Video Small Company Wants to Make Encryption Key Management Into a Commodity (Video) 63
Arshad Noor: StrongAuth started off as a systems integration company building key management solutions, mostly public key infrastructure, but of late we have been focusing on public key infrastructure as well as symmetric key management. Data protection is extremely important to a lot of companies all over the world. There are regulations in countries, there are industry specific regulations like payment card industry, data security standards, HIPAA, FFIEC, and the list goes on and on. Every single one of them wants data, sensitive data protected.
The challenge has been that even though cryptography has been around for 30 or 40 years, it is very hard to get it done right. It is not the kind of programing that most business application developers do on a regular basis. So it’s almost all this hard to get cryptography and key management right. What StrongAuth has done is from the years of experience we’ve had in this field, we’ve leveraged open source, the best of open source, and whenever we’ve noticed a gap in the open source technology, we filled that gap by creating products that are also open source, integrating it with hardware and selling it as a solution to customers.
Tim: Now you used the word solution. Can you be a little more specific about what it is that your company provides?
Arshad: So a very good example is our key appliance. The payment card industry of the 150 controls that they have, they require that you protect the credit card number. And you manage the cryptographic keys very securely. Now they expect you to follow industry best practices. But what are those practices? From the 12 years that StrongAuth has been around, focused on key management, we’ve found that you need to integrate cryptographic hardware modules, software, procedures, policies – all of this has to come together and be delivered as a solution.
What StrongAuth has done is we’ve taken industry standard hardware, hardware that includes a trusted platform module, created software, integrated software on this industry standard appliance, and deliver it as a key appliance. So that customers can implement it in two days in their infrastructure and start encrypting data immediately without having to know about how does AES work, how does RSA, how does the TPM work. All of these things we’ve encapsulated in a single box and deliver it as a very low cost solution.
Tim: So do people get an x86 box in a rack that contains all your software in it?
Arshad: That’s exactly right. We OEM our hardware from Dell, Hewlett-Packard, IBM, when appropriate but all of them must have a trusted platform module; occasionally, we get hardware security modules for some of our customers. And we created the glue that puts an open source stack, except for one commercial piece of licensed software for HSMs, more than 99 percent of our stack is open source.
Tim: And what are some examples of what this allows people to actually protect? You talked about key infrastructure; is there anything else?
Arshad: Absolutely. So protecting credit card numbers, social security numbers. One of our customers has a contract for processing Medicare payments for a state, and they are actually processing open source crypto engines which will encrypt files of any type, any size, whilst keying the key appliance, it can store the encrypted data anywhere, either on network storage, in a public cloud, private cloud, and that is essentially what some of our customers can do. More recently for a very very large company that creates a marketplace for tickets, they are using a new concept called data encryption infrastructure to process millions of tickets through this infrastructure where they are encrypted and stored and managed centrally without the application developer actually having to know how all of this works.
v
I mean today if an application developer wants to get to an IP address of some computer on the network, all they have to do is call the main service library and say get host by name. They don’t have to know DNS works, how it is architected, how it replicates – none of that. That’s exactly what we’ve done for cryptography.
Tim: Now since a lot of this software that you are using is open source, if someone wanted to implement it themselves, they could?
Arshad: Of course. Absolutely. I mean what we’ve got is not a secret. Cryptography has been around, there are wonderful textbooks, there is absolutely great open source software out there, but it is like building it is like you want transportation, you want to drive a car, but the industry where it is right now, you have to buy the tires separately, the engine, the transmission, and you have to design and build your car before you get to drive it. What we deliver is the car. You turn the ignition and you start driving.
Tim: Now there are also a lot of proprietary companies that are protecting information like this in all kinds of ways. So how different is it to buy something that is an integrated solution like this?
Arshad: Key management is not always the easiest solution to buy because it has to be integrated into applications, so every project is almost always custom. But we’ve simplified it to the point by providing web services. There are no proprietary libraries or APIs to link into; it is a standard web service. And application developers can typically integrate the web service into their applications in as little as an hour. One of our customers actually clocked their programmer and timed him at 62 minutes.
