ZSentry means less work with IT and users. Encrypt and decrypt with one click, including two-factor user authentication. Your ZSentry-secured solutions will feel exactly like what you use today on the desktop and phone, and your recipients' solutions will also benefit from your use of ZSentry and yet feel exactly like what they use today, with no changes.
HOW IT WORKS
Security goes BAD (Bring-Any-Device)
Attackers do not play nice. Security must work even when people Bring Any Device. For more than 15 years, the security of online applications has taken the front seat over what users want, even over usability itself. Today, online security has become a contradiction in terms. How did we get here?
This is easy to understand if we consider that the most important property of an IT system is the one most often forgotten: usability. In practice, users would rather use an insecure IT system that is easy to use than a secure IT system where even the help text looks intimidating. The secure IT system has to be easy enough to use when compared with simple, familiar, everyday systems, not when compared with other secure IT systems. If security is too difficult or annoying, users may give up on it altogether.
For example, before ZSentry people thought that secure email was one of those things that you can't really explain to people. It was seen as something that senders and recipients had to see in action, something that they both had to experience.
A common state of affairs today is that it has become necessary to circumvent security in the workplace so that work can “get done”. One example is the practice of sending confidential information by regular email and adding a DISCLAIMER in case it leaks. Lack of usability has thus become a key business issue and in many cases, albeit indirectly, stands at the root of the most significant losses and threats facing organizations and government entities.
Intellectual property, trade secrets, and critical customer data are often used with internal and external online applications. But organizations have more at stake than data. A security breach may lead to fines, regulatory investigation, public exposure, mandatory notices to each person affected, legal liability, and other actions, so that the organization's reputation and brand will also almost certainly be harmed. As a result, the importance of online application security is growing.
But, what happens when users want BYOD (Bring-Your-Own-Device) today and go BAD (Bring-Any-Device) tomorrow? Cybersecurity should not crumble if an attacker does not play nice, so why should it crumble if a user behaves as... a user?
ZSentry was designed on the principle that security must also work when people do what is not expected, even when they act hostilely, or when they just go BAD (Bring-Any-Device). The ZSentry Team considers ease of use a self-evident need in all IT security systems.
How can I make our online applications “hacker proof”?
You have probably heard the phrase “Any computer can be compromised”. This phrase accurately reflects the yet-unsolved security problem of protecting servers and clients against penetration attacks.
So, as many people realize too late, the question “How can I make our online applications hacker proof?” is the wrong approach.
In our approach, called ZSentry, the security of our solutions is not assured by some fictitious "Fort Knox" type of security that would (vainly) promise to prevent all attacks. As the next item explains, the ZSentry technology removes the target instead: there is no user data to attack, anywhere.
ZSentry Sans Target
The ultimate and fail-safe defense against data theft is to not have the data in the first place. In IT security terms, ZSentry shifts the information security solution space from the hard and yet-unsolved security problem of protecting servers and clients against penetration attacks to a connection reliability problem that is solvable today.
Uniquely, the ZSentry Sans Target technology eliminates common online targets such as username/password lists, names, email addresses, plain text user data, meta-data, and even the encryption/decryption keys themselves. There is also no shared-secret storage (not even encrypted), whose presence would be a target enabling dangerous silent breaches, including RSA's notorious SecurID breaches.
Why Z? Because it is 'easy' to use and forms a Z with four sentries that protect your data with Authorization, Spoof Prevention, Authentication, and Access Control (see image).
The ZSentry Sans Target technology also allows your solutions to work without ever exposing the users' private data, passwords, or keys, and provides multiple levels of protection.
ZSentry Sans Target allows services to operate with the simplicity of conventional password systems but without their security limitations. Neither on the servers providing the service nor on the user's desktop or laptop client accessing the service are the user data and keys ever in danger from outside or inside attacks. If there is an attempt to breach security somewhere (including at a client), even by physical removal, no customer access data or customer data can be recognized or compromised. Physical Sans Target protection is thereby afforded to customer login data and user keys, which are not stored or made available anywhere.
The ZSentry Sans Target technology further enables a legal Safe Harbor (for example, under the HIPAA/HITECH rules) that cuts costs and liability, including the legal obligation to disclose breaches. Even though one can argue that an attack may eventually succeed, for example an attacker who physically walks away with any number of servers, with ZSentry no user data would be compromised. ZSentry Safe Harbor compliance also cuts and avoids legal conflicts and costs in ancillary contracts with customers.
ZSentry Sans Target is also applied to web site security, in what we call Software-as-a-Service Sans Target (SaaS-ST).
Cloud Data Privacy And Security
The Sans Target approach also allows ZSentry to effectively address user and cloud provider trust concerns regarding cloud data privacy and security.
Comparison with X.509/PKI and PGP
ZSentry complies with and extends X.509/PKI and PGP security standards, allowing secure first contact and reply without previous interaction (e.g., exchanging passwords, requiring registration) or work (e.g., searching a directory, solving puzzles). ZSentry also supports SAML and SSO, so that it can be part of a federated-identity ecosystem.
For example, the X.509/PKI standards define a "user certificate" (also called "public key certificate"), allowing an association between a user's name, email address, and the user's public-key. This association is rendered unforgeable and verifiable by using the cryptographic private key of the certification authority which issued the user certificate.
Likewise, unforgeable (cryptographic) authentication of both the user's name and email address is enforced by ZSentry.
This functionality is provided by ZSentry in order to protect the user's identity and help prevent spam (for recipients who use ZSentry). The unforgeable authentication provided by ZSentry also solves some critical usability and security problems relating to key-signing and certificate distribution in X.509/PKI: it is digitally equivalent to X.509/PKI unforgeable authentication, but operates without purchasing a CA certificate and having to safe-keep the private key.
Trust and Verify
Even though ZSentry security is automated and requires little to no user intervention, humans should not be required to blindly trust computers. To help allay spoofing and phishing concerns, we find that it is often useful to provide visual clues that humans can easily verify, in addition to the protocols that computers verify. For example, all ZSentry secure pages and messages must begin with https://zsentry.com/, which is a short unique name that is easy to verify visually, with no potentially confusing character substitutions (as one could visually spoof https://pineapple.com/ with https://pineapp1e.com/, where the letter "l" has been changed to the number "1").
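The visual check described above can be backed by an automated one. The following is an added example written for this page, not ZSentry code: a small URL checker that accepts only URLs whose host exactly matches the trusted prefix https://zsentry.com/ (taken from the page) and, on a mismatch, reports whether the host is a look-alike of the expected one. The confusable-character table and the sample URLs are constructed for the example, and the `skeleton` function is a deliberately simplified stand-in for a full Unicode confusables map.

```python
"""Added example: verify that a URL really starts with a trusted prefix and
flag look-alike (homograph) hostnames. Not part of ZSentry; written to
illustrate the visual-verification point made on the page."""
from typing import Tuple
from urllib.parse import urlsplit
import unicodedata

# The page states that ZSentry secure pages and messages begin with this prefix.
TRUSTED_PREFIX = "https://zsentry.com/"

# Constructed table: character sequences commonly substituted for look-alikes.
# Order matters: multi-character sequences are collapsed before single ones.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "l"), ("|", "l"), ("0", "o"))


def skeleton(host: str) -> str:
    """Reduce a hostname to a crude 'skeleton' so that look-alikes compare
    equal (e.g. pineapp1e.com -> pineapple.com). Simplified stand-in for a
    real confusables table."""
    s = unicodedata.normalize("NFKD", host.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))  # drop accents
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def check_url(url: str, trusted_prefix: str = TRUSTED_PREFIX) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only when scheme and hostname match
    the trusted prefix exactly; otherwise explain why the URL was rejected."""
    expected = urlsplit(trusted_prefix)
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit strips userinfo and port
    if parts.scheme != expected.scheme:
        return False, "scheme mismatch: expected %s, got %r" % (expected.scheme, parts.scheme)
    if host == expected.hostname:
        return True, "hostname %r matches trusted prefix" % host
    if not host.isascii():
        # Mixed-script or IDN hostnames cannot be verified by eye; refuse them.
        return False, "non-ASCII hostname %r is not the trusted host" % host
    if skeleton(host) == skeleton(expected.hostname):
        return False, "look-alike hostname %r mimics %r" % (host, expected.hostname)
    return False, "hostname %r is not %r" % (host, expected.hostname)


if __name__ == "__main__":
    # Constructed sample URLs, including the page's pineapple/pineapp1e case.
    samples = [
        "https://zsentry.com/inbox",
        "http://zsentry.com/",                # wrong scheme
        "https://zsentry.com@evil.example/",  # userinfo trick: real host is evil.example
        "https://zsentry.com.evil.example/",  # trusted name used as a subdomain
        "https://zs\u0435ntry.com/",          # Cyrillic 'е' in place of Latin 'e'
    ]
    for u in samples:
        print(u, "->", check_url(u))
    print(check_url("https://pineapp1e.com/", "https://pineapple.com/"))
```

The check is intentionally strict: anything other than an exact hostname match is rejected, and the skeleton comparison only improves the reason reported, so a gap in the confusables table cannot turn a rejection into an acceptance.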
ZSentry also avoids the "red flags" that are inherent to conventional security technologies, such as the key-escrow weakness in IBE (i.e., by design all user keys are known to the administration), the notorious lack of usability of PKI, and the lack of reliable certificate revocation with PGP.