
DATA SECURITY · Vormetric software guards data by restricting internal access
BY MARK D. UEHLING
October 14, 2004 | LAST MAY, FOR ONCE, Microsoft didn't have to endure the taunts of the world's most nefarious hackers. The FBI began investigating the theft of source code from Cisco Systems. Hackers had brazenly posted 800 MB of stolen Cisco code online to prove they committed the heist.
Cisco acknowledged the FBI investigation. It was proof that any electronic wall around the modern corporate castle is permeable. For if there is one company that should be able to protect its perimeter, it's Cisco — the company that builds the Internet's firewalls and routers.
Now, however, there is a new file-based approach to data security from Vormetric, a tiny 55-person company out of Santa Clara, Calif. Phil Grasso, one of the founders, says the traditional approach to data security — one based on firewalls and super-users with vast privileges — holds many perils. "Building a wall around the whole thing is not the answer," Grasso says. "If you're not deploying specific data-defending technologies inside your infrastructure, you're not solving this problem."
At least one U.S. government intelligence agency is a Vormetric customer. So are a variety of large financial institutions. As Grasso points out, the big threat to classified data, intellectual property, even mailing lists is not necessarily a disgruntled employee. Rather, it's the fact that someone with a sysadmin password — which can be acquired with guile or money — can wreak havoc.
Consider what happened to Eli Lilly. In 2001, the Federal Trade Commission investigated how the e-mail addresses of thousands of patients taking Prozac fell into unauthorized hands. To quote the FTC, Lilly "has not employed measures and has not taken steps appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information." In a May 2002 settlement, Lilly agreed to identify "internal and external risks" and fix the problem.
In pharma, even with highly secure Oracle databases, Grasso notes, many individuals might have the privileges to copy a set of data files and read them offsite. "We call those bypassing attacks," he says. "You're going around all that good security that Oracle puts in. It isn't Oracle's fault. This is outside the scope of what Oracle deals with." Oracle acknowledges the risk, and Vormetric is one of its security partners.
CoreGuard Access Controls
Authentication: Wraps authentication system to validate user and application credentials
Authorization: Restricts user/application to specific file operations and data
Audit: Logs all admin actions, access events, and attempted violations
| Context Attribute | Purpose |
| --- | --- |
| Who | Users or groups that may access the protected data; applications those users may use to access protected data |
| What | The file system operations available to the subject specified by “Who” |
| Where | Identifies the protected data (file(s), directory, wildcard) |
| When | Verifies time window for authorized access for window-sensitive tasks (e.g., backup, contract employee) |
| How | Separates the ability to access data from the ability to view data |
The Vormetric solution is a combination of hardware (at least one $80,000 pair of servers) and software. The company encrypts raw data in specified folders and files but leaves metadata in the clear. That allows the data to be managed by a database administrator or system administrator — but not read by any unauthorized eyes. Grasso says the notion that such systems impose a performance penalty is false in an age of faster processors and better encryption algorithms.
The core concept in the Vormetric software is that files can be opened by only certain applications, and that access to both should be specified and controlled. In Vormetric's system, for example, it's easy to set up the computers to grant John in payroll only the ability to back up the data; and to let Mary only read them.
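The five context attributes from the CoreGuard table can be modeled as a default-deny rule check. The sketch below is an added illustration, not Vormetric's code: the user names follow the article's John and Mary example, while the application paths, time windows and the `/payroll/*` location are assumptions.

```python
from dataclasses import dataclass
from datetime import time
from fnmatch import fnmatch

@dataclass(frozen=True)
class Rule:
    users: frozenset   # Who: users or groups
    apps: frozenset    # Who: applications those users may run
    ops: frozenset     # What: permitted file system operations
    where: str         # Where: glob naming the protected data
    start: time        # When: start of the authorized window
    end: time          # When: end of the authorized window
    cleartext: bool    # How: True = may view data, False = encrypted bytes only

# Constructed policy; application paths, windows and /payroll are assumptions.
RULES = [
    Rule(frozenset({"john"}), frozenset({"/usr/bin/backup"}), frozenset({"read"}),
         "/payroll/*", time(1, 0), time(4, 0), cleartext=False),
    Rule(frozenset({"mary"}), frozenset({"/opt/payroll/report"}), frozenset({"read"}),
         "/payroll/*", time(8, 0), time(18, 0), cleartext=True),
]

def evaluate(user, app, op, path, now, audit):
    """Default-deny decision: 'cleartext', 'ciphertext' or 'deny'. Always audited."""
    decision = "deny"
    for r in RULES:
        if (user in r.users and app in r.apps and op in r.ops
                and fnmatch(path, r.where) and r.start <= now <= r.end):
            decision = "cleartext" if r.cleartext else "ciphertext"
            break
    audit.append((now.isoformat(), user, app, op, path, decision))
    return decision

def violations(audit):
    """Count denied attempts per user, the input for a manager alert."""
    counts = {}
    for _, user, _, _, _, decision in audit:
        if decision == "deny":
            counts[user] = counts.get(user, 0) + 1
    return counts

if __name__ == "__main__":
    log = []
    f = "/payroll/2004-10.dat"
    print(evaluate("john", "/usr/bin/backup", "read", f, time(2, 0), log))
    print(evaluate("mary", "/opt/payroll/report", "read", f, time(9, 0), log))
    print(evaluate("root", "/bin/cat", "read", f, time(9, 0), log))
    print(violations(log))
```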
That's a compartmentalization of authority, and a departure from the current paradigm. At most companies, super-users have the ability to read anyone's e-mail or delete log files. "If you're a sysadmin," Grasso says, "you can change the settings. This is the problem. We're trying to manage the insider threat with security. The sysadmin access has to be something that we control."
Vormetric's answer is software that allows a person's role to determine what he or she can do with data. It's all auditable and can be programmed to send e-mail alerts to managers if Jim in manufacturing has suddenly been trying to read gigabyte after gigabyte of drug-discovery data.
Of course, if Grasso were the only person to think all this was a good idea, he wouldn't have much of a business. But big financial institutions in the United States and Japan are testing the technology, worrying about new regulations. There isn't the same urgency in pharma, with ongoing uncertainty over the aggressiveness with which the FDA will enforce 21 CFR Part 11.
Still, one Big Pharma firm on the East Coast is testing the technology, and the University of Texas Health Science Center has purchased it. Kevin Granhold, director of server and desktop services at the Houston medical center, with its 2,000 faculty members, says that some of his IT staff welcome the Vormetric technology's ability to insulate them from criticism that they may have meddled with a server. He views the technology as a morale booster as server logs become much more difficult to tamper with.
"If there becomes a problem, you can't point the finger at the administrator," Granhold points out. "You can look somewhere else." There has been no performance degradation at all, he reports. HIPAA was one driver for the purchase, he says. Another was the breadth of the solution — the technology and its cost could be easily split across many departments in the university.