Locking up agency information
- By William Matthews
- Mar 26, 2000
If the CIA had owned PageVault software, the John Deutch scandal never would
have happened, contends PageVault developer Authentica Inc. And if its WebVault
product were available for the Energy Department to use, Wen Ho Lee might
be just another scientist.
Deutch's and Lee's sagas are the most recent high-profile examples of
government employees who have violated information security policies. Deutch,
the former CIA director, kept classified information on a nonsecure computer
at home, and Lee, the DOE scientist, transferred secrets to storage tapes.
Both lapses could have been blocked, or at least minimized, if information
owners, including the CIA and DOE, had a way to control information even
after users have transferred it out of agency-owned computers.
That may sound impossible, but Waltham, Mass.-based Authentica says
it has developed three software packages that do just that. The capability
is called "dynamic post-delivery control," said Stevan Vigneaux, Authentica
vice president of marketing.
"That means I can control whether you can print [information], copy
and paste it, save on your disk drive or forward it," he said.
No matter who obtains a copy of information or where it goes, even
out on the Internet, the owner retains control, Vigneaux said.
PageVault, WebVault and their sister application, MailVault, work by
encrypting information and requiring the user to get the decryption key
from the owner each time he wants to use it. In addition to holding the
access key, the information owner can control varying degrees of use, from
read-only to permitting copying, forwarding or altering information.
Vigneaux called it "persistent control." "I will know every time you look
at each page for as long as I choose to," he said.
A House of Representatives committee (Vigneaux wouldn't say which one) uses PageVault to let members see sensitive material while ensuring that
it cannot be distributed to anyone not authorized to see it. Committee members
can read, but not copy, print or forward, information protected by PageVault.
And the software packages keep a comprehensive audit trail of who reads
what documents and when, Vigneaux said.
The three Vault products go beyond the simple encryption and public-key
infrastructure that many federal agencies are considering to help solve
privacy problems that stand in the way of electronic government.
While encryption and PKI may keep information from being accessed by
unauthorized users, once the information has been accessed, the provider
loses all control over it. Under these methods, an authorized user (such
as Lee, for example) can obtain information and then use it for unauthorized
purposes.
With the Authentica software, DOE could have let Lee view the information
but not allowed him to copy it to a tape or forward it. And once Deutch
stepped down as head spy, the CIA could have revoked his access to his decryption
key, thus denying him access to the secret information in his home computer.
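
The key-release model described above (ciphertext distributed freely, key requested from the owner on every use, per-user rights, revocation, audit trail), sketched as an added example. It is not Authentica's code; the class names, rights strings, document ID and the toy keystream cipher are assumptions made for illustration.

```python
import hashlib, secrets, time

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter keystream; a stand-in for a real cipher such as AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class KeyServer:
    """Owner-side service (hypothetical): holds keys, per-user rights, audit trail."""
    def __init__(self):
        self._keys, self._rights, self.audit = {}, {}, []

    def protect(self, doc_id, plaintext):
        self._keys[doc_id] = secrets.token_bytes(32)
        # Only the ciphertext is distributed; the key stays with the owner.
        return _keystream_xor(self._keys[doc_id], plaintext)

    def grant(self, doc_id, user, rights):
        self._rights[(doc_id, user)] = set(rights)

    def revoke(self, doc_id, user):
        self._rights.pop((doc_id, user), None)

    def request_key(self, doc_id, user, action):
        # Every request is logged, allowed or not, which yields the audit trail.
        allowed = action in self._rights.get((doc_id, user), set())
        self.audit.append((time.time(), user, doc_id, action,
                           "ALLOW" if allowed else "DENY"))
        return self._keys[doc_id] if allowed else None

def use_document(server, doc_id, user, action, ciphertext):
    """Viewer side (assumed trusted): asks for the key on each use, never stores it."""
    key = server.request_key(doc_id, user, action)
    return None if key is None else _keystream_xor(key, ciphertext)

def demo():
    server = KeyServer()
    blob = server.protect("memo-1", b"constructed sample text")
    server.grant("memo-1", "alice", {"view"})            # read-only grant
    first = use_document(server, "memo-1", "alice", "view", blob)
    printed = use_document(server, "memo-1", "alice", "print", blob)
    server.revoke("memo-1", "alice")                     # owner withdraws access
    after = use_document(server, "memo-1", "alice", "view", blob)
    return first, printed, after, [e[3:] for e in server.audit]
```

Because the copy on the user's machine is only ciphertext, the revoked user's later `view` request fails even though the file never left their disk.
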
More mundane uses are legion. With assured privacy, government agencies
and companies can use World Wide Web sites to distribute important but sensitive
information to their employees.
And for the first time, information can be made available on a rental
basis, Vigneaux said. It is possible for information owners to make it available
over the Internet on a pay-per-view basis.
PageVault has been available since last year. WebVault will begin shipping
this week, while MailVault is expected to begin shipping in May. Prices
range from $40 to $200 per user, depending on the number of licenses. More information is available on the Authentica Web site.