With the UK’s largest trade show on information security, Infosecurity Europe 2011, taking place in London, it is interesting to see that, like similar shows globally, a hot topic is that of ‘user awareness’. Indeed it is the subject of one of this year’s keynote speeches. In his keynote, Martyn Styles from the law firm Allen & Overy LLP, will discuss how users, often ignored in the quest to find technical solutions for security threats, can be the single biggest weakness in a company’s defences. He’ll also discuss how good user awareness programmes can be not only extremely effective, but often delivered at little-to-no cost.
The industry is now getting the message, that it’s not enough merely to rely on the mechanics of the ‘backend system’ to catch potential information leaks. Certainly, investing in a complex Data Loss Prevention (DLP) system is worthwhile, but for some organizations the cost is prohibitive. If organizations don’t have DLP, then increasingly they will need to rely on more than just end-user training to enforce data security. Even if they do invest in DLP, and mistakes like hitting the ‘Send’ button on an email containing salary information out to a competitor instead of to the CEO are caught by the system, the employee may not know of his error for several hours or even overnight until the system can notify him; hence impacting productivity. Result: work deadline missed.
This problem is amplified considerably when one considers that the number of file types in common use in the workplace is growing alarmingly. No longer do we merely rely on a staple diet of Microsoft Word, PowerPoint and Excel. Increasingly, PDFs are used for better portability and security, alongside multimedia files for video, audio and images. Then there are the industry-specific file types, such as those used by drawing packages. Every day these files are created, edited, emailed, shared in the cloud and collaborated upon, as part of just another day at the office.
The latter offers a view of an additional problem – that of data movement. A one gigabyte USB flash drive, thought of as futuristic just several years ago is now handed out in tradeshow booths just like logo pens were ten years ago. My point: these and other methods are great for easily transporting & sharing information. Almost too great one might say.
So the need to classify these data files has never been greater. The need for user awareness has never been greater. So just develop a product that classifies all these file types. Simple, right? Well, not quite.
Applying some classification level, such as ‘Top Secret’, or ‘Company Confidential’ to a file so that humans can read this is only one part of the story. Metadata (data about the file) also has to be applied to the file so that other computers such as DLP systems, email systems and the like can read these classifications. You see, to date, the standard method of doing this has been to place the metadata ‘alongside’ the file. Technically it’s not that complex to do this for any file type. For the more tech savvy amongst you this involves the use of ‘Alternate Data Streams’. The problem here is portability. Once that file is attached to an email or moved to a USB drive, the metadata is lost. So this approach is fine if you want to keep your data in one place, but pretty useless if you live in our collaborative real world.
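The portability problem described above can be reproduced on any NTFS volume. The following is an added example, not code from TITUS or any product; the stream name `Classification`, the file names and the label value are hypothetical, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Constructed demo: a label kept in an NTFS alternate data stream (ADS)
# does not survive when only the file's main content is transferred.
$dir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$original = Join-Path $dir 'salaries.txt'            # hypothetical file
$received = Join-Path $dir 'salaries-received.txt'   # copy "after transfer"

Set-Content -Path $original -Value 'name,salary'
# Store the label "alongside" the file in a named stream (hypothetical name).
Set-Content -Path $original -Stream 'Classification' -Value 'Company Confidential'

function Get-ClassificationLabel {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the label text, or $null when the named stream is absent.
    $s = Get-Item -LiteralPath $Path -Stream 'Classification' -ErrorAction SilentlyContinue
    if ($null -eq $s) { return $null }
    (Get-Content -LiteralPath $Path -Stream 'Classification' -Raw).Trim()
}

# An email attachment or a FAT-formatted USB drive carries only the unnamed
# (main) stream. Reading and rewriting the bytes models that transfer.
$bytes = [System.IO.File]::ReadAllBytes($original)
[System.IO.File]::WriteAllBytes($received, $bytes)

foreach ($file in $original, $received) {
    $label = Get-ClassificationLabel -Path $file
    if ($null -eq $label) { $label = '<no label found>' }
    '{0,-24} {1}' -f (Split-Path $file -Leaf), $label
}

# Both files have identical content, so a check that depends on the ADS label
# treats the received copy as unclassified.
(Get-FileHash $original).Hash -eq (Get-FileHash $received).Hash

Remove-Item -Path $dir -Recurse -Force
```

A DLP or mail-gateway rule that keys on the stream alone should therefore treat a missing label as "unknown", not as "unclassified and safe to send".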
This is why at Infosecurity Europe this week, TITUS is launching a brand new product – TITUS Classification for Desktop. Touted by ‘Network World’ magazine as one of their ‘Products of the Week’, and having previously garnered attention when introduced at RSA 2011 in San Francisco, this product addresses what is a technically complex problem with a blindingly simple-to-use offering.
Users simply right-click on a file on their Windows Desktop (typically wherever they view their files; usually in an Explorer window, or on their desktop itself). They apply a security classification level to the file from a range of levels assigned to them by their systems administrator. They do this either via a simple Windows-style fly-out menu or, for users with more complicated classification levels, via several mouse clicks on a dialog. Simple. The file icon is then stamped to show the user that the file has been classified. No training needed on the user’s part.
Now here’s the really clever part: that metadata I mentioned earlier is inserted as an integral part of the file itself, so it always travels with the file wherever it goes. We looked at the files most used in finance, aerospace, government and military environments and these are all supported right out of the box. Installation, administration and maintenance are all straightforward.
So, on the front end you have user awareness – users doing the right thing, securing their data appropriately, and doing it in a way that is truly portable to other systems. An industry first.
In addition, if you have an application that needs to read or write metadata to files, we can help. We are working to make the technology available to others that may want to access our metadata APIs.
If you’re going to be at Infosecurity Europe this week, then please drop by stand J61 and check out our new product.