5 New Rules for Keeping Your Company Safe

New White Paper from SpiderOak Explains Foundational Shift in Thinking Required in 2018 Landscape

NEWS PROVIDED BY

SpiderOak 

CHICAGO, Jan 30, 2018 /PRNewswire/ — As CEOs, executive teams, and boards of directors seek to contain their companies’ cybersecurity risk, technology security firm SpiderOak warns that there are key differences in the cybercrime landscape now – and that companies have to change to meet that threat. In a new white paper, “5 New Rules for Keeping Your Company’s Data Safe,” SpiderOak’s Jonathan Moore and Matthew Erickson outline the key steps that will help level the playing field between a company’s security systems and the attacks occurring at a record pace and scale.

“The modern adversarial environment has advanced so rapidly that current approaches to mitigating risk are completely falling short,” says Moore, chief technology officer at SpiderOak; the firm recently published its new cybersecurity threats and trends for 2018. “But it is possible for a company to vastly reduce the damage and scope of attacks, even in the midst of unprecedented new techniques from attackers. Attacks may be inevitable – and threaten every single business on the planet – but massive, costly breaches are not.”

“By embracing a foundational shift in a company’s approach to cybersecurity, management and boards can turn what could have been a multi-billion-dollar problem into one that barely affects the balance sheet,” says Erickson, director of client services and technology.

5 New Rules for Keeping Your Company’s Data Safe

Highlights from the white paper’s five key points include:

Rule #1: Have a clear inventory of what data is critical to your organization. 

“The era of Big Data has driven companies to collect as much information from customers as possible. Vast pools of financial and personal information are sitting in your organization, and you may not even be using it. Data is a liability that can be measured in dollars, and most companies hoard it without a second thought.”

Rule #2: Create a “two-person rule” for your data and processes. 

“While companies often have dual-signature checks and other oversight measures on their cash flow, most lack the same level of accountability across the rest of the organization, including how their data is managed.”

Rule #3: Compartmentalize your data.

“Companies most often keep multiple layers of data – from financials and customer information to its intellectual property, employee SSNs, and company emails – concentrated in one or just a few servers, where the data for one purpose is connected to data for another. This creates a network of linked exposure; a breach in one area can domino quickly into a breach of another database.”

Rule #4: Build your defense in depth.

“Most companies don’t have effective defenses internally between systems. In the interest of cheap and easy deployment, combined with fearing performance penalties among internal systems, most organizations have wide-open security configurations. It only takes one breach for attackers to leverage unsecured internal systems to gain access to their target.”

Rule #5: Keep the keys to your kingdom offline.

“Today’s computing environment, from the CPU up to the web browser, contains millions of ways to enable attackers to compromise systems. But organizations can use hardware tools today that, based on cryptography, enable them to keep their closest secrets on special USB keys, which can be kept in a safe. Even if attackers get control over an organization’s computers, if the secrets are stored and secured in this way, it would be impossible to expose sensitive data.” 

“As companies start to see enormous losses from breaches in the form of disrupted business, damaged reputations, embarrassing revelations, remediation costs, and more,” says Moore, “CEOs and executive teams are going to be under increasing pressure to rethink how their organizations are protecting themselves against attacks.”

For a copy of the white paper or more information about SpiderOak, please contact Temin and Company at 212.588.8788 or [email protected].

About SpiderOak  

SpiderOak provides mission-critical data and systems security for organizations and individuals. Using the latest and most secure blockchain technology and encryption, paired with identity management, SpiderOak’s platform defends client assets, intellectual property, and operations against military-grade cyberattacks. Our offerings include an enterprise platform protecting all of an organization’s data, software, applications, and devices; a secure software updater allowing companies to develop and update their applications in a secure way; and secure backup, messaging, file sharing, and storage for large and small businesses and individuals. For more information, please visit https://spideroak.com.

A sync technology with no backdoors?

A Secure, Compartmentalized File Sync Tool

The SpiderOak Sync tool offers easy and fast file sharing and sync with guarantees of integrity, authority, and confidentiality through our use of private blockchain technology. While the mobile file sync and collaboration are similar to other public cloud solutions, SpiderOak offers a fundamentally different approach to software. Responsibility for authority, identity, integrity and confidentiality is removed from networks & servers, simplifying your threat model and giving you greater control over your organization’s security.

Most file sync and collaboration tools have significant drawbacks in either security or ease of use. SpiderOak Sync is a rare combination of best-in-class security with intuitive, user-friendly design. Sync is available for both on-premises deployment and SpiderOak-hosted cloud installations to meet your needs in budget, security, and data placement.

Software Approach.

Organizational Control of Authority, Identity, Integrity and Confidentiality.

Data messaging and storage is handled through client-based end-to-end encryption for confidentiality with the use of blockchain for managing identity, integrity, and authority. Accounts are identified by private key material held only by the user, and data is encrypted against device-specific keys held within device TPMs, HSMs, and SEs where available.

Data flows are segmented first by teams within a platform instance, and then further by channels within teams. Each segmentation is cryptographically enforced, so that users within each grouping are unable to view data in another segmentation. Administrative authority within a team does not imply any capabilities within channels, including capabilities to read or write. Only entities that have been “invited” to participate within a channel can do so, and the record of team and channel authority and membership is recorded and managed via blockchain. This use of blockchain provides an irrefutable record of which entities are allowed to administer or participate within a channel, without requiring any central point of authority to dictate these rights. 
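
As an added illustration (not SpiderOak's code or protocol), here is a minimal sketch of the idea in the paragraph above: channel membership is derived only by replaying a hash-chained log of invitations, so a team admin has no channel access unless the record grants it. The event names, the `key:` identities and the rule that an admin names a channel's first member are assumptions, and signatures over entries are left out.

```python
import hashlib
import json

GENESIS = "0" * 64  # "prev" value of the first entry

def entry_hash(prev, body):
    """Hash an event together with its predecessor's hash (the chain link)."""
    data = json.dumps({"prev": prev, "body": body}, sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()

def append(ledger, actor, action, channel, subject):
    """Append an authority event. Identities are constructed placeholders
    standing in for public keys; signature checks are omitted here."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    body = {"actor": actor, "action": action, "channel": channel, "subject": subject}
    ledger.append({"prev": prev, "body": body, "hash": entry_hash(prev, body)})

def replay(ledger, team_admins):
    """Verify every link, apply the rules, return {channel: set(members)}."""
    members, prev = {}, GENESIS
    for i, e in enumerate(ledger):
        b = e["body"]
        if e["prev"] != prev or e["hash"] != entry_hash(prev, b):
            raise ValueError(f"entry {i}: hash chain broken")
        if b["action"] == "create_channel":
            # A team admin may create a channel and name its first member.
            if b["actor"] not in team_admins or b["channel"] in members:
                raise ValueError(f"entry {i}: create not authorized")
            members[b["channel"]] = {b["subject"]}
        elif b["action"] == "invite":
            # Only someone already in the channel can invite; admin status is irrelevant.
            if b["actor"] not in members.get(b["channel"], set()):
                raise ValueError(f"entry {i}: inviter is not a channel member")
            members[b["channel"]].add(b["subject"])
        else:
            raise ValueError(f"entry {i}: unknown action")
        prev = e["hash"]
    return members

def can_read(ledger, team_admins, who, channel):
    """Authority is whatever the verified ledger says, nothing else."""
    return who in replay(ledger, team_admins).get(channel, set())

def sample_ledger():
    """Constructed sample: admin creates 'ops' for alice, alice invites bob."""
    ledger = []
    append(ledger, "key:admin", "create_channel", "ops", "key:alice")
    append(ledger, "key:alice", "invite", "ops", "key:bob")
    return ledger
```

Replaying the sample shows the admin who created the channel cannot read it, and an edited or unauthorized entry makes the whole replay fail instead of silently granting access.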

In addition, Sync supports optional features such as secure deletion, retention policies, LDAP integration, and escrow for message data and objects when it is needed for regulatory compliance.

SpiderOak and Policy Management

May 5, 2019

Technology Issues

The policies of agencies can be enforced by new technology.

Data and controls can be protected with private blockchain.

Example:

An organization’s written policy says “don’t steal data”.

No way to enforce the policy with current technology. Gaps are managed by rules and controls.

Issues:

The code we use in organizations is called a Trusted Computing Base.

All code has defects (Let’s just say about 1 every 1,000 lines of code).

Most agencies have millions of lines of code.

Most defects are known and can be acquired by hackers and bad actors.

Solutions

It is possible to reduce the trusted computing base and the trusted base of people by using a distributed ledger (private blockchain).

Summary

New technology allows organizations to have better people and data controls.

Reducing the Trusted Base allows for agencies to focus on missions.

Insider threats can be stopped.

SpiderOak Policy Engine

Using a distributed ledger and a unique rules engine, we can enable ‘need to know’ security with no gap between policy and technology enforcement.

We recognize that some organizations have well developed ‘need to know’ policies when it comes to sensitive data, especially when dealing with national security, defense or law enforcement. We also know that despite these policies, data continues to fall into the hands of hostile actors.

Why?

The simple reason is that these adversaries have a strong ‘want to know’ and can leverage multiple ways to attack the gap between organizational policy and its real-world enforcement. Poorly implemented compensating controls, human error, software vulnerabilities, defects, and persistent attacks are just a few.

That’s why we think the ability to close that gap is a game changer and will transform how we think about security.

If securing sensitive data is an area of concern for you, I’d be happy to provide a personal briefing or send more intel on the topic (in either an unclassified or classified setting).

SpiderOak’s unique approach to closing the vulnerability gap

Using a distributed ledger and a unique rules engine, we can enable ‘need to know’ security with no gap between policy and the actual technology enforcement.

We recognize that all organizations have well developed ‘need to know’ policies when it comes to extremely sensitive data, especially when dealing with national security or law enforcement. We also know that despite these policies data continues to fall into the hands of hostile actors.

The primary reason is that these adversaries have multiple ways to attack the gap between organizational policy and its real-world enforcement. Poorly implemented compensating controls, human error, software vulnerabilities and insider threats are just a few examples.

That’s why we think the ability to close that gap is a game changer and will transform how we think about security.

If securing sensitive data is an area of concern for you I’d be happy to provide a briefing.

How to stop attackers with SpiderOak’s Authority Model

SpiderOak’s Authority Engine is a flexible technology that can be plugged into any environment where organizations need certainty over how data can be accessed.

Software & hardware defects, malware and compromised networks all lead to attackers gaining authority they shouldn’t have. System and network administrators are given authority they don’t need. SpiderOak’s authority engine removes the ability of attackers and administrators to attain the authority they need to compromise your data.

Understand that the problem organizations face across the board is authority (give it to the wrong people and you have a problem). The solution is to better manage authority. That has a higher value than all cybersecurity spending. It’s like finding a bug in design versus trying to fix it in production. We want organizations to realize that being held back operationally by security concerns is slowing the mission.

Enabling Organizational Policies to Drive Security

Few examples exist of policy that can be executed by technology. SpiderOak technology allows organizations to match policy to technology.

  1. Public keys are the basis for identity.
  2. Distributed ledgers are the best way to define and maintain roles and permissions.
  3. Once an actor has public keys and a clear set of roles/permissions, it is easy to distribute shared keys enabling secure communication and storage.

SpiderOak has developed technology that allows for the instant provisioning of cryptographically secure collaboration spaces for use in scenarios where certainty about who has access to that space is a mission requirement.

Cryptographic segmentation based on secure private blockchain technology, utilizing FIPS 140–2 encryption, is used to enforce strong assurances of confidentiality, integrity, immutability, and authority.

A security model based on a Distributed approach

A security model based on a Distributed approach, by its very nature, enforces better data security while also reducing the risk of security breaches and compromised data.

The traditional, Centralized approach allows IT services and staff to manage all aspects of the access to your data when all they are truly responsible for is the Availability of the IT infrastructure — typically meaning the uptime of the server. A Distributed approach, however, enforces a separation of the IT activity from the cryptographic activity of keeping your data secure.

To improve our overall security posture, our end goal has to be to reduce the complexity of our security approach and to place trust only where it absolutely has to be placed. A Distributed approach provides the technical tools to properly secure and manage the Authority, Identity, and Integrity/Confidentiality layers of the model.

The job of infrastructure is to provide availability; any additional authority is misassigned and should be removed to decrease the attack surface.

Cryptography allows us to minimize trust to only the components which have a mission need for it.


Authority Based Security with SpiderOak

Authority — Who can do what with the data in question.

Identity — To be able to understand authority, you then need to have a grasp on identity. You can’t apply rules on authority if you don’t know to whom they’re being applied.

Confidentiality — The primary use of authority is to control access to data. If your system doesn’t handle keeping data confidential, all the rules in the world can’t help you.

Integrity — You need to make sure that rules in the system don’t get modified by malicious actors, and that the data itself doesn’t get corrupted or modified.

Availability — Data is going to be there when you need it.

A security model based on a Distributed approach, by its very nature, enforces better data security while also reducing the risk of security breaches and compromised data.

This is represented in the graphic here. The traditional, Centralized approach allows IT services and staff to manage all aspects of the access to your data when all they are truly responsible for is the Availability of the IT infrastructure — typically meaning the uptime of the server. A Distributed approach, however, enforces a separation of the IT activity from the cryptographic activity of keeping your data secure.


Three Simple ideas — Distributed Ledgers

  1. Distributed ledgers are the best way for Organizations to define and maintain roles and permissions, a.k.a. Authority.
  2. Public keys are the best basis for Identity.
  3. Public keys paired with a clear set of roles & permissions enable instant provisioning of secure, cryptographically enforced compartments for data storage and communications.
