Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Video Small Company Wants to Make Encryption Key Management Into a Commodity (Video) 63

Video no longer available.
StrongAuth helps protect data with strong encryption, so that even if a company's network infrastructure is breached, its critical data -- including customers' credit card numbers, for example -- is still safe. Their software is open source, and their objective is to "become like the Toyota Camry of encryption key management," says StrongAuth CTO Arshad Noor. "Everybody should be able to afford it." These are big words from a company that only has 12 employees, all in Silicon Valley, but it's a company that not only has a strong reputation among its small and medium-sized business clients, but is starting to get acceptance from Fortune 500 behemoths, too. In this video interview (and in the transcript), Arshad not only talks about data security, but about how his company makes money while developing and relying purely on open source software. And did somebody ask about Linux? Yes, their software is all based on Linux. CentOS, to be exact.

Arshad Noor: StrongAuth started off as a systems integration company building key management solutions, mostly public key infrastructure, but of late we have been focusing on public key infrastructure as well as symmetric key management. Data protection is extremely important to a lot of companies all over the world. There are regulations in countries, there are industry specific regulations like payment card industry, data security standards, HIPAA, FFIEC, and the list goes on and on. Every single one of them wants data, sensitive data protected.

The challenge has been that even though cryptography has been around for 30 or 40 years, it is very hard to get it done right. It is not the kind of programing that most business application developers do on a regular basis. So it’s almost all this hard to get cryptography and key management right. What StrongAuth has done is from the years of experience we’ve had in this field, we’ve leveraged open source, the best of open source, and whenever we’ve noticed a gap in the open source technology, we filled that gap by creating products that are also open source, integrating it with hardware and selling it as a solution to customers.

Tim: Now you used the word solution. Can you be a little more specific about what it is that your company provides?

Arshad: So a very good example is our key appliance. The payment card industry of the 150 controls that they have, they require that you protect the credit card number. And you manage the cryptographic keys very securely. Now they expect you to follow industry best practices. But what are those practices? From the 12 years that StrongAuth has been around, focused on key management, we’ve found that you need to integrate cryptographic hardware modules, software, procedures, policies – all of this has to come together and be delivered as a solution.

What StrongAuth has done is we’ve taken industry standard hardware, hardware that includes a trusted platform module, created software, integrated software on this industry standard appliance, and deliver it as a key appliance. So that customers can implement it in two days in their infrastructure and start encrypting data immediately without having to know about how does AES work, how does RSA, how does the TPM work. All of these things we’ve encapsulated in a single box and deliver it as a very low cost solution.

Tim: So do people get an x86 box in a rack that contains all your software in it?

Arshad: That’s exactly right. We OEM our hardware from Dell, Hewlett-Packard, IBM, when appropriate but all of them must have a trusted platform module; occasionally, we get hardware security modules for some of our customers. And we created the glue that puts an open source stack, except for one commercial piece of licensed software for HSMs, more than 99 percent of our stack is open source.

Tim: And what are some examples of what this allows people to actually protect? You talked about key infrastructure; is there anything else?

Arshad: Absolutely. So protecting credit card numbers, social security numbers. One of our customers has a contract for processing Medicare payments for a state, and they are actually processing open source crypto engines which will encrypt files of any type, any size, whilst keying the key appliance, it can store the encrypted data anywhere, either on network storage, in a public cloud, private cloud, and that is essentially what some of our customers can do. More recently for a very very large company that creates a marketplace for tickets, they are using a new concept called data encryption infrastructure to process millions of tickets through this infrastructure where they are encrypted and stored and managed centrally without the application developer actually having to know how all of this works.

v I mean today if an application developer wants to get to an IP address of some computer on the network, all they have to do is call the main service library and say get host by name. They don’t have to know DNS works, how it is architected, how it replicates – none of that. That’s exactly what we’ve done for cryptography.

Tim: Now since a lot of this software that you are using is open source, if someone wanted to implement it themselves, they could?

Arshad: Of course. Absolutely. I mean what we’ve got is not a secret. Cryptography has been around, there are wonderful textbooks, there is absolutely great open source software out there, but it is like building it is like you want transportation, you want to drive a car, but the industry where it is right now, you have to buy the tires separately, the engine, the transmission, and you have to design and build your car before you get to drive it. What we deliver is the car. You turn the ignition and you start driving.

Tim: Now there are also a lot of proprietary companies that are protecting information like this in all kinds of ways. So how different is it to buy something that is an integrated solution like this?

Arshad: Key management is not always the easiest solution to buy because it has to be integrated into applications, so every project is almost always custom. But we’ve simplified it to the point by providing web services. There are no proprietary libraries or APIs to link into; it is a standard web service. And application developers can typically integrate the web service into their applications in as little as an hour. One of our customers actually clocked their programmer and timed him at 62 minutes.

