Project Brief
Open Competition 5 - Information Technology
Security Architecture for Component-Based Email with Application to Clinical Trials Data Management
Design and prototype a secure software architecture for component-based electronic mail that greatly simplifies the secure use of email for conducting transactions and exchanging data.
Sponsor: Umbanet Inc.
c/o Larkspur Capital Corporation
New York, NY 10022
As business and industry turn more and more to the Internet to network among operating units or to reach and service customers, there is a growing need for reliable security systems that are easy to implement and use, and still provide strong protection for data that must be kept confidential and secure from tampering. Today, this largely is handled either by using the so-called Secure Sockets Layer of web protocols to establish a secure connection between a web browser and a web server, or, within a company, by using encryption systems to establish a "Virtual Private Network" over the Internet. The web approach, however, has been plagued by serious security holes, and VPNs impose significant management burdens and aren't very useful outside of the organization. Umbanet proposes instead to build a security architecture around Internet email that could be adapted readily for a wide variety of organizations and applications, such as bill presentment, on-line banking, insurance, and healthcare. The initial target application will be in exchanging data during clinical trials, an area where data security is essential, where two-way secure communications between many remote sites and a central collection point are necessary, and where there is the potential for significant savings for the healthcare industry. To be sure, encryption systems for email and a growing Public Key Infrastructure (PKI) already exist, but the reality is that setting up and using the existing systems is too complex for ordinary users to bother with and so these systems are rarely used. Umbanet plans instead to embed its security architecture in "middleware" component software that will integrate seamlessly -- and largely transparently -- with the user's existing email software. The user, for example, will not have to actively manage cryptographic keys.
The ambitious system envisioned by Umbanet will include, among other features, a central certifying authority that not only will verify the identities of the users but also handle key management, verify the integrity of the software components on the users' computers, and handle secure downloading and installation of updated components. The system will be tailored to specific applications -- clinical trials data, for example -- by adding components for specific data structures and forms. The task of building a system which is at once cryptographically secure against sophisticated attacks, seamlessly integrated into existing email products such as Microsoft Outlook™ or Qualcomm's Eudora™, and requiring little extra work or security consciousness on the part of the average user will require path-breaking advances in cryptographic technique. The planned architecture will meet stringent requirements for reliable user authentication, data access control, reliable audit trails, confidentiality, data and program integrity, and non-repudiation to meet the requirements for health-care applications established by the Health Insurance Portability and Accountability Act (HIPAA). A small start-up company, Umbanet has been unable to raise research funding for this high-risk effort and would be unable to pursue it without ATP support. The City University of New York will participate in the analysis, design, and implementation of security components for the system. By extending secure systems technology directly to individual doctors and patients across the Internet, Umbanet's technology could enable healthcare providers to comply with HIPAA regulations and significantly reduce costs through the on-line transmission of medical records and other information.