Protecting sensitive information is a difficult problem, affecting information and privacy rights alike. Unintended, mischievous, or malicious attacks can occur in order to access sensitive (i.e., private, personal, or commercially valuable) information and data. Techniques such as spoofing (e.g., phishing), pharming, trojans, viruses, worms, and the like are often used to intercept, modify, delete, or transfer sensitive data found in messages and transactions. Sensitive data can include personal (e.g., name, address, social security numbers, family information, and other personally identifiable information, and the like), financial (e.g., bank account and routing numbers, credit card numbers, billing addresses, and the like), business or commercial (e.g., trade secrets, confidential business information, partner and customer lists, sales data, and the like) and other data and information, which may be intercepted and used for unauthorized or malicious purposes, often harming the original or genuine user due to identity theft, business disparagement, several financial loss, and credit history damage. Protecting sensitive data transmitted from end user applications is difficult and conventional techniques are problematic.
Typically, data is secured (e.g., encrypted/decrypted) using security techniques such as passwords (i.e., authentication) and encryption. However, these measures are often indiscriminate and general, without regard to the type or nature of information and data being sent or used in a particular transaction. Web browsers and other applications provide warnings of sending any information over an unsecure channel, layer, or to an untrusted domain, but do not provide the user with options beyond either sending or aborting the message or transaction. Conventional solutions do not provide application-level security based on the specific nature of the message, information, data, or domain involved. Instead, users receive vague warnings of a potential unsecure transmission and are offered the opportunity to abort the transaction without an opportunity to perform any type of remedial action to correct the unsecure nature of the information. In other words, conventional techniques do not consider subjective factors such as the type of data being sent, the nature of the data being sent, or the application being used, which results in general security measures that offer only a choice of aborting a transmission or a warning, leading to delay, expense, and the expenditure of time and labor while attempting to correct the unsecure situation. Some conventional solutions provide data security at the network layer (i.e., OSI or Internet application architectural model), but these solutions rely on detecting system administrator-defined IT keywords in TCP/IP data packets, which are tailored to the enterprise, not a particular application nor a particular user. Conventional data security solutions (e.g., intrusion detection systems (IDS) and intrusion prevention systems (IPS)) are ineffective, inefficient, or burdensome, often providing false positives of threats, filtering data based on domain names, which can be spoofed, and leaving application data vulnerable to attack. Further, conventional data solutions can be subverted by sending data over an encrypted data channel (e.g., secure socket layer (SSL)) or sending encrypted messages (e.g., encrypted Form Definition Files (FDF)).
Thus, what is needed is data security without the limitations of conventional techniques.