Tim: I want you to talk a little bit more about the fact that you are using open source as the basis of your business; was that obvious from the get-go?
Arshad: It was. I’ve been working in the computer industry for 27 years, and I started working with Unix a very very long time ago, and I really loved it. And I realized that the open source movement had some very interesting technology components out there – it is great for tinkerers. It is absolutely wonderful for tinkerers to play with open source technology because there is no one to buy from; you don’t have to wait, you can download, and you can start looking into the code, and you can start working with it within minutes or hours at the latest.
We realized that we want to give the same experience for businesses so that they can take our solution and immediately start playing with it, without having to wait through drawn out sales cycles, license negotiations, price negotiations. So right from the beginning, we decided we were going to only use open source and produce only open source. We were going to price our products at a very very low price so that there is no negotiation.
Tim: Is the basis of these appliances that you ship, is it a Linux system underneath, or is it a Unix system, or some other variety?
Arshad: 100 percent Linux. Open source Linux. It is a downstream release of one of the largest branch center of Linux. We use the open source MySQL database, we use their application server, Bouncy Castle, Cryptographic Library, a library for trusted Java out of the University of Austria. All of these are open source licenses and we create whatever we create we ship the source code on every single appliance.
Tim: And you told me earlier that is available on SourceForge. You told me earlier that it is available on SourceForge. Is that right?
Arshad: Indeed. Most of our open source technology, in fact, all of our open source technology is available on SourceForge. The open source software in our appliances is distributed only through the appliances because we have bills to pay too. So the little money that we make for the systems integration, and the support that we provide our customers, it helps to keep us in business, and continue to innovate and bring more solutions to the market. Open source.
Tim: And you’ve got, I think you said, about a dozen employees, is that right?
Arshad: That’s right. We are a small company. We produce everything right here in Silicon Valley. We don’t outsource anything, we don’t offshore anything, and we have customers on six continents who are buying from us. And we support all of them right from Silicon Valley.
Tim: And have you gotten attention from a lot of other companies?
Arshad: Quite a few of them. Quite a few of them. So in the beginning we were hearing from a lot of small and medium sized businesses who couldn’t afford the very large commercial solutions out there, but now we are starting to hear from Fortune 500 companies because they are beginning to realize the value of what we are providing and it doesn’t matter to them that it is open source. It is a mission critical solution because it is in the pathway of their e-commerce. So this is revenue generation. They cannot afford to take chances, but they are convinced that what we have is the best value out there.
Tim: More and more things are moving toward being distributed in this way?
Arshad: I am not familiar with anyone else that’s doing it exactly like we are.
Tim: What I mean to say there are more and more applications where this sort of security layer seems important.
Arshad: Oh absolutely. Absolutely. I cannot tell you how important it is for businesses to start protecting all types of data information. I read a report recently that Sony, the PlayStation Network unfortunately cost them $170 million for the cleanup effort. And apparently they lost $1 billion in revenue after the breach. And when you look at the breach, on the PlayStation Network, all they breached were email addresses, home numbers, home addresses, no social security numbers, no credit card numbers, no passwords. And just today there was another report that investors are valuing companies that have been breached a whole lot lower than companies that haven’t been breached. So I think there is a lot of sensitivity to data breaches in the market. And the market is finally starting to pay attention to good housekeeping practices in the security industry.
The one thing I would encourage people to think about is data protection. I think and this is just my personal gut feeling, nine out of ten dollars in security is spent on network security. The problem is the network cannot be protected any more. If New York Times, Twitter, Facebook, Google, Apple, if they cannot protect their network, how on earth can anyone else can? So what companies should really be focusing on is protecting the data, encrypt the data first, manage your keys really strongly, and once you have done that, you can start defocusing on the network and save money.
Tim: I want to ask you one more thing about your licensing. You are using the LGPL license. Is that your basic open source license?
