April 2013 | SafeLogic

Archive for April, 2013

30 Apr 2013

Open Forum at LinkedIn

Over the weekend, I decided to create a new discussion group on LinkedIn, the FIPS 140 Open Forum, to promote the knowledge base of the standard.  I’ve been blown away by the support and rapid growth of the membership, and I hope to see you there!

The mission for the group is to create an open atmosphere for peer sharing, and I hope that a strong mix of professional roles will contribute to and learn from the discussion.  While there are other places on the web to find information on FIPS 140 and related topics, it can be challenging to find real feedback from live people with expertise in the area.

LinkedIn logo So please share your successes, your war stories, your issues, your questions, and your expertise at the FIPS 140 Open Forum.  I can’t wait to see what you have to say!

I’m very excited to see what will happen when folks from various perspectives can work together to share without being censored or restricted.  As CEO of SafeLogic, I have a brand to build and a product to protect, but that is not at odds with the best interests of the community.  By sharing our collective insight on FIPS 140, we all stand to gain.  Choose your favorite metaphor: What’s good for the goose is good for the gander, or a rising tide lifts all ships.

Information security is an industry that thrives when we all contribute. Let’s put aside agendas and competitive pressures and work together for the best interest of all stakeholders: product vendors, laboratories, consultants, the CMVP,  and (perhaps most importantly) end users.

BlogFooter_Ray

25 Apr 2013

A Conversation with Whit Diffie

On Tuesday, we had the honor of announcing the establishment of SafeLogic’s advisory board and the first three members.  The trio is absolutely stellar, and it’s a thrill to have the opportunity to work with such accomplished people.  I recently got to chat with Whit Diffie about his thoughts on encryption, technology, and how SafeLogic factors into the long-term outlook of security and compliance.  I’d like to share with you some of his thoughts.  I also just wanted to brag that I was talking cryptography with Whit Diffie!

Whit Diffie

In the context of the validation of Suite B algorithms, I raised the question of importance with enterprise clients.  In assessing government applications, the procurement officer’s analysis is binary – either the cryptography has been validated, or it hasn’t.  Nothing short of a validation is acceptable and there is no gray area.  Business hasn’t embraced the same point of view yet, but it has certainly been evolving.  Does that cultural acceptance of gray area create vulnerability?

Whit replied. “Cryptographic algorithms are the best cooked aspect of information security.  Every other aspect, beginning with algorithm implementation, is prone to error and thus to penetration and compromise.  The importance of validating cryptographic implementation is second to nothing in information security.”

I pressed further.  SafeLogic’s mission is to bring government quality encryption to all, but some enterprise solution vendors believe that it is overkill for certain private sector use cases.  Are there scenarios in theory where cryptography can be unverified and still inherently secure enough?

That didn’t sit well with Whit.  “Cryptography is not just a theory.  In order to secure everything from e-commerce to personal communication, cryptography must be properly implemented.”

Diffie’s response reinforced what I have been carrying as a central tenet to SafeLogic’s goals.  In order to put faith in a solution that contains encryption, like trusting the lock on a door, we must be assured that each facet has been installed correctly and tested.  Without an independent third party to verify it, vendors could claim anything at all.

 

In 2008, Whit commented in an interview that Suite B could have a major impact, improving the interoperability of cryptographic security systems worldwide.  So I was curious about his thoughts five years later.  Has it played out as he expected?

Whit’s commented on how huge the task really is.  “The adoption of a world-wide cryptographic standard is an ongoing process that may last throughout the century.  At any point, it’s possible to look around and say ‘look how much we have achieved’ but also to look around and say ‘look how much remains to be done.’ ”

Not to be discouraging, Diffie went on.  The interoperability is indeed already showing rewards.

“The importance of standardized, pluggable, cryptographic implementation of the sort SafeLogic provides is that they ease the work of application-specific developers, which frees them to concentrate on their core competencies.  To a non-security developer, cryptography is just another nuisance, a peripheral expertise that must be acquired to get the job done.  The more of security that can be obtained from experts who have made it easy to install, the more quickly projects that depend on security – rather than focusing on security – will go.”

 

It’s very cool that Whit Diffie sees SafeLogic as a cog in the evolution of application development.  His view is very copasetic with where we are positioned – by leveraging a specialist, companies can innovate faster, better, and more efficiently than ever.

 

Along with the rest of the SafeLogic team, I am excited to have Whit on the Advisory Board and I’m looking forward to many conversations like this in the future!

BlogFooterWalt

18 Apr 2013

Two Companies, Both Alike in Dignity

… in fair Silicon Valley where we lay our scene …

The Bard

 

 

This week, SafeLogic posted our first two case studies.  (You can download them here.)  While I will leave the particulars as a treat for those who read them, here are four reflections that I’d like to share on the similarities between these use cases.  Don’t worry, I won’t write them in iambic pentameter.

 

– Both customers have sparkling reputations for security, assurance, and reliability.  Neither has any appetite for risk in that regard.  SafeLogic is a new company, but the expertise of the founders soothed any hesitation and both chose to stake their credibility on the quality of our products.

– Both are extremely large companies that recognize the value in letting their engineering team specialize.  Pulling people off of their core tasks in order to learn on the job and reinvent the wheel is something that established teams like to avoid whenever possible.  This allows each developer to maximize their time on responsibilities for which they are best suited.

