House committee moves to control sent documents

House committee moves to control sent documents

Legislators seek to track everything that happens to a document, down to the page and time it's read

By Shruti Dat'

GCN Staff

A House committee recently decided to try to take control of its own data security with software that restricts who can send a piece of information via e-mail, who can read the electronic missive and what recipients can do with it to protect sensitive information and cut routing time.

Securing information whizzing between IP addresses has typically been limited to preventing users from routing information to unauthorized people or locations. But some public- and private-sector officials who handle sensitive information say real security lies in controlling the information after clicking the send button.

'Last year, we decided to go to an electronic solution by routing documents through e-mail,' said the information technology director of the committee, which often handles sensitive information. 'On top of that, we wanted to track who was doing what to the document when. We wanted to be able to keep our arms around the documents.'

The staff installed PageVault 4.1 from Authentica Inc. of Waltham, Mass., which took about an hour to upload into the committee's system.

Greater control

'The whole idea is to give the owner control over content, not just security, but control that never ends,' said Steven Vigneaux, Authentica vice president for marketing. 'Instead of trying to stop people from sending, we stop people from reading.'

PageVault requires senders to specify the time and IP addresses from which recipients may access information, Vigneaux said. For example, a senior staff member may want to send sensitive documents to another senior colleague with 24-hour access at any IP address, but may limit an intern's access from 9 a.m. to 5 p.m. at an IP address in the office.

The committee divided its 25 members into full-, medium- and administrative-access classifications, the staff member said. Users can configure customized policies for access and dissemination, Vigneaux said.

The committee can also stipulate which page or pages recipients can read, and whether they have permission to print, copy, paste, forward or watermark a document.

Staff members also indicate which version recipients should view, and when access should expire, Vigneaux said.

Committee staff members send internal classified Adobe Portable Document Format files by registering the file with the committee's PageVault server, housed in the committee's office on Capitol Hill, by selecting 'encrypt' in the PageVault drop-down menu bar.

Senders must provide profile names and passwords to log on to PageVault servers, Vigneaux said. Authentica runs under SunSoft Solaris and Microsoft Windows NT. The PageVault application, written in C and Java, does not include authentication capabilities, but it can integrate public-key infrastructure, biometrics or other identity verification tools, he said.

PageVault encrypts individual pages by placing a 128-bit key, stored on the user's server, into an RC4 encryption algorithmfrom RSA Security Inc. of Bedford, Mass.

Committee staff members send documents via Microsoft Outlook 5.5, the IT director said. The system stores the original and an encrypted version of each file on a sender's desktop PC, Vigneaux said.

Documents can be stored on a floppy disk, e-mailed or posted on a public Web site, but cannot be read until the reader connects to the committee's PageVault server with a profile name and password.

'They may have the file, but they can't read it,' Vigneaux said. 'It's like getting shredded paper.'

The server checks the entered information against its Oracle8i database to determine whether access requirements are met; if so, the server releases one key per page to decrypt the document, Vigneaux said.

No one outside the committee can access the documents, the IT director said. The committee previously maintained manual records, database logs and locked cabinets to secure nearly 100,000 pages of sensitive information annually.

It took typically three weeks to route a document to a group of four people, the IT director said. 'It took entirely too long to route a document. The time has been cut by 99 percent. It's almost instantaneous.'

inside gcn

  • artificial intelligence (ktsdesign/Shutterstock.com)

    Machine learning with limited data

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group