Arshad: Indeed. We are using LGPL version 2. I haven’t looked at version 3 because I don’t have the time to read legalese. LGPL 2 works for us, and we have software that people can embed in their open source solutions if they need to. We have web services that they can use in their commercial offerings, so it is absolutely great.
Tim: Have you gotten contributions to your source from outside the company?
Arshad: No, we haven’t. And it is only because we want to make sure cryptography is very hard to control. It is very hard to do. And there are a lot of very smart people out there, and they are working on different projects. What we have done is we’ve taken suggestions from individuals who have told us of features that they would like to see, and the product has been evolving. The key appliance, for example, what it is, what it was three years ago, and what it is today is very different. And it is all because of suggestions from customers. Our philosophy is if a customer wants a particular feature, we will deliver it to them for a very modest fee. But that feature becomes part of the standard key appliance license under LGPL.
Tim: So everyone gets it in the end?
Arshad: Everybody gets it in the end. We want to make encryption and key management a commodity. We want to become like the Toyota Camry of encryption key management. Everybody should be able to afford it.
Re:Given Time... (Score:4, Insightful)
Given time, the Sun will become a red giant and destroy Earth. Given time, Dark Energy will rip the universe apart.
The question is will the keys break before or after that.
Re: (Score:2, Insightful)
The question is will the keys break before or after that.
Secret information is usually time-sensitive. The question is: Can the keys be broken before the information is worthless (de-classified)?
It's been included many times before, but here is the obligatory XKCD: http://xkcd.com/538/
As the cartoon and Schneider reveal, those using the security system can be exploited, if one can find them. That's been mentioned many times on 'National security letter' stories where the government is intruding into someone's online life.
Re: (Score:1)
Well, as one who is working on the project, I don't think that... ... wait a minute: the project is open source?!?!!? My boss never told me that; that's crazy. So much for using the industry standard strong encryption, ROT26. I may have to go back to my old job. They've got to be more clear about these things on job applications.
Re: (Score:3)
Given time, the Sun will become a red giant and destroy Earth.
Actually, now it's gonna be by courtesy of Oracle, but same difference.
Slashvertising (Score:2, Informative)
Anyone "should" be able to afford it? Everyone IS able to afford it. Right now.
Re: (Score:1)
While this is technically true and this article is definitely a slashvertisement, actually implementing data security is Hard(tm) as the tools are very clunky and information is sparse. Data security should be fairly trivial to implement, but as it stands, everyone has to figure out all the nitty gritty implementation details and roll their own based on low-level encryption algorithms. There is no "just put the password in the database with this function", instead it's a free-for-all navigating what the b
Re: (Score:2)
Basic security is fairly easy to implement and typically requires a little bit of common sense and business sense. Turning on https on a web server doesn't require a security expert. It all depends on who you think may target you, obviously the Chinese government has more potential to break in than a basement neckbeard. However, the Chinese government isn't interested in 99.9% of IP addresses despite the title of the other fear-monging article on /.
Re: (Score:2)
Turning on https on a web server doesn't require a security expert.
So, you have a cert, and a webserver. Is that cert protected by a password?
- if no, then anyone that gains access to the server and/or cert can break all transmissions. For example, do you have a backup of the cert? Is it floating around in an email somewhere? How many people can get access to it? etc.
- if yes, then where is that password? How do you go about protecting the password that protects the cert? You'll run into some of the same problems in protecting the password. That's one of the main problems
Re: (Score:2)
Whoever signed the cert would house the key... Verisign, Comodo, etc... that's the trick, neither party has the key and a "secure" middle man does, but certs are end point authenticators, https is what would actually encrypt the traffic.
Re: (Score:2)
You're still missing the point entirely.
What protects your cert? Is it just filesystem permissions? Is it encrypted with a password that must be entered when the webserver restarts, or encrypted and the webserver config (or helper script) holds a password, or not encrypted?
The cert authenticates who you are. So if someone gets a copy of your private cert, they can pretend to be you.
