“Don’t make it too difficult,” said Blair Canavan, vice-president of business development at Titus Labs Inc., in a presentation on secure information sharing and protective marking at the Microsoft Public Safety Symposium held at Microsoft Canada headquarters in Mississauga, Ont., last week.
Canavan encouraged the audience of Canadian police and military to take a look at Titus Labs’ Message and Document Classification solution, a tool based on the Microsoft platform that works with Outlook, Office, SharePoint and Windows Server 2008 R2.
The tool enforces adherence to policy and compliance regulations by requiring users to mark and label their e-mails before sending them. “They are the ones who typically know what the value of that information is in the context of what they do,” he said. According to Canavan, the tool is so easy to use, it doesn’t require training.
When an e-mail is composed, a pop-up box appears that requires the sender to select a classification label, which can be as simple as a choice between three options. More advanced features safeguard inadvertent mistakes by blocking e-mails that breech policy.
The built-in policy verifier, for example, can block users from sending messages to external domain names like Gmail or Hotmail, prevent e-mails with attachments marked confidential from being sent to unqualified recipients and block messages marked as internal from leaving the organization. A “send anyway” button allows users with permission to override policy if necessary.
The customizable tool embeds real time metadata into e-mails and adds visual indicators such as colour-coding to make it easier for end users to read. It also scans the content of e-mails and attached documents for certain expressions, key words and sensitive information like social insurance and credit card numbers to determine if encryption is required.
The tool can automatically encrypt e-mails based on the label selected, removing the need for end users to remember when they should or should not encrypt content. “The biggest challenge for any type of encryption technology is trying to train the user when to encrypt something,” said Canavan.
Government and military customers of Titus Labs include the Bank of Canada, Australian Department of Defense, Government of Scotland, MNF-Iraq, NATO and NASA. The company recently secured the Canadian Department of Defense as a client.
Getting people to use the technology is the biggest challenge for every IT manager, said Nick Mohamed, assistant IT manager for York Regional Police. “There is a tool out there for pretty much everything and really (the challenge) is that integration of that tool into the organization and the culture of the organization as well,” he said.
Mohamed plans to do further research on the U.K. model. Titus Labs appears to have a fairly simple user interface and easy integration into existing environments, he said. The technical challenge with tagging is the interoperability with other products, he said. “Similar to our experience with strong authentication on the desktop, or two-factor authentication, is how well it integrates with the system and does it prevent me from using something else,” he said.
Another challenge with tagging data is having to go back to older documents that have already been tagged, he said. Police organizations generally keep everything, so the life span of a document could be 10 or 20 years, he said. “Three to four years out from now, how do we go back and validate those documents so you have an upgrade path on it? Say you change a policy or you change the description or the category, how does that relate back to a document that was stored four years ago?” he said.
Canadian police forces have solutions in place, according to Mohamed, but centralizing all of the systems and bringing it under one umbrella to better manage it remains a challenge. “There is a high level of control on document management, but again, it comes back to different areas within the organizations having different technology being utilized,” he said.
Titus has automated a lot of tasks so in many cases people can build the types of controls that Titus has implemented on their own, said George Goodall, senior research analyst, Info-Tech Research Group Ltd. But it takes a tremendous amount of effort to get there, he said.
“We are still not beyond the customization phase of these things. There is a great toolkit there and they are very good at basically flagging confidential information and to secure information on both an ingoing and outgoing basis,” he said.
The Titus Labs tool “is effective for what it does, but without some of the other process complexities and process sophistication, it is just a part of a toolbox,” said Goodall. “It’s a great kind of traffic cop, but a traffic cop is kind of ineffective without the whole justice system built behind it.”
Part of the challenge with these types of tools is how effective you are at managing and auditing the data stores, said Goodall. “The implementation and the integration aren’t necessarily related to Titus Labs, but they are related to the degree of process sophistication and administration sophistication within the organization,” he said.