June 2013 | SafeLogic

Archive for June, 2013

26 Jun 2013

Let’s Recap a Great Week

Life at SafeLogic moves pretty fast.  We look at every day as a week, and every week as a month.  And last week was an awesome month.

I was privileged to sit on a panel with some very bright people in the mobility space.  It was a nice cross section of solution provider, app developer, and venture capital representatives.  I was there to discuss security.  Some takeaways from my perspective:

  • MDM is dead as a standalone product. It will be a core feature set of any mobility solution; it has to be. But we’re now shifting focus to the protection of content.  Finally!
  • Phil Buckellew discussed IBM’s MobileFirst initiative, and I’m glad he did.  I think that program could spawn a development paradigm that enhances enablement and increases transparency in the mobile space.  Exciting stuff.
  • I was asked about the multiple layers of security available (hardware, OS-layer, app-layer).  I mentioned that these are all important tools and should be used to protect information according to the overall environment, types of content, risk level, etc., but in my opinion, it starts and ends with the app.  That’s how users are accessing data, and the best way to protect that data (either in-flight or at-rest) is by controlling the crypto in the app.

Hats off to Maribel Lopez for putting together a diverse panel and facilitating a great discussion.

From there, it was back to my desk to do a webinar with ISC(2).  The good folks from Venafi sponsored the discussion around the dangers of failed and mismanaged certificates.  Kevin Bocek did a fantastic job communicating real threats and vulnerabilities in a very complex area of infosec.  Brandon Dunlap rocked the moderation, and I discussed what we’re seeing from a security, mobility, and cert management perspective in both public and private sectors.

To really cap it off, there were a few other surprises waiting for me back at the office that pushed SafeLogic even further as a brand and as a real player in the security space.

Last week was definitely a monster month. I’m excited to see what happens next!


17 Jun 2013

The Pentagon Prepares for Shopping Spree

I’ve been doing some reading on the Pentagon’s five year plan and associated budget requests.  Watching the government negotiate the defense budget is always interesting, as both sides of the aisle stereotypically issue many caveats and words of caution.  In this space, we don’t provide political commentary, but we do want to draw your attention to issues that will have an effect on your work and your personal security.

So what is the issue here?  Budget has been, and always will be, a point of contention for the Pentagon.  That’s nothing new.  But we appear to be on the brink of a major shift.

Let’s take a look at the annual numbers as projected.

Pentagon Budget (table image not reproduced: projected annual budget by fiscal year, with the year-over-year change in the third column)

That third column represents the year-over-year annual change.  When I see those numbers, I’m not sure exactly how to interpret them.

The initial 18% boost indicates that there may have been successful internal lobbying for more spending, and we are simply underfunded for the remainder of this fiscal year.  This likely will result in a boost in the federal buying cycle for October and November, when the budget calendar flips over to 2014.

From 2014 to 2015, we see an approximate 1.5% increase in proposed budget.  I’m comfortable calling that neutral.  Cost of living adjustment, inflation adjustment… it’s minor.  (Yes, I just said that $70 Million is minor.  Ridiculous.)

Now here’s the curious part.  Why do we see subsequent decreases of $110 Million in 2016 and then $160 Million in 2017?  I have several theories.

Theory #1: Overall reductions in the Pentagon budget will slash the headcount, yielding lower overall numbers to operate.

Theory #2: The initial boost in budget for 2014 is weighted toward infrastructure investment and requires more upfront dollars, while the 2016 and 2017 numbers paint a more accurate picture of the operational budget.

Theory #3: I am way off base, trying to prescribe strategy for an arbitrary process that has more to do with negotiation and compromise than with actual planning.

In actuality, I am reasonably certain that it is a combination of all three theories, plus a few more.  The marginal increase in 2018 would indicate that my first theory cannot be accurate alone, but could certainly be relevant in conjunction with other mitigating factors.

The bottom line: Look for an accelerated buying cycle in October.  The Pentagon is going to suddenly have $710 Million extra spending money, burning a hole in its pocket.  Is your company prepared and ready to capitalize?

SafeLogic is fast, and we can get you in the NIST queue on the fast track to your FIPS 140-2 validation, but don’t wait until October to make your move.  Check out the Pentagon budget numbers, make your own forecasts, and drop us a note.


11 Jun 2013

What Gets Me Up in the Morning?

I’m nervous… but I’m also inspired.

I’m nervous because there is a widespread lack of understanding of the basics of encryption, and I’m seeing improper and even insecure implementations of encryption.  These create vulnerabilities that can lead to the compromise of data and breaches of privacy.

You’ve likely seen the wave of press on PRISM (here’s a good primer).  I’m not going to debate the privacy or ethical implications of this program.  That’s not my place.  But it’s very serious stuff. You need to stay aware of it, as it has implications for all of us, and it deals with your data (well, maybe yours, depending upon the EULA with participating companies).

In related news, Ars Technica released a report that Skype messages appear not to be encrypted end-to-end.  The messages are apparently decrypted at the server, then re-encrypted for the hop back down to the recipient.  Now, I haven’t seen any claims from Microsoft of “end-to-end” encryption, and presumably they’re filtering for spam, malicious links, etc., but it means your chats, links, files, and everything else are being stored on a server somewhere outside your control. Someone you don’t know and someone you shouldn’t trust has access.
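The difference the Ars report describes, and the point above about controlling the crypto in the app, shown as an added Go example (this is not code from the original post, from Skype, or from SafeLogic): a relay that decrypts and re-encrypts can read every message, while a key agreed inside the app over X25519 and used with AES-GCM leaves the relay with ciphertext it can neither read nor alter without detection. The routing header, the sample message, the SHA-256 shortcut in place of a real KDF, and the function names are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var hdr = []byte("from=alice;to=bob") // constructed routing header: authenticated by GCM, sent in clear

// aead builds AES-256-GCM; a wrong key length is a programming error here, so it panics.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// Seal returns nonce || ciphertext || tag for msg under a 32-byte key, binding hdr.
func Seal(key, msg []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // cannot return an error since Go 1.24; a broken CSPRNG crashes the process
	return g.Seal(nonce, nonce, msg, hdr)
}

// Open reverses Seal; a wrong key or any changed byte of hdr or wire makes it fail.
func Open(key, wire []byte) ([]byte, error) {
	g := aead(key)
	if len(wire) < g.NonceSize() {
		return nil, errors.New("wire message too short")
	}
	return g.Open(nil, wire[:g.NonceSize()], wire[g.NonceSize():], hdr)
}

// sessionKey hashes the X25519 shared secret into an AES key (SHA-256 stands in for HKDF).
func sessionKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

// HopByHop is transport-only encryption as the Ars report describes for Skype: each client
// shares a key with the relay, which must decrypt to forward. Returns Bob's view and the relay's.
func HopByHop(msg string) (string, string, error) {
	kAlice, kBob := make([]byte, 32), make([]byte, 32) // client<->relay transport keys
	rand.Read(kAlice)
	rand.Read(kBob)
	pt, err := Open(kAlice, Seal(kAlice, []byte(msg))) // the relay decrypts; it can log or scan pt
	if err != nil {
		return "", "", err
	}
	out, err := Open(kBob, Seal(kBob, pt)) // then re-encrypts for Bob, who decrypts
	return string(out), string(pt), err
}

// EndToEnd keeps the key in the app: Alice and Bob agree it over X25519 and the relay only
// forwards bytes. Returns Bob's view and whether the relay could open the message with what
// it saw (a public key). With tamper set, the relay flips one bit and Bob's GCM check fails.
func EndToEnd(msg string, tamper bool) (string, bool, error) {
	alice, e1 := ecdh.X25519().GenerateKey(rand.Reader)
	bob, e2 := ecdh.X25519().GenerateKey(rand.Reader)
	if err := errors.Join(e1, e2); err != nil {
		return "", false, err
	}
	kA, e1 := sessionKey(alice, bob.PublicKey())
	kB, e2 := sessionKey(bob, alice.PublicKey())
	if err := errors.Join(e1, e2); err != nil {
		return "", false, err
	}
	wire := Seal(kA, []byte(msg))
	_, peek := Open(alice.PublicKey().Bytes(), wire) // relay's best attempt: a 32-byte value it saw
	if tamper {
		wire[len(wire)-1] ^= 0x01 // relay alters one tag bit in transit
	}
	out, err := Open(kB, wire)
	return string(out), peek == nil, err
}

func main() {
	msg := "meet at 9, bring the contract" // constructed sample message
	_, saw, _ := HopByHop(msg)
	_, canRead, _ := EndToEnd(msg, false)
	_, _, tamperErr := EndToEnd(msg, true)
	fmt.Printf("hop-by-hop: relay read %q; end-to-end: relay can read %v; tampered: %v\n", saw, canRead, tamperErr)
}
```

HopByHop returns the plaintext the relay recovered on its way to Bob; EndToEnd returns that the relay could not open the message and, with tamper set, that Bob's tag check rejects the altered copy. The toy deliberately omits what makes end-to-end messaging hard in practice: authenticating the peer's public key (otherwise the relay can sit in the middle of the key agreement), replay protection, and fresh keys per session for forward secrecy.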

The Skype issue doesn’t bother me so much. I don’t have extremely sensitive chats over Skype. I pick up the phone for that.  Oh, wait… that’s no good either?  Sigh.

Security is such a complicated field.  End users feel good when their solution provider says, “Trust us, it’s secure!” (SnapChat, anyone?)  The public sees the little padlock icon and they feel assured.  But have you ever hit a $9 combination lock with a sledgehammer?  I recommend you try that experiment before you trust one.

So what’s under the hood of these “secure” solutions?  Is it a rock-solid cryptographic library that’s been tested and validated to strict standards?  And perhaps more importantly, is it implemented properly?

Here’s the fun part.  Instead of getting discouraged, aggravated, or just plain scared, I’m inspired by these questions.  We’re working hard to change all that and provide answers. These problems can be solved by using strong encryption the right way. We are giving users and developers the capability to protect their data with validated encryption and to control their cryptography. We are working with leaders in the mobility and cloud spaces to make this happen. We are seeing customers rip out home-grown encryption and replace it with verified, validated libraries. We are seeing teams re-architect products specifically with security and encryption in mind.

At the end of the day, we’re helping protect data.  User data, corporate data, financial data, healthcare data.  That, my friends, is inspiring.


6 Jun 2013

The Cryptographic Construction of Medicine

Today, we published a white paper here at SafeLogic, discussing the role of cryptographic technology in meeting HIPAA regulations. There may not be any other use case in which more average Americans are affected every day by encryption, and it is a vital piece of the legislation.

Most of us have had an experience in which HIPAA rules were a thorn in our side. Sometimes tasks that appear simple end up being a giant pain, such as transferring health records to a new physician. After countless hours and a dozen phone calls, ‘HIPAA’ no longer sounds like an animal at the zoo and may as well be a four-letter word. I’ve been there.

Luckily, that is largely a function of manual processing that is rapidly becoming a thing of the past. Modern software providers are working hard on the problem from various angles: assessing physician demands and patient needs, adding user interface improvements and technological innovations. The doctors of the future will be able to do so much more. Real-time collaboration with specialists and colleagues, instant feedback on prescriptions and medicine interactions, leveraging monitoring devices paired with mobile platforms… this is the stuff from sci fi movies when I was a kid!

Medical software solutions, combined with the exponential growth of diagnostic data being collected, create a potentially explosive situation if that data is not strongly encrypted. Connected devices have access to massive amounts of sensitive personal health information, and the HIPAA Security Rule expects it to be encrypted: encryption is an “addressable” safeguard, which means a covered entity either implements it or documents why an equivalent control is in place. A single compromised laptop or tablet can expose hundreds of thousands of patients’ files. Unlike enterprise data, where proprietary data represents the lifeblood of innovative companies, this is quite literally our lives. Imagine the threats that could plague us if our medical records were vulnerable – everything from embarrassment and bullying to maliciously altered prescriptions and targeted biological weapons.

Maintaining the confidentiality and integrity of our health records is crucial, and the reality is that it would be impossible without validated cryptography. The idea of unencrypted medical records, even stored locally, gives me the absolute creeps. Luckily for the American public, the rules leave little room to skip it. Serious penalties are in effect for healthcare providers who are not HIPAA compliant, and under the breach notification rule a lost or stolen device holding unencrypted Protected Health Information is a reportable breach, while properly encrypted PHI falls under the safe harbor and is not.

Now that I have made you completely paranoid about electronic health records and how dangerous it would be to ignore encryption, read our white paper.  SafeLogic addresses each cryptographic requirement of HIPAA with CryptoComply. By integrating our FIPS 140-2 validated module, software vendors are able to deliver the highest level of encryption and data assurance to your doctor with every update, version, and release of their solution. Innovation will lead the way to a stronger, more efficient health care system, and waiting for FIPS validation hinders that evolution. CryptoComply brings instant compliance to the table, which means the best software, with the best encryption, can be deployed as soon as possible with full HIPAA compliance.

Stay informed about the protection of your medical records, and stay healthy out there.