Tim: I want you to talk a little bit more about the fact that you are using open source as the basis of your business; was that obvious from the get-go?

Arshad: It was. I’ve been working in the computer industry for 27 years, and I started working with Unix a very very long time ago, and I really loved it. And I realized that the open source movement had some very interesting technology components out there – it is great for tinkerers. It is absolutely wonderful for tinkerers to play with open source technology because there is no one to buy from; you don’t have to wait, you can download, and you can start looking into the code, and you can start working with it within minutes or hours at the latest.

We realized that we want to give the same experience for businesses so that they can take our solution and immediately start playing with it, without having to wait through drawn out sales cycles, license negotiations, price negotiations. So right from the beginning, we decided we were going to only use open source and produce only open source. We were going to price our products at a very very low price so that there is no negotiation.

Tim: Is the basis of these appliances that you ship, is it a Linux system underneath, or is it a Unix system, or some other variety?

Arshad: 100 percent Linux. Open source Linux. It is a downstream release of one of the largest branch center of Linux. We use the open source MySQL database, we use their application server, Bouncy Castle, Cryptographic Library, a library for trusted Java out of the University of Austria. All of these are open source licenses and we create whatever we create we ship the source code on every single appliance.

Tim: And you told me earlier that is available on SourceForge. You told me earlier that it is available on SourceForge. Is that right?

Arshad: Indeed. Most of our open source technology, in fact, all of our open source technology is available on SourceForge. The open source software in our appliances is distributed only through the appliances because we have bills to pay too. So the little money that we make for the systems integration, and the support that we provide our customers, it helps to keep us in business, and continue to innovate and bring more solutions to the market. Open source.

Tim: And you’ve got, I think you said, about a dozen employees, is that right?

Arshad: That’s right. We are a small company. We produce everything right here in Silicon Valley. We don’t outsource anything, we don’t offshore anything, and we have customers on six continents who are buying from us. And we support all of them right from Silicon Valley.

Tim: And have you gotten attention from a lot of other companies?

Arshad: Quite a few of them. Quite a few of them. So in the beginning we were hearing from a lot of small and medium sized businesses who couldn’t afford the very large commercial solutions out there, but now we are starting to hear from Fortune 500 companies because they are beginning to realize the value of what we are providing and it doesn’t matter to them that it is open source. It is a mission critical solution because it is in the pathway of their e-commerce. So this is revenue generation. They cannot afford to take chances, but they are convinced that what we have is the best value out there.

Tim: More and more things are moving toward being distributed in this way?

Arshad: I am not familiar with anyone else that’s doing it exactly like we are.

Tim: What I mean to say there are more and more applications where this sort of security layer seems important.

Arshad: Oh absolutely. Absolutely. I cannot tell you how important it is for businesses to start protecting all types of data information. I read a report recently that Sony, the PlayStation Network unfortunately cost them $170 million for the cleanup effort. And apparently they lost $1 billion in revenue after the breach. And when you look at the breach, on the PlayStation Network, all they breached were email addresses, home numbers, home addresses, no social security numbers, no credit card numbers, no passwords. And just today there was another report that investors are valuing companies that have been breached a whole lot lower than companies that haven’t been breached. So I think there is a lot of sensitivity to data breaches in the market. And the market is finally starting to pay attention to good housekeeping practices in the security industry.

The one thing I would encourage people to think about is data protection. I think and this is just my personal gut feeling, nine out of ten dollars in security is spent on network security. The problem is the network cannot be protected any more. If New York Times, Twitter, Facebook, Google, Apple, if they cannot protect their network, how on earth can anyone else can? So what companies should really be focusing on is protecting the data, encrypt the data first, manage your keys really strongly, and once you have done that, you can start defocusing on the network and save money.

Tim: I want to ask you one more thing about your licensing. You are using the LGPL license. Is that your basic open source license?

Arshad: Indeed. We are using LGPL version 2. I haven’t looked at version 3 because I don’t have the time to read legalese. LGPL 2 works for us, and we have software that people can embed in their open source solutions if they need to. We have web services that they can use in their commercial offerings, so it is absolutely great.

Tim: Have you gotten contributions to your source from outside the company?

Arshad: No, we haven’t. And it is only because we want to make sure cryptography is very hard to control. It is very hard to do. And there are a lot of very smart people out there, and they are working on different projects. What we have done is we’ve taken suggestions from individuals who have told us of features that they would like to see, and the product has been evolving. The key appliance, for example, what it is, what it was three years ago, and what it is today is very different. And it is all because of suggestions from customers. Our philosophy is if a customer wants a particular feature, we will deliver it to them for a very modest fee. But that feature becomes part of the standard key appliance license under LGPL.

