Arshad Noor: StrongAuth started off as a systems integration company building key management solutions, mostly public key infrastructure, but of late we have been focusing on public key infrastructure as well as symmetric key management. Data protection is extremely important to a lot of companies all over the world. There are regulations in countries, there are industry-specific regulations like the Payment Card Industry Data Security Standard, HIPAA, FFIEC, and the list goes on and on. Every single one of them wants sensitive data protected.
The challenge has been that even though cryptography has been around for 30 or 40 years, it is very hard to get it done right. It is not the kind of programming that most business application developers do on a regular basis. So it’s almost always this hard to get cryptography and key management right. What StrongAuth has done is, from the years of experience we’ve had in this field, we’ve leveraged open source, the best of open source, and whenever we’ve noticed a gap in the open source technology, we filled that gap by creating products that are also open source, integrating it with hardware and selling it as a solution to customers.
Tim: Now you used the word solution. Can you be a little more specific about what it is that your company provides?
Arshad: So a very good example is our key appliance. The payment card industry, of the 150 controls that they have, requires that you protect the credit card number and that you manage the cryptographic keys very securely. Now they expect you to follow industry best practices. But what are those practices? From the 12 years that StrongAuth has been around, focused on key management, we’ve found that you need to integrate cryptographic hardware modules, software, procedures, policies – all of this has to come together and be delivered as a solution.
What StrongAuth has done is we’ve taken industry standard hardware, hardware that includes a trusted platform module, created software, integrated that software on this industry standard appliance, and delivered it as a key appliance, so that customers can implement it in two days in their infrastructure and start encrypting data immediately without having to know how AES works, how RSA works, how the TPM works. All of these things we’ve encapsulated in a single box and deliver it as a very low cost solution.
Tim: So do people get an x86 box in a rack that contains all your software in it?
Arshad: That’s exactly right. We OEM our hardware from Dell, Hewlett-Packard, IBM, when appropriate, but all of them must have a trusted platform module; occasionally, we get hardware security modules for some of our customers. And we created the glue that puts together an open source stack; except for one commercial piece of licensed software for HSMs, more than 99 percent of our stack is open source.
Tim: And what are some examples of what this allows people to actually protect? You talked about key infrastructure; is there anything else?
Arshad: Absolutely. So protecting credit card numbers, social security numbers. One of our customers has a contract for processing Medicare payments for a state, and they are actually processing open source crypto engines which will encrypt files of any type, any size, whilst keying the key appliance, it can store the encrypted data anywhere, either on network storage, in a public cloud, private cloud, and that is essentially what some of our customers can do. More recently for a very very large company that creates a marketplace for tickets, they are using a new concept called data encryption infrastructure to process millions of tickets through this infrastructure where they are encrypted and stored and managed centrally without the application developer actually having to know how all of this works.
I mean today, if an application developer wants to get to an IP address of some computer on the network, all they have to do is call the name service library and say get host by name. They don’t have to know how DNS works, how it is architected, how it replicates – none of that. That’s exactly what we’ve done for cryptography.
Tim: Now since a lot of this software that you are using is open source, if someone wanted to implement it themselves, they could?
Arshad: Of course. Absolutely. I mean what we’ve got is not a secret. Cryptography has been around, there are wonderful textbooks, there is absolutely great open source software out there, but building it is like this: you want transportation, you want to drive a car, but where the industry is right now, you have to buy the tires separately, the engine, the transmission, and you have to design and build your car before you get to drive it. What we deliver is the car. You turn the ignition and you start driving.
Tim: Now there are also a lot of proprietary companies that are protecting information like this in all kinds of ways. So how different is it to buy something that is an integrated solution like this?
Arshad: Key management is not always the easiest solution to buy because it has to be integrated into applications, so every project is almost always custom. But we’ve simplified it to the point by providing web services. There are no proprietary libraries or APIs to link into; it is a standard web service. And application developers can typically integrate the web service into their applications in as little as an hour. One of our customers actually clocked their programmer and timed him at 62 minutes.
Tim: I want you to talk a little bit more about the fact that you are using open source as the basis of your business; was that obvious from the get-go?
Arshad: It was. I’ve been working in the computer industry for 27 years, and I started working with Unix a very very long time ago, and I really loved it. And I realized that the open source movement had some very interesting technology components out there – it is great for tinkerers. It is absolutely wonderful for tinkerers to play with open source technology because there is no one to buy from; you don’t have to wait, you can download, and you can start looking into the code, and you can start working with it within minutes or hours at the latest.
