Protecting Customer Data at the Browser Level

Once information appears in a browser, users can copy or print it as they please. Security managers have a new option for safeguarding such content.

Can protecting information at the browser level stem identity theft?

The Federal Trade Commission says identity theft is the fastest-growing crime, costing businesses $47.6 billion last year and affecting one in eight Americans. When it comes to safeguarding customers’ information, or corporate secrets, companies are looking for any help they can get.

Yet despite the growing problem, “until now, most companies haven’t done enough to protect their customer data, whether the employees accessing the data are located in-house or outsourced to a third party,” notes Don Bell, president of MailboxSecurity, an application-security provider of Authentica and OmniTrust Security Systems products.

“Most organizations do deploy encryption, virtual private [networks], and firewall security measures, but you still have the human factor. While the vast majority of workers are honest, it only takes one to ruin a customer financially.”

Locking down content, however, is difficult, especially given the wide use of browsers to give easy access to many different enterprise applications. Companies need employees to have free and easy access to applications. Often, workers need fast and easy access to sensitive information, especially in a call-center or other customer-oriented setting, when representatives might be verifying credit card numbers and maiden names, and concluding customer interactions as quickly as possible.

Here’s the problem: browsers don’t restrict what users can do with what appears onscreen. Once HTML information appears in a browser, users can copy or print it as they please.

Now, however, security managers have a new option for safeguarding content: selectively disabling Windows features, such as copying or printing, to prevent inappropriate use of sensitive information. One product able to do this is Protected Browser from OmniTrust.

With Protected Browser, sensitive data can be viewed and protected fields can be altered, but security administrators can restrict printing, copying, saving, or even use of the Windows “screen-capture” feature. Though such screen grabs are images, any text on them is easy fodder for optical character recognition software.

Restricting what users can do with information makes it more difficult for them to steal sensitive data, short of writing it down.

Protected Browser is a combination of server- and client-side software. OmniTrust’s Web server software arbitrates any requests for protected content, which is designated by directories on the server. On the client side, an Internet Explorer plug-in allows users to view the protected, HTML-based content. The plug-in remains hidden until users actually attempt to view protected content, at which point the word “protected” appears in a toolbar, indicating they have restricted options for dealing with it.

Too often, people “don’t have any idea how easy it has become for people to obtain and distribute or sell their private information to outsiders,” says Michael Mansouri, OmniTrust’s president and CEO. “We developed this product … so that consumers can do business with vendors without fear of personal information abuse.”

OmniTrust says companies outsourcing sensitive customer information—say, to a third-party call center—can better ensure the information doesn’t walk out the door. Newer regulations, including the Gramm-Leach-Bliley Act, require companies to safeguard sensitive customer data, even if it’s supplied to a third party.

Early users of the technology include a Spanish stock-analysis firm, which protects its investment advice to consumers; a university, which uses it for secure distribution of exams; and a publisher of law texts, which distributes the texts online but requires a protected browser to view them.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.