

PrivyLink to trusted information systems

Caption: Prof. Lam Kwok Yan, founder and CEO of PrivyLink, which specialises in application-level security solutions.

May 2008: Frauds committed by insiders or employees inside an organisation are on the rise. Such activities are usually carried out over a long period of time without being detected, as in the case at financial services giant Société Générale Group early this year.

But internal threats can be neutralised by using strong cryptographic protection of sensitive data during storage and transit, enforcement of accountability of every employee, and complying with a set of well-crafted security policies.

RidgeVault gives strong cryptographic protection

In the case of strong cryptographic protection, consider homegrown PrivyLink’s RidgeVault launched in 2007. It is the latest in the company’s suite of data protection and user authentication products. Specifically it is designed to protect confidential and sensitive information.

A conventional way to verify that a user is indeed who he says he is, is to check his fingerprint against fingerprint data stored in the system. RidgeVault, however, does not require the storage of the user’s fingerprint and other biometric images, thus getting around difficult issues of privacy.

Instead, RidgeVault integrates cryptography and biometrics. It uses fingerprint images to encrypt data strings or private keys, which in turn can be used to sign a document or to encrypt critical data. The encrypted data strings or private keys are called “biometric vaults”, and they do not store any biometric information. As such, the biometric vaults can safely be stored in smart cards, computers or mobile devices without additional protection and without issues related to key management.

The cryptographic keys or strong passwords in the biometric vaults can readily be revoked and renewed as per the security policies of enterprises. This makes the solution versatile, secure and easy to use. RidgeVault is unique in its class as it delivers ultra-strong assurance and non-repudiation capability to applications in e-commerce, enterprise and homeland security.

Non-repudiation is crucial, because if you have been identified as the user in an earlier transaction, there is no way you can later repudiate or disown your action! In this way, RidgeVault forces you to be accountable for your actions, especially when it comes to recording and changing sensitive data.

The product has now extended its strong non-repudiation function to cover more general applications such as online authentication, secure document exchange, document approval applications, and secure log-on in the Microsoft Windows environment using strong user passwords.

Even more important, RidgeVault has also been integrated to enforce approval accountability for documents created in the popular Adobe PDF file format, by adding another authentication layer to the standard PDF documents.

RidgeVault also enables document approval in a typical business or enterprise workflow to meet the stringent non-repudiation requirements, which call for the possession of private keys as well as the physical presence of the signers.

As a result, the product is suitable for a wide spectrum of applications and users, from large organisations to SMEs and even individuals.

Founded in 1997, PrivyLink has established itself as a provider of technology solutions for meeting the security needs of large organisations in the handling of complex information systems.

PrivyLink’s application-level security solutions have been successfully deployed in many financial institutions and government agencies for application systems such as Web-based transactions, mobile banking, online electronic payment, e-citizen authentication, and mission-critical applications.

Its flagship product SLIFT (Secure Lightweight Information and File Transfer) comprises a comprehensive suite of application software for securing data and files against unauthorised access. SLIFT is used by individuals, application developers, companies and government departments for securely exchanging documents via e-mail, FTP and HTTP.

It has been successfully adopted by all government agencies in Singapore and Hong Kong since its launch in Oct 2003. In fact, SLIFT has become the de facto software product for companies which need to transact and communicate with the government agencies.

Widely respected as an e-security expert, founder and CEO Prof Lam Kwok Yan advised the Monetary Authority of Singapore on its “IT Strategy for Singapore’s Financial Services Sector” study in 1998.

Prof Lam was also chief security consultant for numerous e-government systems in the region, and has a strong track record in the security design and review of mission-critical applications relating to national security systems such as border control and national ID systems.

Besides holding a professorship at Tsinghua University, China, since 2002, he is also director of the Key Laboratory for Information Systems Security, in China’s education ministry.

Prof Lam says his company is well-positioned to partner other firms in the design and development of innovative information systems for homeland security applications such as border control, identification of privacy-conscious people, accountability enforcement in e-government systems, and so on…

In fact, the patent-pending RidgeVault was developed with the twin objectives of meeting the special needs of people identification without infringing personal privacy, and of enforcing accountability without causing user inconvenience.

Recent fraud at Soc-Gen

The most recent mammoth fraud was reported at Société Générale, which lost 4.9 billion euro (US$7.44 billion). The bogus transactions by one mid-level trader have raised questions on how he did it and got away with it for so long without being detected.

The trader combined several fraudulent methods to avoid the controls in place. For example, he chose specific operations with no cash movements or margin calls, misappropriated IT access codes, and falsified documents allowing him to justify the entry of fictitious operations.

The result was that he took massive fraudulent directional positions in 2007 and 2008, far beyond his limited authority.
