Thursday 21 June 2007

Told you so.

I just got off the phone with Gretchen Hellman from Voltage and she asked if I would write something about them. I'm still digesting it really, but I have to say, they seem to have a pretty smart solution to some real business problems. This is what I love about Americans: everything's an opportunity, not an issue. I live in Spain.

Anyway, Voltage saw there was an issue around PKI administration, so they addressed it. They saw usability problems with email encryption when certificates were used, so they fixed it. They are now seeing lots of talk about holes in web applications making for vulnerabilities in online transactions, so they've looked at that too. People keep asking them about laptop encryption when they are talking about other forms of encryption (a common issue, from experience), so they bought Safeboot - easy!

Voltage is yet another Dan Boneh company; he's another one of these guys that I've been aware of for my whole career. When I started, Dr. B (as I call him) was at RSA, he then helped found my chums Ingrian, and now he's at Voltage, who I hope will remain friends now too. Now this is what I want to do with my career - start up useful security companies which address real-life business issues that people are having now.

WebAppSec is something we hear a lot of in the SBN pages, not something I cover a great deal, because my view is that the apps "should" be secure, yes, but the data is really where the issue is, so as long as the apps do their job, so what if they were written by a 15 year old? Cheap development will never go away as long as there are teenagers and emerging nations to exploit. (Harsh, but true.)

I've talked about data-centric security for a long time now. It is my long-held belief that applications, databases and transport mechanisms are redundant to a large degree in security. Voltage have helped move this argument forward for me; my little brain is cranking up once more, and I love them for it right now.

I will be writing more about this next week once I've seen a bit more proof and substance, but essentially it goes like this:

DBs and apps have issues with encrypted data because of formatting, so what choices do you have around data? Come on, Mr. Data-Centric, get out of that one!

Well, you can choose not to encrypt, or to encrypt at the file level. Either way, by the time you get your data to the application or database layer, it's no longer encrypted. That's no good.
You can choose to buy a column-level encryption product and say goodbye to your IT budget; it won't necessarily interact with your application very nicely, and it's not really much of an investment.

But Voltage have implemented a very clever technology (lots of Maths, or Math to my American friends) to get around this - format-preserving encryption. The ciphertext has the same length and character set as the plaintext, so your database can store the encrypted value in the original column, in its original format, and the application code that expects a 16-digit number still gets one. Now we can encrypt data in the database, using the also very clever IBE (identity-based encryption) product they have, and hey presto, the information remains encrypted throughout the transaction until an authorised user with the correct ID tries to access it. This is perfection: scalable, data-centric, simple ID-based encryption. Once again I'm excited about some technology. I feel slightly vindicated; now if only everyone would go out and buy it, I could be your king.
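To show what "format preserving" actually buys you, here is an added toy example. It is my own illustration, not Voltage's code and not a standards-track mode such as NIST's FF1: a Feistel network over decimal digit strings, with HMAC-SHA256 standing in for the keyed round function, whose output is a digit string of exactly the same length as its input. The key and the column-name tweak are constructed for the example; the card number is the usual test value.

```python
"""Toy format-preserving encryption for decimal digit strings.

Illustrative only: a Feistel network in the FFX/FF1 style with HMAC-SHA256 as
the round function. Not Voltage's product, not NIST FF1, not for production.
"""
import hashlib
import hmac

RADIX = 10      # decimal digit strings, e.g. card or account numbers
ROUNDS = 10     # even, so both halves end up back in their original slots
MAX_LEN = 40    # keeps 10**len well inside the 256-bit PRF output range

# Constructed for this example only; a real deployment derives keys from a KMS.
DEMO_KEY = hashlib.sha256(b"demo key, constructed for this example").digest()
# The tweak binds ciphertext to its context (here a hypothetical column name),
# so the same PAN encrypted into two columns does not produce the same value.
DEMO_TWEAK = b"customers.card_number"


def _check_domain(digits: str) -> None:
    """Accept only ASCII digit strings of a sane length (str.isdigit is too lax)."""
    if not (2 <= len(digits) <= MAX_LEN) or any(c not in "0123456789" for c in digits):
        raise ValueError("input must be 2..%d ASCII decimal digits" % MAX_LEN)


def _round_function(key: bytes, tweak: bytes, n: int, i: int, half: str) -> int:
    """Keyed PRF for round i, bound to tweak, total length n and the other half."""
    msg = tweak + bytes([n, i]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a digit string to a digit string of the same length."""
    _check_domain(digits)
    n = len(digits)
    u, v = n // 2, n - n // 2            # unbalanced split is fine for odd n
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v       # width of the half being replaced
        y = _round_function(key, tweak, n, i, b)
        c = (int(a) + y) % (RADIX ** m)  # modular add keeps us in the digit domain
        a, b = b, str(c).zfill(m)        # zfill preserves leading zeros
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Invert fpe_encrypt by running the rounds backwards."""
    _check_domain(digits)
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        y = _round_function(key, tweak, n, i, a)
        c = (int(b) - y) % (RADIX ** m)
        a, b = str(c).zfill(m), a
    return a + b


def demo(card_number: str = "4111111111111111"):
    """Round-trip one value; returns (ciphertext, recovered plaintext)."""
    ct = fpe_encrypt(DEMO_KEY, DEMO_TWEAK, card_number)
    return ct, fpe_decrypt(DEMO_KEY, DEMO_TWEAK, ct)


if __name__ == "__main__":
    ct, pt = demo()
    print("ciphertext:", ct, "(16 digits, fits the existing column)")
    print("decrypted: ", pt)
```

Two caveats a practitioner would want stated. First, the output is "format valid" but only in the sense the column cares about: it will satisfy a digits-only CHAR(16) constraint, but whether it happens to pass a Luhn check is down to chance, because FPE preserves format, not checksums. Second, FPE is deterministic: the same plaintext under the same key and tweak always yields the same ciphertext, which is what lets the database still index and join on the column, and also what lets an attacker see which rows share a value. That is why the tweak (column name, tenant, record identifier) matters, and why an IBE or KMS layer has to govern who gets the key.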

[Oh yes, I didn't mention Martin Hellman (her father) to Gretchen, but she brought him up right at the end. Deservedly proud, I guess, and with an audience who she knew would appreciate the name drop, why the hell not? I feel writing this should earn me a meeting with the great man, another name for my Security Spotters Handbook.]