Tim: So everyone gets it in the end?

Arshad: Everybody gets it in the end. We want to make encryption and key management a commodity. We want to become like the Toyota Camry of encryption key management. Everybody should be able to afford it.

This discussion has been archived. No new comments can be posted.

Small Company Wants to Make Encryption Key Management Into a Commodity (Video)

Comments Filter:
  • Slashvertising (Score:2, Informative)

    by Anonymous Coward

    Anyone "should" be able to afford it? Everyone IS able to afford it. Right now.

    • by Anonymous Coward

      While this is technically true and this article is definitely a slashvertisement, actually implementing data security is Hard(tm) as the tools are very clunky and information is sparse. Data security should be fairly trivial to implement, but as it stands, everyone has to figure out all the nitty gritty implementation details and roll their own based on low-level encryption algorithms. There is no "just put the password in the database with this function", instead it's a free-for-all navigating what the b

      • Basic security is fairly easy to implement and typically requires a little bit of common sense and business sense. Turning on https on a web server doesn't require a security expert. It all depends on who you think may target you, obviously the Chinese government has more potential to break in than a basement neckbeard. However, the Chinese government isn't interested in 99.9% of IP addresses despite the title of the other fear-monging article on /.

        • by unrtst ( 777550 )

          Turning on https on a web server doesn't require a security expert.

          So, you have a cert, and a webserver. Is that cert protected by a password?

          - if no, then anyone that gains access to the server and/or cert can break all transmissions. For example, do you have a backup of the cert? Is it floating around in an email somewhere? How many people can get access to it? etc.

          - if yes, then where is that password? How do you go about protecting the password that protects the cert? You'll run into some of the same problems in protecting the password. That's one of the main problems

          • Whoever signed the cert would house the key... Verisign, Comodo, etc... that's the trick, neither party has the key and a "secure" middle man does, but certs are end point authenticators, https is what would actually encrypt the traffic.

            • by unrtst ( 777550 )

              You're still missing the point entirely.
              What protects your cert? Is it just filesystem permissions? Is it encrypted with a password that must be entered when the webserver restarts, or encrypted and the webserver config (or helper script) holds a password, or not encrypted?
              The cert authenticates who you are. So if someone gets a copy of your private cert, they can pretend to be you.

              To keep the cert secure, it should be encrypted. A key server serves to provide decryption (or a key to decrypt) the cert in a

    • by CKW ( 409971 )

      Afford, yes. Implement? PROPERLY?

      I kid you not, 90% of general purpose software developers are not sharp enough to "touch" security related code or systems without leaving GAPING holes because they totally don't understand or misunderstand simple things.

      They can write an if/else or a while loop, but other more advanced things ... just beyond them. And even the moderately smart senior personnel will accidentally leave something in a "prototype" state and accidentally ship it because of deadlines.

      This is t

  • by Kenja ( 541830 ) on Wednesday April 10, 2013 @01:15PM (#43414425)
    The cost of implementing strong encryption is the time it takes and the CPU cycles to run it. There has never been a high dollar cost that I am aware of other then these two factors. The former issue is alleviated through a standard frame-work, of which there are already a great many. The later can not be reduced, and can be a significant factor on virtual environments where CPU time is at a premium.
    • Interestingly, I do a lot of encryption related work and those two parts are the least of our worries. Key management takes up 90% of the time that is applied to encryption and it is a constant and on going thing that puts data at horrible risk if it's not done right. From both sides, you need to secure the keys well enough that only the people that need them can get them but no so well that the people that need them can lock them selves out.

      • Agreed. You need someone that knows what they're doing to keep track of them... those types of people cost, minimum $50k/year... but they rarely ever need do anything at all. It's hard to convince management to keep them on. But when they aren't around and you need them.... whoa unto you.

    • by Alsee ( 515537 )

      CPU cycles isn't much of an issue here. They are selling a Trusted Computing scheme with a Trusted Platform Module preforming the core functions.

      From one of their FAQ's: [strongauth.com]
      StrongAuthKey Appliance: Cryptographic hardware (TPM or HSM) included in appliance
      StrongKey: Cryptographic hardware must be integrated separately
      (This refers to a TPM built into your PC)

      It's bad enough Slashdot has basically dumped an ADVERTIZEMENT here as a front page story, but it's particularly disgusting that they did it for a g

      • by mlts ( 1038732 ) *

        I looked at their appliances... nothing really special that I can't buy from IBM or HP, except IBM has the HSM for keys on a PCI-E card -- no rack space needed.

