Defence Business: Securing documents: Australia ahead of the game | ADM June 2012


Back in 2004, a little-known Canadian-based security software consulting company, Titus, received an email request from the Australian Federal Police (AFP) for an email classification product. They wanted a customised tab for inserting the classification level in Microsoft Outlook, recalls Tim Upton, Titus’ president and founder.

Upton’s company offered a plug-in for Microsoft’s email client Outlook. It automated the marking and reduced accidental errors, a data loss prevention (DLP) measure.

Though aware of Australia, Upton was unfamiliar with the AFP and undertook diligence checks, such as calling back by phone, to ensure the request was genuine. He discovered the AFP was looking to make it easier for staffers to mark the security level of their emails and to reduce data spills. The AFP wanted a different set of classifications.

Upton’s first software customisation sale to the AFP accounted for 100 per cent of his sales of the product that year. Over the next few years other agencies including Defence, Finance & Deregulation and Taxation also bought the Titus product. At the time, no formal standard existed for defined markings such as UNCLASSIFIED, IN-CONFIDENCE, RESTRICTED, CONFIDENTIAL, HIGHLY-PROTECTED, SECRET and TOP-SECRET for email messages.

The dream was for email systems to automatically manage each email message according to its classification, whether it was created within the agency or received from another Government agency.

In October 2005, the first version of the Australian standard known as Email Protective Marking Standard (EPMS) was issued to agencies and endorsed by the Defence Signals Directorate (DSD) to help protect sensitive official information.

This followed DSD’s security clearance for RIM’s Blackberry mobile phones, which allowed Blackberry to be used for secure communications by Government employees in April 2005. While the security of the Blackberry handsets was looked after by a separate back-end server, front-end data spills could occur if a misclassified document was received, forwarded or posted. The EPMS has been in place since 2007 and is mandatory for all Federal Government agencies. It covers security marking of all government email.

“This standard gave Australia a head start in this field,” Upton said. “It also gave me an inkling that there was a demand for this, especially in security sensitive areas.” The Government has since revised the email protective marking policy (EPMS) to version 2011.1 in September 2011, in response to changes to security classifications by the Attorney-General’s Department in July that year.

AGIMO’s first assistant secretary for policy and planning, Glenn Archer, said that agencies were progressively moving to the 2011.1 arrangements. He said agencies were responsible for the procurement of email systems and any third party tools such as Titus that enabled protective email marking.

Other third-party vendors, including local start-up JanusNet, which co-wrote the initial EPMS along with Titus, have since updated their software products to comply with EPMS 2011.1. A further minor revision of the EPMS, codenamed 2012.1, is under development but is not a substantial change. It is understood to offer more options for dissemination limiting markers where disclosure may be limited or prohibited by legislation, or where emails may otherwise require special handling. Though a document may be unclassified, there can still be personal or legal sensitivity about it, and the latest version offers more guidance on these matters and their tagging.

JanusNet also grew its customer base in Australia, selling to agencies such as Customs, Department of Education, Employment and Workplace Relations, Treasury, Broadband Communications & Digital Economy as well as smaller agencies. AusTender, the Federal Government’s online record of Government contracts, estimates JanusNet has done about $375,079 worth of business since 2007. However, Titus, which attracted Defence, did $1,043,636 worth of deals according to AusTender over a similar period. It also began to dominate the market globally and experienced seven years of growth averaging 50 per cent.

“Security has been good for us,” Upton told ADM.

At the time of the interview, Titus claimed some 300 enterprise customers across all industries with some 2 million licenses. “We just closed the US Joint Chiefs of Staff as the customer 60 days ago. Our other customer is Interpol. We closed a sale with them too,” he said.

Given the rocket-science complexity of some defence communications networks, Upton says the key to Titus’ success has been making tagging emails and other electronic documents simple and easy for the user. “We are not following anyone in this market. We built the widget for one customer (AFP), and we just listened to customers,” Upton said.

Upton attributes his success to specialising in document security and letting the heavyweights such as Sophos and Symantec worry about broader threat issues.

“We fit in with other security vendors and we make their products better,” he said. He concedes his initial product, the plug-in for Outlook, seems trivial.

“That’s why we continue to exist. From a distance, it looks trivial. But it’s very hard to make something look easy.”

Building reliable software that has to be run by every single user in the enterprise (some 2 million users worldwide), every single day, for every single email, is actually quite challenging.

“What they touch is touched by us,” he said. “It’s hard to get that reliability and for it to work consistently and across Outlook 2003, 2007 and 2010, every single service pack, every “hotfix”, 32-bit, 64-bit, for Win7, WinXP, Vista - that's for just one product.”

Titus has rolled out similar tagging products for Microsoft’s Word, Excel, Powerpoint, and Sharepoint. These are then integrated with McAfee and Symantec security software. Upton has scheduled similar launches to support iPhone, iPad, Android and Blackberry.
