Vormetric's co-founder Phil Grasso says the company's new CoreGuard access controls are a file-based approach to data security that improves on the conventional firewall- and super-user model by deploying specific data-defense technologies inside infrastructure rather than building a wall around the whole system. A U.S. government intelligence agency is a Vormetric customer, as are several large financial institutions. Vormetric's authentication system is wrapped to validate user and application credentials. For authorization, users and applications are restricted to specific file operations and data. For auditing, all administration actions, access events, and attempted violations are logged. CoreGuard has the following context attributes: Who, which constitutes users or groups that may gain access to the protected data and applications such users may deploy for access to protected data; What, which constitutes file system operations available to subjects specified in Who; Where, which identifies protected data, whether files, directory, or wildcard; When, which verifies a time window for authenticated access for window-sensitive tasks, including backups and contract employees; and How, which separates the ability to gain access data from an ability to view data. Among topics covered are pharmas using Oracle, which is a Vormetric security partner; Vormetric hardware and software, which encrypt raw data in specified folders but leave metadata in the clear; software that allows files to be opened only by specific applications, an ability that is specified and controlled by Vormetric's system; and testing of Vormetric by a large pharma and the purchase of Vormetric by the University of Texas Health Science Center.