
• Control applied at the object level
• i.e individual message, document, web page or
  file
• Technologies for persistent protection, dynamic
  use control, revocation/expiration and continuous
  audit will be utilized
• Applied to ever expanding classes of content

14
Allen Rogers VP of Engineering Authentica,
Inc. (781)487-2600 x 220 arogers_at_authentica.com