– In addition, in both cases, the client recognized the value proposition of offloading cryptography to SafeLogic.  Both are large enough that they could reasonably invest in the R&D of an in-house solution, but both deemed it unnecessary and found the best ROI to be in this scenario.  SafeLogic has already done the heavy lifting, and will aggressively maintain the product certification.  This saves clients from a massive expense and continuing headache, and offers the immediacy of ‘Drop In Compliance’.

– Each client seeks clear differentiation from the market.  In the eyes of the federal government, using an unvalidated cryptographic solution is equal to using none at all.  Unless you can rely on the independent validation of the module, you cannot rely on it at all.  Both of these cases recognized that their end users come to them looking for the absolute best in class, and that meant being able to answer ‘Yes’ to the questions of compliance.

Although the title of this post references the most famous tragedy of all time, this story definitely has a happily ever after.  Every one of these points apply to companies smaller, leaner, and with fewer resources than these two customers.  In fact, they aren’t just relevant, they take on even more importance.  The costs associated with traditional paths to compliance are extremely high, and they represent a more significant investment by ratio to smaller companies.  So if the ROI makes sense for companies who can afford to absorb long term costs, you better believe that it pencils out for everybody.

BlogFooterWalt

11 Apr 2013

Leapfrogging the Competition

In my last post, I described how CryptoComply could save a great deal of time and money as well as open many doors to revenue.  With SafeLogic’s focus on the ease of integration, CryptoComply accomplishes the goal of instant compliance faster than anything else out there.  But for some folks, that’s not the end of the road.

For those who seek a FIPS 140 certificate featuring their own name, laboratory testing and the CMVP queue length are pretty daunting… unless you decided to use CryptoComply and RapidCert in tandem.

The RapidCert program allows vendors who implement CryptoComply to take a hands-off approach, which creates benefits in four main areas:

– Reduced Bandwidth Needs

CryptoComply is built to minimize the engineering commitment for implementation.  RapidCert extends this advantage by offloading the tasks of assembling the documentation and preparing the submittal for review.

– Reduced Maintenance Effortleapfrog

SafeLogic takes care of the updates to the module and your certificate as covered in the service agreement.  As with most certifications, there are evolving requirements to track and maintain.  We handle that as well, so you don’t have to worry about it.

– Reduced Involvement

SafeLogic does the driving while you relax and reap the benefits.  We handle the documentation, which can take several months in-house.  We act as your liaison with the testing lab, accelerating that process from a few months to a few weeks.  Let our experience and specialization be your secret weapon.

– Reduced Time to Certification

SafeLogic knows exactly how to prepare for the lab test and review, so we can turn a process that may take several months into a streamlined submittal that can get tested, approved, and submitted to the CMVP within weeks.

 

Suddenly, you have leapfrogged over competitors that began the traditional process months ago.  While they are making excuses to prospects about being in progress for testing, you can demonstrate verified FIPS compliance with CryptoComply and provide a more aggressive estimate of completion for the CMVP review.

So when your Go To Market plan includes completing a FIPS 140-2 validation for your product, you don’t have to be a hero.  You don’t get a gold star or extra points for suffering through the entire process in-house.

Bring in SafeLogic – we will save you time, money, and gray hair.

5 Apr 2013

Buyer Beware: Mobile Security Solutions Are Not All Created Equal

Since the times of Julius Caesar, cryptography has been used to hide secrets from unauthorized persons. Ancient Roman warriors used the Caesar Cipher to encode messages during battle. While this cipher is a primitive ancestor to modern cryptographic algorithms, its purpose was the same as today – to protect data from prying eyes.

Because of the growing sophistication of mobile devices currently available, enterprises have embraced a culture of mobility. However, the same growth in data capacity, computing power, and processor speeds causes cryptography to take on exponentially more importance. Roman data breaches were limited by physical constraints; a messenger simply couldn’t carry very much. How much data is vulnerable if a company laptop, phone, or tablet falls into the wrong hands?

Even more troubling is the realization that the influx of consumer-grade mobile devices has grown much faster than the corresponding security solutions. Enterprise Mobility Management (EMM) is beginning to catch up, but many early adopters were burned by their lack of mobile strategy. Now, enterprises insist that certain features are included in any viable EMM solution, and encryption is at the top of that list. Without encryption, that valuable proprietary corporate data would be exposed in a variety of ways, whether it is accessed via the web or saved locally to a hard drive. Encryption also provides the easiest method to selectively wipe corporate data in case of device loss or employee termination.

Be mindful that not all encryption is created equal. Just as the Caesar cipher would be ineffective if attacked by today’s hackers, algorithms used today vary in effectiveness. Further, any cryptographic solution must be implemented correctly to provide any real security.

The gold standard for cryptography is the Cryptographic Module Validation Program (CMVP), established by the National Institute of Standards and Technology (NIST) in conjunction with the Communications Security Establishment Canada (CSEC). This program is responsible for validating that cryptographic modules meet the Federal Information Processing Standard (FIPS) 140-2.

To confirm that a solution has a NIST certificate, the CMVP offers a public listing of validated solutions. The products that qualify have undergone rigorous testing and are approved for use in any non-classified U.S. government application.

If you are shopping for an EMM solution and it has not been FIPS 140-2 validated, more investigation is needed. Without an independent body to verify the algorithms and implementation, you should ask yourself one major question:

Why trust an encryption solution that the federal government doesn’t trust?

Originally posted to The Chief Mobility Officer blog on April 4, 2013.

BlogFooter_Ray