        I remember in a previous life working for one company. A vendor approached us for a backup solution that was this magic black-box appliance that stored an encryption key for every tape. As the company I worked for had tens of thousands of LTO-4 and LTO-5 tapes, that was a concern. I asked the sales rep how to back up the keys. His reply, "the dev

  • by xxxJonBoyxxx ( 565205 ) on Wednesday April 10, 2013 @01:19PM (#43414467)

    You even got SlashDot to post a video from a 1990's-style trade show, for God's sake.

    >> Yes, their software is all based on Linux. CentOS, to be exact.

    Er...just one distribution?

  • the Playstation Network?
  • by account_deleted ( 4530225 ) on Wednesday April 10, 2013 @01:22PM (#43414501)
    Comment removed based on user account deletion
  • by Anonymous Coward

    I was looking into their products, but after this blatant slashvertisement, I'm going to take my business elsewhere. You're making slashdot even worse dice. I won't support companies that help you kill yourself.

  • Slashdot. STAHP. (Score:5, Insightful)

    by PhxBlue ( 562201 ) on Wednesday April 10, 2013 @01:45PM (#43414729) Homepage Journal

    Dear "Editors":

    This is a new low, even for slashvertising.

    Responsible journalists do their damnedest to make sure their work looks nothing like the ads that appear on their sites. You've just done the exact opposite. In fact, remember when The Atlantic posted a Scientology ad as editorial content [slashdot.org]? Remember the outcry that went up about the distinction between advertising and news? Well, you've just done the exact same thing.

    Knock it the fuck off. Slashdot was supposed to be "news for nerds." If you want to sell out, do it on your personal time, not here.

  • by shaitand ( 626655 ) on Wednesday April 10, 2013 @01:53PM (#43414783) Journal
    I get this everywhere else. I don't need it on Slashdot too.
    • by Roblimo ( 357 )

      So what do you want? something uncompromisingly negative to make up for something positive?

      Why aren't Slashdot editors allowed to like anything? Hmm?

      • Sure but at least put it up in a way that PRETENDS not to be an advertisement. I think a fair number of us work in the enterprise tech world and browse Slashdot to escape it for awhile. This stuff floods our inbox all day long.

        This thing doesn't even promote an actual solution it just delivers the rah rah pep talk these guys would have in the company meetings they subject their staff to. Lots of enthusiasm and feigned altruism, no content. I don't mind a slashvertisment slipping through now and again if it
    • Your life is a whorefest? All I can say is, make sure you get tested regularly!

  • The problem I see is that for software to process and work with the encrypted data it must be decrypted without human intervention. That means that either the software itself has to know the decryption key, the software has to know the authentication key used to get the decryption key from the crypto infrastructure, or the decryption key has to be available from the infrastructure without authentication. So while the encryption can protect against an intruder who's gained access to the network from the insi

  • >> StrongAuth helps protect data with strong encryption

    So...why's it called "strong authentication"?

  • by Chris Mattern ( 191822 ) on Wednesday April 10, 2013 @02:28PM (#43415049)

    Encryption Key Management IS a commodity. [gnupg.org] What in hell are these yahoos talking about?

  • From their website: "DES and the International Data Encryption Algorithm (IDEA) are the two most commonly used symmetric techniques." Totally wrong. Doesn't make you feel good about them as a security company.
  • Ugh. I haven't logged in to post for some time. This kind of story is why. I hope they paid for this and the standard of posting hasn't just sunk to a new low without $$$ exchanged.
    • by cusco ( 717999 )
      Higher up the thread Roblimo said that none of the videos are paid ads.
      • Yes, and I had read that before posting my comment. I want to believe, but find it harder to do so recently. To state the obvious: Dice have a credibility problem with some of the slashdot crowd. They need to go out of their way to avoid the *appearance* of paid-for-journalism. IMHO they didn't get this one right. However well intentioned it may or may not have been; it doesn't *appear* to be well intentioned. It's not the first time, and I dare say it won't be the last. They should be worried when their au
  • Unlike the other clueless commenters who revile this "slashvertizement", I recognize that this must be a form of stenographic encryption. Roblimo must have needed a way to send a secret message, or to permanantly store his PGP revocation key (I'm always losing that); Thus, this article was created to deliver the stenographically encoded payload in the text and/or video. You're not fooling me!.

    Nice touch including the tags in the headline so you can easiliy retrieve the article later by searching "Manag

  • If you're writing Java it's easy. It's a bit more trouble with .Net because nobody's bothered with a good tutorial.

If you aren't rich you should always look useful. -- Louis-Ferdinand Celine

Working...