Security
The security of online applications is a key business issue and in some cases represents the most significant threat to organizations.
Intellectual property, trade secrets, and critical customer data are often used with internal and external online applications. But organizations have more at stake than data. A security breach may lead to fines, regulatory investigation, public exposure, mandatory notices to each person affected, legal liability, and other actions, so the organization's reputation and brand will also almost certainly be harmed. As a result, the importance of online application security is growing.
How can I make our online applications hacker proof?
You have probably heard the phrase "Any computer can be compromised". This phrase accurately reflects the yet-unsolved security problem of protecting servers and clients against penetration attacks.
So, as many people realize too late, the question "How can I make our online applications hacker proof?" is the wrong approach.
In our approach, called ZSentry, the security of our solutions is assured not by some fictitious "Fort Knox" type of security that would (vainly) promise to prevent all attacks. As the next item explains, the ZSentry technology simply prevents attacks by the sheer lack of existence of user data to attack, anywhere.
ZSentry Sans Target
The best defense against data theft is to not have the data in the first place. In IT security terms, ZSentry shifts the information security solution space from the hard and yet-unsolved security problem of protecting servers and clients against penetration attacks to a connection reliability problem that is solvable today.
Uniquely, the ZSentry Sans Target technology eliminates common online targets such as username/password lists, names, email addresses, plain text user data, meta-data, and even the encryption/decryption keys themselves. There is also no shared-secret storage (not even encrypted), whose presence would be a target enabling dangerous silent breaches, including RSA's notorious SecurID breaches.
Why Z? Because it is 'easy' to use and forms a Z with four sentries that protect your data with Authorization, Spoof Prevention, Authentication, and Access Control (see image).
The ZSentry Sans Target technology also allows your solutions to work without ever exposing the users' private data, passwords, or keys, and provides multiple levels of protection.
ZSentry Sans Target allows services to operate with the simplicity of conventional password systems but without their security limitations. Neither on the servers providing the service nor on the user's desktop or laptop client accessing the service are the user data and keys ever in danger from outside or inside attacks. If there is an attempt to breach security somewhere (including at a client point), even by physical removal, no customer access data or customer data can be recognized or compromised. Physical Sans Target protection is thereby afforded to customer login data and user keys, which are not stored or made available anywhere.
The ZSentry Sans Target technology further enables a legal Safe Harbor (for example, in HIPAA/HITECH rules) that cuts costs and liability, including the legal obligation to disclose breaches. Even though one can argue that an attack may eventually succeed, for example in the case of an attacker who may even physically walk away with any number of servers, with ZSentry no user data would be compromised. ZSentry Safe Harbor compliance also cuts and avoids legal conflicts and costs in ancillary contracts with customers.
The ZSentry Sans Target technology is also applied to web site security, in what we call Software-as-a-Service Sans Target (SaaS-ST).
Comparison with X.509/PKI and PGP
ZSentry complies with and extends X.509/PKI and PGP security standards, allowing secure first contact and reply without previous interaction (e.g., exchanging passwords, requiring registration) or work (e.g., searching a directory, solving puzzles). ZSentry also supports SAML and SSO, so that it can be part of a federated-identity ecosystem.
For example, the X.509/PKI standards define a "user certificate" (also called a "public key certificate"), which binds a user's name and email address to the user's public key. This binding is rendered unforgeable and verifiable by a signature made with the cryptographic private key of the certification authority (CA) that issued the user certificate.
Likewise, unforgeable (cryptographic) authentication of both the user's name and email address is enforced by ZSentry.
This functionality is provided by ZSentry in order to protect the user's identity and help prevent spam (by recipients who use ZSentry). Moreover, the unforgeable authentication provided by ZSentry solves some critical usability and security problems relating to key-signing and certificate distribution in X.509/PKI: it is digitally equivalent to X.509/PKI unforgeable authentication, but operates without purchasing a CA certificate and having to safe-keep the private key.
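The X.509 mechanism described above, shown as an added example (this is not ZSentry's code, nor the page's own; it uses the third-party Python `cryptography` package). It builds a self-signed CA, issues a user certificate whose subject CN carries the name and whose SubjectAlternativeName carries the email address, and then verifies the CA's signature over the to-be-signed bytes. A second certificate for the same identity, signed with a different key but copying the CA's issuer name, fails that check, which is exactly what makes the binding unforgeable. "Example CA", "Alice Example" and "alice@example.com" are constructed values.

```python
"""Added example (not ZSentry's code): how an X.509 user certificate binds a
name and email address to a public key, and why only the CA's private key can
produce a certificate that verifies. Requires the `cryptography` package."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

VALIDITY = timedelta(days=365)


def _builder(subject, issuer, public_key):
    """Common fields of every certificate built in this example."""
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + VALIDITY)
    )


def make_ca(name="Example CA"):
    """Create a self-signed CA key pair and certificate ('Example CA' is constructed)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (
        _builder(subject, subject, key.public_key())
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_user_cert(signing_key, ca_cert, user_name, email, user_public_key):
    """Issue a user certificate: the CN carries the name, a SAN carries the email.
    The issuer name is copied from ca_cert; the signature comes from signing_key."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, user_name)])
    return (
        _builder(subject, ca_cert.subject, user_public_key)
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
        .sign(signing_key, hashes.SHA256())
    )


def binding_of(cert):
    """Return the (name, email) pair the certificate claims for its public key."""
    name = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    emails = san.get_values_for_type(x509.RFC822Name)
    return name, (emails[0] if emails else None)


def verify_issued_by(cert, ca_cert):
    """True only if ca_cert's key signed cert's to-be-signed bytes and the
    issuer name matches; a copied issuer name alone does not pass."""
    try:
        ca_cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
    except InvalidSignature:
        return False
    return cert.issuer == ca_cert.subject


def demo():
    """Issue a genuine certificate and a forged one, and verify both."""
    ca_key, ca_cert = make_ca()
    user_key = ec.generate_private_key(ec.SECP256R1())
    good = issue_user_cert(ca_key, ca_cert, "Alice Example", "alice@example.com",
                           user_key.public_key())

    # An attacker holding only their own key can copy the CA's name into the
    # issuer field, but cannot produce the CA's signature.
    attacker_key = ec.generate_private_key(ec.SECP256R1())
    forged = issue_user_cert(attacker_key, ca_cert, "Alice Example",
                             "alice@example.com", attacker_key.public_key())

    return {
        "binding": binding_of(good),
        "good": verify_issued_by(good, ca_cert),
        "forged": verify_issued_by(forged, ca_cert),
    }


if __name__ == "__main__":
    print(demo())
```

The check deliberately verifies the raw signature over `tbs_certificate_bytes` rather than trusting the issuer field: the forged certificate carries the same issuer name and the same claimed identity, and is rejected only because the signature does not verify under the CA's public key.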
Trust and Verify
Even though ZSentry security is automated and requires little to no user intervention, humans should not be required to blindly trust computers. To help allay spoofing and phishing concerns we find that it is often useful to provide visual clues that humans can easily verify, in addition to protocols that computers verify. For example, all ZSentry secure pages and messages must begin with https://zsentry.com/, which is a short unique name that is easy to verify visually with no potentially confusing character substitutions (as one could visually spoof https://pineapple.com/ with https://pineapp1e.com/, where the letter "l" has been changed to the number "1").
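The visual check described above can also be automated on the defender's side. The following is an added example (not ZSentry's code or the page's own): it requires a byte-for-byte match of the trusted prefix and, when the match fails, reports whether the hostname is merely a look-alike of the expected one. The confusable table is a small constructed one (digit/letter swaps, "rn" for "m", a few Cyrillic letters); a production check would use the Unicode confusables data instead.

```python
"""Added example (not ZSentry's code): classify a URL as an exact match of a
trusted prefix, a visually confusable look-alike, or a plain mismatch."""
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately small fold table: each look-alike maps to the
# Latin character a reader would mistake it for. Not exhaustive.
_FOLD = str.maketrans({
    "1": "l", "0": "o", "5": "s", "|": "l",
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0441": "c", "\u0440": "p",
})


def skeleton(host):
    """Reduce a hostname to a form in which look-alike characters collapse."""
    host = unicodedata.normalize("NFKC", host).lower()
    host = host.replace("rn", "m")  # 'rn' reads as 'm' in many fonts
    return host.translate(_FOLD)


def check_url(url, expected="https://zsentry.com/"):
    """Return (verdict, reason).

    'ok'        exact prefix match, the only verdict a user should accept
    'lookalike' a different host that a human could mistake for the expected one
    'mismatch'  clearly a different scheme or host
    """
    if url.startswith(expected):
        return "ok", "exact prefix match"
    exp_host = urlsplit(expected).hostname
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return "mismatch", f"scheme {parts.scheme!r} is not https"
    if host != exp_host and skeleton(host) == skeleton(exp_host):
        return "lookalike", f"{host!r} is visually confusable with {exp_host!r}"
    return "mismatch", f"host {host!r} is not {exp_host!r}"


if __name__ == "__main__":
    # Constructed sample URLs, including the page's pineapple example.
    for u in ["https://zsentry.com/secure/page",
              "https://zsentry.c\u043em/",           # Cyrillic 'о'
              "https://zsentry.com.evil.example/",
              "https://zsentry.com@evil.example/"]:
        print(u, "->", check_url(u))
    print(check_url("https://pineapp1e.com/", "https://pineapple.com/"))
```

The trailing slash in the stated prefix matters: `startswith("https://zsentry.com/")` cannot be satisfied by a longer host such as `zsentry.com.evil.example` or by a userinfo trick such as `zsentry.com@evil.example`, both of which the check reports as mismatches.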
ZSentry also avoids the "red flags" that are inherent to conventional security technologies, such as the key-escrow weakness in IBE (i.e., by design all user keys are known to the administration), the notorious lack of usability with PKI, and the lack of reliable certificate revocation with PGP.