The Compliance Oriented Architecture - are we there yet?
Over a decade ago, Quocirca looked at the current means of securing data, and decided that there was something fundamentally wrong. The concept of solely relying on network edge protection, along with internal network and application defences, misses the point. It has always been the data that matters - in fact, not really even the data, but the information and intellectual property that data represents.
To our minds, enterprise content management (ECM) has not lived up to expectations around information security: it only dealt with a very small subset of information; it was far too expensive; and it has not evolved to support modern collaboration mechanisms. It is also easy to circumvent its use, and far too easy for information assets to escape from within its sphere of control.
As an increased need for decentralised collaboration evolved and cloud computing offered new ways of sharing information, the problem became more complex. There was an increase in the difficulty of defining the network edge as the value chain of contractors, consultants, suppliers, customers and prospects grew, and in ensuring that the new silos of data and information being held in places such as Dropbox, Box and other cloud-based data stores were secure. However, in contrast to the problems with ECM, the problem with cloud-based information sharing systems was in trying to stop individuals from using them: usage has grown, and in many cases, the organisation is oblivious to these new data stores.
Sure, these silos have evolved to provide greater levels of security - but they are self-contained, with any such security being based primarily around encrypting files at the application or email level, or managing documents/files as long as they remain within the secure cloud repository or local secure 'container' (the encapsulation of a file in a proprietary manner to apply security on that file) on the host.
The problem with just using application- or email-based encryption is that if the passcode created by the user is not strong, it can be hacked. Keys also have to be distributed to each person that needs to have access to the data - and such sharing is difficult and insecure in itself. Each key created has to be managed by the owning organisation (even where key management tools are in place), which presents another problem when keys are lost and have to be recovered. However, all data that is outside of the central repository is now out there forever - once received and unlocked, it can be forwarded in emails, be modified, and leave uncontrolled copies of itself all over the place.
The same applies to the use of containers to try and track and monitor how data is being dealt with. It is difficult, outside of a full digital/information rights management (DRM/IRM) platform, to track data across a full value chain of suppliers and customers - and it is expensive. Using containerised defences within a system still has drawbacks: the security only works across those using the same system or cloud container. Once that file leaves the container, the data is in the clear for anyone to do whatever they wish with (as described above).
To try and address the problem, Quocirca came up with an idea we called a compliance oriented architecture, or a COA. The idea was to provide security directly to data, such that it was secure no matter where it was within or outside of a value chain. At the time, the best we could come up with to create a COA was a mix of encryption, data leak prevention (DLP) and DRM. We accepted that this would be expensive - and reasonably easy for individuals to work around.
Since then, we have seen many technical products that have gone some way towards information security, yet none, to our mind, has hit the spot of the COA.
Now, we wonder whether FinalCode has come up with the closest system yet.
When Quocirca first spoke with FinalCode, although we liked the approach, we had worries over its interface and overall usability. We liked the technical approach - but felt that individuals may not have enough understanding of its value and operation to actually use it. With its latest release, FinalCode 5, Quocirca believes that the company has managed to come up with a system that offers the best COA approach to date.
What does FinalCode do? It acts as a secure proxy between an information asset and the individual. Either directly through its own graphical interface or through the use of its application program interface (API), documents can be secured as close to source as possible - with policy being enforced by the OS and through the application being used (e.g. Microsoft Office, CAD applications, etc) in most cases. So the sender and recipients work in the application they are accustomed to.
Once the document to be shared is put through FinalCode, the FinalCode system encrypts it with a one-time code, and manages keys as necessary. The information creator (or a corporate policy) applies rules around how the information can be used - and by whom. Joe may have read, edit and email forward capabilities; Jane may only have read. When the document reaches them, they first have to download a very small FinalCode client (a one-time activity). From there on, everything is automated - they do not have to know any keys, and they will be informed at every step what they can do.
So, if Jane tries to forward on the document, she will be informed that she is not allowed to do this. If she tries to cut and paste any content from the document to another one, she will be prevented.
It makes no odds where Jane is - she can be within the same organisation as the originator, could be a trusted partner in the value chain, or could be an accidental inclusion into an email list. All the actions that she can do are controlled by the file originator or a corporate policy. Should Jane have received the file by accident, she won't be able to do anything with it, as her name will not be in the list created by the originator for her to gain access to the content of the file itself. If a trusted person leaves the company they work for, then the files they have access to can be remotely deleted by the originator. It also means that the document can be stored anywhere, distributed in any way - as FinalCode's capabilities are not container based, files can be used in whatever workflow suits the user or business requires; secured files can be output to a local disk, a network share or a cloud service - and all its restrictions and functionalities are maintained.
Other functions include setting the number of times a document can be opened, including a visible or invisible watermark on documents and allowing recipients access to a file for a set time period only.
This is all managed without FinalCode 'owning' the data at all. Although FinalCode operates as a cloud service, it is only really operating as a key management and functional control mechanism. As far as it is concerned, all information is just ones and zeros; it never actually sees the data in the clear. Encryption is carried out at the originating client; decryption is carried out at the receiving client. The receiving client obtains the usage permissions, all of which are maintained by the FinalCode server.
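The split described above (content stays on the clients, the service holds only keys and usage rules) can be modelled in a few lines. This is an added conceptual sketch, not FinalCode's code or API: the class, method names, per-recipient open counting and the recipient "pat" are assumptions made for illustration, and revocation here only stops further key release.

```python
import secrets

class PolicyServer:
    """Hypothetical key/policy service: holds keys and rules, never file content."""
    def __init__(self):
        self._files = {}

    def register(self, key, acl, max_opens=None, expires_at=None):
        # acl maps recipient -> set of permitted actions, e.g. {"read", "edit"}
        file_id = secrets.token_hex(8)
        self._files[file_id] = {"key": key, "acl": dict(acl), "opens": {},
                                "max_opens": max_opens, "expires_at": expires_at}
        return file_id

    def revoke(self, file_id, user):
        # Originator withdraws access; later key requests from this user fail.
        self._files[file_id]["acl"].pop(user, None)

    def request_key(self, file_id, user, now):
        """Return (key, actions) when policy allows an open, else (None, reason)."""
        f = self._files.get(file_id)
        if f is None or "read" not in f["acl"].get(user, ()):
            return None, "not on recipient list"
        if f["expires_at"] is not None and now >= f["expires_at"]:
            return None, "access period ended"
        used = f["opens"].get(user, 0)  # assumption: opens are counted per recipient
        if f["max_opens"] is not None and used >= f["max_opens"]:
            return None, "open limit reached"
        f["opens"][user] = used + 1
        return f["key"], frozenset(f["acl"][user])

def demo():
    server = PolicyServer()
    key = secrets.token_bytes(32)  # one-time key created on the originating client
    fid = server.register(key, {"joe": {"read", "edit", "forward"}, "jane": {"read"}},
                          max_opens=2, expires_at=1000)
    results = {
        "joe": server.request_key(fid, "joe", now=10),
        "jane": server.request_key(fid, "jane", now=10),
        "pat": server.request_key(fid, "pat", now=10),  # accidental recipient
    }
    server.request_key(fid, "jane", now=20)  # Jane's second permitted open
    results["jane_third"] = server.request_key(fid, "jane", now=30)
    results["joe_late"] = server.request_key(fid, "joe", now=1000)
    server.revoke(fid, "joe")
    results["joe_revoked"] = server.request_key(fid, "joe", now=40)
    return key, results

if __name__ == "__main__":
    print({who: r[1] for who, r in demo()[1].items()})
```

In this model the server decides only whether to release the key; blocking forwarding or copy and paste after release depends on the receiving client honouring the returned action set.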
With pricing being based on low-cost subscriptions, FinalCode is a system that can be rolled out pretty much to everyone within an organisation, providing this high level of a COA. There will be problems for FinalCode - there always are for vendors. It is, as yet, still not a well-known name. It also runs the risk of being confused with the likes of Dropbox and Box. However, with the right messaging, FinalCode can deal with the second problem (indeed, it should be able to work well alongside such cloud stores) - and as its usage grows, its name should spread organically.
So, when the business asks from the back seat as to whether they are there yet in their seemingly endless journey to a COA, IT can now honestly respond with an "almost there, yes". (Note: since writing this article, another company, Vera, has come to Quocirca's attention that looks similar. We will be investigating...)