Software lets agencies limit use of data

Infraworks Corp. this month released a new product that will enable agencies to control how their information is used, even once it leaves their networks.

While it has become commonplace for federal agencies to control the use of information within their networks with encryption, passwords or other forms of authorization, there has been no way for administrators to enforce how the information is handled once a user has access.

Infraworks' InTether uses several layers of file security to enable information owners to set levels of permission for users. If a user tries to get around the restrictions, the data is destroyed. Administrators can set restrictions such as limiting the time information is available or denying the ability to copy or download a file. The result is that users can only access data in the manner an administrator wants.

"It gives the owner or the sender of the information complete control over how the receiver can use it," said Robert Gomes, president of Infraworks. "They want to have information exchange with certain conditions or strings attached to it."

This level of control is something for which many organizations have been waiting a long time, analysts said.

"It'll certainly meet a pent-up demand," said Jim Hurley, managing director of information security at Aberdeen Group. "The lack of control over information that is distributed over the Internet is a problem that has bothered administrators for some time."

Beyond its obvious benefits, the key to InTether is that it is the only product that will provide this kind of control for all files, regardless of format or application, Hurley said.

"The lack of restriction in terms of a data file format means that anyone can use this for all their information," he said.

Other companies are focusing mainly on establishing control over a single file format, usually Adobe Systems Inc. Acrobat Portable Document Format files, and are using methods that make the protection too inconvenient to use regularly, Hurley said.

The first level of security in the product comes from making the file invisible to a user's file directory system, which can block any or all of the user's authority to change, copy or move the data.

Within those parameters, users can only access the files by using the InTether receiver, which automatically can be included in the secured file or downloaded for free from the Infraworks World Wide Web site.

The enforcement behind InTether is based on one of the company's other products, Shredder. Shredder provides true deletion of files by overwriting the file and is being used extensively throughout civilian and intelligence agencies, Gomes said. Whenever users try to do something with a file for which they are not "permitted," Shredder will completely delete the information, effectively blocking unauthorized access.

The need for this technology became clear to the military in the early 1990s, said George Friedman, chairman and chief technology officer at Infraworks. Classified encrypted images and information were being sent to warfighters in the field, but once the files were decrypted by recipients, there was no way to tell who was authorized to view them, he said.

This technology also could solve security problems such as those experienced by the Energy Department at the Los Alamos National Laboratory, where an authorized user allegedly removed classified information from the lab. Such problems could be avoided by using InTether to block the ability to download and take files out of the network, Gomes said.

The beta version of InTether will be available in mid-November, with the final product expected by the beginning of December.