In-Depth

Locking Down Digital Documents

CYA software controls who sees what and when

• By Mathew Schwartz
• 04/30/2003

“Today, once the enterprise puts information in the hands of an end user, the enterprise is at the mercy of the end user, [who] has the ability once information is on the desktop to copy, paste, forward and print,” says Elaine Price, president and CEO of CYA in Trumbull, Conn. Where information needs to be, she notes, is at a level where its creator stays in control. In other words, only accessible to people who should have access.

No doubt about it—information getting into the wrong hands is a problem for companies. According to the American Society for Industrial Security, from June 2000 to June 2001, information theft cost U.S. companies $59 billion. Any software that controls access could help companies take a chunk out of those losses.

The CYA platform consists primarily of a server and a viewer. The server connects to enterprise content management systems, information repositories, and databases, supports common file formats such as Microsoft Office documents and Adobe PDF, and audits all end-user activities to maintain compliance with security policies.

Here’s how CYA works: The document owner creates the information, puts it into the CYA UniVault Secure Collaboration Server, and selects who gets to see it and under what rules—can it be copied, printed, viewed more than a certain number of times, will it expire? Selected collaborators automatically receive an e-mail with a link to the content. To view it, a user needs online access and a viewer called the CYA Passport client, which is free. Security is enhanced because “content is not being brought down to their workstations, what's being brought down is a link,” says Bruce Rudolph, chief technology officer of CYA.

The set-up doesn’t replace enterprise collaboration or content management technology, but works with it. To facilitate enterprise rollouts, security administrators can create templates for the CYA software, so that a particular type of content can have preset security and collaboration options.

CYA is covering new territory here. There’s “no one directly head on” competing, says Carl Frappaolo, executive vice president and co-founder of Delphi Group in Boston. Secure content or collaboration players include Aegisoft, Authentica, IBM, InfraWorks, InterTrust, and Xerox’s Content Guard. “So there are folks out there looking at how you protect e-content—not just by putting it behind the firewall, but how you integrate the content with the security and how you create secure, collaborative environments. But CYA is somewhat different."

Frappaolo says the product fills an existing gap in document security. “I think the need is absolutely huge, but that is my personal opinion." Judging by the various organizations he works with, “the move to an e-based environment is not even in progress anymore, it has happened.” Yet companies still grapple with how to secure documents. Examples of where this technology could find a fit: “Anywhere where folks are sharing content.”

Take mergers and acquisitions. If the process is near completion and legal counsel from both companies share documents, and then the deal falls through, the paper-based documents get recalled. With CYA, any electronic versions could just be deactivated.

The same thing goes for pharmaceutical companies partnering with outside companies, especially when proof-of-patent means showing the earliest documentation of a concept. On a more mundane level, companies could use it to control access to sensitive documents, along with having an audit trail and easy deactivation when an employee leaves.

One potential problem with secure e-reader software is that it has to be transparent or people won’t use it—they’ll continue to swap Word documents via e-mail. Frappaolo says the product is indeed transparent, if not to administrators at least to end users. “You could set it up in such a way that users don't even know it's there until it bites them, meaning the user tries to do something they're not allowed to.”

That will be crucial for people to actually want to use the software. Frappaolo notes: “So many organizations see security as an inhibitor, the more they tighten the screws, the less they can actually do. What we're saying is, if you take an intelligent approach to security, the tighter you make it, the more open you can be, because you can trust that it's not going to fall into the wrong hands."