Security is on everyone's mind. According to industry research firm Gartner, worldwide security spending will reach $96 billion in 2018. In the following Q&A, IronClad Encryption co-founder Daniel Lerner reveals the biggest threat facing companies today. He also explains how IronClad's unique technology protects organizations.
Why are today’s organizations so vulnerable to data breaches?
The biggest problem is that the existing encryption systems are relatively difficult to implement, so, in many cases, they don't get implemented. You may have data which is secured in one system that you want to switch to another system, and in the process of transferring the data you decrypt it, and forget to erase the decrypted version. Or, you may want to make a backup and put it into your data warehouse, which is supposed to be a secure facility. You don't encrypt it while it's in storage, and there is a data breach into the secure facility. These kinds of things result in security breaches that could be avoided. Today's organizations need easier-to-use systems that have less friction at the operational level.
We hear a lot about the importance of encryption as a defense mechanism. Yet, hackers are also stealing encrypted data. How are they able to get to the encrypted data?
The most obvious thing that happens is the data key is given away, accidentally, usually through a phishing attack.
If a hacker gets the key, what can he do with it?
If you're able to get the key, you have access to the associated encrypted data. Most systems use a single key.
The most difficult breaches are called brute force attacks. They occur when the encryption actually gets broken, which exposes your entire database. Even though you have your data encrypted, someone has used a more powerful computer and broken the single key which protects your data. That kind of attack is completely unstoppable using single-key encryption.
IronClad uses temporary keys and breaks up your data into little tiny packets. Each of those packets is assigned a key. Even if someone were able to guess one of the keys associated with a single packet, it can't be used on other packets. It's unbreakable by any of today's thinking about encryption.
So, by "multiple keys" do you mean 5, 10, 25? How many keys are you talking about?
We're talking about more keys than there are atoms in the universe. In the scale of things, if you were to take account of all of the atoms in the entire universe, we have many, many more times that many keys. To be exact, our base level of encryption uses 2 to the 4096th power key combinations. That is a number with over 1,000 zeros. The number of elementary particles in the universe amounts to only 10 to the 80th power.
Is your system a symmetric system or an asymmetric system?
It’s actually both. We use symmetric encryption for the data and we use asymmetric encryption to continuously change the key pattern while the data is being transmitted. We only use these as a starting point. Then, we generate literally millions and millions of keys while the data is being transmitted. When the data is received at the other end of the line the keys are generated there, invisibly and synchronously to decrypt the data. The keys are not transmitted in any way. Then, all of those keys are thrown away. They're meaningless once the data has been received and decrypted.
Is there any possibility that the keys shared between the sender and receiver will get out of sync?
That's been a problem with every synchronous encryption system. We've solved that problem multiple ways, two of which I’ll explain. First, we use digital signals which are being sent back and forth between the two ends of the line which keep the synchronization consistent. Second, we use a token that is a reference to resynchronize the two ends of the communication if somehow the systems got out of synchronization. For example, if you and I were using one of our forthcoming secure phones to have a private conversation, one of us could lose the cell signal if we walked or drove into a dead zone. The tokens ensure synchronization regardless of line drops and interference. We've put a lot of effort into keeping the synchronization consistent because you need it to create the keys on the two ends of the system.
Is there any possibility someone other than the sender or receiver could substitute themselves in?
No. Since the keys are continually changing on the two ends, it's not possible for a "man in the middle" to get in the line of the communication channel. A man-in-the-middle won't have the ability to know anything about the communication since it is encrypted with continuously changing keys.
Are you using your own encryption algorithm or industry standards?
AES-256 is the foundation of our software. We can use all different types of encryption standards in our software. We don't have to use AES in our library, though. We can use other types of encryption and can switch the type of encryption used for each packet, which has its own key. We are not bound to any particular encryption methodology.
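The mechanism Lerner sketches across the answers above (every packet encrypted under its own key, keys generated on both ends from a shared starting point rather than transmitted, a token that lets the two ends resynchronize after a dropped signal, and AES-256 as the underlying cipher) can be made concrete with a small Go program. The program below is an added example for this article, not IronClad's code, and its details are assumptions: the shared root secret is taken to come from an authenticated key exchange (per-packet keying on its own does not prove who the peer is, so whatever protection exists against a man-in-the-middle has to come from that initial exchange), HMAC-SHA256 over the packet sequence number stands in for whatever key-generation method IronClad actually uses, the sequence number carried in the packet header plays the role of the resync token, and the label string, sample secret and packet contents are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// must unwraps (value, error) pairs that cannot fail for a valid AES-256 key.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Session is one direction of a link. Both ends hold the same root secret, which
// is never sent on the wire. ASSUMPTION: the root came from an authenticated key
// exchange; per-packet keying by itself does not prove who the peer is.
type Session struct{ root []byte }

const headerLen = 8 // big-endian packet sequence number, sent in the clear

// PacketKey derives the AES-256 key for packet seq as HMAC-SHA256(root, label||seq).
// HMAC is a PRF, so one packet's key reveals nothing about any other packet's key.
func (s Session) PacketKey(seq uint64) []byte {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], seq)
	mac := hmac.New(sha256.New, s.root)
	mac.Write([]byte("example-packet-key-v1")) // constructed domain-separation label
	mac.Write(b[:])
	return mac.Sum(nil)
}

// aead builds AES-256-GCM for packet seq. The nonce carries the sequence number;
// each key encrypts exactly one packet, so no (key, nonce) pair is ever reused.
func (s Session) aead(seq uint64) (cipher.AEAD, []byte) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(s.PacketKey(seq)))))
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes
	binary.BigEndian.PutUint64(nonce[4:], seq)
	return gcm, nonce
}

// Seal encrypts one packet under its own key. The header is bound as associated
// data, so a sequence number altered in transit fails authentication.
func (s Session) Seal(seq uint64, plaintext []byte) []byte {
	gcm, nonce := s.aead(seq)
	hdr := make([]byte, headerLen)
	binary.BigEndian.PutUint64(hdr, seq)
	return append(hdr, gcm.Seal(nil, nonce, plaintext, hdr)...)
}

// Receiver accepts packets in increasing sequence order. There is no lock-step
// counter to drift out of sync: the header is the resync token, so after a loss
// the receiver derives the key for whatever sequence number arrives next.
type Receiver struct {
	sess    Session
	nextSeq uint64
}

var ErrReplay = errors.New("sequence number already consumed")

func (r *Receiver) Open(packet []byte) ([]byte, error) {
	if len(packet) < headerLen+16 { // header plus GCM tag
		return nil, errors.New("packet too short")
	}
	hdr := packet[:headerLen]
	seq := binary.BigEndian.Uint64(hdr)
	if seq < r.nextSeq {
		return nil, ErrReplay
	}
	gcm, nonce := r.sess.aead(seq)
	pt, err := gcm.Open(nil, nonce, packet[headerLen:], hdr)
	if err != nil {
		return nil, err // wrong key, forged or tampered: receiver state is not advanced
	}
	r.nextSeq = seq + 1
	return pt, nil
}

// Demo runs a constructed exchange: packet 1 is lost, packet 2 still decrypts,
// a replay of packet 2 is refused, and packet 2's ciphertext relabelled as
// sequence number 7 fails authentication. Returns what the receiver recovered.
func Demo() (recovered []string, replayRejected, forgeryRejected bool) {
	root := []byte("constructed-sample-root-secret!!") // stands in for a negotiated secret
	sender, recv := Session{root: root}, &Receiver{sess: Session{root: root}}
	var wire [][]byte
	for i, m := range []string{"packet 0", "packet 1", "packet 2"} {
		wire = append(wire, sender.Seal(uint64(i), []byte(m)))
	}
	for _, i := range []int{0, 2} { // packet 1 never arrives
		pt, err := recv.Open(wire[i])
		if err != nil {
			panic(err)
		}
		recovered = append(recovered, string(pt))
	}
	_, err := recv.Open(wire[2])
	replayRejected = errors.Is(err, ErrReplay)
	forged := append([]byte(nil), wire[2]...)
	binary.BigEndian.PutUint64(forged[:headerLen], 7)
	_, err = recv.Open(forged)
	forgeryRejected = err != nil && !errors.Is(err, ErrReplay)
	return
}
```

Three points from the interview show up in the run. The receiver that missed packet 1 still opens packet 2, because the key for any packet is a pure function of the root secret and the number in the header; nothing has to be counted in lock step, which is what the resync token buys. A captured packet cannot be played back, and a captured ciphertext cannot be re-labelled with a fresh sequence number, because the header is authenticated and a different sequence number means a different key. And because HMAC is a pseudorandom function, a recovered packet key is useless against neighbouring packets, which is the property the per-packet design is meant to provide. What this code cannot do is decide whether the peer holding the other copy of the root is the intended one; that question is settled entirely by how the root was established.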
What are the "security rings" you refer to on your website?
“Security rings” are the mechanism by which organizations can enforce multiple approvals. The approvals can be simultaneous, sequential, geographic, or other pre-defined requirements.
Do I need to replace any of my existing hardware or software in order to use your technology?
It depends on what you have in place. We have many technology solutions applicable to many different hardware and software environments. For example, modern servers can run our containerized products. Legacy equipment solutions can be provided for older systems such as Windows 3 and DOS. Industrial applications and legacy hardware that allow no software changes can take advantage of our BlackICE Ethernet appliance. In addition, licensable code is available for the IoT marketplace manufacturers.
You said modern servers can run containerized products. Why use containers?
Containers provide a standard way to package pieces of software. As an analogy, if you have a shipping container, you can put anything in it, but the container itself doesn't change. Software containers are a standardized environment that holds your software application. We've built IronClad Encryption into the container itself. If your application is running in a secure IronClad Encryption container, its communications are inherently secure. You don't have to understand anything about security, nor alter your application, to gain the full benefit of an IronClad container. It just works transparently. So, your application which runs in the container doesn't even know that it's sending and receiving all of its information through the IronClad encryption to the outside world. In other words, your application programmers don't even have to know that the data is being encrypted and decrypted as it enters and leaves the container.
So, who’s using your technology?
We have technology and distribution partnerships with Charter Trading, Layer 3 Communications, Technologent, and Black Pearl Engineering at the present time. We’re not at liberty to discuss what we’re building or implementing for them. However, it’s fair to say that our products are being implemented in both horizontal and vertical ways, which means as general-purpose solutions that can be used by organizations in any industry and industry-specific solutions that directly address the unique needs of those organizations.