24 May 2011

Keeping your information on lockdown

A Head-to-Head with Absolute Software and Ascertia Ltd


CXO asked two leading experts in IT security about the burning issues taking up most of their time. Over to William Pound, VP International Operations, Absolute Software and Rod Crook, Solutions Director for Ascertia Ltd.

CXO. What’s driving the need for electronic identity verification today?
Rod Crook.
With paper-based processes people felt comfortable about detecting fraudulent changes; the evidence of signed documents was persistent. In today’s e-business world any electronic document can be changed without trace, although of course, with forensics one can determine perhaps when it may have been changed and possibly by whom. But this level of inspection is not practical in on-line business. Digital identities are needed to provide access control, role-based authorisation and then to further provide digital signatures and encryption options for various document types. Without such protection services there can be no real trust and e-business processes are open to manipulation and abuse – just look at the recent European bank trader frauds.

CXO. Which is of greater concern at the moment: external threats or internal threats?
William Pound.
Companies are constantly being bombarded by security threats, and in my opinion most emphasis is usually put onto network security from an external perspective. That being the case, the internal threat should be of greater concern. The real issue is that more and more people are carrying more sensitive information outside of the office. Whether through loss, theft or inappropriate procedures and adherence to them, mobility represents a challenge for most organisations to deal with. If you consider the recent loss of the HMRC CDs in the post, that was down to staff not adhering to process. The results were very damaging in terms of reputation and the risk that this puts on the business is high.

CXO. What sort of benefits can different industries gain from changing to eID and digital signatures?
RC.
I can summarise this in one word: trust. Naturally digital identities need to be managed (issued, suspended or revoked) with due care, but this is not hard to do. HR and line management must take responsibility for knowing where their people are and what their current status, role and rights are. Applications can check these identities and permissions and use these to enforce a tight binding of security, like ‘who are you’, ‘what are you trying to do’, ‘let me check your authority’, ‘okay I need you to sign and approve this’, (repeat for an approver). For a recipient they can follow a similar process ‘here is an instruction or document + here is the verifiable evidence of who authorised this, who has approved it’. In a trusted workflow process people cannot deny their involvement, unauthorised changes cannot go undetected, unsigned documents cannot be mistaken for those that are approved. Such processes substantially enhance internal controls, aid audit and reduce risks and potential liabilities. They also ensure compliance with a myriad of legislative and regulatory requirements.

CXO. Is end-point security still of importance?
WP.
Yes. I would say that endpoint security is critical to an effective IT security strategy. As I said above, if we take the meaning of endpoint security to be a computer or laptop, these devices have been the main cause of the majority of data loss headlines in recent months. It is imperative to safeguard the data kept on these devices, not least to stop it getting into the wrong hands, but also to safeguard the reputation of the business, the damage of which can be an inevitable side effect of data loss.

It is critical that a number of precautions are taken to secure endpoint devices. Everything from only allowing authorised staff and machines off the company premises, to password protection, encryption and tracking and recovery software. It is important that each and every device can be accounted for.

CXO. How is customer feedback enabling you to build better products? 
RC.
Customer feedback is essential – we work with our customers to understand their requirements and we proactively update our products as we see common market requirements emerging. Discussion about real business workflows also shows when the existing flexible options within the products need to be extended and how this might best be done within ERP, CRM, ECM and other environments.

CXO. What is the one thing that most enterprises are still failing to do to protect themselves?
WP.
Probably the biggest single issue that I can see is that no one outside of IT departments thinks enough about security until something happens. As such, there are very real barriers in the ability to garner sufficient funding and in ensuring that security policies and processes are adhered to by every single member of staff. Again, with reference to a number of the high profile data loss incidents, they have been caused by either unauthorised staff making the wrong decisions or negligence.

The thing that I come across frequently is disjointed security products that have been deployed to solve a particular issue, normally after an incident. It is imperative that a holistic approach is taken, which is future-proof. We don’t know what the next threats will be, but we need to protect against them. Otherwise we run the risk of closing the stable door after the horse has bolted, or in this case, after the data has gone missing and the business’ reputation is in shreds.

CXO. Are there any technologies or developments around the corner that you see coming onto the market and benefiting customers?
RC.
The world is just starting to become familiar with the basics of digital identities. We believe there will be a quick progression to a level of use such that these elements will be needed:
• Timestamp authorities - to confirm the date and time at which a document was evidenced or notarised;
• Historic validation services - to be able to check older documents;
• Long-term signatures that remain verifiable beyond the relatively short life of the signer’s certificate;
• Archiving solutions – to ensure that documents can be kept securely for decades to come and perhaps up to one hundred years or more.

CXO. How can your solutions best help companies stay safe?
RC. Ascertia focuses on providing easy-to-implement, easy-to-use digital signature technology. In the past databases were big and complex; now everyone uses them with ease. We are doing the same for digital signatures. Business managers do not want to see the technology, they do not want to be asked complicated questions about which certificate, which format, what key length, etc., and so we don’t. The products can be configured to understand multiple signing profiles, verification profiles defined once by an administrator and used many times by applications and end-users.

Our products enable end-users to sign on desktop and servers and enable corporate applications to sign with corporate digital identities. In addition the products enable the simple yet effective use of internal or trusted external identities. EU Qualified Digital Certificates have legal weight across Europe and our products enable trust across both Europe and around the world.

WP. Our product, ComputraceOne, can help businesses on a number of levels. Our business is built on a simple premise: You can’t secure what you don’t control, and you can’t control what you don’t know you have.

It was developed primarily to help businesses keep track of all of their devices and extend their control to those devices once they might have lost physical possession. How many companies actually know the number of devices that they actually have? All of those devices contain varying degrees of sensitive information about the company, customers or partners. Once an employee has left the business, for whatever reason, it is imperative that all devices are given back to the business. You would be shocked at how many ‘go missing’ without anyone realising.

The second function of ComputraceOne is that it allows laptops to be tracked and recovered in the event of them being lost or stolen. This is great from the point of view of actually getting the device back, as well as bringing the thief to justice.

The third, and probably most interesting function of ComputraceOne is its ability to remotely delete sensitive and confidential files and if necessary disable a lost or stolen laptop entirely.

Rod Crook is the Solutions Director for Ascertia Ltd. Over the last 20 years, he has advised various organisations on the most effective ways to deliver trust services. The solution components include identity management, traceability, accountability, digital signature creation, verification, data encryption and role based management services.

William Pound is VP International Operations for Absolute Software.

