IT Compliance Institute, August 17, 2004:
Trends and Technologies
Tackling Compliance for Lotus Notes
Most companies don't know whether sensitive information is leaving the organization via e-mail, and few tools address Lotus Notes specifically. Here's one that does.
By Mathew Schwartz
Who touched what, when did they touch it, and why? Regulations including Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley stipulate audit trails for sensitive corporate, medical, and financial information, plus appropriate controls to prevent it from falling into the wrong hands. If the information does get out, good intentions don’t matter; organizations are liable.
Given that pressure, a number of tools exist to help organizations keep information secure, though options for Lotus Notes have been scarce. PortAuthority for Lotus Notes, from Los Angeles-based Vidius Inc., however, can help Notes shops close the gap. PortAuthority fingerprints sensitive information inside companies, then ensures that digital information—or parts thereof—follow security policy guidelines about where and to whom it can (and can’t) go. ComplianceNOW spoke with Assaf Litai, vice president of technical services at Vidius, about how regulated industries, and even the FBI, safeguard information.
Do most companies know if e-mails containing sensitive information are leaving the organization?
A lot of times, if you ask [companies], people will tell you they have no idea. Now … if you look at Sarbanes-Oxley … you say, I know my information is secure. Well, how do you know that? If you have half a million e-mails going out [per] month and you have no idea what’s in them, how can you say you know what’s happening with your information? As a chief security officer, how can you say it’s protected if you don’t know what it’s doing?
At the White House, they have an air gap. They have a lot of somebodies that sit there and read the e-mails going out, and transfer them, by disk, to the external network. But if you ask a lot of companies, they’ll say it’s too expensive [to do that].
What’s your approach?
[PortAuthority] gives you concurrent audits of information as it’s distributed within and to the outside of an organization. So basically, you have private information. A bank might have lists of Social Security numbers, lists of credit card information, and so forth. Or an organization might protect HR and patent records.
Our system … learns that information; then any e-mail that is sent, Web post made, etc., is scanned and identified if it contains that information. One of the very important things is we do it very transparently to the user.
What are drivers for using this type of technology?
The Gramm-Leach-Bliley Act, Sarbanes-Oxley, and California SB 1386 have been very influential.
How does PortAuthority protect the information?
First, you… tell PortAuthority what it is you’d like to protect … [such as] a directory devoted to project plans … Then PortAuthority [crawls the information] … Similar to a backup system, it would read every file in the system—it opens the document itself, or … a ZIP file [with documents inside] … [and] strips any formatting information. Then it starts creating fingerprints of that information. And I’m not talking about one or two hashes, we’re talking many hashes … [Also] if you find that [exact] information somewhere else and create a fingerprint from it, the fingerprints would correlate … So it would do that for every single file that you point the [application] at.
So PortAuthority uses these fingerprints to search outgoing information?
We create a library of fingerprints, and one of the important things is, if you change a document—say you take a 20-page document and retype a couple of paragraphs from it—PortAuthority will recognize the document.
Then … we sit on the external mail server and basically scan everything. Every e-mail going through, we see there are attachments, body text, and it creates signatures for those, very quickly, and correlates that with what’s stored in the database. [It asks,] "Okay, did we see any of those before?" and if so, we read the policy. Let’s say [it’s a hospital] and [because of HIPAA, some things] can only go to the doctor’s group, not to nurses or administration. Okay, so where’s this e-mail going? To doctors? Okay. But if it’s going to nurses or administration, then we have to notify the user that this information did not go through, so he gets that e-mail. Then we notify the security administrator. Then we notify the document owner—we give him a copy of the e-mail that was sent—and we enable the management of it.
So let’s say, for example, one of the members of the R&D team sends [a document] to the outside world for review, and this was okayed by the head of the R&D team. Then all he has to do to allow the message is reply to the PortAuthority console alert [via e-mail].
How does this work for protecting financial services information, say for Gramm-Leach-Bliley compliance?
We … work with a lot of financial institutions, and … [for them] instead of signing random documents, we hook up with the main financial system. The bank will tell us, we want to protect the clients’ debit card numbers, Social Security numbers, [and] the driver’s license numbers. Then PortAuthority will read that information from the core system and protect each and every piece of information there. Basically banks want to know that this type of information is not being sent out.
What can an end user do if PortAuthority blocks his or her e-mail for violating the security policy?
[When it catches something] it comes back … and says you have to retype the e-mail. So what happens is, because of this aspect of having to rewrite the information twice, [employees] become very sensitive, so you have to make sure those—and excuse the word—damn numbers, that make me work harder, aren’t there. So now everyone is looking for those damn numbers and covering them up with X’s.
So this is education, with an incentive?
It’s typically a byproduct. The incentive is typically once an organization understands they have this huge gaping hole, and they understand that if they don’t patch it … it’s an imminent regulatory requirement [anyway].
What did banks do before this type of technology was available?
If you called most banks and asked them did they know what was being sent out of their networks … eventually the CEO [would] admit to having no clue what … went out [in e-mail].
Was it difficult to introduce intellectual property protection to the Notes environment?
IBM actually wrote the interface for PortAuthority to the Lotus Notes application … We work with any internal SMTP or POP solution. On external mail, we work with anything, almost, that’s SMTP-based. We have a lot of GroupWise customers, Lotus, Exchange, and any of the Linux applications.
Is this a software application?
It’s a software application that typically resides near the e-mail gateway.
PortAuthority can block non-fingerprinted information from leaving. What about information that suddenly goes from common to confidential?
We have FBI offices that use this, and they have an interesting problem. Let’s say you find there’s a kid selling drugs on some street corner in Los Angeles. And it’s a kid, and … typically those things aren’t [classified] … [So] they have a little stakeout, they’re about to catch him. Then, say, they just figure out he’s connected to a drug lord they’ve been trying to catch for 10 years. Suddenly this kid is hot potatoes. You don’t want to touch him and taint him. Suddenly this drug lord [is the target] …
So how do you stuff the cat back in the bag? What you do is tell PortAuthority that this information is now classified, and if anything happens with the information, alert me. That’s [another] application, and really the mail is just a small part of it.
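The fingerprinting approach Litai describes (strip formatting, compute many hashes per document rather than one, recognize the document even after paragraphs are retyped, then check the match against a recipient policy) can be illustrated with a small working example. The code below is an added illustration, not Vidius's code or PortAuthority's actual algorithm: it uses word k-gram hashing with winnowing, and the document text, the recipient policy, the threshold, and the domain names are all constructed for the example.

```python
"""Content fingerprinting and outbound policy check (illustrative, not PortAuthority code).

Normalize away formatting, hash overlapping word k-grams, keep a subset of the
hashes (winnowing) as the fingerprint, score outgoing text against the library
of protected fingerprints, and apply a recipient policy. Documents, policy and
thresholds below are assumptions made for the example.
"""
import hashlib
import re

K = 5            # words per shingle (k-gram)
WINDOW = 4       # winnowing window: keep the smallest hash of each WINDOW consecutive shingles
THRESHOLD = 0.5  # share of a message's fingerprints that must hit a protected document


def normalize(text: str) -> list[str]:
    """Strip formatting: lowercase and reduce the text to its word tokens."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingle_hashes(tokens: list[str], k: int = K) -> list[int]:
    """Hash every run of k consecutive words; a retyped word breaks only the k shingles containing it."""
    out = []
    for i in range(len(tokens) - k + 1):
        gram = " ".join(tokens[i:i + k]).encode()
        out.append(int.from_bytes(hashlib.sha256(gram).digest()[:8], "big"))
    return out


def winnow(hashes: list[int], w: int = WINDOW) -> set[int]:
    """Select the minimum hash of each window of w consecutive shingles.

    Selection depends only on the hashes inside the window, so any verbatim run of
    at least K + w - 1 words yields the same selected hashes wherever it appears.
    """
    if len(hashes) <= w:
        return set(hashes)
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}


def fingerprint(text: str) -> set[int]:
    return winnow(shingle_hashes(normalize(text)))


class FingerprintLibrary:
    """Inverted index from fingerprint hash to the protected documents that contain it."""

    def __init__(self) -> None:
        self.index: dict[int, set[str]] = {}

    def add(self, doc_id: str, text: str) -> None:
        for h in fingerprint(text):
            self.index.setdefault(h, set()).add(doc_id)

    def match(self, text: str) -> dict[str, float]:
        """Per protected document, the share of the text's fingerprints found in it."""
        fp = fingerprint(text)
        if not fp:                      # shorter than one shingle: nothing to compare
            return {}
        hits: dict[str, int] = {}
        for h in fp:
            for doc_id in self.index.get(h, ()):
                hits[doc_id] = hits.get(doc_id, 0) + 1
        return {d: n / len(fp) for d, n in hits.items()}


# Constructed sample data (assumed for the example, not from the article).
PROTECTED_PLAN = """Project Falcon plan. Phase one begins in March with the migration of the
billing database to the new cluster. Phase two adds the customer portal, which depends on
single sign on being available. The budget for phase one is capped and any overrun must be
approved by the steering committee before work continues. Risks include vendor delays and
staff turnover during the summer."""

# The same plan with one sentence retyped and different formatting.
RETYPED_PLAN = """PROJECT FALCON PLAN
Phase one begins in March with the migration of the billing database to the new cluster.
Phase two adds the client portal, which relies on single sign on being available. The budget
for phase one is capped and any overrun must be approved by the steering committee before
work continues. Risks include vendor delays and staff turnover during the summer."""

# A message quoting a single sentence of the plan verbatim.
FRAGMENT = "Risks include vendor delays and staff turnover during the summer."

UNRELATED = "Lunch is moved to Thursday; please update your calendars and bring the signed forms."

# Recipient domains allowed to receive each protected document (assumed policy).
POLICY = {"project-falcon-plan": {"example.com", "partner.example.net"}}


def build_library() -> FingerprintLibrary:
    lib = FingerprintLibrary()
    lib.add("project-falcon-plan", PROTECTED_PLAN)
    return lib


def decide(lib: FingerprintLibrary, body: str, recipient: str) -> tuple[str, dict[str, float]]:
    """Block if the message carries a protected document to a domain the policy does not allow."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    matches = {d: s for d, s in lib.match(body).items() if s >= THRESHOLD}
    for doc_id in matches:
        if domain not in POLICY.get(doc_id, set()):
            return "block", matches
    return "allow", matches


if __name__ == "__main__":
    lib = build_library()
    for text, rcpt in [(RETYPED_PLAN, "cto@example.com"),
                       (RETYPED_PLAN, "reporter@news.example.org"),
                       (FRAGMENT, "reporter@news.example.org"),
                       (UNRELATED, "reporter@news.example.org")]:
        verdict, m = decide(lib, text, rcpt)
        print(f"{verdict:5} -> {rcpt:26} {m}")
```

Because winnowing selects a hash from every window of consecutive shingles, the retyped plan still shares most of its fingerprints with the original, and a verbatim quote of one sentence matches completely, which is what catches the "retype a couple of paragraphs" and "parts thereof" cases the interview describes. The same library can be loaded with individual records pulled from a core system, as described for the bank deployments, though for short fixed-format values such as card or Social Security numbers a pattern check with a validity test is the more usual complement to fingerprinting.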
Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.
This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.