We realized that we want to give the same experience for businesses so that they can take our solution and immediately start playing with it, without having to wait through drawn out sales cycles, license negotiations, price negotiations. So right from the beginning, we decided we were going to only use open source and produce only open source. We were going to price our products at a very very low price so that there is no negotiation.
Tim: Is the basis of these appliances that you ship, is it a Linux system underneath, or is it a Unix system, or some other variety?
Arshad: 100 percent Linux. Open source Linux. It is a downstream release of one of the largest branches of Linux. We use the open source MySQL database, we use their application server, the Bouncy Castle cryptographic library, a library for trusted Java out of the University of Austria. All of these are open source licenses, and whatever we create, we ship the source code on every single appliance.
Tim: And you told me earlier that it is available on SourceForge. Is that right?
Arshad: Indeed. Most of our open source technology, in fact, all of our open source technology is available on SourceForge. The open source software in our appliances is distributed only through the appliances because we have bills to pay too. So the little money that we make for the systems integration, and the support that we provide our customers, it helps to keep us in business, and continue to innovate and bring more solutions to the market. Open source.
Tim: And you’ve got, I think you said, about a dozen employees, is that right?
Arshad: That’s right. We are a small company. We produce everything right here in Silicon Valley. We don’t outsource anything, we don’t offshore anything, and we have customers on six continents who are buying from us. And we support all of them right from Silicon Valley.
Tim: And have you gotten attention from a lot of other companies?
Arshad: Quite a few of them. Quite a few of them. So in the beginning we were hearing from a lot of small and medium sized businesses who couldn’t afford the very large commercial solutions out there, but now we are starting to hear from Fortune 500 companies because they are beginning to realize the value of what we are providing and it doesn’t matter to them that it is open source. It is a mission critical solution because it is in the pathway of their e-commerce. So this is revenue generation. They cannot afford to take chances, but they are convinced that what we have is the best value out there.
Tim: More and more things are moving toward being distributed in this way?
Arshad: I am not familiar with anyone else that’s doing it exactly like we are.
Tim: What I mean to say there are more and more applications where this sort of security layer seems important.
Arshad: Oh absolutely. Absolutely. I cannot tell you how important it is for businesses to start protecting all types of data information. I read a report recently that Sony, the PlayStation Network unfortunately cost them $170 million for the cleanup effort. And apparently they lost $1 billion in revenue after the breach. And when you look at the breach, on the PlayStation Network, all they breached were email addresses, home numbers, home addresses, no social security numbers, no credit card numbers, no passwords. And just today there was another report that investors are valuing companies that have been breached a whole lot lower than companies that haven’t been breached. So I think there is a lot of sensitivity to data breaches in the market. And the market is finally starting to pay attention to good housekeeping practices in the security industry.
The one thing I would encourage people to think about is data protection. I think, and this is just my personal gut feeling, nine out of ten dollars in security is spent on network security. The problem is the network cannot be protected any more. If the New York Times, Twitter, Facebook, Google, Apple, if they cannot protect their network, how on earth can anyone else? So what companies should really be focusing on is protecting the data: encrypt the data first, manage your keys really strongly, and once you have done that, you can start defocusing on the network and save money.
Tim: I want to ask you one more thing about your licensing. You are using the LGPL license. Is that your basic open source license?
Arshad: Indeed. We are using LGPL version 2. I haven’t looked at version 3 because I don’t have the time to read legalese. LGPL 2 works for us, and we have software that people can embed in their open source solutions if they need to. We have web services that they can use in their commercial offerings, so it is absolutely great.
Tim: Have you gotten contributions to your source from outside the company?
Arshad: No, we haven’t. And it is only because we want to make sure cryptography is very hard to control. It is very hard to do. And there are a lot of very smart people out there, and they are working on different projects. What we have done is we’ve taken suggestions from individuals who have told us of features that they would like to see, and the product has been evolving. The key appliance, for example, what it is, what it was three years ago, and what it is today is very different. And it is all because of suggestions from customers. Our philosophy is if a customer wants a particular feature, we will deliver it to them for a very modest fee. But that feature becomes part of the standard key appliance license under LGPL.
Tim: So everyone gets it in the end?
Arshad: Everybody gets it in the end. We want to make encryption and key management a commodity. We want to become like the Toyota Camry of encryption key management. Everybody should be able to afford it.