First I’ll talk a little bit more about some of the elements of a platform and why it’s better than the traditional approach. One of the reasons is because you provide a framework. And by framework what I mean is that you have well defined concepts and integration points. What are all the ways that I can protect data in stream form, in block form, in file form, or in motion? It gives you a very consistent way of dealing with data. And what that means is that when new things come along, new Cloud services or new mobile services, you already have a place built into your architecture where you can add support for that. It’s not a whole new reengineering and rearchitecture because the framework has accounted for fundamentally what the structure of the problem is.
We’ve all seen lots of frameworks. Some of which have been successful and some have not. But this is an important element: to define the domain that we’re dealing with, the problem domain, in a very extensible way. You need to allow other people to plug into that framework at those different extension points, and they should be both internal and also external so that third parties can plug in. For example if I’m sharing data with a third party I need to be able to allow them to establish an identity with me, and so one of the things that I need to have built into this data platform is the ability for them to plug in identities or establish an identity that I can trust at that time and in a dynamic way.
Next, data lifecycle node equivalency. Well that sounds really technical or complicated. But what it means is that all of these different things that data can flow through, the data’s always flowing to a system or from a system. And so it’s flowing to a home PC or to an iPad or to the Cloud, and as it does that all of those need to be able to be treated in some way as equal peers. And we need to be able to establish that all have a certain degree of threat or vulnerability associated with them. They all have a certain risk posture associated with them. And so there’s an equivalency in the sense that they can all be represented in the same way as having some basic characteristics. They all have, like I said, the vulnerability. They all then require a certain amount of protection based on whatever their vulnerability posture is. And so that way the system can treat each of them individually, even though they’re diverse platforms; you know, the way you would protect something on one may not be equivalent to the way that you would protect it on another. A tablet versus an internal server in the data center, for example. You may not choose to protect the data the same way, but you need to be able to look at all of those things as nodes and simplify your management so you can set up high level policies and then let the system intelligently protect the data and enforce the data protection policies. And that’s the next item.
Once you can look at all the different nodes then what you can do is you can have the system say okay, my administrator has set up preferences: prefer hardware encryption where possible, locally on a box. If hardware encryption’s not present then I want to prefer an OS-based mechanism, then I want to prefer a software-based one. And always when data leaves the box I want to have it be encrypted. And if I can’t protect certain paths I want to block them.
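As an added example, not code from the post or from Credant’s product, here is how that node abstraction and preference cascade can be expressed so an administrator can evaluate a policy against a whole fleet before turning it on. The Node, Policy and Decision types, the mechanism names and the sample fleet are all assumptions made for the illustration.

```go
package main

import "fmt"

// Node is the post's "data lifecycle node": every place data can sit is described
// with the same capability fields, so one policy evaluates all of them. Constructed types.
type Node struct {
	Name     string
	Hardware bool // self-encrypting drive or TPM-backed encryption present
	OS       bool // OS-native volume encryption available
	Software bool // an enterprise encryption agent can run here
	Managed  bool // enrolled with the central console at all
}

// Policy is the administrator's ordered preference plus the rule for nodes
// that cannot be protected.
type Policy struct {
	Preference       []string // e.g. "hardware", "os", "software"
	BlockUnprotected bool
}

// Decision records what the system would do for one node or path.
type Decision struct {
	Node      string
	Mechanism string // chosen mechanism, empty when none applies
	Blocked   bool
	Reason    string
}

func (n Node) supports(mech string) bool {
	switch mech {
	case "hardware":
		return n.Hardware
	case "os":
		return n.OS
	case "software":
		return n.Software
	}
	return false
}

// DecideAtRest picks the first mechanism in preference order that the node can
// provide; an unenrolled node, or one with no mechanism, is blocked when the
// policy says so.
func (p Policy) DecideAtRest(n Node) Decision {
	if !n.Managed {
		return Decision{Node: n.Name, Blocked: p.BlockUnprotected, Reason: "node not enrolled"}
	}
	for _, mech := range p.Preference {
		if n.supports(mech) {
			return Decision{Node: n.Name, Mechanism: mech, Reason: "first available in preference order"}
		}
	}
	return Decision{Node: n.Name, Blocked: p.BlockUnprotected, Reason: "no supported mechanism"}
}

// DecideTransfer applies "data leaving the box is always encrypted": the source
// agent must be able to wrap the data for the trip, and the path is blocked
// unconditionally when the destination cannot protect the data at rest.
func (p Policy) DecideTransfer(from, to Node) Decision {
	if !from.Software {
		return Decision{Node: from.Name, Blocked: true, Reason: "source cannot encrypt data in motion"}
	}
	d := p.DecideAtRest(to)
	if d.Mechanism == "" {
		d.Blocked = true
		d.Reason = "destination cannot protect data: " + d.Reason
	}
	return d
}

// Review evaluates a fleet and returns the decisions plus the names of nodes
// that would be blocked, so the impact of a policy is visible before rollout.
func Review(p Policy, fleet []Node) ([]Decision, []string) {
	var decisions []Decision
	var blocked []string
	for _, n := range fleet {
		d := p.DecideAtRest(n)
		decisions = append(decisions, d)
		if d.Blocked {
			blocked = append(blocked, n.Name)
		}
	}
	return decisions, blocked
}

func main() {
	p := Policy{Preference: []string{"hardware", "os", "software"}, BlockUnprotected: true}
	fleet := []Node{{Name: "laptop", Hardware: true, OS: true, Software: true, Managed: true},
		{Name: "tablet", Software: true, Managed: true}, {Name: "kiosk", Managed: true}, {Name: "usb-stick"}}
	decisions, blocked := Review(p, fleet)
	fmt.Printf("%+v\nblocked: %v\n", decisions, blocked)
}
```

The point of keeping the preference as data rather than code is that a new node type (a new Cloud service, a new tablet OS) is added by describing its capabilities, not by rewriting the policy; the transfer rule shows why the "block the path" fallback matters, since an unenrolled USB stick can never satisfy the at-rest requirement.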
Now a big part of this then is okay, now I’ve encrypted my data everywhere, great. At Credant we like to believe that the natural state of the data frankly is to be encrypted wherever it goes. That way the data owner stays in control. Now what you have to do is you have to have integrated authentication, managed centrally. You have to be able to unlock the keys and make sure that there are key rings moving around and group key management. Thus, you have to have authentication and key management integrated centrally into the solution from the start. And if you’re in an environment that needs strong authentication like smart cards, fingerprints, proximity cards, then that needs to be a part of the solution and fit into that framework that we talked about.
Finally you need to have collaboration and sharing policies and I can go on and on and on about all that. The benefits of such an approach obviously the more the platform can automate the less work for IT and the less impact on the end-user. There’s a lot of benefits in terms of improved security, lower cost. Such a framework is extensible for the future. But most importantly it gives us now a way where we don’t have to say okay, on my Macs I’m doing this, on my servers I’m doing that. On my handheld I’m doing something else. If it’s all tied together through this kind of unified solution then that really makes a lot of sense.
As I turn the corner to wrap up here real quickly, I’ll just give you a short overview of what we’ve done. Credant is 100 percent focused on solving this problem. And one of the ways that we’re doing that is by extending the workstation and handheld encryption and data protection that we have with mobile device management and cloud. And also by working with partners to establish third-party plugins into the solution, so that customers who deploy a solution like ours can be sure that that decision is a future-proof decision, because we’re going to be there providing new plugins and new extensions with other partners in the future. We’re now supporting all of those things except for the Cloud, and that’s coming here in a couple of months. But all in an integrated way, from one platform, from one console, so that it makes it easy to manage. Key management is obviously very important in our system. No administrator touches keys, and no administrator ever has to individually manage keys. The keys flow automatically and transparently. So that’s a great simplification that we’ve provided as part of the platform. Auditing and reporting are obviously also huge. Other important aspects of the platform include enterprise integration into your directories and your security and event management.
So then what is managed? The nodes of this data protection fabric include the workstation endpoints, mobile devices and servers. In the future we’re moving even towards storage, Cloud and enterprise applications. And things we’ve recently added have been support for Windows server, virtual servers and VDI environments. We’ve got several banks deploying our solution in VDI settings to protect removable media, because one of the biggest trends we see right now is the need for finance and healthcare in particular to protect data that flows through USB thumb drives. One of the things that we think is exciting is the potential for an SDK into the system, and that’s a clear need in terms of supporting that extensibility goal of a platform.
In summary, traditional bolt-on approaches really don’t meet the current challenges much less the emerging challenges. So we really believe that enterprises need to be looking for security for the full data lifecycle. And thinking about how can I have one system that’s going to protect my server data, my Mac, my Windows, my endpoints and all the data that moves between them and into the Cloud. And finally, we think the best way to do that is through a platform approach. And we don’t see a lot of those platforms really in existence today, but we think that they’re coming and we tend to lead the way to provide a real platform. And people have talked about it. But in terms of automating, giving it the automation and extensibility and the framework, plugin capability, we think there’s a lot of room to innovate in the market to help you solve your really important and pressing problems right now.
So what’s the alternative? Well the alternative really is what we’re calling here the data protection platform, a platform that can provide a central set of services where the data protection goes with the data as the data moves across the data lifecycle.
So what you do is you encrypt the data within your enterprise and as the data moves it stays encrypted. There are some challenges with doing that – which I’ll talk about later. But some of the core tenets of a successful platform are that you obviously need to have simple control and management visibility into where your data is, how it’s being protected, how to recover access to it, how to manage and report on the system in terms of keys and compliance and collaboration, and how to report and audit that you’re complying.
Now of course to make something like that happen you have to be able to automate as much as possible. So you do need software that does automation and you need to be able to have a very flexible policy system that lets you specify rules for how you protect data wherever it goes. But another important piece is it needs to be extensible. We already said that there are more and more services coming on all the time…but the one thing consistent is those things all tend to use data as files, as discrete chunks of data. And those things can be protected. Data that moves into Dropbox or into Amazon tends to be file based data by and large unless you’re going into a proprietary system. And then where there are proprietary systems, there is a list of standards.
A platform needs to be based on standards as much as possible and avoid the proprietary lock-in some systems impose. If you can use standards, and you provide a framework for extensibility, then you can get this ability to add on to the system after it’s been deployed and add services. And that’s really where we need to go. So that you can provide new safe paths for your users as new Cloud offerings or new mobile devices come online.
Obviously it has to support your existing IT infrastructure, so you have to integrate with other operational processes like AD, log management, security event management and security information and event management. All those things have to be supported by the platform as well. And then you have to, fundamentally, stay out of your users’ way. You have to maintain a real strong sense of transparency. You have to provide very easy paths for your consumers to be safe. And the security can’t get in the way of that.
So next I’ll discuss why a data protection platform is better….
What would that new approach look like then? What are the solutions to integrating security? There are at least two options. The traditional approach – let’s implement security for data of each type, or for each type of endpoint or service. And then a new approach – one that spans all of them (data of each type, and each type of endpoint or service).
Now the benefit in the past of taking door number one, if you will, the individual technology choice for each platform type, is that you go deep on each type of platform, and you have a lot of different service and protection offerings. The challenge with it is that it is really complex and expensive. And as more and more options for end-users grow, we believe this approach becomes untenable. If you go deep on every platform, and you have to have deep low-level code and all that goes into maintaining and managing that on every single platform and every single device that your employees use and that your partners use, that’s ultimately going to be a scenario where you can’t win.
For example a customer once said, well I want to allow my billing partners to have my data, but I want to force them to run this software that modifies all the Office applications as well, and I want you to build this kind of deep Windows solution. The thing that I pointed out to him was that every time Windows updates you’re now responsible for all the customer support for your partners, because a solution like that is so dependent on and so deep into the operating system and the Office apps that it would no doubt be brutal, and you can’t predict what Microsoft will change. The whole approach is basically flawed because now you’re going to take on the support burden for your partners, and you can’t do that. It just doesn’t make sense. It’s the right idea and the right motivation to protect the data and want the data to be safe wherever it goes. But the implementation approach of doing a particular deep solution for every platform and every place the data goes won’t scale. It just can’t scale.
Stay tuned for what’s behind door number 2….
To illustrate the point just in the area of key management, a Computer Weekly survey found that 88 percent of organizations had multiple administrators managing their encryption keys. And that doesn’t mean that those multiple administrators are required to look over one another’s shoulder when keys are accessed; it means that they have a lot of different people who have to have access to the keys. And 22 percent have ten or more. This basically means that there’s a lot of opportunity for things like collusion, WikiLeaks-style leaks or insider threats. It also speaks to the complexity of the environments and the need to have all these people trained on these systems just to understand them. Interestingly, 42 percent of administrators are managing encryption technologies from at least four suppliers, while eight percent are dealing with more than ten suppliers. This is amazing considering the complexity that can exist in one encryption system; having to deal with ten is just remarkable. But I can also understand why people say well I need to protect my servers, I need to protect my Macs, I need to protect my Windows devices, my handheld devices, etc. It’s understandable how you could quickly get to four or more technology platforms for encryption.
But it doesn’t have to be that way. What really then is the core problem that’s driving the complexity and the change is the fact that the traditional approaches just aren’t working. There are a lot of problems organizations are dealing with but one of the fundamental problems is the fact that users are now self-sufficient. We have a self-sufficient population. I mean they don’t wait for IT. They move data immediately to solve business problems. That’s what they’re paid to do. They do that 24/7 because nobody works a regular day anymore. So, our users are self-sufficient and the technologies they use are more self-serving now.
There’s lots of different technologies and startups out there trying to make technology more and more simple. Today, you can have what might have taken IT six months to develop in years past – instantly. You can have compute and storage in minutes now, at most hours. That kind of pace, that kind of rate of change, means that data flows instantly. And so, we have to set up systems that first of all anticipate that, where data protection is built into what our users are going to do. Giving them paths that are approved, good paths to follow, instead of blocking or missing the paths that users come to follow. And obviously this is not a trend that’s going to change. This is only going to get worse going forward.
So there’s a new approach really that we need to take. We need to not depend on setting up perimeters. And of course everybody’s heard this for years. We’ve been talking about it in the security industry – the perimeter’s dead. I remember years ago we used to talk about how there is no perimeter. And there’s a lot of good work done by the Jericho Group and others who tried to get that message out and I think by and large people have received that message. But what we have not really gotten to is what is the unified consistent data protection strategy.
Stay tuned for my next post on the solutions to this….
I want to start off with essentially the bad news – we’re seeing more and more security challenges arise. I’m going to walk through why traditional approaches and traditional thinking for solving data protection problems is beginning to fail. The big three challenges that we’re facing right now include:
- BYOD (what used to be called consumerization) – the concept is that end-users in organizations are in more and more control, they want more and more services and they use their mobile devices to get it.
- The Cloud – this next one plays on those mobile devices and the need to access the Cloud.
- Mobility – the underlying trend here is just that the workforces and populations in general are more and more mobile nowadays.
So what’s IT trying to achieve? Today, IT departments still have traditional full time employment, essentially 100 percent utilized just trying to meet their day job. Typically they’re focused on how do we manage what we already have deployed so that we can enable our business, how do we drive cost out of that operationally and, then how do we plan for the future? And take those savings that we drive and reinvest them back in the business strategically. Oh, and by the way we need to make sure that our data is protected because in this day and age certainly compliance of our corporate data is a huge, huge return.
Thus the challenge then is that while we have these new trends coming on and we have these existing functions we have to do, they don’t always align with one another, so the very things that we do sometimes to keep the lights on and keep the business going don’t always cover the new things that are coming in, and the new services needed. Every day there are new Cloud services coming up, from do-it-yourself Clouds to basically build your own Cloud and sync to it. So, employees and partners are trying to solve their own problems. And sometimes the methods and the procedures and the tools that we’ve had in place in the past don’t extend and don’t leverage the new technologies that are needed to solve the problem.
But wait…it gets worse: this is a trend that will continue. Users are just going to want even more and more connectivity in the future and it’s going to lead to more extremes. With the iPhone app craze, in most users’ minds there’s essentially no reason why they shouldn’t have all IT services available as an app on their iPhone or their iPad. It’s a huge challenge. And it’s not just applications, it’s also the concept that your data is actually moving, and it’s going places that we don’t fully recognize all the time. So in fact, in order to get our organizations moving at the rate that they need to, the data has to move, too. And that data flows from our corporate servers to workstations to handheld devices, to the Cloud and beyond.
For example, one of our customers found 8,000 users were using Cloud services without any specific corporate approval. The team wanted to shut off access to these services (Dropbox and SugarSync) but the CIO decided no because the organization clearly needed it. So it’s become important for businesses to find a way to secure it.
What does this all mean? It means that solutions that solve these kinds of problems are obviously very, very complex, and complexity is bad for security. The more complex it is, the more different platforms you have, different databases, different back-end systems, different kinds of applications and employee scenarios, the greater the challenge. Are they inside my network? Are they outside my network? Are they working from home? All of this complexity is really a challenge to manage. Particularly when you think about all the systems that we have in place and the traditional ways we think about it: I need to install agents, I need to use a firewall for this, and I need to use an AV product for that, and it gets very cumbersome quickly.
Stay tuned for my next couple of posts on overcoming these challenges…
Ten years ago I took a risk. The Internet bubble was bursting. People I respected told me that investment dollars were fewer and harder to get. But several of us had an idea. We had a concept but no details. We believed that data was leaking from organizations through mobile devices and other avenues and that this data represented a tremendous risk to people and organizations. We believed that people’s privacy was at stake if companies lost individual data and that it could be damaging to both the people and companies. We believed that people deserved for their personal and corporate data to be safe—no matter where or how it was used. The market was nascent, but we believed there was a need that many did not see yet.
We didn’t really know how to meet that need, but we believed we could hire a good team and figure it out together quickly. The founders didn’t even really know each other that well. By our original plan, we had 10 months of runway and the most important thing to do in that 10 months was to hire a development team to build a product and get at least one company to show enough interest that we could raise more funds. All that was true before 9/11 happened. There was even greater urgency after 9/11.
On the personal side, my kids were young (7, 4 and 3). I remember telling my wife that 85% of all startups fail within the first 3 years, so statistically this one probably would fail. I asked if she was ready for that. She told me it would not fail. She was right.
In spite of all the risk and everything that has happened, we are still here 10 years later and there have been many rewards in addition to the risks. After those first years, the biggest reward has been the people that have joined us—the team of dedicated men and women who have worked so hard to secure data for our customers. Some of my greatest friends and the people I respect most in my professional life have worked or still work at CREDANT. I’m proud to be part of a team where integrity is more than just a word. It’s something we strive to live out every day. Over the last 10 years, I’ve seen that exemplified, and I’ve done my best to do the same. I’m also proud of the culture we’ve created. A place where we win or lose as a team, as ONE. A place where we don’t look to dominate each other or play politics but all look to work together to create new and innovative ways to protect data for our customers.
We’ve built some cool technology over the years and created a product platform that millions of devices are protected by. We’ve led the way over the years in central management and policy enforcement across heterogeneous platforms. We pioneered intelligent encryption that avoids operational overhead and end-user headaches. It’s exciting to think about all the data we’ve protected!
However, the world is changing fast and the risks are greater than ever. Risks to data through new usage models, mobile devices, the cloud and a pace of technological and social change are arising faster than ever before. And there are not that many entities out there looking to protect that data. Not many are positioned as we are to see the need and have the tools and expertise to fill this need. After 10 years, we are perfectly positioned to solve the exact problem before us now – protecting data across mobile devices, cloud and enterprise storage and applications. And as we protect that data we will enable new secure collaboration and sharing models that have not before existed in a way that can be safe and audited by the data owner.
As with every opportunity, we must move quickly and work hard to meet this new challenge and fulfill the role we’ve been positioned for. Risks still abound and must be overcome, but as I look forward to the next decade, I am more excited than ever! We have such an amazing opportunity and when I think of all that we’ve overcome to get here and the people who are my teammates that help meet the challenges moving forward, I find that I am more than ready for the risks (and rewards) of the next 10 years!
Chief Technology Officer and Co-founder
It is interesting to note that it’s possible for a 3rd party to add data security for enterprises to Dropbox. What would need to be done by such a 3rd party to make Dropbox safe for enterprise data? What are the specific problems we need to solve to allow our most sensitive data to move into cloud storage?
- Encrypt all data – We need to ensure all data is encrypted with a key that we control and the storage provider does not. This means the storage provider can never have our encryption key when it’s open.
- Replace file names – We also need to make sure we rename files so we avoid leaking information about the file from the file name itself. One way to address this is to simply rename the file with a GUID-based filename.
- We need to track who is putting what files in the cloud. In other words, we need audit information that will give us visibility into how data is being used in the cloud so we know where our data is going.
- We need to be able to allow collaboration and sharing of data between users.
- We need to be able to report on confidentiality of all data moving into the cloud for compliance purposes.
- We need to be able to automate the enforcement of policies, key management, auditing and reporting of all of this.
- We need to be able to go to one central place to manage all of this.
These core capabilities are required for enterprises to be able to leverage cloud storage and allow their users to do the same. Fortunately, systems that support these kinds of capabilities are beginning to emerge from 3rd parties.
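The first three requirements in that list (encrypt with a key the enterprise holds, replace the file name with a GUID, keep an audit trail of who put what where) can be shown in one small client. The following is an added example in Go, not Credant’s code and not the solution in the video; the envelope header, the audit record layout, the sample user and file name are assumptions. Only a GUID-named AES-256-GCM blob ever reaches the provider’s sync folder; the key, the name map and the audit trail stay on the enterprise side.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

const magic = "ENT-ENC1" // envelope marker; constructed for this example, not a product format

// AuditRecord is what the central console keeps for every file passing through the secure folder.
type AuditRecord struct {
	Time         time.Time
	User         string
	OriginalName string
	CloudName    string // the GUID name the provider sees
	Action       string // encrypt, decrypt or decrypt-failed
	Bytes        int
}

// SecureFolder holds the enterprise key, the name map and the audit trail; none of them enter the sync folder.
type SecureFolder struct {
	aead  cipher.AEAD       // AES-256-GCM keyed with the enterprise-held key
	names map[string]string // cloud name -> original name
	Audit []AuditRecord
}

func NewSecureFolder(key []byte) (*SecureFolder, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SecureFolder{aead: aead, names: map[string]string{}}, nil
}

// newGUIDName returns a random UUID in version-4 layout; as a file name it leaks nothing about the content.
func newGUIDName() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	b[6], b[8] = (b[6]&0x0f)|0x40, (b[8]&0x3f)|0x80 // version 4, RFC 4122 variant
	h := hex.EncodeToString(b)
	return fmt.Sprintf("%s-%s-%s-%s-%s", h[:8], h[8:12], h[12:16], h[16:20], h[20:]), nil
}

func (s *SecureFolder) record(user, orig, cloud, action string, n int) {
	s.Audit = append(s.Audit, AuditRecord{time.Now(), user, orig, cloud, action, n})
}

// Protect encrypts with AES-256-GCM and returns the GUID name plus the blob for the sync folder.
// The cloud name is bound as additional authenticated data, so a blob copied under another name fails to open.
func (s *SecureFolder) Protect(user, originalName string, plaintext []byte) (string, []byte, error) {
	cloudName, err := newGUIDName()
	if err != nil {
		return "", nil, err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	blob := s.aead.Seal(append([]byte(magic), nonce...), nonce, plaintext, []byte(cloudName))
	s.names[cloudName] = originalName
	s.record(user, originalName, cloudName, "encrypt", len(plaintext))
	return cloudName, blob, nil
}

// Open reverses Protect on the client; the provider never runs it and never holds the key. Failed attempts are audited too.
func (s *SecureFolder) Open(user, cloudName string, blob []byte) (string, []byte, error) {
	originalName, known := s.names[cloudName]
	ns := s.aead.NonceSize()
	if !known || len(blob) < len(magic)+ns || string(blob[:len(magic)]) != magic {
		s.record(user, originalName, cloudName, "decrypt-failed", 0)
		return "", nil, errors.New("not a known enterprise envelope")
	}
	pt, err := s.aead.Open(nil, blob[len(magic):len(magic)+ns], blob[len(magic)+ns:], []byte(cloudName))
	if err != nil {
		s.record(user, originalName, cloudName, "decrypt-failed", 0)
		return "", nil, err
	}
	s.record(user, originalName, cloudName, "decrypt", len(pt))
	return originalName, pt, nil
}

func main() {
	key := make([]byte, 32) // issued by the enterprise key server in practice, never by the provider
	rand.Read(key)
	sf, _ := NewSecureFolder(key)
	name, blob, _ := sf.Protect("alice", "q3-forecast.xlsx", []byte("constructed sample content"))
	fmt.Println(name, len(blob), sf.Audit[0].Action)
}
```

Binding the GUID name into the authenticated data is what makes the rename more than cosmetic: the provider (or anyone with access to its storage) cannot swap blobs between names without the decrypt failing, and every failed attempt shows up in the audit trail alongside the successes.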
The link below contains a video that is an example of just such a solution currently in development at CREDANT Technologies. The video focuses on the end-user experience for enterprise encrypted Dropbox usage.
The solution provides seamless end-user usage of Dropbox while automatically enforcing data protection policies that replace filenames, encrypt files, report compliance and centrally manage the entire activity.
In this video, we examine how a security client can be added to a device that is using Dropbox. The user can then place their files in a new Secure Dropbox folder and the data will be secured and then transferred to the Dropbox folder which will sync the data as it normally does. This is just one possible approach to protecting data with services like Dropbox. In the future, we will demonstrate other approaches and discuss pros and cons more fully. In the meantime, we look forward to any feedback the community may have.
Click here for the video.
The other day I commented that we need to make DropBox safe for the enterprise. I mean there have got to be millions of users who put work stuff in DropBox so as an industry we need to make sure all that data is safe, right? Sure. Of course. But how?
Ah, that’s where it gets tricky. As any security professional will tell you, electronic privacy is hard to do well. It requires a host of technologies like encryption, key management, identity management and authentication. More fundamentally, it requires that the provider and the customer agree on something called a threat model or risk profile.
What this means in the case of DropBox and other storage providers is that users really should answer several questions:
1. Who owns the data I’m putting in DropBox? – This is the person or organization ultimately responsible for protecting the data. And this will be the party that lawsuits, subpoenas and other unpleasant realities affect if the data is inappropriately disclosed.
2. Who should be able to view the data I’m putting in DropBox? – Is the data owner okay with data going into DropBox being public or should it be kept private?
3. What consequences would result from public disclosure of this data? – Who could be hurt?
4. Is it possible that anyone would want to use this data for illegal or malicious purposes? – What might the impact of that be?
5. Would someone be able to tamper with this data without my knowledge? – How can I continue to trust the data?
These and other questions make what started out as something so simple to help users get their job done a very serious consideration for most enterprises. When you stop to think about these questions, you reach one conclusion. Users should treat most providers like DropBox as publicly visible file shares. In other words, only put files in DropBox if you are okay with those files being available publicly at some point – because they just might become public someday.
But wait! There’s another side to this. Some vendors provide encryption to give user data privacy. That security may be built into the service or it may come as a 3rd party add-on. They say it’s military grade, AES-256 encryption. That’s the best encryption available, right? Right. So that takes care of it, right? WRONG!
Cryptosystems are difficult to implement properly. So we are now back to the tricky part I mentioned earlier: we have to understand and agree on who we trust and what we want to prevent. Here are a few points to think about in assessing your risk posture with respect to services like DropBox (I’ll generalize a bit and call them cloud providers to avoid beating up poor DropBox unnecessarily since most of their competitors have the same issue):
1. Is it okay for the cloud provider to store your encryption keys? – this certainly makes it easier for you but what new risks does it expose you to?
2. Even if they don’t store the encryption keys, is it okay for the key to be open and used for encryption within the service? – In other words, will you allow the provider to use your open key to encrypt and decrypt data, even if they have to get the key from you? Why is that an issue? Because if they have your open encryption key, it’s possible that they or some malicious code could access your data.
3. How does the encryption key get opened? – Does it open automatically or require a user credential first? Obviously automatically is more transparent but prompting for a user password can be disruptive to your users. Where do you draw the line?
4. Is access to the data audited? – How do you know who is accessing or attempting to access your data?
5. Can you prove that the data is encrypted? – This is the fundamental question for auditors and a requirement if you want to show those pesky folks that as an enterprise you are taking the right steps to protect your data – even in the cloud.
The questions could go on and on, but you get the point. Not every user or enterprise has the same answers to all of these questions. There’s no one-size-fits-all cloud security. Instead we need to start talking about Trust Models to better frame the conversation of what’s okay and what’s not okay in the cloud.
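Questions 4 and 5 above (is access audited, can you prove the data is encrypted) can be partly answered without holding any key, by inspecting what the provider actually stores. The following is an added example of my own, not the author’s or DropBox’s: it checks a constructed snapshot of a sync folder for GUID file names, for an enterprise envelope header, and for a payload entropy that rules out plaintext. The `ENT-ENC1` marker, the 7.0 bits/byte threshold and the 64-byte minimum are assumptions for the illustration; the minimum exists because the entropy estimate is meaningless on tiny files, which would otherwise be falsely flagged.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math"
	"regexp"
	"strings"
)

const (
	envelopeMagic  = "ENT-ENC1" // header the enterprise client writes; constructed, not a product format
	minEntropyBits = 7.0        // ciphertext scores near 8.0 bits/byte; text and office files sit well below 7
	minBodyBytes   = 64         // entropy is meaningless on tiny payloads, so those are judged on name and header only
)

var guidName = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$`)

// CloudFile is one entry as it appears in the provider's folder.
type CloudFile struct {
	Name string
	Body []byte
}

// Finding is the auditor-facing verdict for one file.
type Finding struct {
	Name      string
	Compliant bool
	Reasons   []string
	Entropy   float64
}

func shannonEntropy(b []byte) float64 {
	var counts [256]float64
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, c := range counts {
		if c > 0 {
			p := c / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Check runs the three tests an auditor can perform without holding the key:
// the name leaks nothing, the blob carries the envelope, the payload is not plaintext.
func Check(f CloudFile) Finding {
	fd := Finding{Name: f.Name}
	if !guidName.MatchString(f.Name) {
		fd.Reasons = append(fd.Reasons, "file name is not a GUID and may leak content hints")
	}
	payload := f.Body
	if strings.HasPrefix(string(f.Body), envelopeMagic) {
		payload = f.Body[len(envelopeMagic):]
	} else {
		fd.Reasons = append(fd.Reasons, "missing enterprise envelope header")
	}
	fd.Entropy = shannonEntropy(payload)
	if len(payload) >= minBodyBytes && fd.Entropy < minEntropyBits {
		fd.Reasons = append(fd.Reasons, fmt.Sprintf("payload entropy %.2f bits/byte looks like plaintext", fd.Entropy))
	}
	fd.Compliant = len(fd.Reasons) == 0
	return fd
}

// pseudoCiphertext: deterministic high-entropy bytes (a SHA-256 hash chain) standing in for real ciphertext.
func pseudoCiphertext(n int) []byte {
	out, block := []byte{}, sha256.Sum256([]byte("constructed seed"))
	for len(out) < n {
		block = sha256.Sum256(block[:])
		out = append(out, block[:]...)
	}
	return out[:n]
}

// SampleFolder is a constructed snapshot: one compliant file, one plaintext file under its real name,
// and one GUID-named file that was never encrypted.
func SampleFolder() []CloudFile {
	text := []byte(strings.Repeat("Quarterly forecast: revenue up 4% on stronger renewals. ", 40))
	return []CloudFile{
		{"3f2504e0-4f89-41d3-9a0c-0305e82c3301", append([]byte(envelopeMagic), pseudoCiphertext(4096)...)},
		{"q3-forecast.xlsx", text},
		{"7c9e6679-7425-40de-944b-e07fc1f90ae7", text},
	}
}

func main() {
	for _, f := range SampleFolder() {
		fmt.Printf("%+v\n", Check(f))
	}
}
```

An entropy check tells an auditor that a file is not plaintext, not that it was encrypted with the enterprise key; compressed archives score nearly as high. It is the header check together with a decrypt test on an enterprise client (which the provider cannot perform, because it never holds the key) that carries the actual proof, and the audit trail of those decrypt attempts answers the access question.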
I feel for the folks at DropBox. I really do. They have built a fantastic service over the last years. It’s simple. It’s clean. It’s easy to use. It provides great value.
With this one service, I can keep data in sync across the many devices that have come into my life over the last 10 years: my laptop from work, my iPhone, iPad, home PCs and even my wife’s Mac. I can even access this data from the browser on my kids’ Playstation. I can share work stuff with co-workers without waiting for someone to set up a share for me.
But there’s the rub. Work stuff. Yes, I CAN share work stuff with others or even use DropBox or many of its competitors as a virtual briefcase for taking work home. But SHOULD I?
Unfortunately, the answer currently is without a doubt – NO!
And that’s why I feel for folks at DropBox. They set out to do a great thing for the world and did it. But security is very hard and encryption among the hardest of security disciplines to get right. When you then try to make that security suit the needs of enterprises (remember the work stuff we talked about?) it’s a whole different story entirely.
What is needed is an enterprise encryption technology that supports DropBox and its many competitors. Such a solution would work with DropBox to support all the great capabilities they will continue to innovate while giving enterprises the ability to control the protection, audit the use and report compliance on their data in cloud services. Fundamental to these capabilities for enterprises is the ability for key management and encryption to stay in the enterprise itself. I’m looking forward to seeing solutions to this problem in the near future.
In the meantime, does that mean that of the millions of customers of DropBox, SugarSync, Box.net, Soonr and all the rest, no one is using work stuff (i.e. enterprise data) with those services? Not a chance! In fact, they are doing it at an alarming pace. And that is all the more reason for urgency in solving this problem – soon!