A bit more than twenty years ago, at a software vendor long since vanished from the planet, a colleague suggested to our VP of Engineering that we should get an Internet connection. His response, enshrined in the memories of all who heard it: “Who will we talk to?”
OK, so he clearly wasn’t a visionary (as we already knew all too well). And admittedly, nobody at the time was predicting the Internet’s full impact, or at least how quickly it would arrive. But here we are, two decades later, living on the Web: using it for shopping, reference, research, and more.
In fact, few people I know would make a major purchase (or, often, even a minor one) without first researching it online. Being able to read real-world product opinions and reviews, crowd-sourced research if you will, is one facet of the disintermediation that ranks among the Internet’s great benefits. Today we can make far more informed decisions about which TV, car, or pair of jeans to buy, without having to take a salesperson’s claims on faith or hope that Consumer Reports covered the category.
So it is surprising and sad that when buying security products, people who would never believe a sales rep’s spiel for a personal purchase will blindly accept vendor claims for much larger business purchases. Part of the reason is that independent research is harder for enterprise software in general, and for security in particular: the market is relatively specialized; companies are often reluctant to discuss which security products they use and how those products have performed; queries on mailing lists are vanishingly few, and responses even scarcer. Add the fact that the higher mathematics behind things like encryption is well beyond the capabilities of most of us Mere Mortals, and making an informed decision becomes harder still.
The good news is that there is another way to gain some assurance that the mathematics, at least, is legitimate: third-party security proofs. I discussed proofs in Cryptography for Mere Mortals #5, but with a somewhat different focus.
There are security products on the market right now that make wild claims (“unbreakable security” is a favorite) without providing anything resembling a security proof. Others provide “proofs” written by the authors of the algorithm, or by other parties associated with the company, which are not really third-party at all.
Andy Tanenbaum famously wrote, “The nice thing about standards is that you have so many to choose from”, which many take as an indictment of the whole concept of standards. That misses the point of both standards and Mr. Tanenbaum’s comment: because a standard has been vetted by a group of experts, a product that adheres to it gains an instant imprimatur (though a claim of adherence is itself a vendor claim until the implementation has been independently tested). And standards are related to proofs, because security proofs are typically part of the evidence on which a security-related standard is built.
Voltage Security, Inc. has solicited third-party security proofs of its innovations, and has been involved with standards at various levels, since its inception in 2002. Voltage products are built on NIST, ANSI, IEEE, and other standardized algorithms (AES, key derivation functions, and so on), and third-party security proofs are available for Voltage Identity-Based Encryption (IEEE standard 1363.3), Voltage Format-Preserving Encryption (NIST draft Special Publication 800-38G), and Voltage Secure Stateless Tokenization (ANSI X9 standards work in progress). Voltage staffers sit on standards committees, Voltage methods are peer-reviewed and vetted by independent experts, and those analyses are available to our customers for their own independent review.
Other vendors hide behind obscurity, relying on proprietary algorithms that are kept secret. The risk to an enterprise using such a product is not only that the algorithm may be weak, but, more insidiously, that the implementation may introduce weaknesses of its own even where the algorithm is sound.
For example, cryptographic operations must be isolated from application code well enough that a malicious user cannot obtain keys or plaintext by forcing a memory dump or by tampering with the application code. If the operation runs in the same address space as the application, that isolation is not really achievable: anything that can read the application’s memory, whether a crash dump, a memory-disclosure bug, a debugger, or compromised application code, can read the key as well.
The only reliable way to get that isolation is to perform the operations in another address space, either on the same system, if address-space isolation is secure on that platform, or on another server entirely. Many solutions take this approach; the popularity of Web services for encryption and tokenization is one example. When encryption and tokenization are performed on a separate server, the keys and any stateful token vault exist only in that server’s memory, and the application sees only the narrow interface the service chooses to expose.
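The separate-address-space design described above, as an added example that is not Voltage’s code nor any product’s: a toy tokenization service runs in its own process, generates its key only after that process has started, and answers the application over a pipe. The message protocol, the HMAC-based token construction, the PAN acceptance rule, and the test number 4111111111111111 are all assumptions made for this illustration, not a description of any real product.

```python
# Added example, not Voltage's or any product's code: a toy tokenization service
# that runs in its own process, so its key and token vault never exist in the
# application's address space. The message protocol, the HMAC-based token
# construction and the PAN validation rule are assumptions made for this demo.
import hashlib
import hmac
import multiprocessing
import secrets

# The only operations the application can request. Anything else is refused,
# so even fully compromised application code cannot ask the service for its key.
ALLOWED_OPS = {"tokenize", "detokenize", "shutdown"}


def _valid_pan(pan):
    """Constructed acceptance rule: 13 to 19 ASCII digits (no Luhn check)."""
    return isinstance(pan, str) and pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19


def _serve(conn):
    """Body of the service process; runs until it receives a 'shutdown' request."""
    # The key is generated here, after the service process has started, so the
    # application process never holds it even when the service was forked from it.
    key = secrets.token_bytes(32)
    vault = {}  # token -> PAN, lives only in this process
    while True:
        try:
            request = conn.recv()
        except EOFError:  # pipe closed; nothing more to serve
            break
        if not isinstance(request, tuple) or len(request) != 2:
            conn.send(("error", "malformed request"))
            continue
        op, arg = request
        if op not in ALLOWED_OPS:
            conn.send(("error", "operation not permitted"))
        elif op == "shutdown":
            conn.send(("ok", None))
            break
        elif op == "tokenize":
            if not _valid_pan(arg):
                conn.send(("error", "invalid PAN"))
                continue
            # Keyed, deterministic token: same PAN -> same token. The body is digits
            # derived from an HMAC (toy derivation, digits slightly biased) and the
            # last four digits are preserved so the token is still usable for display.
            digest = hmac.new(key, arg.encode("ascii"), hashlib.sha256).digest()
            body = "".join(str(b % 10) for b in digest[: len(arg) - 4])
            token = body + arg[-4:]
            vault[token] = arg
            conn.send(("ok", token))
        else:  # detokenize
            pan = vault.get(arg)
            conn.send(("ok", pan) if pan is not None else ("error", "unknown token"))
    conn.close()


class TokenizationClient:
    """Application-side handle: holds one end of a pipe, never the key or the vault."""

    def __init__(self):
        methods = multiprocessing.get_all_start_methods()
        ctx = multiprocessing.get_context("fork" if "fork" in methods else None)
        self._conn, service_end = ctx.Pipe()
        self._proc = ctx.Process(target=_serve, args=(service_end,), daemon=True)
        self._proc.start()
        service_end.close()  # keep only the application's end in this process

    def _call(self, op, arg=None):
        self._conn.send((op, arg))
        status, value = self._conn.recv()
        if status != "ok":
            raise ValueError(value)
        return value

    def tokenize(self, pan):
        return self._call("tokenize", pan)

    def detokenize(self, token):
        return self._call("detokenize", token)

    def close(self):
        self._call("shutdown")
        self._conn.close()
        self._proc.join(timeout=5)


def demo():
    """Tokenize a constructed test PAN and show what the application can and cannot do."""
    client = TokenizationClient()
    try:
        pan = "4111111111111111"  # well-known test number, not a real card
        token = client.tokenize(pan)
        result = {
            "token": token,
            "deterministic": client.tokenize(pan) == token,
            "roundtrip": client.detokenize(token) == pan,
        }
        try:
            client._call("export_key")  # what compromised application code might try
            result["key_exported"] = True
        except ValueError:
            result["key_exported"] = False
        return result
    finally:
        client.close()


if __name__ == "__main__":
    print(demo())
```

The point of the example is the boundary, not the token format: the application can only send the two operations the service understands, and a request such as `export_key` is refused at the interface rather than relying on the application code being honest. Moving the service to another host changes the pipe to a network connection but leaves that boundary intact.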
Yet, as with proofs and standards, some vendors choose the insecure approach. The obvious appeal is that without the interprocess call there is no added latency or complexity, so products run faster. With any security solution performance matters, but trading security for performance is the wrong choice, and when such a product is breached there can be no safe harbor for the company that deployed it. It is thus critical to understand both the security and performance aspects of potential solutions, and where a question of trading security for performance arises, the answer should always be “No”.
When building its solutions, Voltage Security, Inc. considers both: we design in high security, test performance for every release, and treat optimization as an ongoing area of enhancement. The result is that Voltage products offer excellent performance with proven security, as demonstrated by our numerous enterprise customers.