To keep the cert secure, it should be encrypted. A key server serves to provide decryption (or a key to decrypt) the cert in a
Re: (Score:2)
Afford, yes. Implement? PROPERLY?
I kid you not, 90% of general purpose software developers are not sharp enough to "touch" security related code or systems without leaving GAPING holes because they totally don't understand or misunderstand simple things.
They can write an if/else or a while loop, but other more advanced things ... just beyond them. And even the moderately smart senior personnel will accidentally leave something in a "prototype" state and accidentally ship it because of deadlines.
This is t
Encryption costs time and CPU, not dollars. (Score:3)
Re: (Score:3)
Interestingly, I do a lot of encryption related work and those two parts are the least of our worries. Key management takes up 90% of the time that is applied to encryption and it is a constant and on going thing that puts data at horrible risk if it's not done right. From both sides, you need to secure the keys well enough that only the people that need them can get them but no so well that the people that need them can lock them selves out.
Re: (Score:2)
Agreed. You need someone that knows what they're doing to keep track of them... those types of people cost, minimum $50k/year... but they rarely ever need do anything at all. It's hard to convince management to keep them on. But when they aren't around and you need them.... whoa unto you.
Re: (Score:1)
CPU cycles isn't much of an issue here. They are selling a Trusted Computing scheme with a Trusted Platform Module preforming the core functions.
From one of their FAQ's: [strongauth.com]
StrongAuthKey Appliance: Cryptographic hardware (TPM or HSM) included in appliance
StrongKey: Cryptographic hardware must be integrated separately (This refers to a TPM built into your PC)
It's bad enough Slashdot has basically dumped an ADVERTIZEMENT here as a front page story, but it's particularly disgusting that they did it for a g
Re: (Score:2)
I looked at their appliances... nothing really special that I can't buy from IBM or HP, except IBM has the HSM for keys on a PCI-E card -- no rack space needed.
I remember in a previous life working for one company. A vendor approached us for a backup solution that was this magic black-box appliance that stored an encryption key for every tape. As the company I worked for had tens of thousands of LTO-4 and LTO-5 tapes, that was a concern. I asked the sales rep how to back up the keys. His reply, "the dev
Slashvertisement. You're doing it right. (Score:3)
You even got SlashDot to post a video from a 1990's-style trade show, for God's sake.
>> Yes, their software is all based on Linux. CentOS, to be exact.
Er...just one distribution?
And the interested parties are... (Score:2)
Comment removed (Score:3)
Re: (Score:2)
Hey, it's this new Linux thing. They've heard that it's all the rage with these computer kids.
Backfired (Score:1)
I was looking into their products, but after this blatant slashvertisement, I'm going to take my business elsewhere. You're making slashdot even worse dice. I won't support companies that help you kill yourself.
Slashdot. STAHP. (Score:5, Insightful)
Dear "Editors":
This is a new low, even for slashvertising.
Responsible journalists do their damnedest to make sure their work looks nothing like the ads that appear on their sites. You've just done the exact opposite. In fact, remember when The Atlantic posted a Scientology ad as editorial content [slashdot.org]? Remember the outcry that went up about the distinction between advertising and news? Well, you've just done the exact same thing.
Knock it the fuck off. Slashdot was supposed to be "news for nerds." If you want to sell out, do it on your personal time, not here.
Re:Slashdot. STAHP. (Score:4, Insightful)
FYI - none of these videos are paid ads.
Then it's free advertising. Still not seeing the distinction, except that StrongAuth got an even better deal than we thought.
Those who want to believe otherwise are free to do so, but that doesn't alter the facts.
Slashvertising is a common enough practice that it has its own portmanteau. That's a fact. And I don't know what you think constitutes journalism, but to me, it doesn't mean sitting down one-on-one with a company talking head and tossing him a bunch of softball questions. That's public relations at best, marketing at worst, but it is not journalism.
Also FYI: America's elected president wasn't born in Kenya and little blue men don't truck the sun around the earth on an invisible track every day.
