Sealing Cracks
By Baselinemag | Posted 2007-02-14
The HMO wanted to encrypt confidential e-mail messages, but some employees were not following the rules.
To mitigate that risk, Patterson's team initiated three e-mail security projects in 2006: e-mail encryption, file-based encryption and outbound e-mail content filtering. In total, Harvard Pilgrim spent less than $500,000 on e-mail security systems for its workforce of 2,200, according to Patterson, or less than $230 per employee.
First, in February the HMO rolled out PGP's Universal Server, an encryption system that works with the organization's Lotus Notes 6.5 e-mail system.
Under Harvard Pilgrim's current policy, whenever employees send out an e-mail containing confidential data, such as a Social Security number, they must click on a button in the Notes software that says "PGP Send." That tells the PGP server to scramble the contents of that e-mail. An outside user who receives a PGP-encrypted message sees instructions for downloading a certificate from a Harvard Pilgrim Web server, which allows the e-mail program to decrypt the contents of the message.
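The article's third project, outbound content filtering, is the safety net for employees who forget the "PGP Send" button. The following is an added example (not Harvard Pilgrim's or PGP's code) of the kind of check such a filter performs: it quarantines outbound mail that carries a Social Security number in the clear and lets already-encrypted mail through. The `X-PGP-Encrypted` marker header, the SSN pattern and the three sample messages are constructed assumptions for illustration.

```python
"""Outbound e-mail filter illustration: stop clear-text SSNs leaving the network.
Assumed: the encrypting gateway marks processed mail with an X-PGP-Encrypted header;
PGP/MIME and inline ASCII-armored messages are also treated as protected."""
import re
from email import message_from_string
from email.message import Message

# SSN shape AAA-GG-SSSS (dash or space), skipping area 000/666/9xx and zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ](?!00)\d{2}[- ](?!0000)\d{4}\b")
ENCRYPTED_MARKER = "X-PGP-Encrypted"  # assumed header name, not a PGP product header


def body_text(msg: Message) -> str:
    """Concatenate every text/plain part of the message (walk() covers single-part too)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def is_encrypted(msg: Message) -> bool:
    """True if the gateway marked it, it is PGP/MIME, or the body is PGP-armored."""
    if msg.get(ENCRYPTED_MARKER, "").strip().lower() == "yes":
        return True
    if msg.get_content_type() == "multipart/encrypted":
        return True
    return "-----BEGIN PGP MESSAGE-----" in body_text(msg)


def classify(raw_message: str) -> str:
    """Return 'allow' or 'quarantine' for one raw outbound message."""
    msg = message_from_string(raw_message)
    if is_encrypted(msg):
        return "allow"                      # confidential or not, it is protected
    if SSN_RE.search(body_text(msg)):
        return "quarantine"                 # policy violation: SSN sent in the clear
    return "allow"


# Constructed sample messages (not real traffic).
CLEAR_SSN_MSG = ("From: claims@example.com\nTo: partner@example.org\nSubject: claim\n\n"
                 "Member SSN 123-45-6789, please process.\n")
ENCRYPTED_MSG = ("From: claims@example.com\nTo: partner@example.org\nX-PGP-Encrypted: yes\n\n"
                 "-----BEGIN PGP MESSAGE-----\nhQEMA...\n-----END PGP MESSAGE-----\n")
HARMLESS_MSG = "From: hr@example.com\nTo: staff@example.com\n\nLunch is at noon, extension 4521.\n"
```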
Still, analysts say that any approach for encrypting e-mail will require correspondents to jump through some hoops. "At some point, [encryption] typically gets in the way of people communicating," says Eric Ogren, a security analyst for the Enterprise Strategy Group, a Milford, Mass.-based research firm.
But to meet Harvard Pilgrim's privacy goals, Patterson wanted to ensure that e-mail messages were encrypted no matter where they physically resided.
"It's hard to sniff the data over the Internet," he says. "I'm worried about mail going to an Internet service provider's servers and it's going to sit there."
On the heels of the PGP project, Harvard Pilgrim deployed file-encryption software from Credant Technologies on 2,200 PCs. That software automatically encrypts all of the data on its laptop and desktop computers, so if any of those PCs were stolen, the data would be meaningless to a thief without the right password.
According to Patterson, a big benefit of the Credant software is that it works with Microsoft's Active Directory authentication scheme, so that employees don't need to enter a separate password when they log on to their computers. Moreover, Harvard Pilgrim deploys a self-service password retrieval system from Courion that uses voice-recognition technology: An employee can verify his or her identity by speaking a key phrase over the phone to the Courion system, which then resets the password in Active Directory.