Right, because insulting your readers does wonders to bolster your credibility.
Re:Slashdot. STAHP. (Score:4, Insightful)
You're right. I shouldn't get upset by people who choose to believe things that aren't true. I apologize.
I understand the definition of journalism you're using. However, I do not believe that it's necessary to be negative at all times.
In this case, Tim had a pleasant conversation with the CTO of a company that releases the software it develops for free, under the LGPL.
What should Tim do? Thunder "How dare you do that!?" at the man?
Re portmanteaus: Anybody can create one. For instance, I could coin "Slashcretin" to describe some of our less intelligent readers.
But since I am supposed to absorb abuse, but never supposed to react to it, I will not use the word "Slashcretins" to describe even the most foul-mouthed, ignorant Slashdot readers. (And no, you are not one.)
So have a nice day, and thank you for your input. :)
- Robin
Re: (Score:2)
You're right. I shouldn't get upset by people who choose to believe things that aren't true. I apologize.
Good call. Life's too short. And getting upset by "people who choose to believe things that aren't true" is how religious crusades and emacs/vi flamewars start.
I understand the definition of journalism you're using. However, I do not believe that it's necessary to be negative at all times.
Neither do I. But it should be based on something more than, "[Subject name here] likes it." Something needs to be of interest to a large number of people in order to be news.
Re portmanteaus: Anybody can create one. For instance, I could coin "Slashcretin" to describe some of our less intelligent readers.
Yes, and when you can show me lists of articles on Slashdot tagged "Slashcretin," give me a holler. :)
Re: (Score:3)
by Roblimo (357)
FYI - none of these videos are paid ads.
It doesn't much matter - from the reader's point of view it's indistinguishable from a paid advertizement. Your readers are seriously put off by this article. That in itself is enough to establish that you blew it here
And note that the grandparent post said "Responsible journalists do their damnedest to make sure their work looks nothing like the ads that appear on their sites" - pretty well acknowledging that it may not be a paid advertizement, and that you blew it even if it wasn't paid.
Also FYI: America's elected president wasn't born in Kenya and little blue men don't truck the sun around the earth on an invisible track every day.
It looks like a pa
Re: (Score:2)
Nothing but a whorefest (Score:5, Informative)
Re: (Score:2)
So what do you want? something uncompromisingly negative to make up for something positive?
Why aren't Slashdot editors allowed to like anything? Hmm?
Re: (Score:3)
This thing doesn't even promote an actual solution it just delivers the rah rah pep talk these guys would have in the company meetings they subject their staff to. Lots of enthusiasm and feigned altruism, no content. I don't mind a slashvertisment slipping through now and again if it
Re: (Score:1)
Your life is a whorefest? All I can say is, make sure you get tested regularly!
Cleartext has to be available (Score:2)
The problem I see is that for software to process and work with the encrypted data it must be decrypted without human intervention. That means that either the software itself has to know the decryption key, the software has to know the authentication key used to get the decryption key from the crypto infrastructure, or the decryption key has to be available from the infrastructure without authentication. So while the encryption can protect against an intruder who's gained access to the network from the insi
Bad Name for a Company (Score:2)
>> StrongAuth helps protect data with strong encryption
So...why's it called "strong authentication"?
Wait...what? (Score:3)
Encryption Key Management IS a commodity. [gnupg.org] What in hell are these yahoos talking about?
Fundamental ignorance? (Score:1)
Slashvertisment (Score:2)
Re: (Score:2)
Re: (Score:2)
Stenography! I love it! (Score:2)
Unlike the other clueless commenters who revile this "slashvertizement", I recognize that this must be a form of stenographic encryption. Roblimo must have needed a way to send a secret message, or to permanantly store his PGP revocation key (I'm always losing that); Thus, this article was created to deliver the stenographically encoded payload in the text and/or video. You're not fooling me!.
Nice touch including the tags in the headline so you can easiliy retrieve the article later by searching "Manag
Can't I just download bouncy castle? (Score:2)